Big news from across the pond: The U.K. Information Commissioner’s Office (ICO) has completed an interim investigation report about Facebook’s data-sharing practices and fined the tech company 500,000 pounds for two breaches of the Data Protection Act 1998. Further, the report states that SCL, parent company of Cambridge Analytica, will face criminal prosecution for not complying with an order the office issued the now-defunct company in May.
The fine is the largest ever given out for a breach under the Data Protection Act. Facebook’s actions came before a new set of European Union data rules -- the General Data Protection Regulation -- went into effect, but had the data breach happened under GDPR, the fine could have been up to 359 million pounds.
The ICO first began investigating Cambridge Analytica when an American academic, David Carroll, asked Cambridge Analytica to provide all of the data it had about him -- a request U.K. law required the company to follow. Note that the data Carroll was requesting was his voter profile, which he was unable to obtain under U.S. law even though the information was used in U.S. elections.
When Cambridge Analytica failed to supply the data, Carroll asked the ICO to enforce his request, which spurred the office to open an investigation. Just a few weeks later, the news broke that Cambridge Analytica had harvested the Facebook profiles of 50 million users (the reported number has since increased to at least 87 million). Cambridge Analytica executives were also caught on hidden camera bragging to potential customers about the company’s use of “bribes, ex-spies, fake IDs and sex workers” on behalf of its clients. Because Facebook failed to protect its users, the company became part of the ICO investigation.
Today’s interim report doesn’t mean the investigation is over. According to The Guardian, “More than 20 different organisations, including political parties, data brokers, and social media companies, were approached by the ICO. One of the commissioner’s announcements on Wednesday was that the ICO would audit the data-processing practices of 11 political parties in the UK.” The ICO has also called on the U.K. government to “legislate a statutory code of practice under the new Data Protection Act to govern the use of data in political campaigns.”
I appreciate the ICO’s suggestion that the U.K. needs additional legislation to protect Facebook’s users, but to be honest, that won’t be enough. Practically speaking, Facebook is too large a company for any one government to oversee. We already know that Cambridge Analytica wasn’t the only firm to exploit Facebook’s user data, and just yesterday news broke that a Russian company with Kremlin links also had access to user data, having developed “hundreds of Facebook apps” to collect data, “some of which were test apps that were not made public.”
Facebook’s users are spread across the globe, and breaches of their data and other abuses have a global impact. The response to Facebook’s failures must be global as well. The American professor who is suing in the U.K. came up with a creative approach, and we need more of the same, as Facebook will change only in response to pressure. The more we can organize pressure campaigns with international reach and the more those campaigns utilize institutions in multiple countries, the more successful we’ll be at forcing Facebook’s hand.