‘It’s a warning shot’: Experts say ICO’s fine to Facebook signals seriousness of its GDPR enforcement
It may not know it yet, but Facebook is fast becoming the poster child for any business that hasn’t got its data privacy cards in order, experts believe.
The Information Commissioner’s Office came down hard on Facebook last week for its part in the Cambridge Analytica scandal. Or at least, it came down as hard as it could, pledging to fine the platform £500,000 ($661,000) — the maximum it could give under the older data protection law. The ICO has since conceded that the fine is not as hard-hitting as the one it would have given had the breaches occurred after May 25, when the General Data Protection Regulation was enforced.
“The incidents being investigated occurred under the Data Protection Act 1998 for which the maximum fine was £500,000,” said an ICO spokesperson. “After May 25, 2018, when the GDPR came into force, then the fine issued to Facebook would have been at the upper end of the scale.”
The maximum fine under GDPR is 4 percent of annual global turnover or €20 million [$23 million]. Facebook’s 2017 global revenue was $40 billion, meaning a 4 percent fine would amount to $1.6 billion.
“For anybody wondering whether GDPR would have more enforcement teeth than the damp squib ePrivacy Directive, the ICO’s comments on the Facebook/Cambridge Analytica case should leave them in no doubt,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “It’s very unusual for any enforcement agency to take such a definitive and public position, and I am sure that was deliberately intended as a serious warning. It illustrates exactly the kind of personal data abuse that GDPR was designed to prevent and the ICO’s comments should be taken as a firm indication of its intent to exercise their enforcement powers to the fullest extent of the law when necessary.”
So far, the ICO’s attention has been on data breaches that have had some kind of political ramification. The regulator has also announced its intention to fine Emma’s Diary, a website which offers pregnant women and new parents health advice, £140,000 ($185,000) for sharing more than a million people’s personal data with the Labour Party.
“This is about the bigger picture — not just Facebook but political parties,” said Alexander Egerton, partner at legal firm Seddons.
Others believe the ICO’s data protection fine to Facebook signals that the social platform’s general GDPR policy will come under significant scrutiny. It won’t be alone however — the likes of Amazon and Google will also be in the cross-hairs, according to Newby.
To some industry executives, the fine is indicative of how the ICO intends to police GDPR across the board. “It’s a warning shot,” said Dan Wilson, CEO of London Media Exchange. “It signals, we’re watching. Are you sure your consent is what you think it is, are you sure others are acting on the consent you think you’ve given them. Ad tech may be in for a shock.”
Publishers may be too, though. Data leakage has long been deemed an acceptable trade-off by publishers (kind of) for monetization of their sites. But under GDPR, not being able to control what third-party companies may be doing with a website’s data is suddenly a lot more problematic, because publishers can be on the hook for having allowed it to happen, even if they’re unaware that it has. Publishers are attuned to that, and to their accountability as data controllers under GDPR, but the ICO fine has brought that into sharper focus, some experts have said.
“Facebook is being punished because it allowed someone else [Dr Kogan] to do something they were not allowed to do,” said media analyst Thomas Baekdal. “If you translate that to publishers, it’s saying you’re responsible for what all the ad tech companies are doing, even if you tell them not to do it. If the ICO takes the same principle it’s giving Facebook and applies it to publishers and makes them responsible, that’s a big deal.”
Historically, the ICO has always stressed the fact that fines will be a last resort under GDPR, that its focus is more to ensure businesses are changing their behaviors for the better, rather than seeking to punish. “The ICO is not like a traffic warden [who work on commission],” added Egerton. “It doesn’t keep the fines, it regards them as last resorts. It’s more interested in improving behaviors. But the political pressures here are huge. They had to do something.”
But for some, the public intention to fine Facebook for its role in the Cambridge Analytica scandal is just the beginning. Many people in ad tech have interpreted the ICO’s earlier assertion that, when it comes to GDPR, it prefers the carrot to the stick as a reason not to worry too much about compliance.
“They [independent vendors] thought, well, we’re only likely to get a slap on the wrist [from the ICO] for that [any GDPR breach] as opposed to a big swinging fine,” added Wilson. “The fines for ad tech would never be as bad as they would be if there were to be a breach in the medical or credit card sectors, but this [ICO Facebook fine] has shown that ad tech is no longer deemed low risk.”