The social network had lodged an appeal against the Information Commissioner’s Office (ICO), and in June a tribunal agreed that the watchdog’s decision-making process should be scrutinized as part of the case, to investigate allegations of bias. The ICO appealed this judgment in September this year.
However, the two parties have now agreed to withdraw their respective appeals, which means Facebook will pay the £500,000 but accept no liability relating to the penalty notice. Both parties will pay their own legal costs.
“The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals but also as we now know, for the preservation of a strong democracy,” argued deputy commissioner, James Dipple-Johnstone.
“We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”
The original penalty notice alleged that Facebook had processed user information “unfairly” under the old Data Protection Act 1998. It did this by allowing developers to access the data without adequately “clear and informed consent,” and by allowing access to users who had not downloaded an app but were friends of those who had.
The social network was also accused of failing to check how this data was being secured or used by developers. That is said to have led to one developer, Aleksandr Kogan, harvesting info on 87 million users without their knowledge and subsequently sharing some of this with Cambridge Analytica parent SCL Group. It was then purportedly used to target wavering voters ahead of the 2016 US presidential election.
The ICO also claimed at the time that Facebook failed to take swift enough action to ensure this highly sensitive data was deleted when, in December 2015, it discovered what had happened. SCL Group wasn’t suspended until 2018.
The penalty issued was a rare maximum fine under the old data protection regime, although commissioner Elizabeth Denham said it could have been much greater had the incident happened during the GDPR era.
In the US, Facebook was fined $5bn by the FTC earlier this year.
Facebook associate general counsel, Harry Kinmonth, was quick to point out that the ICO had found no evidence that users in the EU had their data transferred by Kogan to Cambridge Analytica.
“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015,” he added.
“We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information.”