Facebook is getting hit with the maximum penalty allowable under United Kingdom law for a scandal in which the social media website failed to keep user data out of the hands of the political research firm Cambridge Analytica.
The U.K. Information Commissioner’s Office (ICO) announced on Thursday that it is fining Facebook £500,000 ($664,000) for “serious breaches of data protection law.” The ICO initially announced its intent to levy the fine in July.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” Elizabeth Denham, the U.K.’s information commissioner, said in a statement.
The ICO fine is the maximum that U.K. law allowed at the time the Cambridge Analytica ordeal went down, the office said. That’s based on the Data Protection Act of 1998. The law was replaced in May by the European Union’s General Data Protection Regulation (GDPR), which sets requirements to protect the data of European citizens. Had Facebook been subject to GDPR for this case, it would have faced a fine of up to €17 million, or 4 percent of its global revenue, whichever is higher.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” Denham added. “One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
The ICO said its investigation found that Facebook allowed application developers to scrape data from everyday users without informing them or asking for their consent. The company’s lack of enforcement of data protection led to the harvesting of at least one million U.K. users’ data, which was “put at risk of further misuse,” the ICO said.
Facebook has faced sharp backlash about its handling of user data since the Cambridge Analytica story came out in March 2018, with CEO Mark Zuckerberg having to testify before Congress and the U.K. parliament. The ICO fine is the first official financial consequence of the scandal.
Separately, Facebook potentially faces a much higher fine of up to $1.63 billion for a security issue it reported last month, this time under GDPR. Facebook said that a bug existed on the website for more than a year that allowed access tokens to 30 million accounts to be stolen.