In the UK today, the 25th of October, the ICO fined Facebook a maximum amount of £500,000 under the old Data Protection Act 1998. If the transgressions had occurred under the GDPR, the UK ICO Elizabeth Denham said ‘the fine would have been much larger’. It was also confirmed by the Deputy Commissioner that there was potential for more fines to be issued against other companies.

The Deputy Commissioner also said the size and scope of the investigation will be a model for the ICO going forward. From establishing command and control structures to gathering evidence appropriately to using a law-enforcement program called HOMES that’s usually used for major organized crime investigations, the ICO greatly buffeted their investigatory skills while looking into the Facebook-app situation.

“We very much think this is the future for the kind of work we do,” said Johnstone, “large whole ecosystem investigations will be the future for us.”

Unfortunately, said Denham, not every DPA can model themselves on the ICO’s lessons learned in this situation. “We were provided with new powers in the 2018 DPA,” she said. “We have the ability to do no-notice inspections, to retrieve information stored in the cloud; we have a quicker process for warrants. These are really important powers that not many of our colleagues in Europe have. And these are important powers for moving fast.”

Share This