United Kingdom

[GB] Information Commissioner’s Office issues Notice of Intent to fine Facebook GBP500 000

IRIS 2018-8:1/29

Lorna Woods

School of Law, University of Essex

In 2017, the Information Commissioner’s Office (ICO) launched a formal investigation into the use of data analytics for political purposes, and the investigation is expected to continue until October 2018. On 11 July 2018, the ICO published a progress report as well as a second report, Democracy Disrupted: Personal information and political influence, which sets out a number of policy recommendations arising from the investigation so far. Of the actions detailed by the progress report, the most high-profile is the one against Facebook. The ICO issued a Notice of Intent to fine it GBP500 000, the maximum amount under section 55A of the Data Protection Act 1998 (DPA). It found serious breaches of the first (fairness) (DPP 1) and seventh (security) (DPP 7) data protection principles (DPP) in contravention of section 4(4) DPA.

The case concerned the access a researcher had to Facebook users’ data via an app that users could download. It potentially gave the researcher access to their friends’ data too. These users would not be aware of this, let alone have consented to the processing of their data. Facebook changed its policies in 2015 to allow access to a more restricted range of data, but the app developers were allowed to retain the data they had previously acquired. Although Facebook had platform policies regarding usage of data, it had taken no steps to ensure that the apps using Facebook data were doing so in accordance with its policy; there was no system in place according to which a review could take place. Furthermore, Facebook had taken no steps to verify that the data was being used in accordance with an undertaking given which limited use to academic, not commercial purposes.  

The ICO determined that Facebook Ireland as well as Facebook based in the United States of America were joint controllers of Facebook users’ personal data and that they processed that personal data in the context of a UK establishment, thus bringing them within jurisdiction based on Google Spain (see IRIS 2014-6/3) and a domestic appellate decision in which it was considered, CG v Facebook and McCloskey [2016] NICA 54. The breach of DPP 1 came about because of the access to friends’ data without their knowledge or consent; Facebook had not attempted to prevent this behaviour. It was not prohibited by the platform policy. By permitting this, Facebook’s processing was deemed unfair; no valid consent could be given under these circumstances. The fact that an individual could have adopted more stringent privacy settings did not render the processing fair, as Facebook did not provide information to suggest that this sort of processing could take place. Furthermore, Facebook had taken no steps to monitor the use of the app. The breach of DPP 7 arose because Facebook had taken no measures to prevent the collection of data by the app, and had not monitored access to data - indeed, it was unaware of what was going on until the story was reported in the press.

This is not yet a final decision; a decision will be made once the ICO has received a response from Facebook later in August 2018.