Facebook was hit by its first penalty for leaking user data to Cambridge Analytica—a benign £500,000 ($660,000) fine by Britain’s Information Commissioner’s Office (ICO), The Financial Times first reported.
The half-a-million pounds is the maximum fine allowed under the European Union’s old data privacy laws, which were in effect when the actual data leak happened in 2015.
For sure, the fine feels like merely a slap on the wrist for Facebook, which has a market valuation of over $500 billion. Under the EU’s new General Data Protection Regulation (GDPR), the most serious violation could result in a fine of up to €20 million ($23 million) or four percent of a company’s annual global sales, whichever is greater. In Facebook’s case, that would have amounted to $1.1 billion.
But the fallout of the Cambridge Analytica scandal is far from over.
In the U.S., Facebook is under investigation by four federal agencies—the FBI, the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and the Justice Department. Once these investigations conclude, industry watchers expect much larger fines to come Facebook’s way.
The FTC, for example, could eventually levy a fine up to $5 billion on Facebook, predicted Stephanie Miller, a senior analyst at Height Capital Markets, a Washington, D.C.-based advisory firm researching regulated industries.
Miller’s estimation is based on how much the FTC is authorized to issue and what would constitute a meaningful penalty for Facebook.
The FTC launched a probe in March of this year (shortly after the Cambridge Analytica revelation) to investigate whether Facebook had violated the agreement Facebook had with the agency to protect user data. (The U.S. doesn’t have privacy laws equivalent to the EU’s.) In such cases, the FTC is allowed to fine up to $40,000 per violation. For Facebook, which compromised the information of over 87 million users in the Cambridge Analytica deal, the fine could theoretically add up to trillions of dollars.
“I don’t think the FTC will swipe Facebook out of business with a $1 trillion fine, given that the largest fine the FTC has ever issued was $100 million,” Miller told Observer. “So something with a $1 billion handle would feel enormous. I think these agencies would also take into consideration Facebook’s cash on hand and revenues, so $5 billion is what I think would be commensurate with Facebook’s size.”
In addition, the SEC, which is investigating Facebook’s public disclosure practices, could fine the company up to $1.8 billion, Miller said.
Her primary reference is Yahoo, which was fined $35 million by the SEC for not disclosing a 2014 data breach to investors for more than two years. After comparing Yahoo’s market capitalization to Facebook’s, Miller estimates that $1.8 billion would be a reasonable equivalent to Facebook in such violations.
“Because this industry is relatively new, there are not many precedents about data breaches. The best one we could find was Yahoo,” she explained.
When multiple media outlets revealed the Cambridge Analytica story in March this year, Facebook didn’t warn its investors about possible reactions of its shares (Facebook shares dropped significantly after the news broke). Facebook has a track record of keeping shareholders in the dark when scandals are about to be made public, such as The Guardian’s 2015 article about Cambridge Analytica and a similar revelation by the Intercept in March 2017.
“The SEC probably has a case to bring against Facebook for what has happened since. Obviously the stock has completely recovered… but for those investors who took a loss around that March-April timeframe, they probably have a reason to be upset with Facebook executives,” Miller said.