UK privacy watchdog to fine Facebook 18 mins of profit (£500,000) for Cambridge Analytica

Facebook faces a £500,000 ($665,000) fine from the UK’s data protection watchdog, the ICO, for failing to protect netizens' info or to tell them how their data would be harvested by apps. The looming penalty relates to the social media giant's role in the Cambridge Analytica data-harvesting scandal – in which the personal …

  1. Anonymous Coward

    Conclusions?

    Just like the ODPC Yahoo breach result, the ICO took action... They wrote a Report! Anyone who isn't terrified by the direction we're heading, just isn't paying attention. Facebook will stomach GDPR fines fine too.

    Why? Zuckerberg's emotions betrayed his test-of-money to US/EU lawmakers. He has no intention of stopping the slurp road-show. Families using the Facebook-Stasi should be seriously worried. It feels like parents are condemning their kids to some god awful Stasi-like future... An unholy alliance of corporate and state surveillance or interference...

    All for what? Some convenience and cheap tech today. It's a dangerous tradeoff. Be prepared for your kids to ask one day: 'how did we get here Daddy'? Especially when AI makes ruthless decisions about medical procedures or drugs your family needs but can't get. Or a job your kid really wants, but is unfairly denied. Want a nice home? You've been auto-rejected! If you're on the bread line, expect more miscarriages of justice, once that's automated too. But don't take an AC's word for it:

    https://www.bbc.co.uk/news/business-44702483

    https://www.bbc.co.uk/news/technology-44642569

    https://www.bbc.co.uk/news/business-44466213

    1. steviebuk Silver badge

      Re: Conclusions?

      There might be a valid argument for the data slurp but what I don't understand is when people call Facebook a Stasi. It's people's choice to use it. It's a free service. How else do people think they will make their money from the free service? It costs a lot of money to run and maintain all those servers.

      I'm not defending Facebook, people have a right to be angry with them but it's still a free service and people choose to use it or not. I choose not to use it. Simple as that really.

      "But some sites require it to sign up to stuff". Well then just use a dummy account, it's what I do. So when I say I don't use it, that was a lie, I use it just for signing into some sites that have no other option but to use Facebook.

      1. Sir Runcible Spoon Silver badge
        Paris Hilton

        Re: Conclusions?

        "It's people's choice to use it. It's a free service"

        Did you not hear about it creating profiles for people who have never had an account?

        1. bombastic bob Silver badge
          Devil

          Re: Conclusions?

          "creating profiles for people who have never had an account?"

          How can I *poison* their data... ?

          1. Anonymous Coward

            Re: Conclusions?

            "How can I *poison* their data... ?"

            Ask everyone you know who has a Faecebook account to amend their info on you in some way, such as adding a spurious letter to your contact email and a dummy number for your mobile # etc.

            Not sure what else you can do to be honest.

            This is when being a billy no-mates comes in handy, even my Mum only has my work mobile number (which gets recycled regularly).

      2. Anonymous Coward

        Re: Conclusions?

        "But some sites require it to sign up to stuff"

        Use a different site? I want nothing to do with Facebook or Facebook Logins which are just as bad for tracking you online.

        Anyone using them doesn't get my visit.

        1. This post has been deleted by its author

      3. Mike Richards Silver badge

        Re: Conclusions?

        With Facebook there are also all the 'shadow accounts' of people who haven't actively signed up with the service, but about which Facebook knows a lot from them being included in users' messages and photographs. Their personal data is at risk, but they don't have any way of deleting it from Facebook - because they don't have an account.

        How these accounts can possibly be GDPR compliant is something of a mystery to me.

        1. TkH11

          Re: Conclusions?

          What is particularly worrying about the shadow accounts, is that firstly people didn't consent to Facebook collecting their data on them, and data subjects have no way to request that Facebook cease processing and storing the data.

          These are both in themselves breaches of the GDPR regulation.

          1. Anonymous Coward

            'people didn't consent to Facebook collecting their data on them'

            To add to that and the point about 'don't understand when people call Facebook a Stasi'. See this ruling today. The data was sold to Experian. So, will this info make it to Facebook ultimately? Seems likely as Experian / Facebook are data partners. More unintended consequences of data sharing.

            ~~~~~~~~~~

            "Emma's Diary faces fine for selling new mums' data to Labour - BBC News - A company that offers pregnant women and new parents health advice and gifts, faces a fine for illegally sharing more than a million people's personal data with the Labour Party. It said Lifecycle Marketing had sold the data for use in the 2017 general election campaign without disclosing it might do so. - The ICO said that on 5 May 2017, Lifecycle Marketing has supplied 1,065,200 records to the data broker Experian Marketing Services for use by Labour. - Each record included: the name of the parent who had joined Emma's Diary; their home address; whether children up to the age of five were present; the birth dates of the mother and children - Emma's Diary is promoted by the Royal College of General Practitioners among others, and its information packs are distributed by many GPs and midwives. - It added that there may also have been a breach of the European Convention on Human Rights."

