November 4, 2019
In 2017 the ICO commenced a formal investigation into the misuse of personal data in political campaigns.
As part of that investigation, on 24 October 2018 the ICO issued a monetary penalty notice under s 55A of the Data Protection Act 1998 against Facebook Inc and Facebook Ireland Limited in the sum of £500,000. The penalty notice identified suspected failings related to compliance with the UK data protection principles covering lawful processing of data and data security.
On 21 November 2018, Facebook filed an appeal with the First Tier Tribunal (General Regulatory Chamber) against the penalty notice.
On 14 June 2019, the Tribunal issued an interim decision holding that procedural fairness and allegations of bias on the part of the ICO should be considered as part of the appeal, and that the ICO should be required to disclose materials relating to its decision-making process regarding the penalty notice. The ICO appealed that interim decision on 2 September 2019.
An agreement has now been reached between the parties. As part of this agreement, Facebook and the ICO have agreed to withdraw their respective appeals. Facebook has agreed to pay the £500,000 fine, but has made no admission of liability in relation to the penalty notice. The ICO explains that the fine is paid to HM Treasury’s consolidated fund.
The ICO and Facebook will each pay their own legal costs of the proceedings.
The agreement also enables Facebook to retain documents disclosed by the ICO during the appeal for other purposes, including furthering its own investigation into issues around Cambridge Analytica. Parts of this investigation had previously been put on hold at the ICO’s direction and can now resume.
The Commissioner considers that this agreement “best serves the interests of all UK data subjects who are Facebook users”. Both Facebook and the ICO state that they are committed to continuing to work to ensure compliance with applicable data protection laws. To read the ICO’s statement in full, click here.