Facebook was fined in the UK.
Joel Saget / AFP/ Getty Images
The UK Information Commissioner's Office followed through with its plan to fine Facebook £500,000 ($645,000 or AU$912,000) over the harvesting of users' data.
The agency said in its penalty notice that data from at least 1 million British users was "unfairly processed" and that Facebook "failed to take appropriate technical and organisational measures" against that happening.
The fine, tied to the Cambridge Analytica scandal, is the maximum amount allowed under the Data Protection Act 1998. The ICO issued the preliminary fine back in July.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," Elizabeth Denham, the information commissioner, said in a statement.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR."
Facebook noted that it's reviewing the decision, highlighting the previous admission that it "should have done more" to probe the Cambridge Analytica claims in 2015.
"We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica," a Facebook spokesperson said in an emailed statement.
"Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received."
The fine is indeed a fraction of the amount Facebook could have faced if the General Data Protection Regulation — the EU law that gives citizens more control over their personal data — had been in effect when the data was shared. The GDPR would've allowed for a maximum fine of 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.
Now playing: Watch this: Apple, Facebook support more privacy laws
1:32
The social media giant's annual revenue in 2017 was nearly $40 billion, which would have meant a possible fine of $1.6 billion under the GDPR rules.
The ICO didn't immediately respond to a request for further comment.
On Wednesday, Erin Egan, Facebook's chief privacy officer, told a privacy conference at the European Parliament in Brussels that the company would support comprehensive federal privacy regulation in the US.
First published at 2:10 a.m. PT.
Updated at 3:37 a.m. PT: Added new Facebook statement, with line about Cambridge Analytica servers.
Latest update at 9:30 a.m. PT: Added ICO statement.
