The U.K.’s privacy watchdog on Thursday fined Facebook £500,000 ($645,000) for allowing illicit access to users’ data by the political-data firm Cambridge Analytica—and said it would have handed the social network a bigger fine if it could have.
The fine is a pittance for Facebook, just over 1% of its daily profit in the second quarter. But it is the first legal slap at Facebook in a case that led to government hearings on both sides of the Atlantic and became emblematic of the ways in which personal information can be collected and abused on the internet.
Thursday’s action also serves as a warning of what tech companies like Facebook might face for future violations.
The U.K. fine is the maximum allowed under the country’s old privacy law. Under the European Union’s new GDPR privacy law, which has been implemented by the U.K., Britain’s Information Commissioner’s Office can now issue fines up to 4% of a company’s annual global revenue, or $1.6 billion in Facebook’s case.
“The fine would inevitably have been significantly higher under the GDPR,” said Elizabeth Denham, the country’s information commissioner. “A company of its size and expertise should have known better and it should have done better.”
Facebook said it was reviewing the U.K. decision.
“While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” a spokeswoman for the social network said.
The fine confirms a preliminary decision the U.K. regulator issued in July, giving Facebook a chance to respond. The regulator said Thursday that its investigation had confirmed that the now-defunct Cambridge Analytica got access to data on tens of millions of Facebook users from the developer of a third-party app that plugged into the social network. That includes data on roughly a million U.K. residents, the regulator said.
The regulator said that even after the breach was disclosed to Facebook in 2015, the social network didn’t do enough to make sure the problem was fixed, noting that Cambridge Analytica wasn’t suspended from Facebook until earlier this year.
The case has become a rallying cry for privacy activists who say that companies are doing too little to safeguard user data. Some privacy groups have filed complaints under the EU’s new privacy law against Facebook, arguing that its take-it-or-leave-it terms of service don’t give users the ability to decide freely whether to share their data with firms. Ireland’s Information Commissioner’s Office is currently investigating those complaints, because Facebook’s EU headquarters are in Dublin.
Concern about how user data can be misused has also been tapped into by one of Facebook’s Silicon Valley rivals. Apple Inc. Chief Executive Tim Cook on Wednesday gave a blistering speech before a conference of privacy regulators—including the U.K.’s Ms. Denham—that made thinly veiled references to the Cambridge Analytica scandal and Facebook’s admission that Russian-backed propagandists had exploited the social network.
“Our own information—from the everyday to the deeply personal—is being weaponized against us with military efficiency,” Mr. Cook said.
Write to Sam Schechner at email@example.com