            ~~~~~~~~~~

            https://www.bbc.co.uk/news/technology-44794635

            ~~~~~~~~~~

      4. phuzz Silver badge

        Re: Conclusions?

        Just because you've never opened a Facebook account, doesn't mean they don't know anything about you.

        They probably know your contact details from slurping the contacts from one of your friends or family. They might well have a picture of you, again, helpfully tagged by one of your friends.

        They might even have an idea of which websites you visit, based on tracking cookies, if you ever clicked on a link to their site that a friend sent you. They can then cross reference that with the information from the wide number of other sites that have Facebook cookies.

        That's just the stuff I can think of off the top of my head. I have never signed up to Facebook, but I'm sure they know something about me.

        1. VinceH Silver badge

          Re: Conclusions?

          "Just because you've never opened a Facebook account, doesn't mean they don't know anything about you."

          Is that the new "Just because you're paranoid, it doesn't mean they're not out to get you" ?

          "I have never signed up to Facebook, but I'm sure they know something about me"

          Quite. And as I've mentioned before, since signing up to Facebook again (long after "deleting" the old account) - and this time with a different address etc - it's interesting to see what shows up in my profile that hasn't been (directly) provided to them by me.

          In particular, I'm looking at the 'advertising settings' which shows something from my phone, even though the Facebook application has never been anywhere near it - and here we see something very wrong. (I suspect Facebook may have randomly added these because of a lack of real data - but their wording says otherwise!)

      5. Anonymous Coward

        'Don't understand when people call Facebook a Stasi. It's people's choice to use it. It's a free service'

        You're not looking at things from Zuk's perspective. Many of these sources only came to light after the CA-Palantir scandal. We may never have learned about them otherwise. What else is Facebook hoovering up? Right now Zuk is getting data from:

        1. Firms uploading their CRM databases as part of advertising on Facebook. Your insurer, your bank, your telco. Quality data!

        2. Data Brokers trading bank and credit-card and utility financial datasets (Experian). Some bad data in there, but damaging!

        3. Hospitals sharing health info. This is new and potentially very damaging. It raises uncomfortable questions like: What else do we not know about?

        4. Shadow Profiles from Email / Phonebooks of anyone you've ever crossed paths with. Low hanging fruit contacts in your life!

        5. All the Facebook buttons on millions of websites around the world phone home constantly. Some of it is blockable using adblockers. Some of it isn't when done Server-side (Passenger-Booking-Data etc).

        1. Doctor Syntax Silver badge

          Re: 'Don't understand ...

          "your insurer, your bank, your telco"

          As I'm in the UK all these entities will be getting attention under GDPR if they try that.

    2. Anonymous Coward

      Re: Be prepared for your kids to ask one day: 'how did we get here Daddy'?

      I think they're way too optimistic, the kids already don't give a flying monkey about how they got there. It's not that they've been boiled slow, they positively poured the water and turned the flame to FULL POWER, before jumping in.

      But hey, given that this course is, ultimately, short-term, I see the bright side. It might be a nuclear flash, it might be an AI turning us off, but the future's bright, and f... the sapiens.

    3. Sir Runcible Spoon Silver badge
      Unhappy

      Re: Conclusions?

      "https://www.bbc.co.uk/news/business-44466213"

      About this article - it mentions that we could end up facing negative decisions by AI with no way of knowing how it was arrived at.

      If I, as a human being in a position of authority, make a decision, aren't I expected to be able to provide a rationale for that decision?

      Surely if an AI system provided a decision with no ability to provide the rationale behind it, then the decision is not valid and could be challenged in a court of law? Perhaps I'm being overly optimistic. (There's probably no perhaps about it).

      1. Anonymous Coward

        Re: negative decisions by AI

        This has been done for quite some time already, the future's here already. Not by AI, because it doesn't exist, but by "algorithms" (human-designed, sure). Apparently though, it's already got to such a level of complexity that it's impossible (or too expensive, which comes to the same thing) to backtrack and see what went wrong. And if there's no path to enforce backtracking and remedy (cost optimisation, hurrah) - computer says no, there's no point shouting down the phone line, long dead, there's nobody there.

        ...

        There was an article on the subject somewhere... ah, here it is. Well, the original article by Washington Post is behind a paywall so, leftovers:

        huffingtonpost.com/patricia-mcguire/teacher-evaluations_b_1328456.html

        ...

        Also, fairly recently, a book on the subject with a rather cheesy title "Weapons Of Math Destruction".

      2. Mike Richards Silver badge

        Re: Conclusions?

