ICO sends clear signal with Facebook fine

07 August 2018

Recent months have seen some big fines dished out to technology companies by regulators in Europe. In July, the EU fined Google a record USD 5 billion for anti-trust practices, while Facebook faces a large fine for the misuse of some 87 million of its users’ data by consultants.

Facebook looks to have avoided a more material fine because the misuse of users’ data revealed in March occurred before the EU’s General Data Protection Regulation (GDPR) was enforced on 25 May. However, comments by the Information Commissioner’s Office (ICO) suggest it will be taking enforcement of the GDPR seriously.


Publishing its provisional findings into the misuse of personal data in political campaigns, the UK’s ICO sent the clearest message yet that it is not afraid to seek maximum penalties for serious breaches of data protection laws. Commissioner Elizabeth Denham said the misuse of Facebook user data was a “game changer” and that the fine “sends a clear signal” that the incident and Facebook’s failings were regarded as a significant issue.

The ICO said in its July report that it intends to fine Facebook GBP 500,000 for two breaches of the Data Protection Act 1998, the maximum penalty under the UK’s pre-GDPR legislation. The ICO concluded that Facebook contravened the law by failing to safeguard users’ information and that it failed to be transparent about how personal data was harvested by third parties.

As part of its wider investigation, the ICO is taking enforcement action against a number of data analytics firms and issued a Notice of Intent to take regulatory action against parenting website Emma’s Diary. The company faces a GBP 140,000 fine from the ICO after it was found to have shared data with a political party without users’ consent.


The ICO noted that the timings of these incidents meant that fines were calculated under the Data Protection Act 1998, not the GDPR (although it was able to use some new powers afforded by the GDPR during its investigation). The maximum financial penalty in civil cases under the 1998 law is GBP 500,000, but under the GDPR the ICO can impose a fine of up to EUR 20 million or 4% of global turnover, whichever is highest.

The ICO has since indicated that it may well have issued a larger fine against Facebook, had the breaches occurred after May 25, when the GDPR was implemented. A spokesperson told the media, had the incident been in breach of the GDPR, then the fine issued to Facebook would have been at the “upper end” of the scale. Based on Facebook’s 2017 global revenue, a 4% fine would amount to GBP 1.2 billion under the GDPR.

Some experts said the ICO’s intention to levy a maximum fine against Facebook demonstrates the regulator’s resolve to be tough on GDPR enforcement. They say that the ICO’s comments should be taken as a firm indication of its intent to exercise enforcement powers to the fullest extent of the law.

Subscribe to our  Latest Cyber Decoder newsletter


Facebook is facing a number of regulatory investigations around the world – the ICO says that it is helping overseas regulators and agencies in their investigations into Facebook. The US Federal Trade Commission and the EU are looking into the conduct of the US technology firm, as are data protection authorities in Australia and Canada. Facebook also faces legal action in the US and Australia. Class actions have been touted in both countries, as affected consumers and investors seek damages following the privacy breach.


It is still early days for the GDPR and regulators have yet to issue significant investigations or fines under the new EU law. However, comments in the media suggest that regulators have already experienced an uptick in notifications under the GDPR. The French data protection regulator reported a 50% increase in the number of complaints since May, while regulators in the UK, Ireland and the Czech Republic have also seen a rise in complaints and/or data breach reports.

Some jurisdictions are expected to be more active on consumer protection than others, in particular Germany, France, the UK and Spain. Germany’s privacy regulator has, for example, started an infringement procedure against Facebook in Ireland, its European headquarters, which could result in a maximum fine of EUR 300,000.

A court in Germany recently decided that attempts by US non-profit firm ICANN to obtain data from a third party were not permissible under the GDPR. The Dutch data protection regulator is reportedly investigating GDPR compliance among the country’s largest companies. A sample of 30 companies, across a range of sectors, is intended to check compliance with the GDPR, which requires companies to have certain procedures in place to protect personal data.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com.