Privacy & Information Security Law Blog

On October 30, 2019, Facebook reached a settlement with the UK Information Commissioner’s Office (“ICO”) under which it agreed to pay (without admission of liability) the £500,000 fine imposed by the ICO in 2018 in relation to the processing and sharing of its users’ personal data with Cambridge Analytica.

The ICO issued its Monetary Penalty Notice (“MPN”) against Facebook on October 24, 2018, following an investigation into the use of data analytics in political campaigns. The ICO determined that personal data of up to 87 million of Facebook’s global users had been collected by the “This Is Your Digital Life” application, deployed on the Facebook platform, and shared with several third parties, including SCL Elections Limited (the parent company of Cambridge Analytica). The fine of £500,000 was the maximum available under the Data Protection Act 1998.

Facebook appealed the fine to the First-tier Tribunal (General Regulatory Chamber) (the “Tribunal”) in the UK in November 2018, alleging “bias, pre-determination and procedural irregularity. ” In June 2019, at a preliminary hearing, the Tribunal ruled that under the circumstances it would consider Facebook’s allegations of procedural unfairness as part of the appeal itself, rather than following the usual course of conducting an appeal by way of re-hearing as a means to cure any alleged procedural irregularity. The Tribunal described “the alleged bias and pre-determination pleaded by counsel in this case…(as falling) into the most serious of categories.” According to the ICO, the Tribunal also required the ICO to disclose materials relating to its decision-making process concerning the MPN. The ICO appealed the Tribunal’s preliminary ruling.

Under the settlement, both parties have agreed to withdraw their respective appeals. Despite agreeing to pay the fine (which will be paid into the UK Treasury’s consolidated fund), Facebook made no admission of liability with regard to the MPN. In a statement issued following the settlement, Facebook said: “We are pleased to have reached a settlement with the ICO. As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then, significantly restricting the information which app developers could access…The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr. Kogan. However, we look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”

The ICO stated: “Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy. We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”