The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.


The ICO’s enforcement action relates to Facebook’s involvement in Cambridge Analytica’s “harvesting” of the personal data of approximately 87 million Facebook users. The ICO’s investigation commenced in February 2018 following evidence provided by a former Cambridge Analytica employee that an app (known as “thisisyourdigitallife”) had been dispatched by Cambridge Analytica (among other political consultancies), with the purpose of obtaining user data, by requiring the users to log into the app via their Facebook profile.

The app requested permission from users to access their profile information including current location, Facebook timeline, friends list, email addresses, news feed posts, “liked” pages and posts, and date of birth, among other information. This information was processed by Cambridge Analytica for the purpose of creating voter profiles. The relevant individuals were then made the subject of targeted messaging and advertising during political campaigns in the UK and the US.

ICO Investigation

The ICO’s investigation found that users of the app did sign up to terms and conditions permitting access to users’ Facebook data; however, the ICO determined that this acceptance of terms was insufficient to amount to “informed consent” to such data being sold on to third-party organizations. Additionally, the collection of such data in this manner was in breach of Facebook’s privacy policy at the relevant time (which included limitations on the use of harvested data for commercial purposes). Any such access should have been permitted only for the purpose of augmenting user experiences.

Ultimately, the ICO found that Facebook’s failure to ensure the security of user data and its lack of transparency in relation to the ways in which user data could be accessed and used by third parties constitute breaches of the first and seventh data protection principles under the Data Protection Act 1998.

Elizabeth Denham (UK Information Commissioner) explained that “People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.” She also noted that “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act”.

The ICO’s Notice of Intent provides for a fine of £500,000 ($665,000), which is the maximum fine that the ICO can levy under the Data Protection Act 1998.

Potential fines under the GDPR

Facebook’s infringing activity occurred prior to the EU data protection regime under the General Data Protection Regulation (GDPR) coming into full effect. Should such infringing activity have occurred under the new regime, and should the ICO also seek to impose the maximum fines available, Facebook would face a fine of €20 million ($23 million) or 4% of global, group-wide, annual turnover (whichever is higher).

In 2017, Facebook’s turnover was approximately $40 billion; the potential fine that the ICO could levy on Facebook for a serious breach of the GDPR would therefore be up to $1.6 billion.

Transparency and security

The ICO’s enforcement action highlights the importance of the use of clear, transparent and accurate privacy notices. As well as ensuring personal data is secure, it is vital that data subjects are fully informed of the purposes for which data is processed and how it will be used, shared, accessed and (to the extent relevant) sold to third parties. Privacy notices should be regularly reviewed and updated to reflect business practices in order to ensure compliance with the GDPR’s principles of lawfulness, fairness and transparency.

Ongoing investigation by the ICO

The ICO’s decision to issue a Notice of Intent to Facebook is one of the key updates communicated in the ICO’s progress report on its investigation into data analytics in political campaigns (the full report can be found here).

In addition to actions taken in connection with Facebook’s activities, the report also details regulatory action taken against Cambridge Analytica and its parent company, SCL Elections Limited, as well as other data consultancies and data brokers implicated in the investigation. Notably, the ICO is pursuing a criminal prosecution against SCL Elections Limited for its failure to properly deal with an enforcement notice requiring it to respond to a subject access request. The ICO also intends to audit the data protection practices of numerous political parties.