‘It’s a warning shot’: Experts say ICO’s fine to Facebook signals seriousness of its GDPR enforcement
It may not know it yet, but Facebook is fast becoming the poster child for any business that hasn’t got its data privacy cards in order, experts believe.
The Information Commissioner’s Office came down hard on Facebook last week for its part in the Cambridge Analytica scandal. Or at least, it came down as hard as it could, pledging to fine the platform £500,000 ($661,000) — the maximum it could give under the older data protection law. The ICO has since conceded that the fine is not as hard-hitting as it would have given, had the breaches occurred after May 25, when the General Data Protection Regulation was enforced.
“The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000,” said an ICO spokesperson. “After May 25, 2018, when the GDPR came into force, then the fine issued to Facebook would have been at the upper end of the scale.”
The maximum fine for GDPR regulations is 4 percent of annual global turnover or €20 million [$23 million]. Facebook’s 2017 global revenue was $40 billion, meaning a 4 percent fine would amount to $1.6 billion.
“For anybody wondering whether GDPR would have more enforcement teeth than the damp squib ePrivacy Directive, the ICO’s comments on the Facebook/Cambridge Analytica case should leave them in no doubt,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “It’s very unusual for any enforcement agency to take such a definitive and public position, and I am sure that was deliberately intended as a serious warning. It illustrates exactly the kind of personal data abuse that GDPR was designed to prevent and the ICO’s comments should be taken as a firm indication of its intent to exercise their enforcement powers to the fullest extent of the law when necessary.”
So far, the ICO’s attention has been on data breaches that have had some kind of political ramification. The regulator has also announced its intention to fine Emma’s Diary, a website which offers pregnant women and new parents health advice, £140,000 ($185,000) for sharing more than a million people’s personal data with the Labour Party.
“This is about the bigger picture — not just Facebook but political parties,” said Alexander Egerton, partner at legal firm Seddons.
Others believe the ICO’s data protection fine to Facebook signals that the social platform’s general GDPR policy will come under significant scrutiny. It won’t be alone however — the likes of Amazon and Google will also be in the cross-hairs, according to Newby.
To some industry executives, the fine is indicative of how the ICO intends to police GDPR across the board. “It’s a warning shot,” said Dan Wilson, CEO of London Media Exchange. “It signals, we’re watching. Are you sure your consent is what you think it is, are you sure others are acting on the consent you think you’ve given them. Ad tech may be in for a shock.”
Publishers may be too though. Data leakage has long been deemed an acceptable trade off by publishers (kind of) for monetization of their sites. But under GDPR, not being able to control what third party companies may be doing with a website’s data, is suddenly a lot more problematic because publishers can be on the hook for having allowed it to happen, even if they’re unaware it has been. Publishers are attuned to that, and their accountability as data controllers under GDPR, but the ICO fine has brought that into sharper focus, some experts have said.
“Facebook is being punished because it allowed someone else [Dr Kogen] to do something they were not allowed to do,” said media analyst Thomas Baekdal. If you translate that to publishers, it’s saying you’re responsible for what all the ad tech companies are doing, even if you tell them not to do it. If the ICO takes the same principle it’s giving Facebook and applies it to publishers and makes them responsible, that’s a big deal.”
Historically, the ICO has always stressed the fact that fines will be a last resort under GDPR, that its focus is more to ensure businesses are changing their behaviors for the better, rather than seeking to punish. “The ICO is not like a traffic warden [who work on commission],” added Egerton. “It doesn’t keep the fines, it regards them as last resorts. It’s more interested in improving behaviors. But the political pressures here are huge. They had to do something.”
But for some, the public intention to fine Facebook for its role in the Cambridge Analytica scandal is just the beginning. There are many people in ad tech that have interpreted the ICO’s former assertion that when it comes to GDPR it prefers the carrot to the stick approach, as a reason to not over worry about compliance.
“They [independent vendors] thought, well, we’re only likely to get a slap on the wrist [from the ICO] for that [any GDPR breach] as opposed to a big swinging fine,” added Wilson. “The fines for ad tech would never be as bad as they would be if there were to be a breach in the medical or credit card sectors, but this [ICO Facebook fine] has shown that ad tech is no longer deemed low risk.”
Download our complete guide to GDPR.
How Verizon’s self-imposed data privacy limits contributed to the demise of its media ambitions
Digital ad industry execs say regulatory pressures and internal restrictions on data sharing contributed to Verizon's decision to unload its media and ad tech properties.
‘My intuition was to hide my experience to protect my image’: Rise of miscarriage leave prompts debate around pregnancy discrimination
Women want to see the back of stigma around being open and honest in the workplace about the physical and psychological trauma caused by miscarriages.
Member ExclusiveMedia Briefing: How media leaders are trying to combat burnout beyond the newsroom
Media leaders are trying to combat burnout as it spreads through their companies — from the newsroom to the business team. Journalism students are feeling it too.
SponsoredHow The Company Store is reimagining customer experiences for pandemic-era growth
Throughout the pandemic, some retail categories have been inherently successful. Home furnishings and décor are among them; with consumers spending so much more time at home, updates and renovations flourished. Criteo data from the first half of 2020 showed sales for items like outdoor furniture sets up 434% year over year, with other home items […]
‘This isn’t the year to take baby steps’: PHD U.S. CEO Catherine Sullivan discusses media spending heading into 2H 2021
Sullivan is focused on agency transformation, video's shifts and wants multicultural planning and buying to go mainstream.
‘Pet anxiety is real’: More employers willing to allow pandemic-pets when staff return to the office
Pet adoption became a go-to coping mechanism during the pandemic. Now more employers are allowing staff to bring their pets to work once offices return, in recognition of their benefit to mental health and to stave off separation anxiety.