        This is a real issue with machine learning. How much of the stuff is replicable when algorithms are proprietary and data sets aren't published? A lot of news about data science shouldn't be considered 'science' because the results aren't replicable.

        But it's being pushed as the next big thing even though no one really knows how it comes to its decisions and many of those decisions and insights are of only marginal statistical significance. Dredge enough data long enough and you'll find some correlation - chances are it's bollocks, but you might make a billion.

    4. Loyal Commenter Silver badge

      Re: Conclusions?

      "Facebook will stomach GDPR fines fine too."

      It's worth noting that FB have shouldered the maximum possible fine under the existing legislation (£0.5M). GDPR has provision for far greater fines (4% of annual global turnover). FB's global revenue was over $40Bn in 2017, 4% of that is $1.6Bn, or £1.2Bn. A fine of that magnitude would be a much more interesting proposition. Not least because FB may resist paying it, which would presumably be a criminal matter and involve the invocation of international extradition treaties for those in charge. That's when it would be a good time to invest in popcorn.

      1. Anonymous Coward

        Re: Conclusions?

        "It's worth noting that FB have shouldered the maximum possible fine under the existing legislation (£0.5M)"

        IIRC the "prompt payment discount" is 20%, so FB will only have to cough £400k.

        GDPR may allow higher fines, but let's see what actually transpires - just because they could now fine FB over a billion quid, how likely do you think that is? The regulator will have a process that considers the scale and severity of the breach, then applies aggravating and mitigating factors. Evidence from other UK regulators with "up to 10% of turnover" powers shows that these powers are not used. Which is just as well, because the impact would be far more severe on low margin companies than those with vast profits.

        The problem is that financial penalties aren't hitting companies where it hurts - rather than fines that are merely passed on to either customers or investors, regulators need to suspend offending companies from their core business activity either new customer sign ups, sales, loans or (in the case of FB/Google) all data scraping. Doesn't even need to be for very long - a couple of weeks for a first offence REALLY makes a point. Ofgem have issued over quarter of a billion quid in fines to energy companies over recent years without improving anything. But the couple of times they've suspended companies from signing up new customers, I can assure you (from within the industry) that sent shivers of fear through all companies.

        1. Anonymous Coward

          Re: Conclusions?

          "But the couple of times they've suspended companies from signing up new customers, I can assure you (from within the industry) that sent shivers of fear through all companies."

          That works for "trading companies" but with the social media they already have a huge database.... better to issue PERSONAL penalties to the directors and chief officers, including jail time for abuse of personal data especially maintaining shadow profiles, there is NO way that consent can be assumed there and as such should attract a really harsh penalty for those at the very top.

      2. Doctor Syntax Silver badge

        Re: Conclusions?

        "It's worth noting that FB have shouldered the maximum possible fine under the existing legislation (£0.5M). GDPR has provision for far greater fines (4% of annual global turnover)."

        Yup. Was going to say the same thing. Unlike many comments and the article FB should read this as a warning of what happens next time. We could also end up with the ICO and at least one EU regulator handing out 4% fines. A billion here, a billion there and it soon adds up to real money.

  2. Jamie Jones Silver badge

    Review of the impact of ICO Civil Monetary Penalties - 20140723

    Interesting read:

    Review of the impact of ICO Civil Monetary Penalties - 20140723 (PDF): https://ico.org.uk/media/about-the-ico/documents/1042346/review-of-the-impact-of-ico-civil-monetary-penalties.pdf

    1. eldakka Silver badge
      Holmes

      Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

      > Interesting read:

      What in your estimation makes it interesting? How does it relate to the article at hand? What conclusion did you draw from the document that makes it interesting/relevant?

      Give me some clue as to why it's worthwhile to visit an external site and download and read a PDF document of unknown content and length.

      1. Cuddles Silver badge

        Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

        "What in your estimation makes it interesting? How does it relate to the article at hand? What conclusion did you draw from the document that makes it interesting/relevant?"

        Well, it's a report by the ICO on how effective ICO fines are, so it sounds like it should be relevant. As it turns out... not so much. The impact of penalties was assessed by interviewing a few organisations who had been fined. Amazingly, they all say that they've totally become more proactive in addressing their information rights obligations. No effort appears to have been made to find out if that's actually true. In addition, out of 14 organisations interviewed, only three were private companies with the rest all being government related bodies of some sort (councils, police, etc.). No mention is made of how big those three companies were.

        So the conclusion is that a local council that reports itself to the ICO for a data breach will tell you that a fine made it take data security more seriously. Any impact from fining Facebook some pocket change isn't really considered at all.

        1. VinceH Silver badge

          Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

          "Well, it's a report by the ICO on how effective ICO fines are, so it sounds like it should be relevant. As it turns out... not so much. The impact of penalties was assessed by interviewing a few organisations who had been fined. Amazingly, they all say that they've totally become more proactive in addressing their information rights obligations."

