‘It’s a warning shot’: Experts say ICO’s fine to Facebook signals seriousness of its GDPR enforcement
It may not know it yet, but Facebook is fast becoming the poster child for any business that hasn’t got its data privacy cards in order, experts believe.
The Information Commissioner’s Office came down hard on Facebook last week for its part in the Cambridge Analytica scandal. Or at least, it came down as hard as it could, pledging to fine the platform £500,000 ($661,000) — the maximum it could give under the older data protection law. The ICO has since conceded that the fine is not as hard-hitting as it would have given, had the breaches occurred after May 25, when the General Data Protection Regulation was enforced.
“The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000,” said an ICO spokesperson. “After May 25, 2018, when the GDPR came into force, then the fine issued to Facebook would have been at the upper end of the scale.”
The maximum fine for GDPR regulations is 4 percent of annual global turnover or €20 million [$23 million]. Facebook’s 2017 global revenue was $40 billion, meaning a 4 percent fine would amount to $1.6 billion.
“For anybody wondering whether GDPR would have more enforcement teeth than the damp squib ePrivacy Directive, the ICO’s comments on the Facebook/Cambridge Analytica case should leave them in no doubt,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “It’s very unusual for any enforcement agency to take such a definitive and public position, and I am sure that was deliberately intended as a serious warning. It illustrates exactly the kind of personal data abuse that GDPR was designed to prevent and the ICO’s comments should be taken as a firm indication of its intent to exercise their enforcement powers to the fullest extent of the law when necessary.”
So far, the ICO’s attention has been on data breaches that have had some kind of political ramification. The regulator has also announced its intention to fine Emma’s Diary, a website which offers pregnant women and new parents health advice, £140,000 ($185,000) for sharing more than a million people’s personal data with the Labour Party.
“This is about the bigger picture — not just Facebook but political parties,” said Alexander Egerton, partner at legal firm Seddons.
Others believe the ICO’s data protection fine to Facebook signals that the social platform’s general GDPR policy will come under significant scrutiny. It won’t be alone however — the likes of Amazon and Google will also be in the cross-hairs, according to Newby.
To some industry executives, the fine is indicative of how the ICO intends to police GDPR across the board. “It’s a warning shot,” said Dan Wilson, CEO of London Media Exchange. “It signals, we’re watching. Are you sure your consent is what you think it is, are you sure others are acting on the consent you think you’ve given them. Ad tech may be in for a shock.”
Publishers may be too though. Data leakage has long been deemed an acceptable trade off by publishers (kind of) for monetization of their sites. But under GDPR, not being able to control what third party companies may be doing with a website’s data, is suddenly a lot more problematic because publishers can be on the hook for having allowed it to happen, even if they’re unaware it has been. Publishers are attuned to that, and their accountability as data controllers under GDPR, but the ICO fine has brought that into sharper focus, some experts have said.
“Facebook is being punished because it allowed someone else [Dr Kogen] to do something they were not allowed to do,” said media analyst Thomas Baekdal. If you translate that to publishers, it’s saying you’re responsible for what all the ad tech companies are doing, even if you tell them not to do it. If the ICO takes the same principle it’s giving Facebook and applies it to publishers and makes them responsible, that’s a big deal.”
Historically, the ICO has always stressed the fact that fines will be a last resort under GDPR, that its focus is more to ensure businesses are changing their behaviors for the better, rather than seeking to punish. “The ICO is not like a traffic warden [who work on commission],” added Egerton. “It doesn’t keep the fines, it regards them as last resorts. It’s more interested in improving behaviors. But the political pressures here are huge. They had to do something.”
But for some, the public intention to fine Facebook for its role in the Cambridge Analytica scandal is just the beginning. There are many people in ad tech that have interpreted the ICO’s former assertion that when it comes to GDPR it prefers the carrot to the stick approach, as a reason to not over worry about compliance.
“They [independent vendors] thought, well, we’re only likely to get a slap on the wrist [from the ICO] for that [any GDPR breach] as opposed to a big swinging fine,” added Wilson. “The fines for ad tech would never be as bad as they would be if there were to be a breach in the medical or credit card sectors, but this [ICO Facebook fine] has shown that ad tech is no longer deemed low risk.”
Download our complete guide to GDPR.
Member ExclusiveCase Study: How The Week successfully created a children’s media property amid the pandemic
The Week created and grew a children's publication in the unprecedented pandemic year to keep young audiences engaged.
Bloomberg Media is testing paid tiers for virtual events
Bloomberg is testing a virtual events model where attendees could pay different amounts to attend with a slew of tracks.
‘They won’t enable our identifier’: Identity tech providers try to make sense of Google’s plan not to support alternate identifiers
Some identifiers just won’t work in some Google inventory, but identity tech providers are keeping a stiff upper lip.
SponsoredPeople-based identifiers are driving personalized customer experiences
Marketing teams are now well into 2021, and third-party cookies along with mobile ad IDs are officially on notice, which has implications for all marketers. Soon, cookie- and device-based targeting, frequency capping, measurement and attribution will break. Evolving privacy regulations and policy changes from browsers and device makers have sparked many proposed solutions to replace […]
PopSugar Fitness expands health and wellness coverage after success with at-home workout videos
PopSugar hired Jennifer Fields as deputy editor of fitness to broaden fitness content to include mental health and wellness.
‘It moved quicker than we planned’: iProspect’s global president Amanda Morrissey on the restructure with Vizeum
iProspect's global president Amanda Morrissey expects to complete Denstu-owned performance agency's restructure with Vizeum by the end of March.