Today the UK's data protection regulator, Information Commissioner Elizabeth Denham, announced that Facebook (defined as Facebook Ireland Ltd, and Facebook Inc -- the Facebook Companies) has indeed been fined £500,000. "The ICO's investigation," explains the regulator, "found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends' with people who had."
The specific app in question was developed by Dr Aleksandr Kogan and his company GSR. It harvested data of up to 87 million people worldwide. A large portion of this data was shared with the SCL group -- the parent company of political campaign organization Cambridge Analytica. The ICO's investigation found that "the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse."
During the process of the investigation, Facebook argued that the ICO had no jurisdiction in the matter -- although it did cooperate with the ICO. The ICO's Decision Notice (PDF) explains its position:
"UK Users would include (but would not be confined to) UK residents who made use of the Facebook site during the material time. UK Users would also include persons visiting the UK who made use of the Facebook site during the material time while visiting the UK. Because the processing by the Facebook Companies of personal data about the UK Users took place in the context of a UK establishment: (i) such processing fell within the scope of the DPA ; and (ii) the Commissioner has jurisdiction over the Facebook Companies in respect of such processing."
While Facebook has asserted that only personal data from U.S. citizens was used (misused under European principles) for Cambridge Analytica's political campaigning, the ICO comments, "Some US residents would also, from time to time, have been UK users (as defined above): e.g. if they used the Facebook site while visiting the UK."
The same principle of 'user' rather than citizen applies to GDPR. It reinforces a key point often missed by U.S. organizations: GDPR is not merely about protecting the PII of EU citizens, it applies to any person of any nationality who is within the geographical boundaries of the EU at the time.
Part of the reason for the ICO to apply the maximum fine possible under the legislation applicable at the time (the UK's Data Protection Act 1998, now superseded by the Data Protection Act 2018, being the UK's implementation of GDPR) was the persistence of Facebook's failing.
"Even after the misuse of the data was discovered in December 2015," says the ICO, "Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018."
This is another key aspect of GDPR -- regulators will take into consideration efforts made to protect personal data. While rapid remedial action is unlikely to reduce any applicable fine, failure to act promptly and effectively will almost certainly increase it.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," said Elizabeth Denham.
It is, however, her next comment that should sound a warning to all companies of any size that process -- and allow the unlawful processing -- of EU users' data: "We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people's personal data. Our work is continuing."
GDPR isn't merely designed to punish transgressors; it is designed to punish them so severely that they will actually change their business practices. Much larger fines under GDPR are inevitable.