          They probably received a discount against the fine for taking part in the survey and giving suitable answers.

      2. Doctor Syntax Silver badge

        Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

        "Give me some clue as to why it's worthwhile to visit an external site and download and read a PDF document of unknown content and length."

        To find out what's in it. Or would you prefer to rely on someone you don't know and whose abilities you don't know understanding not only the report but also its significance to your particular situation - which they don't know. The latter doesn't really seem like a good way to keep yourself informed if it's your standard practice.

        1. eldakka Silver badge

          Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

          > To find out what's in it. Or would you prefer to rely on someone you don't know and whose abilities you don't know understanding not only the report but also its significance to your particular situation - which they don't know.

          Wait a minute, so some random has linked a random document to a story, with no topical comment, no indication what it's about and you say I should read it to see if it's relevant?

          Is the document porn?

          Or a treatise on the way to skin a cat?

          Or a dissertation on the speed of an unladen swallow?

          An intelligent design essay?

          Cock pics?

          Why Scientology is good for you and why you should join?

          Do you read every random document everyone links in comments without knowing what the topic of the document is at least?

          How about "Here's a report from the ICO on the impact of paying fines that seems to indicate that the fines do/don't have usefulness". At least then I'd have a clue what the linked document was (allegedly) about and then I can decide if I'm interested enough in that particular topic to open it and read it.

          1. Cuddles Silver badge

            Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

            "Wait a minute, so some random has linked a random document to a story, with no topical comment, no indication what it's about and you say I should read it to see if it's relevant?"

            No indication of what it's about? It's a document entitled "Review of the impact of ICO Civil Monetary Penalties", hosted at the ICO's own site, posted in response to an article about ICO civil monetary penalties and which comments how ineffective they are likely to be. While I can sympathise with your sentiment in response to people posting random links with no comment, in this case it really doesn't take a genius to figure out what the linked document might be about and how it might be relevant.

  3. eldakka Silver badge

    ethical pause

    Isn't that what we've been in for several decades now?

    1. Jack of Shadows Silver badge

      Re: ethical pause

      Last couple of millennia at least, near as I can tell. The invention of the corporation has even accelerated if anything.

  4. Dave 137

    Surely this isn't fair on them

    Now I'm not one to stand up for facebook, but I do believe that old saying that I was always taught about the ol' information superhighway (yes, I'd love to bring that back lol) where common knowledge was 'if the service is free, you are the product.'

    These moaning kids don't seem to understand that they signed up for this, hell they even agreed to it in the terms and conditions, even if those were something along the lines of the Big Zucker-B owning their souls for all eternity, and they still sucked it up and uploaded all of their data to Him without thought.

    Then someone came along and said "omg, they SOLD the data we gave them for FREE! All I got was a communications system and an infinite photo upload depository. For free."

    I know I'm doing the same for Apple simply by owning a product, and by Google (by its own definition of flogging me for ads every second of every day), but FFS what did people really expect? They'd hold on to all of their photos and thoughts for free, and they're going to continue to do so without making a penny from them? COME ON! If you're really that stupid you probably deserve to vote for christmas because an advert on Facebook told you to. Gobble gobble.

    All hail the hypnotoad!

    Disclaimer: I have no social media accounts (apart from enforced SSO test accounts at work) and never have done. My voting data is even more safe as it's either Labour or bust, and as I'm in the North it's normally bust. As me old pa said "they're all bastards anyway, just get on with it yourself".

    1. Anonymous Coward

      Re: Surely this isn't fair on them

      People in general are stupid, ignorant and lazy. But that doesn't mean they should be exploited.

      1. Anonymous Coward

        Re: Surely this isn't fair on them

        ... unless the law says they can. Or unless you make the law. Ethicks and morals? Yeah, we've heard of such things.

    2. TkH11

      Re: Surely this isn't fair on them

      It might be a free service but that does not give the company providing that service the right to break the law.

      The law sets out everybody's expectations, it's a standard from which everybody works and complies. The public knows what their rights are and the suppliers of services know what they have to provide.

      It's completely inappropriate then to say "There is a legal standard which you must follow, but if you're providing a free service, you can totally ignore it". How do customers know what their rights are if the providers of free services are given complete carte blanche to ignore the standard and do whatever they want?

  5. Winkypop Silver badge
    Alert

    Cardinal Fang!

    Fetch...THE COMFY CHAIR!

    [JARRING CHORD].

  6. Eltonga
    Meh

    Ouch... that must have hurt

    Actually, Mark lost more in his own time, plane tickets, hotel rooms, plus the hefty bill his attorneys' buffet certainly sent him.

