2018 was a controversial year for Facebook. From the moment the Cambridge Analytica scandal came to light in March, the social network’s year was a litany of problems, data breaches, and even accusations of inciting genocide. And these problems also made their way into the company’s finances: in July, the value of its shares fell 20% in just two hours, wiping $120 billion off its market cap.
Fines start to appear
At the start of July this year, the German authorities fined Facebook €2 million for failing to meet transparency requirements in its handling of hate speech complaints.
Facebook received its first fine in relation to the Cambridge Analytica scandal in July 2018. The Information Commissioner’s Office in the UK imposed a £500,000 sanction, the maximum amount permissible under pre-GDPR rules. It also received two fines totaling €10 million from the Italian authorities last December for misleading users about data policies.
Now, the social network has been hit by another European fine: the Autorità Garante Privacy, the Italian data protection organization, has fined Facebook €1 million for its role in the Cambridge Analytica scandal.
In a press release, the organization explained that 57 Italians downloaded the app “This Is Your Digital Life”, which gathered the details of their Facebook contacts without their consent. It is estimated that some 214,077 Italian users were affected. The fine takes into account the size of the affected database, the economic conditions of the network, as well as the total number of Italian and international users affected.
This fine was handed out under the regulation in place before the GDPR, which means that it is not as steep as it could be within the new regulatory framework. However, Antonello Soro of the Autorità Garante Privacy explains that “new, heftier fines will arrive in light of the GDPR.”
Facebook and the GDPR
The GDPR has been in place since May 2018, and only incidents that have happened after that date can be sanctioned within the framework of this regulation. Nevertheless, Facebook has been involved in several incidents since the regulation came into force, which means that the company could soon start to feel its effects.
The most recent of these incidents happened in April this year. Security researchers discovered over 540 million records containing information about Facebook users on a server without a password. This information included comments, user names, likes and reactions. Given the lack of security measures, anyone could have accessed it.
Before this, in September 2018, a vulnerability exposed the accounts of around 50 million users of the social network.
“This is a high-stakes matter which may become the defining moment of GDPR,” said Toni Vitale, head of regulation, data and information at law firm Winckworth Sherwood. “[…] given the large number of European citizens involved and the number of previous breaches, the eventual fine is still likely to be eye-wateringly large.”
In 2018, Facebook’s turnover was $55 billion. Given that the maximum fine under the GDPR is 4% of annual global turnover, the social network could theoretically face a fine of $2.2 billion (€1.95 billion).
Complying with the GDPR in your company
In the first year of the GDPR, there were 200,000 investigations and €56 million in fines. And these figures are sure to keep rising this year, especially if we bear in mind the fact that only 29% of European companies are fully compliant with the regulation.
Your company probably doesn’t handle as much personal data as Facebook does. The GDPR, however, is obligatory for any company – regardless of its size – that handles the personal data of European citizens. It’s therefore essential to ensure that the personal data that you store is properly protected.
To streamline GDPR compliance, Panda Security has a solution: Panda Data Control, a module of Panda Adaptive Defense. Data Control allows you to discover, audit and monitor unstructured personal and sensitive data on your company’s endpoints: from data at rest, to data in use and data in motion.
It identifies the files that contain personal data (PII) and records any kind of access to it, alerting in real time about leaks, use, and suspicious or unauthorized traffic.
The only way to avoid GDPR fines and the resulting reputational damage is to properly protect the personal data stored by your company. With Panda Data Control, this task is a lot simpler.