Facebook has been fined £500,000 for "serious breaches of data protection law" following the Cambridge Analytica privacy scandal.
It is the maximum penalty that can be issued by the Information Commissioner’s Office, the UK data watchdog.
It follows an investigation between 2007 and 2014 that found Facebook processed the personal information of users unfairly by allowing app developers access to users' information without sufficient consent. App developers were able to access their information even if they had not downloaded the that particular app, but were simply "friends" with people who had.
The ICO also ruled that Facebook failed to keep the personal information of users secure because it did not undertake suitable checks on apps and developers using its platform.
The security failures meant that developer Aleksandr Kogan and his company GSR were able to harvest Facebook user data of up to 87 million people without their knowledge.
This data was then shared with other orgnisations, including Cambridge Analytica’s parent company, SCL Group.
Elizabeth Denham, the information commissioner, said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data.
"A company of its size and expertise should have known better and it should have done better."
Cambridge Analytica’s then chief executive, Alexander Nix, wrote in Campaign in 2016 about how his company was heavily involved in political campaigning in the US presidential election.
Nix also claimed that Cambridge Analytica had teamed up with Leave.EU and helped to "supercharge" the Brexit campaign in the 2016 Brexit referendum.
He denied this in a select committee hearing earlier this year after Cambridge Analytica’s data misuse was exposed in March by The Observer through the whistleblower Christopher Wylie. The company ceased trading in May following the scandal.
A Facebook spokesperson said the company is currently reviewing the ICO's decision:
"While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
"We are grateful that the ICO has acknowledged our full co-operation throughout their investigation and have also confirmed they have found no evidence to suggest UK Facebook users' data was in fact shared with Cambridge Analytica.
"Now that their investigation is complete, we are hopeful that the ICO will now let us have access to
CA servers so that we are able to audit the data they received."
Analysis: Spectre of GDPR looms large amid challenging times for Facebook
By Omar Oakes, Campaign's global tech editor
Facebook’s £500,000 fine is, obviously, a drop in the ocean for a company whose revenue passed the $40bn (£31bn) mark in 2017.
But the damage that the Cambridge Analytica scandal has done to the social media giant’s brand comes at a particularly sensitive time ahead of Facebook reporting its third-quarter financial earnings next week.
Facebook’s share price dropped dramatically after its previous earnings disclosure in July, when it reported that user numbers had fallen in Europe for the first time in nine years.
Investors are worried that Facebook demand is now saturated in its most lucrative markets in North America and western Europe. And, this week, Morgan Stanley said that it thinks Facebook will have lost another million users in Europe over the past three months.
Three months ago, Facebook blamed the decline in daily active user numbers on GDPR, because of the way people had to sign a new approval agreement to comply with the European regulations.
But imagine if Facebook was liable for data misuse under the new GDPR rules, which came into effect this year. Instead of facing a maximum £500,000 fine from the ICO, Facebook would be on the hook for a potential €20m.
Companies all over Europe have had to take GDPR extremely seriously because of the prohibitive revenues that can be imposed – a maximum 4% of revenues or up to €20m if you’re as big as Facebook.
Julian Saunders, chief executive and founder of Port.im, a software maker that helps companies comply with GDPR, warned that the regulations have slipped off the agenda since they came into effect in May.
Today’s decision should "act as a wake-up call" against the dangers of complacency, Saunders warned: "A seemingly invincible company has been substantially weakened by a loss of consumer trust because they have had such a cavalier approach to collecting and using personal data."
Facebook remains by far the world’s dominant social media business and has become, alongside Google, an online superpower of digital advertising. There are those, such as VaynerMedia founder Gary Vaynerchuk, who believe social media advertising is still underpriced and that Facebook can grow even further.
But this remains a challenging period for a business that is fighting on several fronts. Even with Nick Clegg now fighting its corner.