Facebook Fined £500,000 For Cambridge Analytica Scandal: Example #1
Image caption: Facebook's chief executive has repeatedly declined to answer
questions from UK MPs about the scandal. Image copyright: Getty Images
Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge
Analytica data scandal.
The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place.
The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in
May.
The ICO said Facebook had given app developers access to people's data "without clear consent".
In July, the ICO notified the social network that it intended to issue the maximum fine.
Confirming the fine, it said in a statement: "Between 2007 and 2014, Facebook processed the personal
information of users unfairly by allowing application developers access to their information without
sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but
were simply 'friends' with people who had."
"Facebook also failed to keep the personal information secure because it failed to make suitable checks on
apps and developers using its platform."
"While we respectfully disagree with some of their findings, we have said before that we should have done
more to investigate claims about Cambridge Analytica and taken action in 2015," Facebook said in a statement.
Some of this data was shared with Cambridge Analytica, which used it to target political advertising in the US.
"Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure
those who continued to hold it had taken adequate and timely remedial action, including deletion," the ICO
said.
The ICO found that more than one million people in the UK had their data harvested by the personality quiz.
"A company of its size and expertise should have known better and it should have done better," said
Information Commissioner Elizabeth Denham.
The ICO is still investigating how data analytics is used for political purposes.
Ms Denham is due to give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select
Committee on 6 November.
Example #2
Wed 3 Oct 2018 17.12 EDT
The Irish Data Protection Commission regulates Facebook’s adherence to European data
standards. Photograph: Alamy Stock Photo
The Irish Data Protection Commission has opened a formal investigation into a data
breach that affected nearly 50m Facebook accounts, which could result in a fine of up to
$1.63bn.
“We have been in close contact with the Irish Data Protection Commission since we have
become aware of the security attack and will continue to cooperate with their
investigation,” said a Facebook spokeswoman.
Shortly after the Irish Data Protection Commission announced its investigation, the
Spanish Data Protection Agency announced it would collaborate on the investigation to
protect the rights of Spanish citizens.
The security breach is believed to be the largest in Facebook’s history and is particularly
egregious because the hackers stole “access tokens”, a digital security key that allows
users to stay logged into Facebook over multiple browsing sessions without having to
enter their password each time. When an attacker has this token they can take full
control of a victim’s account, including logging into third-party applications that use
Facebook Login.
The breach comes at a time when Facebook is under heavy scrutiny over issues including
foreign interference in elections, its role in spreading misinformation and hate
speech, and privacy.
Facebook announced the breach in a blogpost on Friday, saying it was taking the issue
“incredibly seriously”. Over the weekend the commission said it was “concerned that
this breach was discovered on Tuesday and affects millions of users”.
Facebook was “unable to clarify the nature of breach and risk” to users at that point, the
commission said, adding that it was pushing the company to “urgently clarify these
matters”.
Rowenna Fielding, a senior data protection lead at Protecture Limited, said: “Facebook
should have tested the ‘view as’ function with a ‘what could an attacker do with this’
mindset and they either didn’t, or didn’t care about the gaping hole.”
The investigation will focus on ‘Facebook’s compliance with its obligation under
(GDPR)’. Photograph: Alamy Stock Photo
Dr Lukasz Olejnik, an independent cybersecurity and privacy adviser, noted that this
was the first major GDPR investigation that would test whether Facebook followed its
rules around security of data processing.
“This high-stakes matter may become the defining moment of GDPR,” he said.
Other data security experts believe that Facebook will get off lightly.
“The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t
think Facebook is likely to be concerned about penalties they might levy,” said Fielding.
She said that the $1.63bn potential fine was “unlikely”, describing it as a “ceiling, not a
stipulation”.
“However, the precedent set by any regulatory finding of unlawful processing could be
very significant, especially in follow-on litigation by individual data subjects affected,”
she added.
Example #3:
Sean Keane
The Noyb group is run by Austrian data privacy activist Max Schrems, who
compared that choice to a "North Korean election process."
Noyb is asking regulators in France, Belgium, Hamburg and Austria to fine the
companies up to the maximum 4 percent of their annual revenue that the GDPR
rules allow, which could potentially add up to a $4.88 billion fine for Google
parent company Alphabet and $1.63 billion for each of Facebook, and its
Instagram and WhatsApp services. That's only if European regulators agree with
Noyb.eu and decide to fine the companies the full amount, though.
GDPR, short for General Data Protection Regulation, is designed to give citizens
of the European Union greater control over how their information is used online.
It kicked in Friday after a two-year transitional period, and its effect was
immediate. Europeans, for example, were blocked from several US news
outlets Friday as a result of the regulation.
Google has said it has taken key steps to ensure compliance ahead of the new
law.
"We build privacy and security into our products from the very earliest stages and
are committed to complying with the EU General Data Protection Regulation," a
Google spokesperson said in a statement, which also noted its blog post on
GDPR.
Facebook, which owns Instagram and WhatsApp, said the company has been
working to meet the requirements of GDPR.
"Over the last 18 months, we have taken steps to update our products, policies
and processes to provide users with meaningful data transparency and control
across all the services that we provide in the EU," Erin Egan, Facebook's chief
privacy officer, said in an emailed statement.
Example #4:
BA's 2018 breach saw hackers take off with customer info
Carly Page
08 July 2019
The ICO noted that its investigation found that the personal data
of approximately 500,000 BA customers was compromised in the
mega-breach, due to "poor security arrangements" at the company. This data
included names and addresses, log-in details, travel booking info and
payment card details - including the number, expiry date and three-digit
security code.
"That's why the law is clear - when you are entrusted with personal data you
must look after it.
"Those that don't will face scrutiny from my office to check they have taken
appropriate steps to protect fundamental privacy rights."
BA CEO and chairman Alex Cruz said the airline was "surprised and
disappointed" by the ICO's decision, sobbing: "British Airways responded quickly
to a criminal act to steal customers' data.
"We intend to take all appropriate steps to defend the airline's position
vigorously, including making any necessary appeals."