‘It’s a warning shot’: Experts say ICO’s fine to Facebook signals seriousness of its GDPR enforcement
It may not know it yet, but Facebook is fast becoming the poster child for any business that hasn’t got its data privacy cards in order, experts believe.
The Information Commissioner’s Office came down hard on Facebook last week for its part in the Cambridge Analytica scandal. Or at least, it came down as hard as it could, pledging to fine the platform £500,000 ($661,000) — the maximum it could give under the older data protection law. The ICO has since conceded that the fine is not as hard-hitting as the one it would have given had the breaches occurred after May 25, when the General Data Protection Regulation came into force.
“The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000,” said an ICO spokesperson. “After May 25, 2018, when the GDPR came into force, then the fine issued to Facebook would have been at the upper end of the scale.”
The maximum fine under GDPR is 4 percent of annual global turnover or €20 million [$23 million]. Facebook’s 2017 global revenue was $40 billion, meaning a 4 percent fine would amount to $1.6 billion.
“For anybody wondering whether GDPR would have more enforcement teeth than the damp squib ePrivacy Directive, the ICO’s comments on the Facebook/Cambridge Analytica case should leave them in no doubt,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “It’s very unusual for any enforcement agency to take such a definitive and public position, and I am sure that was deliberately intended as a serious warning. It illustrates exactly the kind of personal data abuse that GDPR was designed to prevent and the ICO’s comments should be taken as a firm indication of its intent to exercise their enforcement powers to the fullest extent of the law when necessary.”
So far, the ICO’s attention has been on data breaches that have had some kind of political ramification. The regulator has also announced its intention to fine Emma’s Diary, a website which offers pregnant women and new parents health advice, £140,000 ($185,000) for sharing more than a million people’s personal data with the Labour Party.
“This is about the bigger picture — not just Facebook but political parties,” said Alexander Egerton, partner at legal firm Seddons.
Others believe the ICO’s data protection fine to Facebook signals that the social platform’s general GDPR policy will come under significant scrutiny. It won’t be alone however — the likes of Amazon and Google will also be in the cross-hairs, according to Newby.
To some industry executives, the fine is indicative of how the ICO intends to police GDPR across the board. “It’s a warning shot,” said Dan Wilson, CEO of London Media Exchange. “It signals, we’re watching. Are you sure your consent is what you think it is, are you sure others are acting on the consent you think you’ve given them. Ad tech may be in for a shock.”
Publishers may be too, though. Data leakage has long been deemed an acceptable trade-off by publishers (kind of) for monetization of their sites. But under GDPR, not being able to control what third-party companies may be doing with a website’s data is suddenly a lot more problematic, because publishers can be on the hook for having allowed it to happen, even if they’re unaware that it has. Publishers are attuned to that, and to their accountability as data controllers under GDPR, but the ICO fine has brought that into sharper focus, some experts have said.
“Facebook is being punished because it allowed someone else [Dr Kogan] to do something they were not allowed to do,” said media analyst Thomas Baekdal. “If you translate that to publishers, it’s saying you’re responsible for what all the ad tech companies are doing, even if you tell them not to do it. If the ICO takes the same principle it’s giving Facebook and applies it to publishers and makes them responsible, that’s a big deal.”
Historically, the ICO has always stressed the fact that fines will be a last resort under GDPR, that its focus is more to ensure businesses are changing their behaviors for the better, rather than seeking to punish. “The ICO is not like a traffic warden [who work on commission],” added Egerton. “It doesn’t keep the fines, it regards them as last resorts. It’s more interested in improving behaviors. But the political pressures here are huge. They had to do something.”
But for some, the public intention to fine Facebook for its role in the Cambridge Analytica scandal is just the beginning. Many people in ad tech have interpreted the ICO’s former assertion that, when it comes to GDPR, it prefers the carrot to the stick as a reason not to worry too much about compliance.
“They [independent vendors] thought, well, we’re only likely to get a slap on the wrist [from the ICO] for that [any GDPR breach] as opposed to a big swinging fine,” added Wilson. “The fines for ad tech would never be as bad as they would be if there were to be a breach in the medical or credit card sectors, but this [ICO Facebook fine] has shown that ad tech is no longer deemed low risk.”