Facebook brings in £500,000 easily. At this point, even if everyone at the company disappeared via technological rapture, its ad platform would still churn out cash. That makes the UK Information Commissioner's Office (ICO) £500,000 ($641,878) fine against the company over the Cambridge Analytica incident seem inconsequential, but that's actually the highest fine the regulator can levy. And on top of that, Facebook also has a class-action lawsuit on its hands.
Here's a quick recap: Cambridge Analytica was revealed to have collected information about 50 million people in the U.S. by exploiting Facebook's laissez-faire data policies. This in turn raised questions about those policies and how Facebook planned to make sure researchers weren't gathering--and using--people's information without oversight. (You can learn more about the ins and outs of the controversy in our round-up.)
Regulators around the world quickly criticized Facebook over this failure. ICO announced in July that it planned to levy the maximum £500,000 fine against Facebook over the scandal; now it's actually issued that fine. While that may seem low, especially in light of the stricter GDPR rules that went into effect in May, the regulator noted that it issued the highest fine it could based on the previous Data Protection Act legislation.
That's because the incidents that provoked the fine occurred between 2007 and 2014. Instead of retroactively applying GDPR, which would incur a much higher fine, ICO had to rely on a decade-old law.
Information Commissioner Elizabeth Denham explained:
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data. ... Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
Class-Action Lawsuit Against Facebook
But there are signs that Facebook users aren't content to wait around for regulators to manage Facebook and other companies' data practices. A class-action lawsuit filed late last week complains that Facebook continued to track users' location via its smartphone apps and share it with advertisers even if they disabled that feature. Claiming Facebook violated the U.S. Federal Stored Communications Act, the lawsuit, in part, seeks $1,000 per violation of that act, an explanation of how affected users were impacted, destruction of user data accumulated and a commitment to not do these acts again. This is the latest in a long series of lawsuits; maybe they'll help nudge things in the direction of privacy reform.