11 July 2018, updated 01 Jul 2021 12:15pm

Post GDPR, Facebook’s Cambridge Analytica fine could have been up to £1.4bn

Under new data protection regulations, offending companies can be forced to hand over up to 4 per cent of their global turnover.

By Sarah Manavis

It was revealed earlier today that Facebook will be fined £500,000 for its part in the Cambridge Analytica scandal, in which Facebook user data was secretly harvested for political purposes in 2016. The Information Commissioner’s Office (ICO), the independent public body that upholds information rights and ultimately hands out fines and penalties, announced that it intended to fine the social media company for two violations of the Data Protection Act of 1998: the first, for failing to safeguard its users’ data and the second, for failing to inform its users that their data was being harvested.  

The obvious response to, and problem with, this announcement (beyond the, uh, tens of millions of data violations) is that £500,000 represents mere pennies for Facebook. The social media giant made roughly $92,000 a minute (£69,000) in the first quarter of 2018, meaning it could have paid off the fine in less than ten minutes. However, under the Data Protection Act of 1998 against which these violations were assessed, this is the maximum penalty that can be levied. Even if Facebook had committed greater violations, there would be no way to fine it more.

Under the General Data Protection Regulation (GDPR), though, it could have been a different story. When the new data protection regulation came into play on 25 May 2018, it created a new upper boundary for fines, increasing the maximum fine from £500,000 to €20m (£17m), or 4 per cent of the offending company’s annual global turnover – whichever is higher. For Facebook, the maximum fine would then have become £1.4bn. 

Whether Facebook would have had to pay the maximum penalty, though, is another question. The GDPR as it stands is relatively vague. It says data breach fines could be “at a lower level” than that maximum, without specifying exactly how much lower. In a case like Facebook’s, where the breach affects millions of people’s data but ultimately isn’t the most brutally harmful misuse recorded, it’s up in the air whether or not it would have had to pay even near the maximum penalty. (With the Cambridge Analytica scandal, Facebook data was used for political targeting without the knowledge or approval of those users.) Ultimately, the size of the fine would be at the discretion of the ICO, which would decide on the severity of the violation. However, the new rules could potentially be enough to motivate Facebook and similar companies handling large amounts of data to be more careful.

“Previous data protection fines were a drop in the ocean for tech giants like Facebook, and the new maximum fines under the GDPR may potentially be a deterrent for further data breaches,” says Kavya Kaushik, a product manager with SAGE Ocean, an initiative from SAGE Publishing to equip social scientists to work with big data and new technology.


“This does not however solve the issue of technologists navigating big data without considering data ethics. Political campaigns from Obama to the Labour Party have effectively used big data and ‘quizzes’ to learn about voter behaviour.”

Kaushik is referring to the Obama campaign’s use of social media user data to target voters, and the similar tactics used by the Labour Party. In these cases, data was harvested in accordance with the laws at the time. This practice will also be more difficult under GDPR, where users will have to actively choose to have their data given to third parties. 

“As campaigns continue to use big data in elections, there is a role for social scientists to collaborate within this process to apply data ethics and ultimately shape the future of society for the better,” adds Kaushik. 

Regardless of new regulations, Facebook’s fine will likely remain as it stands (and legally, it couldn’t be any higher). But to call it, as many have, a slap on the wrist would be generous. Even before the GDPR became law, the fine looked pathetically small, but in the post-GDPR world, a fine that minuscule for a company of Facebook’s size will seem like a relic of a bygone age.
