Skip to main content


Facebook faces record £500,000 fine for Cambridge Analytica data breaches

The Information Commissioner's Office ('the ICO') has published a progress report on its investigation into the “invisible processing” of individuals’ personal data and the “micro-targeting” of political adverts during the EU referendum campaign.  The investigation is principally concerned with the Facebook-Cambridge Analytica scandal in which third party developers used apps (for example, a personality test) to "scrape" users' personal data and that of their [Facebook] friends.  This was ostensibly done under the guise of academic research, but the demographic information gathered is said to have been used in political campaigns in the UK and overseas. Up to 87 million Facebook users are believed to have been affected, including one million in the UK.

At all material times the governing law was the Data Protection Act 1998, which imposed a number of obligations on data controllers known as ‘Data Protection Principles’.  These included requirements to process personal data fairly and to have appropriate technical measures in place to ensure that personal data is secure (respectively, the First and Seventh Data Protection Principles).  These are the obligations Facebook is said to have breached.

The progress report confirms that the ICO has issued Facebook with a “Notice of Intent” to issue a monetary penalty in the sum of £500,000 for security issues and a lack of transparency in respect of the harvesting of data.  Facebook now has the opportunity to make representations on the alleged breaches before a final decision is made.

Other enforcement action contemplated in the report includes:

  • The sending of warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices.
  • An Enforcement Notice for SCL Elections Ltd to compel it to deal properly with a subject access request from Professor David Carroll.
  • A criminal prosecution against SCL Elections Ltd for failing to properly deal with an ICO Enforcement Notice.
  • An Enforcement Notice for Aggregate IQ to stop processing retained data belonging to UK citizens.
  • A Notice of Intent to take regulatory action against data broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd).
  • Audits of the main credit reference companies and Cambridge University Psychometric Centre.

Commenting on the investigation and wider issues, Information Commissioner Elizabeth Denham said:-

"We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes...New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law...People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.”

A full copy of the report can be found here.


It is difficult to see Facebook avoiding sanction. When the story broke, its initial response was to blame third parties for the misuse of its platform.  Whilst these parties have a case to answer, it was a surprise to many that Facebook allowed personal data to be harvested, even for the purposes of academic research.  Given Facebook’s resources and the vast amount of personal data it is entrusted in, it is not unreasonable to expect it to have a secure system in place.  The fact that the system was exploited on such a massive scale highlights that this is a case where "the facts speak for themselves".  Facebook has now publicly acknowledged (including before the US Senate and UK parliament) that it should have done better.

Facebook should be grateful that these breaches occurred under the Data Protection Act 1998.  Understandably, the Information Commissioner feels that the extent and potential impact of the breaches justifies the maximum fine of £500,000.  The Data Protection Act 1998 has now been repealed and replaced by the General Data Protection Regulation (‘GPDR’) and Data Protection Act 2018.  The maximum sanction for breaches under the new legislation is €20million (£17.7million) or 4% of annual global turnover, whichever figure is higher.  In Facebook’s case, this could mean a fine of over $1.6bn (£1.2bn).  Whilst some might say Facebook has got off lightly here, the exposure of the breach and the publicity surrounding the ICO’s intended sanction will inevitably diminish trust in the platform amongst users and damage its reputation.


Click here to find out how Brett Wilson LLP privacy solicitors can help you if your private information or personal data has been misused. 


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.