General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy
Italy Fines Facebook $1 Million Over Cambridge Analytica
Social Network Still Faces Reckoning With US Federal Trade CommissionItaly’s data protection regulator has slapped Facebook with a €1 million ($1.1 million) fine for mismanaging user data and precipitating the Cambridge Analytica debacle.
See Also: Using the Netskope HIPAA Mapping Guide
Because the data sharing occurred prior to the EU's General Data Protection Regulation going into full effect in May 2018, the Italian regulator on Friday said it imposed the fine using Italy’s former privacy code.
The €1 million fine is in addition to a €52,000 fine that the regulator, known as Garante Per La Protezione Dei Dati Personali, already levied against Facebook in March.
Data Vacuuming
Facebook is still facing a range of global inquiries by regulators as well as lawsuits over the scandal centering on Cambridge Analytica, which was a digital marketer that focused in part on political campaigns.
Cambridge Analytica received Facebook profile information for 87 million people in the U.S. from a Cambridge University lecturer, Aleksandr Kogan. Around 2013, Kogan launched a personality quiz app called This Is Your Digital Life on Facebook.
The app collected profile information for those who used it but also the profile data for those users’ friends without their consent. Facebook allowed that kind of data collection at the time, but the social networking site later changed its rules to forbid it.
Kogan later gave that data to Cambridge Analytica, where the company reportedly used it to develop psychographic profiles that could be used for political advertising. Cambridge Analytica, which filed for U.S. bankruptcy in May 2018 and worked for a few months for President Donald Trump’s campaign, denied the data was useful (see Probes Begin as Facebook Slammed by Data Leak Blowback).
The Italian regulator found that Facebook users within the country didn’t have their data transferred to Cambridge Analytica, which Facebook has emphasized in a statement responding to the new fine.
But Italy says 57 people in the country used This Is Your Digital Life. As a result, personal data for them and some of their Facebook friends - totaling 214 Italian users - would have been illegally transferred without those users’ proper consent.
Italy says it has the power to levy an additional fine based on other factors, such as the economic conditions of Facebook and “the number of global and Italian users” of the platform.
Facebook says “we have said before that we wish we had done more to investigate claims about Cambridge Analytica in 2015.” The company also reiterated Italy’s findings that no Italian users' data ended up with Cambridge Analytica.
“We made major changes to our platform back then and have also significantly restricted the information which app developers can access,” the company says. “We're focused on protecting people's privacy and have invested in people, technology and partnerships, including hiring more than 20,000 people focused on safety and security over the last year.”
Privacy Probes Continue
Italy’s higher fines add to a growing list of penalties Facebook has absorbed as the result of the Cambridge Analytica debacle.
The U.K.’s Information Commissioner’s Office imposed the maximum possible fine of £500,000 ($635,000) on Facebook in October 2018. The ICO cited Facebook for a "serious contravention" of the U.K.'s data protection principles (see Facebook Slammed With Maximum UK Privacy Fine).
In April, meanwhile, the Canadian privacy commissioner's Cambridge Analytica investigation found that Facebook violated the country's privacy laws. But Canada’s privacy commissioner has no power to levy fines.
Instead, the privacy commissioner presented Facebook with a series of recommendations to improve how it handles and protects user data. But the commissioner alleges that since then, Facebook has refused to make any of the suggested changes. As a result, the commissioner plans to take Facebook to federal court (see Canada Says Facebook Violated Privacy Laws).
FTC Fine Looms
The biggest potential dark cloud still facing Facebook, however, involves the U.S. Federal Trade Commission. Facebook set aside $3 billion from its first quarter earnings this year in anticipation of an FTC fine that could range from $3 billion to $5 billion (see Facebook Takes $3 Billion Hit, Anticipating FTC Fine).
The hangover from Cambridge Analytica comes as Facebook last month announced that it plans to introduce a new, virtual currency called Libra next year. Facebook says it doesn’t plan to use Libra transactions for targeted advertising purposes. But the company’s planned move into finance is already raising privacy concerns and seems set to put the social network on a fresh intercept course with regulators (see Facebook's Libra Cryptocurrency Prompts Privacy Backlash).