Facebook — Enforcement
Executive Summary
The UK ICO fined Facebook £500,000 — the maximum under the pre-GDPR Data Protection Act 1998 — for failing to protect user data in the Cambridge Analytica scandal. The ICO found that between 2007 and 2014, Facebook allowed app developers access to user data without sufficiently clear consent.
What Happened
On October 25, 2018, the UK Information Commissioner's Office fined Facebook £500,000, the maximum penalty under the Data Protection Act 1998, for failing to protect user data in the Cambridge Analytica scandal. The ICO found that between 2007 and 2014, Facebook allowed app developers access to user data without sufficiently clear consent, and failed to take adequate action when the issue was identified in 2015. Facebook paid the fine in October 2019 after more than a year of appeals, making no admission of liability.
Who Is Affected
At least one million UK users were among 87 million Facebook users worldwide whose private data was harvested by Dr. Aleksandr Kogan and his company Global Science Research. The data was obtained without users' consent and subsequently shared with Cambridge Analytica, which used it for political purposes including work on the Trump presidential campaign.
Why It Matters
This fine represented the maximum regulatory penalty possible under UK law at the time, demonstrating serious failures in Facebook's data protection practices over a seven-year period. The punishment was limited to £500,000 because the investigation began before GDPR took effect in 2018. Under current law, the same violations could have resulted in fines of up to £17 million or four percent of global turnover, potentially reaching $1.6 billion for Facebook.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.