    1. Anonymous Coward

      Re: Ouch... that must have hurt

      Though, of course, we have it on record that Mark would be uncomfortable telling us which hotel he stayed at.

    2. jmch Silver badge

      Re: Ouch... that must have hurt

      Surely it's an unnoticeable sum to Facebook, but unfortunately ICO can't fine them more, that's the limit prescribed by law. Surely law needs to allow setting of fines on a 'per user' basis. eg £1k / user. You're careless with 1 million user profiles, you're on the hook for a billion quid.

      1. Sir Runcible Spoon Silver badge

        Re: Ouch... that must have hurt

        GDPR allows for much bigger fines.

        1. bombastic bob Silver badge
          Trollface

          Re: Ouch... that must have hurt

          good luck collecting those "larger fines" GDPR allows for. once the legal sidestepping starts, nobody will be responsible.

  7. Pseu Donyme

    While the fine in itself is of no consequence to Facebook this may still come back to bite them down the line: I'd imagine a legal argument against, say, Facebook like / share buttons all over the place would be bolstered by pointing out repeated prior violations.

  8. Stoneshop Silver badge
    Devil

    "to reflect on their responsibilities in the era of big data"

    That comes after those companies' responsibilities towards Big Money, especially when it's their own.

  9. Tinslave_the_Barelegged Silver badge

    Something missing

    Yes, these scumbag companies (The BBC report lists others) and their disturbing lack of ethics deserve to be held to account, but what about the political results of these activities? There appears to be complete silence about that. Is it simply that all political colours were up to their necks in this, so politics over the last 10 years was all about a financial arms race, or do we simply not have the leadership to draw any societal conclusions from these scummy activities?

    1. Wellyboot Silver badge

      Re: Something missing

      Politicians are exactly the same as these big corporates, they want to gain as much information about us as possible to sell us their product (socialist utopia, free market nirvana - both are impossible BS).

      The further away from regular interaction with ordinary people they get, the more sociopathic they become.

  10. A Non e-mouse Silver badge
    Headmaster

    Income Vs Profit

    "a net income of $5bn in its latest quarter, making that £500,000 about 18 minutes of quarterly profit"

    Income does not equal profit. You can have a huge income and still not turn a profit.

    1. Wellyboot Silver badge

      Re: Income Vs Profit

      >>Income does not equal profit<<

      Very true, but in these companies it's a lot closer than any manufacturing outfit.

    2. Danny 2 Silver badge

      Re: Income Vs Profit

      "You can have a huge income and still not turn a profit."

      Often deliberately in this sector.

      1. Aladdin Sane Silver badge
        Headmaster

        Re: Income Vs Profit

        Net income is synonymous with profit before tax(es). If they'd used revenue then you'd be correct with your pedantry.

        1. eldakka Silver badge

          Re: Income Vs Profit

          > Net income is synonymous with profit before tax(es). If they'd used revenue then you'd be correct with your pedantry.

          And since we know these big corps pay pretty much no tax anywhere in the world, then net income (profit before tax) is approximately equal to profit after tax.

    3. TkH11

      Re: Income Vs Profit

      That is true, but under the Data Protection Act £500,000 is the most they can fine.

      Under GDPR, fines can be much larger, and in Facebook's case, because their turnover is so high, the maximum fine would be $1.6 billion dollars.

  11. Danny 2 Silver badge

    Max Fine

    £500,000 is the maximum fine, and yet it is a parking ticket for the uber-rich. Why is there a maximum fine? And why aren't there prison sentences as an option for the judge?

    There are people in British prisons for stealing sandwiches when they are hungry, smoking a joint or not having a BBC TV licence. Let those losers out and make some space for some corporate criminals.

    1. Aladdin Sane Silver badge

      Re: Max Fine

      Because the lawmakers couldn't conceive of social media platforms existing when the law was drafted.

      1. Voland's right hand Silver badge

        Re: Max Fine

        "Because the lawmakers couldn't conceive of social media platforms"

        Because the lawmakers could not conceive trading in personal information and its derivatives (*) being a business with profits and turnovers comparable to G20 economies.

        screw the attribute social it is misplaced - there is nothing "social" about it

      2. TkH11

        Re: Max Fine

        That is probably true for the Data Protection Act, which is now defunct. But GDPR was specifically developed with social media companies in mind, given the way the data was being shared. This was recognised by the EU. Under GDPR, there is no single fixed maximum fine which applies to everybody.

        The maximum fine payable by any company is dependent upon their company turnover.

        The fine payable, is determined by the ICO, taking many factors in to consideration, including how cooperative the company has been with the ICO, and lies between zero and the upper limit calculated from the company's global turnover.

        1. Doctor Syntax Silver badge

          Re: Max Fine

          "The fine payable, is determined by the ICO, taking many factors in to consideration ... between zero and the upper limit calculated from the company's global turnover."

