ICO and Facebook reach agreement regarding misuse of data in political campaigns

October 30, 2019

The ICO has issued a statement on an agreement reached between Facebook and the ICO following the ICO’s investigation into the misuse of personal data in political campaigns.

In 2017 the Information Commissioner’s Office commenced a formal investigation into the misuse of personal data in political campaigns.

As part of that investigation, the ICO issued a monetary penalty notice (MPN) for £500,000 under section 55A of the Data Protection Act 1998 against Facebook Inc and Facebook Ireland Limited. The MPN identified suspected failings related to compliance with UK data protection principles covering lawful processing of data and data security.

Facebook appealed against the MPN. In June 2019, the Tribunal issued an interim decision holding that procedural fairness and allegations of bias on the part of the ICO should be considered as part of the appeal, and that the ICO should be required to disclose materials relating to its decision-making process regarding the MPN. The ICO in turn appealed that interim decision.

An agreement has now been reached between the parties, under which Facebook and the ICO have agreed to withdraw their respective appeals. Facebook has agreed to pay the £500,000 fine but has made no admission of liability in relation to the MPN. 

Further, the agreement enables Facebook to retain documents disclosed by the ICO during the appeal for other purposes, including furthering its own investigation into issues around Cambridge Analytica. Parts of this investigation had previously been put on hold at the ICO’s direction and can now resume.

The ICO considers that this agreement best serves the interests of all UK data subjects who are Facebook users. Facebook and the ICO have expressed a commitment to continuing to work to ensure compliance with applicable data protection laws.