Ireland's Information Commissioner's Office (ICO) issued a £500,000 ($641,976) monetary penalty to Facebook under section 55A of the Data Protection Act 1998 (DPA) for a severe misuse of their users' personal information before May 25.
The May 25 date is significant in this context seeing that since then the ICO can issue civil monetary penalties (CMP) of up to €20 million (£17 million) or 4% of the data controller's global turnover, whichever is bigger.
As detailed in ICO's monetary penalty notice (.PDF), the number of users whose data was processed and had been affected by the data incident around the globe was estimated by Facebook to have reached 87 million.
"The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had," says the ICO press release.
Furthermore, Facebook wasn't able to properly secure the users' personal information because of misconfigured platform applications and developers security checks.
Facebook received the maximum possible fine under the Data Protection Act 1998 for allowing third parties to use their users' data for political purposes
Following Facebook's failed attempt at securing their users' data, a Dr. Aleksandr Kogan and his company GSR was able to secretly collect and exfiltrate information of roughly 87 million people using the "This Is Your Digital Life" app.
Although the app was supposed to collect personal information from Facebook users who have given their consent, it managed to go way beyond data grabbing the data of all friends in those users' Facebook social networks.
"Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion," says the ICO. "In the case of SCL Group, Facebook did not suspend the company from its platform until 2018."
GSR later shared their illegally obtained data sets with the now famous SCL Group, Cambridge Analytica's parent company who managed to use Facebook's platform to influence voters' preferences habits in the U.S. from 2014 and 2016.
Elizabeth Denham, Information Commissioner, concluded that "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better."