Post GDPR, Facebook’s Cambridge Analytica fine could have been up to £1.4bn

Under new data protection regulations, offending companies can be forced to hand over up to 4 per cent of their global turnover.

It was revealed earlier today that Facebook will be fined £500,000 for its part in the Cambridge Analytica scandal, in which Facebook user data was secretly harvested for political purposes in 2016. The Information Commissioner’s Office (ICO), the independent public body that upholds information rights and ultimately hands out fines and penalties, announced that it intended to fine the social media company for two violations of the Data Protection Act of 1998: the first, for failing to safeguard its users’ data and the second, for failing to inform its users that their data was being harvested.  

The obvious response to, and problem with, this announcement (beyond the, uh, tens of millions of data violations) is that £500,000 represents mere pennies for Facebook. The social media giant made roughly $92,000 a minute (£69,000) in the first quarter of 2018, meaning it could have paid off the fine in less than ten minutes. However, under the Data Protection Act of 1998 against which these violations were assessed, this is the maximum penalty that can be levied. Even if Facebook had committed greater violations, there would be no way to fine it more.

Under the General Data Protection Regulation (GDPR), though, it could have been a different story. When the new data protection regulation came into play on 25 May 2018, it created a new upper boundary for fines, increasing the maximum fine from £500,000 to €20m (£17m), or 4 per cent of the offending company’s annual global turnover – whichever is higher. For Facebook, the maximum fine would then have become £1.4bn. 

Whether Facebook would have had to pay the maximum penalty, though, is another question. The GDPR as it stands is relatively vague. It says data breach fines could be “at a lower level” than that maximum, without specifying exactly how much lower. In a case like Facebook’s, where the breaches affect millions of people’s data but are ultimately not the most brutally harmful misuse on record, it’s up in the air whether it would have had to pay anywhere near the maximum penalty (in the Cambridge Analytica scandal, Facebook data was used for political targeting without the knowledge or approval of those users). Ultimately, the size of the fine would be at the discretion of the ICO, based on its judgement of the severity of the violation. However, the new rules could potentially be enough to motivate Facebook and similar companies handling large amounts of data to be more careful.

“Previous data protection fines were a drop in the ocean for tech giants like Facebook, and the new maximum fines under the GDPR may potentially be a deterrent for further data breaches,” says Kavya Kaushik, a product manager with SAGE Ocean, an initiative from SAGE Publishing to equip social scientists to work with big data and new technology.

“This does not however solve the issue of technologists navigating big data without considering data ethics. Political campaigns from Obama to the Labour Party have effectively used big data and ‘quizzes’ to learn about voter behaviour.”

Kaushik is referring to the Obama campaign’s use of social media user data to target voters, and the similar tactics used by the Labour Party. In these cases, data was harvested in accordance with the laws at the time. This practice will also be more difficult under GDPR, where users will have to actively choose to have their data given to third parties. 

“As campaigns continue to use big data in elections, there is a role for social scientists to collaborate within this process to apply data ethics and ultimately shape the future of society for the better,” adds Kaushik. 

Regardless of new regulations, Facebook’s fine will likely remain as it stands (and legally, it couldn’t be any higher). But to call it, as many have, a slap on the wrist would be generous. Even judged against the law as it stood before the GDPR, the fine looks pathetically small, but in the post-GDPR world, a fine that minuscule for a company of Facebook's size will seem like a relic of a bygone age.

Sarah Manavis is the New Statesman's tech and digital culture writer.