Facebook will pay a £500,000 fine following an investigation into the use of personal data in political campaigns, the Information Commissioner’s Office (ICO) says.
The social media giant made no admission of liability but agreed to pay the fine, which was originally imposed in October 2018.
The ICO last year said it would fine Facebook over breaches including the Cambridge Analytica scandal in which user data was harvested from tens of millions of people, including at least one million British users.
Facebook initially appealed the fine and a court ordered the ICO to disclose files about its decision-making process in order to examine potential bias against the social media company.
The ICO appealed against this decision, but both parties have since dropped their appeals.
Despite the fine, the investigation is ongoing.
James Dipple-Johnstone, deputy commissioner for the ICO, said: “The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm.
“Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy.
“We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection.”
A spokesperson for Facebook said they wished the company had “done more” to investigate claims about Cambridge Analytica in 2015.
Harry Kinmonth, director and associate general counsel of Facebook, said: “We made major changes to our platform back then, significantly restricting the information which app developers could access.”
He added that the ICO had not given any evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by an American data scientist named Dr Aleksandr Kogan.
The ICO alleges that Dr Kogan created a third party app known as “thisisyourdigitallife” which was available on Facebook’s platform.
It says the app required users to log in with their Facebook details, requesting permission to access data including the user’s name, date of birth, friends lists, current city, posts on their news feed, email addresses and Facebook messages.
The information was then used to generate “personality profiles” for users, according to the ICO.
The data was allegedly shared with a number of companies, including SCL Elections Limited, which controls Cambridge Analytica.
The commissioner said there was evidence suggesting the app had access to messages sent by some users who had not given their permission, but had been exchanging Facebook messages with other people using the “thisisyourdigitallife” app – and therefore could not consent to the use of data.
It also said that where the app collected data about the Facebook friends of the app’s users, those friends were not informed about the use of their data.
Although Facebook made changes to its platform in 2014 which reduced the ability of apps to access data from users, the ICO alleges that some app developers including Dr Kogan were still able to retain information that they had previously collected.
The app was used by some 300,000 Facebook users worldwide, but because it also had access to the data of the Facebook friends of its users, the total number of people whose data was accessed is estimated by Facebook to be up to 87 million.
The ICO says Facebook “unfairly processed” the data of users and said at least some of the information is likely to have been used for the purposes of political campaigning.
Cambridge Analytica, which has since shut down, used data from millions of Facebook accounts to help Donald Trump’s 2016 presidential election campaign.
The £500,000 penalty is the maximum that can be given under the Data Protection Act 1998.
Facebook will now continue its own internal investigations into the Cambridge Analytica scandal.