The UK Data Protection Authority concluded its investigation in the wake of the Cambridge Analytica scandal.

What are the allegations? Between 2007 and 2014, Facebook allowed application developers access to users’ information without clear and informed consent. Even if users had not downloaded the app, but were simply ‘friends’ with people who had, their data was exposed. This is how developers like Aleksandr Kogan could obtain data of up to 87m people.

Why is the fine not higher? Because the events date back to a time pre-GDPR. As a result, the ICO had to use the instruments available under the previous Data Protection Act, and issue a fine of £500k – the maximum possible under the previous law. The ICO noted the fine would have been much higher under GDPR, and stated that it took action “to drive meaningful change in how organisations handle people’s personal data”.