The UK Information Commissioner has imposed a monetary penalty of £500,000 on Facebook Ireland Ltd and Facebook Inc. as part of her Office's investigation into Cambridge Analytica. The monetary penalty notice was issued under the now-repealed UK Data Protection Act 1998. However, there are multiple important points to note from the notice – not least the Commissioner's statement that "but for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty". The penalty notice also includes comments which will be relevant to any organisation which makes personal data available to others to process – certainly any kind of platform or API such as that operated by Facebook, although the principle could be applied more widely still.
The penalty was imposed in connection with the app developed by Dr Aleksandr Kogan. The app collected data which was subsequently passed to SCL Elections Ltd, the parent company of Cambridge Analytica. The penalty was imposed for breach of the first data protection principle (fair processing) and breach of the 7th principle (appropriate technical and organisational measures). In GDPR terms, these would equate to Articles 5(1)(a) and 5(1)(f).
The facts leading to the monetary penalty are now notorious. Dr Aleksandr Kogan and his company, Global Science Research Limited, created an app for use on Facebook. The app obtained a wide range of information from Facebook, which is listed in full in the monetary penalty notice, but which included public profile, birthdate, posts and likes, friends lists and email addresses and Facebook messages. The app also requested permission from its users to access information about the user's Facebook friends – profile, birthdate, city, likes and photos where the friends were tagged. The app operated from November 2013. From May 2015, due to changes introduced by Facebook, it had access to a restricted range of information about users and could not access detailed information about friends of users at all. In December 2015, the Guardian published an article about the app's data collection, at which point Facebook terminated the app's ability to use Facebook's API. Facebook estimated that about 1 million UK Facebook users had data accessed via the app – the total number of individuals in the UK using the app itself being somewhere between 1,040 and 1,765.
Dr Kogan and/or GSR shared data from the app, or derived from the app data, with others including SCL Elections Limited. The Commissioner found that some of the data shared with these companies was likely to have been used for purposes of political campaigning. Facebook advised the Commissioner that the only individuals whose data was used in this way were US residents – however, the Commissioner noted that some of those would have used Facebook while visiting the UK (p.13) and so would have amounted to UK users at that point.
The app breached multiple provisions of Facebook's Platform Policy. In particular:
- Data about friends of users should only have been used to augment the experience of the user, whereas it was used for the app developer's own purpose
- The sale of data to third parties breached the Policy
- The transfer of the data to third parties breached the Policy
- The app requested permission from users to obtain personal data that the app itself didn’t need.
Dr Kogan had given an undertaking to Facebook that the app was only being used for research purposes, and not for commercial purposes. He was also in breach of this undertaking.
Lessons for those operating platforms/allowing others to collect data via their sites or properties
Dr Kogan collected large amounts of data without the knowledge of the relevant individuals. However, the Commissioner concluded that Facebook had breached the Data Protection Act in allowing this to happen. "The Facebook Companies permitted the App to operate in such a way that it collected personal data about Facebook friends of users of the App, without those friends being informed that such data was being collected… The Facebook Companies did not attempt to prevent the App from collecting data in this manner… By permitting the App to operate in this way, the Facebook Companies unfairly processed the personal data of the Facebook friends of users of the App".
Although the Commissioner does not spell this point out, the definition of processing includes making personal data available – so by making data available to Dr Kogan, Facebook was processing personal data and was responsible for that processing. There is a clear lesson here for companies which allow others to use their data, or which operate platforms that facilitate this: 1) be clear which further uses you consider are or are not permissible under data protection law and state this clearly in your terms – if you don't prohibit it, you may be liable for allowing it; and 2) even if you do prohibit certain actions, you must take steps to monitor whether these restrictions are implemented in practice. The Commissioner noted that Facebook initially did not take any steps to check the processing by Dr Kogan and, even when it was alerted to the problem by the Guardian article, it did not respond sufficiently swiftly. Facebook took no steps to check that the app was being operated in accordance with Dr Kogan's undertaking, nor did it check the terms in place between Dr Kogan and users of the app to see if they were consistent with the Platform Policy. The Commissioner also noted that Facebook did not have any system under which this type of review would have taken place (such as a periodic audit of apps).
As mentioned above, Facebook argued that the data used in political campaigns in the US only related to US citizens – i.e. that it did not include UK users (so that the Commissioner would not have jurisdiction in this regard). However, the Commissioner concluded that Facebook's failure to implement appropriate systems and controls was still problematic: "the personal data of UK Users who were UK residents was put at serious risk of being shared and used in connection with or for the purposes of political campaigning (even if that risk did not eventuate)".
