As the fine relates to happenings during 2014 and 2015, the maximum was limited by the old data protection laws rather than the current GDPR legislation, which allows a maximum fine of 4% of a guilty company’s global turnover.
The fine could yet be reduced because the Information Commissioner’s Office is still to hear Facebook’s response. "We have taken no final view on the merits of the case at this time and are aware that there are issues which are disputed," the ICO said.
The reason the ICO has disclosed its thinking midway through the process is that it was committed to provide a progress update on its investigation for the purposes of informing Parliament’s DCMS select committee’s work on "fake news" before the summer recess.
Studying the actions not just of Facebook but 30 other organisations, the ongoing probe is "the largest investigation of its type by any Data Protection Authority", according to the ICO. It involves social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.
While it is concentrating on the use of data of political purposes, the investigation may well have implications for the consumer marketing arena, particularly when it comes to policing data brokers.
The ICO said it will be auditing the main credit reference companies and also revealed it has served data broker Emma’s Diary with a notice of intent to levy a £140,000 fine.
"We have looked closely at the role of those who buy and sell personal data-sets in the UK. Our existing investigation of the privacy issues raised by their work has been expanded to include their activities in political processes," the ICO report said.
Emma’s Diary, which operates the eponymous pregnancy and parenting advice website, is judged to have contravened the old Data Protection Act by selling the data of one million individuals to the Labour Party in 2017. Like Facebook, the decision is not yet final.
Emma’s Diary (the trading name for Lifecycle Marketing (Mother and Baby) Ltd) has been invited to comment.
However, the ICO’s investigation is set to make its biggest waves in the world of politics and particularly regarding the conduct of the Brexit referendum, where it is investigating both the Leave and Remain sides.
It is planning to bring criminal prosecutions against SCL Elections, the parent company of Cambridge Analytica, for failing to deal with an enforcement notice.
It is investigating the collection and sharing of personal data by the official Remain campaign, the In Campaign Limited, trading as Britain Stronger in Europe (BSiE), and a linked data broker.
It is also investigating the relationship between Cambridge Analytica, SCL and the Canada-based company Aggregate IQ; the relationship between Cambridge Analytica and the Leave.EU campaign; the relationship between Leave.EU and its backer Arron Banks’ insurance company Eldon Insurance; and whether the other pro-Brexit campaign Vote Leave transferred the personal data of UK citizens outside the EU.
The ICO said it is working to identify where criminal offences may have been committed.
"This includes criminal offences related to the failure to comply with Information Notices or Enforcement Notices issued by ICO as well as other offences for perverting the course of justice. In most cases, these carry significant financial sanction up to and including unlimited fines and terms of imprisonment for individuals. We are looking at both organisations and the actions of individuals controlling them (including directors) during the relevant periods."