Britain’s information regulator slapped Facebook with a small but symbolic fine for breaches of data protection law after millions of users’ data was improperly accessed by consultancy Cambridge Analytica.

The 500,000 pound ($663,850) fine is less than 10 minutes worth of revenue for the social media firm worth $590 billion, whose shares were unchanged, but is the maximum amount allowed and represents the first move by a regulator to punish Facebook for the Cambridge Analytica controversy.

Facebook CEO Mark Zuckerberg has faced questioning by U.S. and EU lawmakers over how the political consultancy obtained the personal data of 87 million Facebook users from a researcher. The company has promised to introduce reforms to its policies before local elections in Britain next year.

Ads

Information Commissioner Elizabeth Denham said Facebook had broken the law by failing to safeguard people’s information and had not been transparent about how data was harvested by others on its platform.

“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law,” she said in a statement.

Facebook said it was reviewing the report and would respond soon.

It can respond to the Information Commissioner’s Office (ICO) before a final decision on a fine is made.

“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Erin Egan, Facebook’s Chief Privacy Officer, said in a statement, adding it was working closely with the ICO and authorities in the United States and other countries on investigations into the consultancy.

The fine is the maximum allowed under Britain’s old data protection law, although that was replaced by the European Union’s General Data Protection Regulation (GDPR) in May, where companies can be fined up to 4 percent of revenue for breaches.

Charity Privacy International said that regulators were getting tougher on Facebook.

“Regulators have and are using their teeth. And as Facebook needs no reminding, under the EU’s data protection law GDPR, regulators have much bigger and more significant powers, as well as the ability to issue far larger fines,” said Frederike Kaltheuner, data exploitation program lead at the charity.

The U.S. Federal Trade Commission is still investigating Facebook, and is yet to penalize the company.