Login or register to read more


The Price of Misusing Personal Data


What is the news?

Social media giant Facebook is to be fined £500,000 for two breaches of the Data Protection Act 1998 due to its part in the Cambridge Analytica scandal. According to Christopher Wylie, a former employee of Cambridge Analytica, the company collected information on around 87 million Facebook users to influence the outcome of the US 2016 presidential election and the UK Brexit referendum.

What does the news mean?

The Information Commissioner’s Office (ICO) has concluded that ‘Facebook contravened the law by failing to safeguard people’s information’ and ‘failed to be transparent about how people’s data was harvested by others’. It will, therefore, impose a £500,000 fine against Facebook and bring criminal action against SCL Elections, Cambridge Analytica’s parent company.

What do we think of the news?

The £500,000 fine reflects the maximum allowed for data breaches under the Data Protection Act 1998. However, it is barely a drop in the ocean considering Facebook reported $11.97bn in revenue in the first three months of 2018. Fast-forward to 25 May 2018 and had the breaches occurred under the General Data Protection Regulation, a fine could have been at the higher level of €20m or 4% of global turnover. In the case of Facebook, this would have been a maximum $1.9bn (£1.4bn) according to reported figures. It is speculative whether the ICO would have exercised their discretion to impose the new maximum penalty, however, it serves as a useful reminder (and perhaps a deterrent) to companies handling any personal data that financial penalties may be imposed in cases of data breaches. Whilst Facebook may be an extreme example, if you are a company or an individual who processes or controls data, just a gentle reminder that you have obligations to process data lawfully and the ICO will be taking a more active approach to auditing what measures you have put in place to ensure compliance.

If you would like to talk through any concerns you may have on data protection you can contact Associate, Graham Hansen on T: 0161 358 0552 or E: grahamhansen@hrclaw.co.uk.

This contains a general overview of information only. It does not constitute, and should not be relied upon, as legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.