Sixteen months after the Information Commissioners Office (ICO) began its investigation into the Facebook’s sharing the personal details of users with political consulting firm Cambridge Analytica, the ICO has announced that Facebook will be fined £500,000 for data breaches.

Maximum

The amount of the fine is the maximum that can be imposed under GDPR. Although it sounds like a lot, for a corporation valued at around $500 billion, and with $11.97 billion in advertising revenue and $4.98 billion in profit for the past quarter (mostly from mobile advertising), it remains to be seen how much of an effect it will have on Facebook.

Time Before Responding

Facebook has now been given time to respond to the ICO’s verdict before a final decision is made by the ICO.

Facebook have said, however, that it acknowledges that it should have done more to investigate claims about Cambridge Analytica and taken action back in 2015.

Reminder of What Happened

The fine relates to the harvesting of the personal details of 87 million Facebook users without their explicit consent, and the sharing of that personal data with London-based political Consulting Firm Cambridge Analytica, which is alleged to have used that data to target political messages and advertising in the last US presidential election campaign.

Also, harvested Facebook user data was shared with Aggregate IQ, a Data Company which worked with the ‘Vote Leave’ campaign in the run-up to the Brexit Referendum.

The sharing of personal user data with those companies was exposed by former Cambridge Analytica employee and whistleblower Christopher Wylie. The resulting publicity caused public outrage, saw big falls in Facebook’s share value, brought apologies from its founder / owner, and saw insolvency proceedings (back in May) for Cambridge Analytica and its parent SCL Elections.

What About Cambridge Analytica?

Although Facebook has been given a £500,000 fine, Cambridge Analytica no longer exists as a company. The ICO has indicated, however, that it is still considering taking legal action against the company’s directors. If successful, a prosecution of this kind could result in convictions and an unlimited fine.

AggregateIQ

As for Canadian data analytics firm AggregateIQ, the ICO is reported to still be investigating whether UK voters’ personal data provided by the Brexit referendum’s Vote Leave campaign had been transferred and accessed outside the UK and whether this amounted to a breach of the Data Protection Act. Also, the ICO is reported to be investigating to what degree AIQ and SCL Elections had shared UK personal data, and the ICO is reported to have served an enforcement notice forbidding AIQ from continuing to make use of a list of UK citizens’ email addresses and names that it still holds.

Worries About 11 Main Political Parties

The ICO is also reported to have written to the UK’s 11 main political parties, asking them to have their data protection practices audited because it is concerned that the parties may have purchased certain information about members of the public from data brokers, who might not have obtained consent.

What Does This Mean For Your Business?

When this story originally broke, it was a wake-up call about what can happen to the personal data that we trust companies / corporations with, and it undoubtedly damaged trust between Facebook and its users to a degree. It’s a good job that the ICO is there to follow things up on our behalf because, for example, a Reuters/Ipsos survey conducted back in April found that, even after all the publicity surrounding Facebook and Cambridge Analytica scandal, most users remained loyal to the social media giant.

Also, the case has raised questions about how our data is shared and used for political purposes, and how the using and sharing of our data to target messages can influence the outcome of elections, and, therefore, can influence the whole economic and business landscape. This has meant that there has now been a call for the UK government to step-in and introduce a code of practice which should limit how personal information can be used by political campaigns before the next general election.
Facebook has recently been waging a campaign, including heavy television advertising, to convince us that it has changed and is now more focused on protecting our privacy. Unfortunately, this idea has been challenged by the recent ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council, which accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not actually benefit their privacy.

The ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council has accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

Illusion of Control

The report alleges that, far from actually giving users more control over their personal data (as laid out by GDPR), the tech giants may simply be giving users the illusion that this is happening. The report points to the possible presence of practices such as:

– Facebook and Google making users who want the privacy-friendly option go through a significantly longer process (privacy intrusive defaults).

– Facebook, Google and Windows 10 using pop-ups that direct users away from the privacy-friendly choices.

– Google presenting users with a hard-to-use dashboard with a maze of options for their privacy and security settings. For example, on Facebook it takes 13 clicks to opt out of authorising data collection (opting in can take just one).
– Making it difficult to delete data that’s already been collected. For example, deleting data about location history requires clicking through 30 to 40 pages.

– Google not warning users about the downside of personalisation e.g. telling users they would simply see less useful ads, rather than mentioning the potential to be opted in to receive unbalanced political ad messages.

– Facebook and Google pushing consumers to accept data collection e.g. with Facebook stating how, if users keep face recognition turned off, Facebook won’t be able to stop a stranger from using the user’s photo to impersonate them, while not stating how Facebook will use the information collected.

Dark Patterns

In general, the reports criticised how the use of “dark patterns” such as misleading wording and default settings that are intrusive to privacy, settings that give users an illusion of control, hiding privacy-friendly options, and presenting “take-it-or-leave-it choices”, could be leading users to make choices that actually stop them from exercising all of their privacy rights..

Big Accept Button

The report, by Norway’s consumer protection watchdog, also notes how the GDPR-related notifications have a large button for consumers to accept the company’s current practices, which could appear to many users to be far more convenient than searching for the detail to read through.

Response

Google, Facebook and Microsoft are all reported to have responded to the report’s findings by issuing statements focusing on the progress and improvements they’ve made towards meeting the requirements of the GDPR to date.

What Does This Mean For Your Business?

GDPR was supposed to give EU citizens much more control over their data, and the perhaps naive expectation was that companies with a lot to lose (in fines for non-compliance and reputation), such as the big tech giant and social media companies would simply fall into line and afford us all of those new rights straight away.

The report by the Norwegian consumer watchdog appears to be more of a reality check that shows how our personal data is a valuable commodity to the big tech companies, and that, according to the report, the big tech companies are willing to manipulate users and give the illusion that they are following the rules without actually doing so. The report appears to indicate that these large corporations are willing to force consumers to try to fight for rights that have already been granted to them in GDPR.