Facebook could be liable for millions in compensation following ICO report

The Information Commissioner’s Office (ICO) has announced that it has fined Facebook £500,000, the maximum penalty under the Data Protection Act 1998 (DPA), for breaching the DPA by enabling an app to harvest personal data from 87 million users worldwide. The announcement has prompted speculation that ensuing compensation claims could run into many millions.

The third-party app thisisyourdigitallife, operated by Dr Aleksandr Kogan and Global Science Research Ltd (GSR), harvested a variety of personal data not just from those Facebook users who signed up to it but also from their friends and those who messaged the users via the app. The harvested data was then shared with Cambridge Analytica and other companies. The ICO has found that this data is likely then to have been used in political campaigning. Facebook has insisted that any political use was only in the USA. The ICO has been unable to determine categorically whether or not that is correct, but has noted that at the very least there was a serious risk of political use elsewhere.

The ICO considered the breaches of the DPA to be of a kind likely to cause “substantial distress” to affected users. Its principal findings are threefold:

Firstly, the collection of personal data relating to Facebook users who were Facebook friends of the app’s users and/or who exchanged Facebook messages with the app’s users was unfair because they were not aware of it and had not given consent to it. This amounted to unfair processing by Facebook because Facebook permitted the app to operate in this way and did not prohibit such data collection in Facebook’s platform policy.

Secondly, Facebook unfairly processed the personal data of Facebook users who were users of the app, Facebook friends of the app’s users and individuals who exchanged Facebook messages with the app’s users by failing to take adequate steps to monitor whether the app was being used in breach of the Facebook platform policy, thereby unfairly exposing them to a serious risk that their personal data would be used in breach of the policy.

Finally, Facebook had failed to take adequate steps to guard against the unlawful activities of Dr Kogan and GSR: Facebook didn’t review the terms and conditions of the app to assess whether they were consistent with the Facebook platform policy and an undertaking given by Dr Kogan/GSR, didn’t have a system in place for such monitoring, and didn’t monitor whether the app was being operated in compliance with the platform policy and undertaking. This was confirmed by the fact that Facebook was not aware that the app was being operated in breach of the platform policy and undertaking until the Guardian newspaper published an article on 11 December 2015.

The law firm Leigh Day has called for UK Facebook users who have been notified that their data was misused to sign up to take group action seeking compensation, and for Facebook to set up a compensation fund to prepare for this.