Massive Fines for Social Media Companies Following Data Breach
The Information Commissioner’s Office (ICO) is expected to impose a massive £500,000 fine on Facebook for failing to secure people’s information – and failing to be clear on how people’s data are used by others.
This huge fine, one of the biggest ever handed out, is in keeping with a series of recent fines imposed by the data watchdog.
You may be aware that Facebook and Cambridge Analytica have been the subject of headline reports and on the radar of the Information Commissioner’s Office (ICO) for some months.
This is because Facebook are alleged to have allowed an app developer to access their users’ information without informing those users that this was happening.
The developer subsequently used this information to contact the friends – and the friends of their friends, and so on – of all the users they had been given access to. There have also been claims that this data was then used to help elect Donald Trump in the 2016 US Presidential Election, and/or to sway the Brexit referendum vote.
Elsewhere, fines were imposed on TalkTalk (£400,000) for allowing a cyber attacker to access customer data “with ease”, and in another case involving the use of CCTV, a newsagent was fined a total of £439 for failing to register with the ICO the fact that she operated CCTV on her premises. The newsagent argued that she did not know that she had to register, but the ICO did not accept her explanation.
In each of these cases legal action began before GDPR or the Data Protection Act 2018 came into force, but it is highly likely that the fines would have been more severe if the matter had begun after 25 May 2018.
Fines and Rights under the new Data Protection Act 2018
The Data Protection Act 2018 in effect passes the General Data Protection Regulation (GDPR) into UK law in preparation for our withdrawal from the European Union.
In summary, the new Act:
- Gives individuals easier access to their own data and the “right to be forgotten”
- Gives individuals the right to know if their data has been hacked
- Exposes organisations to fines of £17m or up to 4% of global turnover for breaching the new rules
- Requires employers in certain circumstances to appoint a data protection officer
- Requires consent for the processing of children’s data
As a business/organisation you must be able to show active compliance, such as:
- Keeping up-to-date records of your data processing activities and data flows, and the legal basis for each of them
- Having data protection policies and procedures in place
- Reporting certain data security breaches within 72 hours, as the law now requires
Please bear in mind that the updated regime is not intended to panic businesses/organisations, but to get them to think more carefully about how they store and process data.