Dr Kogan's activities did breach multiple terms in Facebook's Platform Policy – however, this made things worse, not better, for Facebook. The 7th data protection principle (now Article 5(1)(f)) requires appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. The Commissioner concluded that Dr Kogan's processing was unauthorised as it breached the Platform Policy and Dr Kogan's undertaking – however, Facebook had not taken adequate steps to prevent the processing. Having terms in place and doing nothing to enforce them is, therefore, no better than not having terms in place.
Joint and several liability
The Commissioner concluded that the two Facebook companies were joint data controllers in respect of the relevant processing "and hence the Commissioner considers that they are jointly and severally liable for the amount of the monetary penalty". Neither the Data Protection Act 1998, nor Directive 95/46, nor the GDPR states that joint controllers will be jointly and severally liable as regards fines imposed by supervisory authorities.
Of course, the GDPR does impose a principle of joint and several liability as regards claims by individuals – in Art.82. However, this applies not just to joint controllers but whenever there is more than one controller or processor involved in the processing – and reflects the policy objective expressed in recital 146 – to ensure full and effective compensation for individuals – with the organisations involved in the processing left with the job of reclaiming compensation which has been paid between themselves. This same policy objective does not apply to a supervisory authority, which should be able to establish who is responsible for what. The recent Facebook Fan Page CJEU case (5 June 2018, Case C-210/16) also takes this approach, stating that:
"... joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages... and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case".
The Article 29 Working Party Opinion on the concepts of controller and processor (WP169) also noted (p.22) that it is not clear that joint control means joint and several liability – or at least not in all cases. At best, WP29 suggests that the Directive "hints" that there may be joint and several liability on some occasions. The point may not seem significant here – if Facebook Ireland wasn't responsible for the processing, then Facebook Inc. must have been. However, the Facebook Fan Page case suggests that many organisations may now be joint controllers – even when they have little real control over much of the processing, as is the case with administrators of Facebook fan pages. This presumption by the Commissioner that she can impose fines on a joint and several liability basis – without any legal arguments to substantiate her approach and in contrast to suggestions in case law and from the Article 29 Working Party – will be a significant concern.
The monetary penalty notice is addressed to Facebook's Irish and US entities. The Commissioner relied on Google Spain (as well as a Northern Ireland case involving Facebook – CG v Facebook Limited and McCloskey), finding that Facebook has a UK establishment, which was involved in providing marketing and advertising services, and that when Facebook processed personal data about individuals using Facebook in the UK, it was processing personal data in the context of the activities of its UK establishment.
The personal data was processed by Facebook in the context of establishments in more than one EU Member State (Ireland and the UK – others could also be relevant). In GDPR terms, therefore, it amounts to "cross-border processing". The monetary penalty was based on facts which occurred before 25th May 2018 – but it is interesting to consider the difference which GDPR – and Brexit – would make here. Where cross-border processing is involved, then according to Art.56, the supervisory authority for Facebook's main establishment is competent to handle the investigation under the co-operation procedure – that would mean the Irish Data Protection Commission handling the investigation against Facebook Ireland. Once the UK ceases to be a Member State of the EU on 29 March 2019, then (subject to any provisions in the eventual withdrawal agreement) the UK would cease to participate in procedures relating to cross-border processing. Like the GDPR, the Data Protection Act 2018 provides that it applies "to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom" – assuming there are no changes to this in UK Brexit legislation, then – post Brexit – the UK Commissioner would once again become competent to investigate and impose penalties. Brexit may well, therefore, leave organisations facing separate proceedings and penalties in the UK and the EU.
Dealing with the Information Commissioner
The Commissioner noted that Facebook had been co-operative with the Commissioner's investigation – "including by providing details answers [sic] to successive Information Notices served by the Commissioner".
Although the Commissioner has always been able to require controllers to respond to enquiries, previous Commissioners have rarely relied on this – especially in situations where a controller was co-operating. The previous Regulatory Action Policy stated that the Commissioner "will not resort to formal action where we are satisfied that the risk can be addressed by negotiation or other less formal means".
The current Commissioner recently consulted on a new policy on regulatory action, which is currently awaiting Parliamentary approval. This does not contain any similar statement – and the use of information notices in relation to a controller which is co-operating in full confirms a toughening of approach, which many organisations that have dealt with the current Commissioner may already have experienced. In this regard, controllers and processors should note that the Data Protection Act 2018 gives the Commissioner significantly stronger powers of investigation – including a right, in urgent situations, to conduct on-site assessments without prior notice.