Replace the ICO
However, it contended that the personal data of UK users was "put at serious risk of being shared" for political campaigning – and thus issued the enforcement action for failing to do enough to protect that info.
I really don't understand the ICO.
I've sent several complaints, all upheld, and they've never fined the scumbags so much as a bean. In the last case, a FTSE 100 company was deliberately choosing to ignore the law despite my having explained in detail that they were breaking the law and given them specific sections of the act they needed to comply with. They were choosing not to comply because doing so would have been embarrassing to them and would have ensured they lost the court case I filed against them. The ICO's answer to such a wilfull breach? A stern letter.
Farcebook, for all I loathe them and their stupid users, seems not to have provably circulated the data, according to the Reg article. Data put at risk of illegal sharing is not the same thing as data being shared illegally. On the one hand we have the maximum fine being levied, and on the other, where a FTSE100 stalwart repeatedly chose to break the law, the minimum penalty. Why the difference? Scale of law breaking isn't a feature of the act.
Not that I think farcebook should have escaped censure, only that if the ICO insist on continuing to play watchdog, then they are going to have to try a lot harder; where a breach has been deliberate it should always result in at least a midrange penalty. There's no excuse for a company making billions of pounds to flagrantly ignore the law to the detriment of their customers.