The Information Commissioner’s Office (ICO) has imposed its maximum fine, of £500,000, on Facebook Ireland and Facebook US following an investigation into the unfair processing of user data by Facebook and the subsequent use of such data in relation to political campaigning.
The case is particularly interesting for a number of reasons including:
- This is the second time in recent months that the ICO has imposed the maximum fine available to it under the previous legislation (the Data Protection Act 1998 (DPA));
- The ICO has fined two non-UK companies in Facebook Ireland and Facebook US on the basis that these companies were processing data in the context of a UK establishment;
- Prior to fining these two Facebook companies the ICO issued a “Notice of Intent” and allowed Facebook to make written representations before the monetary penalty was finalised; and
- It was irrelevant that the Application or App in question was being operated in contravention both of Facebook’s terms and conditions and of a specific undertaking given to Facebook by the operator of the App because Facebook had taken no steps, or no sufficient steps to ensure that the App was operating in accordance with its rules.
What was the App?
The Application (App) in question was created in 2013 by Dr Aleksandr Kogan and became known as “thisisyourdigitallife”. It is believed that the App harvested data obtained from personality test results and other data on psychological patterns, however, of more significance (and concern to Facebook’s vast user base), the App was also permitted to obtain personal data about individuals who had not downloaded or used the App, but were merely Facebook friends with users who did. This data was obtained without sufficiently informed consent, as although the App required users to agree to a set of terms and conditions, this lacked the necessary clarity and transparency and, as a result, the ICO has concluded that it amounted to the unfair processing of personal data of users contrary to the first Data Protection Principle of the Data Protection Act 1998 (DPA ’98) which states that:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
- At least one of the conditions in schedule 2 is met, and
- In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
In addition to the above, Facebook were also found to have breached the seventh Data Protection Principle, which provides that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Under the new General Data Protection Regulation (GDPR), these would have been in breach of Article 5, in particular the principles of ‘lawfulness, fairness and transparency’ and ‘integrity and confidentiality’.
What happened with the data?
The data harvested by the App was subsequently shared by Dr Kogan and/or his organisation with a number of third party companies including SCL Elections Limited, the parent company of Cambridge Analytica. It is believed that some of the data was then used in relation to political campaigning.
The ICO response
The ICO began investigating the potential misuse of personal data by both sides of the Brexit campaign in March 2017. The scope extended in May of 2017 to include social media companies as well as political parties and data analytics companies. The focus of the investigation was, early this year, directed firmly at Facebook and Cambridge Analytica following the revelation of evidence demonstrating that a significant amount of user data had been harvested and used in political campaigns.
Following the notice of intent back in July, the ICO has, irrespective of arguments made by Facebook in their response, concluded that the maximum fine of £500,000 under the DPA ‘98 should be levied. In coming to this decision, the ICO took into account the number of individuals affected, the significant amount of data shared with third parties without consent having been obtained and the fact that the data of both UK users and UK users who were US residents were put at risk of being shared with third parties in connection with political campaigning. Additionally, it was suggested that Facebook should have been aware of the risks by virtue of its size, significant resources and experience as a data controller.
The long arm of the law
One feature of this case which is particularly interesting, is that the ICO relied on the previous CJEU decision in Google Spain (Google Spain v AEPD  QB 1022) and found that both Facebook US and Facebook Ireland were processing data in the context of a UK establishment, in respect of any individuals who made use of the Facebook site from the UK. The ICO pointed out that this could include both UK residents and people who were simply visiting the UK. In reaching this conclusion the ICO was essentially saying that there was an inextricable link between the business of Facebook UK and that of Facebook Ireland and Facebook US.
The ICO therefore demonstrated a willingness to look at the overall substance of the arrangement between the various Facebook companies. The GDPR adopts very similar wording to the DPA and the result is therefore likely to have been the same under the GDPR. Indeed under the GDPR there is a far greater likelihood of companies based outside of the EU having to comply with the EU’s data privacy laws as the GDPR extends its jurisdiction to those offering goods or services to people in Europe and to those monitoring the behaviour of people in Europe where that behaviour takes place in Europe.
A lucky escape?
This will likely be considered by many to be a lucky escape for Facebook who, if the breach was heard under the GDPR could have been in excess of $1 billion dollars (4% of the global annual turnover of the social media giant).
Indeed, had Facebook’s activities taken place following 25 May 2018, the fine would almost certainly have been very much higher. In the Monetary Penalty Notice issued by the ICO to Facebook it was made clear that the Information Commissioner ‘…considers that the amount of £500,000 is not excessive…’ and that ‘…but for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty’.
When considered in conjunction with the recent fine levied against credit rating agency Equifax, this is certainly a demonstration of the ICO’s tougher stance on data protection and willingness to use the full extent of remedies that are at its disposal.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.