If you read the Information Commissioner’s report into why she imposed a £500,000 fine for data breaches on Facebook you might think the case only matters to political parties, or to those seeking to use personal data for political purposes. But it has much broader relevance than that, and a close reading of the Information Commissioner’s Office (ICO) findings makes this clear. Although the case was decided under the pre-GDPR regime, the ICO appears determined to adopt an aggressive attitude to data breaches, whatever the nature of the organisation responsible for contravening data laws. In the internet age the processing of digital data will be under particular scrutiny.


Technically the social media company hasn’t been fined yet. The Information Commissioner’s Office (ICO) has issued a so-called Notice of Intent (to fine). Facebook does have a chance to dispute the ICO’s findings. But given the extreme damage the scandal has already caused to its reputation we don’t see how it would wish to prolong the case by raising significant objections to the sanction.

The fine is for two breaches of the Data Protection Act 1998 (DPA).

  • Firstly the ICO has decided that Facebook broke the law by failing to safeguard individual personal information.
  • Secondly the company was not transparent about the way third parties were using Facebook user data.

We set out the background to the case when the alleged breaches first emerged in February 2018. In short, Cambridge Analytica, a political consulting firm, gained access to the data of millions of Facebook users. Ultimately the data appears to have been used as a basis for voter modelling in the run-up to the 2016 US presidential election. Astonishingly, it’s now estimated that the data breach involved 87 million users.


The Information Commissioner has her sights set on safeguarding individual data when it is used for political campaigns. And in the wake of the Facebook/Cambridge Analytica scandal it’s easy to see why. To many, the way political parties and consultants use information risks undermining the democratic process itself, because individual voters have no idea what’s going on behind the scenes. As the Information Commissioner said this week,

“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system”


It seems to us that, as cases like this continue to dominate headlines, there will be a greater willingness on the part of consumers to speak out when they believe their data has been mishandled. And the ICO will not hesitate to act. Although the £500,000 fine has been described as a ‘pittance’ to a company the size of Facebook, it is the maximum permitted under the DPA. As the Information Commissioner pointed out in a Radio 4 discussion following the publication of the Facebook findings, if she were deciding the case under GDPR the fine would likely have been in the ‘hundreds of millions’.

For our clients, small and medium-sized businesses that control and process personal data, it’s important to remember that, while the Facebook case concerned the political arena, the spotlight could just as easily be shone on a different sector. It’s no surprise that financial firms were this week put on notice by their regulator to be up-front with clients about what personal data they are collecting and how they use it. The new head of the Financial Conduct Authority warned the financial sector to guard against its own Cambridge Analytica moment.

The message is clear: GDPR compliance matters now more than ever.

At Big Data Law in London we specialise in GDPR and related data protection matters. We have a range of compliance packages available to suit all types and sizes of business. For more information please contact one of our solicitors on 0203 670 5540.

Shubha Nath