The fining of Facebook: lessons learned


The UK's Information Commissioner, Elizabeth Denham, is not one to shy away from a challenge. In the midst of implementing one of the biggest changes to European data protection legislation in the last 20 years (the General Data Protection Regulation (GDPR)), she embarked upon a series of high profile investigations – and the first target in the firing line was Facebook.

On 19 June 2018 the Information Commissioner’s Office (ICO) served a notice of intent (NOI) on Facebook for an intent to fine the global social media giant £500,000 for two breaches of the Data Protection Act 1998 (the DPA) (the behaviour was pre-GDPR). Whilst serving NOIs aren’t uncommon for the ICO and the maximum fine (under the DPA) (note that GDPR maximum fines are much higher) is a drop in the ocean for Facebook, the background to this has more far reaching consequences.

The NOI resulted from an inquiry into the use of data analytics by Cambridge Analytica and Facebook during the EU referendum following allegations of 'invisible processing' of personal data and micro targeting of political ads. This led to a broader formal investigation into the use of data analytics in political campaigns, which represents the ICO's first step into scrutinising the processing of data by political parties. Other 'organisations of interest' targeted by the ICO include data analytics companies, social media platforms such as Snapchat and Twitter as well as the search engine Google. The approach taken indicates the Information Commissioner’s willingness to take a more aggressive and vigilant stance in ensuring personal data does not get misused, regardless of whether that means wading into political waters. In doing so, she has exercised the full range of her powers, not only under the DPA but under the Regulation of Investigatory Powers Act 2000 (e.g. for audit, inspection, powers of entry and seizure under warrant). The result is unavoidably high profile given the public interest element involved and the investigation is the largest of its kind that has been undertaken by a data protection authority globally.

Why should you be concerned?

In its investigation update, the ICO highlighted ten recommendations as a result of the inquiry as well as describing its key concerns. These are distilled into three key take away points below:

  1. Transparency: One of the "most concerning findings" was the "significant shortfall" in the transparency and provision of fair processing information. This isn’t something that is a new concept, particularly in the wake of the prescriptive requirements under the GDPR, so it is not surprising that this is something that the ICO is hot on. Organisations should therefore ensure their privacy notices are clear and explicit when outlining processing purposes, including naming (or at least describing) third parties to whom data may be disclosed. As a side note, parties will need to ensure that their operations align with the terms and conditions of all relevant platforms and remember to explicitly state where a third party's privacy policy and/or terms and conditions apply to the processing of personal data. 
  2. Legal basis for processing: organisations need to fall within one of the 'gateways' set out in the DPA so that they can demonstrate that they have a legal basis for processing the data they process. Here, the ICO is clearly concerned about the lack of understanding of what constitutes a valid legal basis for processing. It is important that all organisations which process data do so in a lawful manner, clearly identifying the most appropriate legal basis for each separate purpose.
  3. Due diligence on third parties: As with any element of an organisation's supply chain, it is important to ensure that proper due diligence is conducted into the processing activities of third parties. In particular, where an organisation relies on consent as a lawful basis for processing, and uses a third party to collect data, that organisation should ask for evidence that appropriate consents have been obtained and that (in all cases) individuals have been sufficiently informed about the purposes of the collection and processing.

What next?

As part of the investigation, the ICO issued warning letters to 11 political parties outlining steps it requires them to take (e.g. undertaking a review of transparency notices and legal basis for processing, conducting data protection impact assessments within 3 months) and requiring a report on actions taken by 2 October 2018.

Facebook can respond to the NOI before a final decision is made (as far as we know it has yet to do so). Meanwhile, the wider investigation is still ongoing, but the ICO anticipates that it will conclude the next phase by the end of October.

The subject matter of the investigation has clear relevance to businesses (and in particular targeted advertising), and as well as following the outcomes from the current matter, it will be interesting to see how Ms Denham uses her new powers under GDPR to drive change in this area.


Read Dan Reavill Profile
Dan Reavill
Back To Top