          The fact that the ICO went for the maximum here might be a good indication of how they'll respond to similar factors in the future. It should be a pretty good warning. Whether it'll be heeded remains to be seen but a max fine under GDPR should certainly get board level attention.

    2. Zippy's Sausage Factory

      Re: Max Fine

      "£500,000 is the maximum fine, and yet it is a parking ticket for the uber-rich. Why is there a maximum fine?"

      Because that's an old law. The GDPR replaces it with much larger fines - it would have been in billions under GDPR - but because of when the offences were committed, they can only fine what was the maximum at the time.

    3. DavCrav Silver badge

      Re: Max Fine

      "There are people in British prisons for stealing sandwiches when they are hungry, smoking a joint or not having a BBC TV licence. Let those losers out and make some space for some corporate criminals."

      No there aren't.

      1) The law has since changed, the fine is now a certain percentage of global turnover or €20m, whichever is greater. This is the GDPR, you might have heard about it. There is also a criminal investigation happening, which has the potential to result in jail time if the stronger offences are proved.

      2) Nobody is in jail for not having a TV licence. People are in jail for not paying the resulting fine. If you don't pay court fines, I don't know of anywhere in the world where you don't end up in jail.

      3) A few people were jailed for stealing bottles of water during a riot, and as such were charged with rioting, not theft. You would rarely get jailed for stealing sandwiches, as in never.

      4) More or less nobody is in UK jail for possession of marijuana for personal use. The only example I could find was a British man who smoked cannabis in the UK, then flew to Dubai, where he was then arrested. You know, in Dubai.

      1. Anonymous Coward
        Anonymous Coward

        Re: Max Fine

        Well, let's remove the strawman:

        "There are people being punished at greatly higher proportions for stealing sandwiches when they are hungry, smoking a joint or not having a BBC TV licence"

        I think that's the point that was being made.

        Imagine being fined a 3rd of your hourly rate. Of course you'd do it again.

      2. Danny 2 Silver badge

        Re: Max Fine

        @davcrav

        It's tangential to my point but I was being serious with my examples. I did prisoner support a dozen years ago and met people inside for not paying their TV licence, stealing a sandwich and possessing marijuana.

        The Ministry of Justice said that from 2005-2014, a total of 353 people were handed custodial sentences for not paying fines for not having a TV licence. That's just England and Wales so add another 35 for Scotland. I fully admit they were jailed for not paying the fines but if they can't afford the licence then they can't afford the fines, so it's a distinction without a difference. I think the licence fee is unnecessary, and the BBC should be self-funding by selling its content and cutting its costs. There is no logic in why it is illegal to watch live ITV.

        I realise the prosecution of possession of marijuana has changed in the past decade, and so has the categorisation. They all are just labelled 'drugs offences' now in the official documents I can find, regardless of class. I met various prisoners who were in for possession back then, and I can point to numerous cases of people in prison for growing. Complete waste of police and prison expense.

        One of my friends was imprisoned for stealing a policeman's sandwich, after he'd arrested her for stealing a sandwich from a shop. She was a persistent shoplifter but was only charged with the one sandwich. Albeit she also pointed out the officer was a "fat peeg". She'd lived on the streets with no income for a year because the DWP wrongly told her she couldn't claim benefits as a Spaniard. Again, now all the data just lists 'shoplifters' rather than the seriousness of the thefts.

    4. TkH11

      Re: Max Fine

      There is a maximum fine under the now defunct Data Protection Act, there is no maximum fine under GDPR. There is an upper limit which is determined by a percentage of the company's turnover, and the fine, in pounds sterling, can be anywhere from 0 to that upper limit, but the higher the company turnover, the higher the upper limit. There is no limit to the upper limit.

      In Facebook's case the fine they would pay under GDPR would be anywhere from zero to $1.6 billion.

      For a company with a higher turnover, the upper limit on the fine would be higher.

    5. Doctor Syntax Silver badge

      Re: Max Fine

      "And why aren't there prison sentences as an option for the judge?"

      There are but you need to understand the processes at work here.

      Although it's commonly referred to as a fine it's a Civil Monetary Penalty (CMP). The key word there is "civil"; the ICO can apply that, it can't apply a fine which would be a criminal matter. Criminal penalties are applied by a court of law and the normal ICO procedure doesn't go to court although it could end up there if the miscreant doesn't pay up.

      Like a fine, it's only a court that can hand out prison sentences. Off hand I'm not sure what the process is for the ICO to take a case against the individuals to court in that way but there must be one because the relevant Act has provision for it.

  12. Bavaria Blu
    FAIL

    Follow the money

    It would be nice if sharing data without the user's permission was a criminal offence and punished accordingly. It would also be good if legal action could be taken against the individuals involved as well as the organisations they were working for. Cambridge has billions in assets, they could also afford a fine of a few million.

