The ICO found fault with the access Facebook allowed third party app developers to obtain to the data of users and their Facebook 'friends', and the steps the social networking giant had taken to keep the data secure.
According to the ICO (27-page / 5.59MB PDF), Facebook breached provisions of UK data protection laws that required the company to ensure the personal data it was responsible for was processed fairly and that appropriate technical and organisations measures were in place to guard against unauthorised or unlawful processing of the data.
The ICO's enforcement action comes during an ongoing investigation it has entered into on data analytics for political purposes. It said the data protection law breaches Facebook was responsible for opened the door to users' data being shared with a company involved in political campaigning.
"These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge," the ICO said. "A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US."
"Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018. The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse," it said.
The £500,000 fine is the maximum the ICO could impose for the breaches under the UK's previous data protection regime, the Data Protection Act 1998, which was applicable during the time that the breaches occurred.
Had the same breaches occurred after the General Data Protection Regulation (GDPR) began to take effect, the fine imposed on Facebook would have been "significantly higher", UK information commissioner Elizabeth Denham said.
Denham said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better."