PogoWasRight.org

Menu
  • About
  • Privacy
Menu

ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information

Posted on October 25, 2018June 25, 2025 by Dissent

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law.

In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes.

After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred – will remain unchanged. The full penalty notice can be read here.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.

Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Elizabeth Denham, Information Commissioner, said:

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation. These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4% of global turnover.

Ms Denham added:

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

Watch Elizabeth Denham talk about the fine here.

A further update on the ICO investigation into data analytics for political purposes will be on Tuesday 6 November, when Ms Denham will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.

In July, the ICO published an interim progress updateon its investigation and also published a partner report, Democracy Disrupted? Personal information and political influencelooking at the broader policy issues identified during the investigation along with findings and the Information Commissioner’s recommendations for future action.

If you need more information, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.

Source: Information Commissioner’s Office

Related posts:

  • How Political Campaigns Use Your Phone’s Location to Target You
Category: BreachesBusinessFeatured News

Post navigation

← Schools balance student safety, privacy for enrolled sex offenders
Portuguese hospital receives and contests 400,000 € fine for GDPR infringement →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • Germany’s top court holds that police can only use spyware to investigate serious crimes
  • Flightradar24 receives reprimand for violating aircraft data privacy rights
  • Nebraska Attorney General Sues GM and OnStar Over Alleged Privacy Violations
  • Federal Court Allows Privacy Related Claims to Proceed in a Proposed Class Action Lawsuit Against Motorola
  • Italian Garante Adopts Statement on Health Data and AI
  • Trump administration is launching a new private health tracking system with Big Tech’s help
  • Attorney General James Takes Action to Protect Sensitive Personal Information of Tens of Millions of People

RSS Recent Posts on DataBreaches.net

  • Connex Credit Union notifies 172,000 members of hacking incident
  • Federal judiciary says it is boosting security after cyberattack; researcher finds new leaks (CORRECTED)
  • Bank of America Refused To Reimburse Georgia Customer After Hackers Hit Account. Then a News Station Showed Up.
  • NCERT Issues Advisory on “Blue Locker” Ransomware Targeting Pakistan’s Key Institutions
  • Scattered Spider has a new Telegram channel to list its attacks
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy