Procurement · 11 July 2018

Facebook dodges £479m GDPR penalty with ‘unacceptable’ £500,000 fine

Facebook’s data breaches occurred before new data protection laws were introduced

Following a controversial breach of user data, social media giant Facebook has been hit with a £500,000 fine from the UK’s GDPR watchdog.

Under GDPR, companies responsible for a breach of data are liable to fines up to 4% of annual turnover. For Facebook, this would have amounted to a penalty worth £479m.

Following a 16-month investigation by the Information Commissioner’s Office (ICO), Facebook was deemed to have failed to ensure controversial data harvester, Cambridge Analytica, had deleted data of Facebook users.


The ICO has confirmed it intends to fine Facebook £500,000 over the incident, which was made public by whistle-blower and former Cambridge Analytica employee, Christopher Wylie, in revelations made to the Observer and New York Times newspapers.

In an official statement, the watchdog said: “The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information.

“It also found that the company failed to be transparent about how people’s data was harvested by others.”





While the highest fines under the new data protection bill, legislation which brought GDPR into UK statute books, are set at £17m or 4% of annual turnover, whichever is higher, the ICO was forced to act under old data protection laws as Facebook’s offences took place in 2016.

Responding to Facebook’s fine, Kyle Taylor, director of campaigning group Fair Vote UK, suggested the fine represented a mere slap on the wrist for Facebook.

“Unfortunately, because they had to follow old data protection laws, they were only able to fine them the maximum of £500,000. This is unacceptable,” Taylor added.

Information Commissioner Elizabeth Denham maintained that accountability for such data breaches was not all about fines, as companies also have a reputation at stake.

She added: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”

Facebook has a chance to respond to its fine before a final decision is made.




Praseeda Nair is an impassioned advocate for women in leadership, and likes to profile business owners, advisors and experts in the field of entrepreneurship and management.