    I bet the £500k doesn't cover the costs of the investigation. The ICO doesn't have enough powers to fine people. It should really be part of HMRC and treat data like cash and freeze assets when it goes missing.

  13. Crisp Silver badge

    I didn't know my government was selling democracy so cheaply

    Just like everything else they've privatised.

  14. Mixedbag
    Holmes

    Seems inconsistant

    Firstly we have to remember here that the incident occurred prior to GDPR so the requirements and penalties differ from what they would be today.

    Regardless of Facebook's ability to pay, the fine seems too high in comparison to other cases.

    TalkTalk caused potential harm to a large number of its customers by failing to implement basic security controls, and failed to act on warnings it had previously been given. In other words it was considered to have been willfully negligent.

    Facebook is being fined for not being quite clear enough about what data was being shared with who and being lied to by Cambridge Analytica who said they had deleted the data when Facebook became aware it was being misused but in fact didn't.

    So they did tell users what they were letting happen with their information, and they did act when somebody did something incorrect with it. Not willful and not negligent and yet they get fined more than they would have done if they had failed to try and protect the information.

    1. DavCrav Silver badge

      Re: Seems inconsistant [sic]

      "Regardless of Facebook's ability to pay, the fine seems too high in comparison to other cases."

      Remember this is in connection with (allegedly) fraudulently manipulating the Brexit referendum, and the fine is actually really small beer.

  15. FlamingDeath Bronze badge
    Facepalm

    A poorly formed...

    wet turd could do a better job than the ICO at getting some correct perspective on how much a company should be fined.

    I'm! still! waiting! for! my! reply! from! the! ICO! and! my! £0.50! share! of! the! fine! for! the! Yahoo! database(s)! breach(s)!

    fucking useless cunts

    1. Sir Runcible Spoon Silver badge

      Re: A poorly formed...

      They fined them the maximum they could under the law, what else do you expect them to do?

      1. Anonymous Coward
        Anonymous Coward

        Re: A poorly formed...

        I want MORE!

    2. m-k

      Re: fucking useless cunts

      but we're toothless sir, we're lame, don't blame us, guv, blame the... ehm... take a guess.

      And once you found the oh-so-f-obvious-answer, ask yourself "why"? And once you found the oh-so-f-obvious-answer to "why?", ask yourself "what can I do about it?" And once you found the oh-so-f-obvious answer (democracy, blah-blah-blah-blah-blah-blah) - don't you even DARE thinking about alternative solutions, cause those you put in the comfy chair, will do _exactly_ the same.

  16. Anonymous Coward
    Anonymous Coward

    500k was under the old rules. The new fines are up to €20 million or 4 per cent of turnover (whichever is greater). Unfortunately because of when this happened the old rules apply. They won't get off so lightly moving forward.

    1. Anonymous Coward
      Anonymous Coward

      "They won't get off so lightly moving forward"

      Ahh.... bless... you really really believe that don't you?

      This is the modern UK... our rights come a distant second to that of the parasites looking to rape our data for an easy buck. There's always a back door.... a nod and a wink and a token fine.... There's a maximum fine... maybe there should be a statutory minimum as a start point... with costs added for aggravating factors...

      Then MAYBE I would have some faith in the idea that there is any protection for citizens' data.

      1. TkH11

        Yes, it is possible the ICO may continue to be toothless and fine lightly.

        But consider this.

        Any data subject in the EU that wishes to make a complaint about a data abuse or breach, has the power to report the breach to ANY GDPR supervisory authority in the EU, not just the ICO.

        The GDPR regulation requires that supervisory authorities across member states share information and work together.

        If the ICO develops a reputation for being weak on issuing penalties, UK data subjects can take their complaints to other supervisory authorities outside of the UK.

        1. Doctor Syntax Silver badge
          Unhappy

          "UK data subjects can take their complaints to other supervisory authorities outside of the UK."

          Not for much longer.

      2. Doctor Syntax Silver badge

        "They won't get off so lightly moving forward"

        Ahh.... bless... you really really believe that don't you?

        If it had been less than the maximum amount (and I'm not sure the maximum amount has ever been applied in the past) you might have had a point. Although the ICO can do no more than what amounts, given FB's scale, to firing a warning shot it is nevertheless a warning shot. If FB has any wit they'll anticipate very big penalties under GDPR. And it'll be no help to them that they've managed to piss off Parliament by snubbing them so your reflex cynicism might well be misleading you.

  17. Only me!
    Thumb Down

    How much did the investigation cost?

    I bet the real cost of the investigation cost was over £500,000 and some twonk in a government office thinks £500,000 is a lot of money!

