‘It’s a warning shot’: Experts say ICO’s fine to Facebook signals seriousness of its GDPR enforcement
It may not know it yet, but Facebook is fast becoming the poster child for any business that hasn’t got its data privacy cards in order, experts believe.
The Information Commissioner’s Office came down hard on Facebook last week for its part in the Cambridge Analytica scandal. Or at least, it came down as hard as it could, pledging to fine the platform £500,000 ($661,000), the maximum it could give under the older data protection law. The ICO has since conceded that the fine is not as hard-hitting as the one it would have given had the breaches occurred after May 25, when the General Data Protection Regulation came into force.
“The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000,” said an ICO spokesperson. “After May 25, 2018, when the GDPR came into force, then the fine issued to Facebook would have been at the upper end of the scale.”
The maximum fine for GDPR regulations is 4 percent of annual global turnover or €20 million [$23 million]. Facebook’s 2017 global revenue was $40 billion, meaning a 4 percent fine would amount to $1.6 billion.
“For anybody wondering whether GDPR would have more enforcement teeth than the damp squib ePrivacy Directive, the ICO’s comments on the Facebook/Cambridge Analytica case should leave them in no doubt,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “It’s very unusual for any enforcement agency to take such a definitive and public position, and I am sure that was deliberately intended as a serious warning. It illustrates exactly the kind of personal data abuse that GDPR was designed to prevent and the ICO’s comments should be taken as a firm indication of its intent to exercise their enforcement powers to the fullest extent of the law when necessary.”
So far, the ICO’s attention has been on data breaches that have had some kind of political ramification. The regulator has also announced its intention to fine Emma’s Diary, a website which offers pregnant women and new parents health advice, £140,000 ($185,000) for sharing more than a million people’s personal data with the Labour Party.
“This is about the bigger picture — not just Facebook but political parties,” said Alexander Egerton, partner at legal firm Seddons.
Others believe the ICO’s data protection fine to Facebook signals that the social platform’s general GDPR policy will come under significant scrutiny. It won’t be alone, however: the likes of Amazon and Google will also be in the crosshairs, according to Newby.
To some industry executives, the fine is indicative of how the ICO intends to police GDPR across the board. “It’s a warning shot,” said Dan Wilson, CEO of London Media Exchange. “It signals, we’re watching. Are you sure your consent is what you think it is, are you sure others are acting on the consent you think you’ve given them. Ad tech may be in for a shock.”
Publishers may be too, though. Data leakage has long been deemed an acceptable trade-off by publishers (kind of) for monetization of their sites. But under GDPR, not being able to control what third-party companies may be doing with a website’s data is suddenly a lot more problematic, because publishers can be on the hook for having allowed it to happen, even if they’re unaware that it has. Publishers are attuned to that, and to their accountability as data controllers under GDPR, but the ICO fine has brought it into sharper focus, some experts have said.
“Facebook is being punished because it allowed someone else [Dr Kogan] to do something they were not allowed to do,” said media analyst Thomas Baekdal. “If you translate that to publishers, it’s saying you’re responsible for what all the ad tech companies are doing, even if you tell them not to do it. If the ICO takes the same principle it’s giving Facebook and applies it to publishers and makes them responsible, that’s a big deal.”
Historically, the ICO has always stressed that fines will be a last resort under GDPR, and that its focus is on ensuring businesses change their behaviors for the better rather than on punishing them. “The ICO is not like a traffic warden [who work on commission],” added Egerton. “It doesn’t keep the fines, it regards them as last resorts. It’s more interested in improving behaviors. But the political pressures here are huge. They had to do something.”
But for some, the public intention to fine Facebook for its role in the Cambridge Analytica scandal is just the beginning. Many people in ad tech have interpreted the ICO’s earlier assertion that, when it comes to GDPR, it prefers the carrot to the stick as a reason not to worry too much about compliance.
“They [independent vendors] thought, well, we’re only likely to get a slap on the wrist [from the ICO] for that [any GDPR breach] as opposed to a big swinging fine,” added Wilson. “The fines for ad tech would never be as bad as they would be if there were to be a breach in the medical or credit card sectors, but this [ICO Facebook fine] has shown that ad tech is no longer deemed low risk.”