Facebook is set to be fined £500,000, the maximum amount possible, for two breaches of the Data Protection Act 1998 (DPA 1998).
Due to the timing of the breaches, the ICO was unable to levy the fines introduced by the General Data Protection Regulation (GDPR), which caps fines at the higher of 20m (EUR) or 4% of annual global group turnover - which in Facebook's case is around $1.9bn.
The ICO has stated that the social media giant is in breach of the DPA 1998 for lack of transparency and security issues relating to the harvesting of data.
However, although Facebook managed to avoid higher fines, it was unable to escape what The Economist described as a "reputation meltdown".
The ongoing ICO inquiry has become the largest investigation of its type and involves social media online platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups, and even the operator of a mother and baby website.
A key strand of the investigation surrounds the link between Cambridge Analytica, its parent company SCL Elections Limited, and Aggregate IQ. It involves allegations that Facebook data may have been misused in the UK referendum and to target voters during the 2016 American presidential election.
Eleven political parties have received a warning letter and notices compelling them to agree to audits of their data protection practices. The ICO will also conduct audits of the main credit reference companies and the Cambridge University Psychometric Centre.
The ICO issued an enforcement notice to SCL Elections Limited requiring them to deal with a subject access request from a Professor Carroll. The ICO is now taking steps to bring a criminal prosecution against SCL Elections Limited for failing to properly deal with the Enforcement Notice issued by the ICO.
An enforcement notice has been served on Aggregate IQ to stop processing retained data belonging to UK citizens. The ICO has issued a notice of intent to take regulatory action against data broker Emma's Diary, a data broker website that provides information to new parents.
These organisations fell foul of the first principle of the DPA 1998. There was a lack of transparency from the organisations and a lack of consent from the individuals involved (where required) around how that data was subsequently used by the political parties in their profiling, analytics and targeting.
Under the accountability principle laid out in Article 5.2 of the GDPR (the rules which now apply, following 25 May 2018), a data controller "must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject." The rules stipulate that information or communication to data subjects must be concise, transparent, intelligible and easily accessible, and use clear and plain language.
This can be achieved through a clear and transparent notice or policy which provides data subjects with information such as the purposes of processing; the categories of recipients with whom the data will be shared; the data subject's rights; and retention periods.
Facing up to data breaches
The GDPR introduces a wider definition of a data breach. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This is often categorised as a loss of confidentiality, integrity or availability (CIA).
Organisations which are data controllers have a duty to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, organisations which are data controllers must also inform those individuals without undue delay.
The ICO has the power to serve enforcement notices, and failure to comply could result in imprisonment or fines at the higher levels now set out in the GDPR.
How we can help and your action points
Our experienced data and privacy team at Shoosmiths can assist with:
- ensuring your privacy notices reflect what happens in practice with your employees', customers' and contacts' personal data;
- providing data breach policies and procedures (and indeed other policies and procedures to demonstrate your readiness and compliance); and
- liaising with the ICO.
Please contact either JP Buckley or Andrew Mills with any of your queries.