Chair's response to the UK Information Commissioner's interim report

11 July 2018

The Information Commissioner's investigation into the Facebook data breach has today concluded that the company ‘contravened the law by failing to safeguard people's information.’ In response, the ICO has issued the maximum fine allowed under the 1998 Data Protection Act, of £500,000.

The ICO is clear that Facebook effectively broke the law by failing to keep users' data safe, when their systems allowed Dr Aleksandr Kogan, who developed an app called ‘This is your digital life’ on behalf of Cambridge Analytica, to scrape the data of up to 87 million Facebook users. This included accessing all of the friends' data of the individual accounts that had engaged with Dr Kogan's app.

Chair's comment

Damian Collins MP, Chair of the Digital, Culture, Media and Sport Committee said:

“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way. This cannot be left to a secret internal investigation at Facebook. If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.

“Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica. The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of their internal investigations known to the ICO, our committee and other relevant investigatory authorities.

“Facebook state that they only knew about this data breach when it was first reported in the press in December 2015. The company has consistently failed to answer the questions from our committee as to who at Facebook was informed about it. They say that Mark Zuckerberg did not know about it until it was reported in the press this year. In which case, given that it concerns a breach of the law, they should state who was the most senior person in the company to know, why they decided people like Mark Zuckerberg didn't need to know, and why they didn't inform users at the time about the data breach. Facebook need to provide answers on these important points. These important issues would have remained hidden, were it not for people speaking out about them. Facebook's response during our inquiry has been consistently slow and unsatisfactory.

“The receivers of SCL Elections should comply with the law and respond to the enforcement notice issued by the ICO. It is also disturbing that AIQ have failed to comply with their enforcement notice.”

Further questions

As the ICO moves to complete its investigation, there are other important questions that need to be answered. In particular:

1) Who had access to the Facebook data scraped by Dr Kogan, or any data sets derived from it?
2) Given Dr Kogan also worked on a project commissioned by the Russian Government through the University of St Petersburg, did anyone in Russia ever have access to this data or data sets derived from it?
3) Did organisations who benefited from the scraped data fail to delete it when asked to by Facebook, and if so where is it now?

The DCMS select committee will be producing its interim report into disinformation and data use in political campaigns later this month.