The ICO concluded that Facebook failed to adequately protect user data, leading to the improper exposure and use of a large trove of consumer information by app developers.
Facebook emphasized that it has “made major changes” to the site in the wake of the Cambridge Analytica scandal and that it has “significantly” restricted the information which app developers can access. Facebook noted that the ICO did not find that the data had actually been transferred to Cambridge Analytica, a political consulting firm.
“We are pleased to hear that Facebook has taken, and will continue to take significant steps to comply with the fundamental principles of data protection,” said James Dipple-Johnstone, the ICO’s Deputy Commissioner. “With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case."
The ICO said in a statement that Facebook “made no admission of liability.”
Settling with regulators
The ICO hit Facebook with a smaller fine in July of 2018, but Facebook appealed the ruling on the grounds that the agency should be required to share the documents that led to its decision. The ICO appealed Facebook’s appeal a few months later. A year later, a new settlement has been agreed upon.
Several months ago, Facebook agreed to pay a $5 billion fine to the Federal Trade Commission over its handling of user data. The fine levied this week by the ICO is the maximum possible penalty allowed under the UK data protection law.
Facebook's Director and Associate General Counsel Harry Kinmonth said in a statement that the company is “pleased to have reached a settlement with the ICO.”