Brazil's Ministry of Justice has stepped in to fine Facebook for the improper sharing of data arising out of the Cambridge Analytica case, which involved the profiling of individuals on their political preferences. Reuters reports as follows:
Brazil’s Ministry of Justice said on Monday it fined U.S. tech giant Facebook Inc 6.6 million reais ($1.6 million) for improperly sharing user data.
The ministry’s department of consumer protection said it had found that data from 443,000 Facebook users was improperly made available to developers of an App called “thisisyourdigitallife.”
The data was being shared for “questionable” purposes, the ministry said in a statement.
Facebook said in an emailed statement that it was evaluating its legal options regarding the case.
(Privacy press clipping sourced via Reuters)
This is the latest enforcement action arising out of the Cambridge Analytica case. It appears that the Brazilian Ministry of Justice has used general statutory powers to enforce a fine in respect of a breach of the privacy of individuals resident in Brazil. It is not clear whether Facebook will appeal or not. Facebook has appealed smaller fines in the past (see the UK’s ICO fine, below, which was resolved by settlement in 2019).
This fine sits in the middle to lower range of what can be expected under a general statute. The United Kingdom’s ICO, last year, resolved a fine of GBP 500,000 against the Facebook companies – which is smaller than the BRL 6.6 million fine imposed by Brazil. The ICO would no doubt have liked to impose a larger fine, and likely would have done so, if the GDPR-penalty provisions had been in effect. The U.S. Federal Trade Commission recently fined Facebook USD 5 billion, for wide-ranging deceptive practices in respect of how user data is processed by the social media platform. Canada, on the other hand, does not have the legal framework in place to support similar fines, a situation decried by British Colombia’s Privacy Commissioner Michael McEvoy.
This fine, documented in our database, comes ahead of the introduction of a more substantive privacy law framework in Brazil in 2020, which is said to be modelled on the GDPR.