British regulators slapped Facebook on Thursday with a fine of 500,000 pounds ($644,000) — the maximum possible — for failing to protect the privacy of its users in the Cambridge Analytica scandal.
At the same time, European Union lawmakers demanded an audit of Facebook to better understand how it handles information, reinforcing how regulators in the region are taking a tougher stance on data privacy compared with U.S. authorities.
Britain’s Information Commissioner Office found that between 2007 and 2014, Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent. The failings meant the data of some 87 million people was used without their knowledge.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” said Elizabeth Denham, the information commissioner. “A company of its size and expertise should have known better and it should have done better.”
The ICO said a subset of the data was later shared with other organizations, including SCL Group, the parent company of political consultancy Cambridge Analytica, which counted U.S. President Donald Trump’s 2016 election campaign among its clients. News that the consultancy had used data from tens of millions of Facebook accounts to profile voters ignited a global scandal on data rights.
The fine amounts to a speck on Facebook’s finances. In the second quarter, the company generated revenue at a rate of nearly $100,000 per minute. That means it will take less than seven minutes for Facebook to bring in enough money to pay for the fine.
But it’s the maximum penalty allowed under the law at the time the breach occurred. Had the scandal taken place after new EU data protection rules went into effect this year, the amount would have been far higher — including maximum fines of 17 million pounds or 4 percent of global revenue, whichever is higher. Under that standard, Facebook would have been required to pay at least $1.6 billion, which is 4 percent of its revenue last year.
The data rules are tougher than the ones in the United States, and a debate is ongoing on how the U.S. should respond. California is moving to put in regulations similar to the EU’s strict rules by 2020 and other states are mulling more aggressive laws. That’s rattled the big tech companies, which are pushing for a federal law that would treat them more leniently.
Facebook CEO Mark Zuckerberg said in a video message to a big data privacy conference in Brussels this week that “we have a lot more work to do” to safeguard personal data.
About the U.K. fine, Facebook responded in a statement that it is reviewing the decision.
“While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015. We are grateful that the ICO has acknowledged our full cooperation throughout their investigation.”
Facebook also took solace in the fact that the ICO did not definitively assert that U.K. users had their data shared for campaigning. But the commissioner noted in her statement that “even if Facebook’s assertion is correct,” U.S. residents would have used the site while visiting the U.K.
EU lawmakers had summoned Zuckerberg in May to testify about the Cambridge Analytica scandal.
In their vote on Thursday, they said Facebook should agree to a full audit by Europe’s cyber security agency and data protection authority “to assess data protection and security of users’ personal data.”
The EU lawmakers also call for new electoral safeguards online, a ban on profiling for electoral purposes and moves to make it easier to recognize paid political advertisements and their financial backers.