    They broke the rules....they CERTAINLY knew they were breaking the rules....they CONTINUE to break the rules.....so why let them trade in the UK, EU?

    Only a good hard slap up the money grabbing box will get them to change....even then only to the minimum requirement. So be very, very careful about what you state as the minimum.

    One place to start is to make opting out just as easy as opting in. And if you opt in, they tell you who is allowed to slurp and for what...IN PLAIN English, which is not an easy thing to do.

    1. DavCrav Silver badge

      Re: How much did the investigation cost?

      "How much did the investigation cost?

      I bet the real cost of the investigation cost was over £500,000 and some twonk in a government office thinks £500,000 is a lot of money!

      They broke the rules....they CERTAINLY knew they were breaking the rules....they CONTINUE to break the rules.....so why let them trade in the UK, EU?

      Only a good hard slap up the money grabbing box will get them to change....even then only to the minimum requirement. So be very, very careful about what you state as the minimum."

      Maximum. Punishment. Allowed. By. The. Law.

    2. Doctor Syntax Silver badge

      Re: How much did the investigation cost?

      "One place to start is to make opting out just as easy as opting in."

      If you're going to have a rant at least make it a properly informed* one. Under GDPR the default position is opt-out and if you opt-in opting-out again has to be equally easy.

      * DavCrav has already pointed you to the concept of maximum fines under the law.

  18. Sir Runcible Spoon Silver badge
    WTF?

    Missed a trick?

    The UK's ICO <snip> ruled Facebook had twice broken British data protection laws <snip> it has served Facebook with a notice of intent to fine the biz <snip> £500,000 <snip> the maximum allowed

    So why not fine them once for each breach for a cool £1m?

    1. TkH11

      Re: Missed a trick?

      because the law which was in effect at the time they committed the breach/abuse, limits the fine to £500,000. They cannot be fined more than the law permits. That is why.

      1. Sir Runcible Spoon Silver badge

        Re: Missed a trick?

        Yeah, but didn't they breach the law twice?

  19. one crazy media

    Is this joke?

    This pittance of a fine is the reason multi-billion dollar corporations continue to steal from the consumer and carry on illegal activities all across the world.

    All fines should be a % of their global revenue. Let's set the base 6% of global revenue for the first offense, x 1.5 for the second and to 25% for the third.

    1. Doctor Syntax Silver badge

      Re: Is this joke?

      "All fines should be a % of their global revenue."

      Do you work for ICANN? Because they spent a couple of years ignoring GDPR as well.

  20. Anonymous Coward
    Anonymous Coward

    Pissing in the data pool ?

    Having worked with *massive* data sets for quite a while, whilst I applaud the ICO's action, and certainly don't condone law breaking, it might make people sleep a little easier if I revealed the dirty secret of data analytics, which is that - quite simply - about 60-80% of data is crap. And I mean really crap. Not only useless, but potentially dangerously so.

    Ask yourself this question: How many times have *you* lied when submitting responses ? And although you'd think analytics would winkle out the deception, perversely they reinforce it.

    I am also starting to wonder if hostile nations' cyber capabilities haven't been used to screw up commercial and political datasets for quite a while.

    AC, because it's a little Emperor's New Clothes.

    1. DropBear Silver badge

      Re: Pissing in the data pool ?

      Ever since House we're keenly aware that everybody lies, and also that the immediate very very simple way to get around that is not bothering to _ask them_ anything but rather to observe their actions instead. Which is exactly what I would expect 99% of "gathered data" to consist of.

    2. Doctor Syntax Silver badge

      Re: Pissing in the data pool ?

      "the dirty secret of data analytics, which is that - quite simply - about 60-80% of data is crap. And I mean really crap. Not only useless, but potentially dangerously so.

      Ask yourself this question: How many times have *you* lied when submitting responses ? "

      Lying to questions only explains user-submitted crapness. It doesn't even get near explaining how crap the typical application is even when genuine transaction data has been collected.

  21. Mike Richards Silver badge

    It's a shame the ICO didn't demand that Facebook stops processing Brits' personal data until it can demonstrate to the satisfaction of an independent body that it is not abusing it.

    And at least the ICO has done something, there's still no pressure in Parliament to reform our electoral laws to cope with social media and campaigning.

    1. Doctor Syntax Silver badge

      "there's still no pressure in Parliament to reform our electoral laws to cope with social media and campaigning."

      Existing legislation may well cover that anyway. That's going to take a lot more investigation and is beyond the ICO's remit anyway. There could be a good deal more to come.

  22. 0laf Silver badge

    It's a bigger deal than it appears, the ICO hardly ever issued its max fine.

    But yeah, not quite a rounding error for FB. Can't wait to see the squirming when the prosecutions start under GDPR.


Biting the hand that feeds IT © 1998–2019