Facebook broke data law and faces £500,000 fine over Cambridge Analytica scandal : The UK’s data protection watchdog found the social media giant guilty of two breaches of the Data Protection Act – failing to safeguard users’ information and failing to be transparent about how people’s data was “harvested” by others. The £500,000 penalty is the maximum punishment available to the Information Commissioner’s Office, but also equates to the revenue Facebook makes every five and a half minutes.

Facebook broke data law and faces £500,000 fine over Cambridge Analytica scandal

The investigation, led by Information Commissioner Elizabeth Denham, found that Facebook had contravened the law by failing to protect people’s data and that the company had also failed to be transparent about how personal data was being used by others. Facebook will have an opportunity to respond before a final decision is made, but the commissioner’s damning preliminary findings are a major blow for a company that has sought to play down the severity of the Cambridge Analytica affair and its role in it.

“Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes,” Denham said. The investigation opened in May and has involved a team of 40 analysing material retrieved from servers and other equipment. The ICO described it as one of the largest ever by a data protection authority.

The £500,000 fine, which forms part of a notice of intent sent to Facebook by the Information Commissioner’s Office (ICO), is the biggest the regulator can issue in its investigation. If the fine is issued to Facebook, it would be the first time the regulator has handed out the largest financial penalty available to it.

“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” said committee chair Damian Collins. “If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.”

The incident took place before the EU’s GDPR came into force on May 25, meaning Facebook will not face a multi-million dollar fine. The 1998 Data Protection Act, which the investigation revolves around, only allows a maximum fine of £500,000.

Facebook’s chief privacy officer Erin Egan has said the company should have done more to investigate claims about Cambridge Analytica when they were first raised in 2015.