Facebook continues to face fallout over the Cambridge Analytica scandal, which revealed how user data was stealthily obtained by way of quizzes and then appropriated for other purposes, such as targeted political advertising. Today, the U.K. Information Commissioner’s Office (ICO) announced that it would be issuing the social network with its maximum fine, £500,000 ($662,000) after it concluded that it “contravened the law” — specifically the 1998 Data Protection Act — “by failing to safeguard people’s information.”

The ICO is clear that Facebook effectively broke the law by failing to keep users data safe, when their systems allowed Dr Aleksandr Kogan, who developed an app, called “This is your digital life” on behalf of Cambridge Analytica, to scrape the data of up to 87 million Facebook users. This included accessing all of the friends data of the individual accounts that had engaged with Dr Kogan’s app.

The ICO’s inquiry first started in May 2017 in the wake of the Brexit vote and questions over how parties could have manipulated the outcome using targeted digital campaigns.

Damian Collins, the MP who is the chair of the Digital, Culture, Media and Sport Committee that has been undertaking the investigation, has as a result of this said that the DCMS will now demand more information from Facebook, including which other apps might have also been involved, or used in a similar way by others, as well as what potential links all of this activity might have had to Russia. He’s also gearing up to demand a full, independent investigation of the company, rather than the internal audit that Facebook so far has provided. A full statement from Collins is below.

The fine, and the follow-up questions that U.K. government officials are now asking, are a signal that Facebook — after months of grilling on both sides of the Atlantic amid a wider investigation — is not yet off the hook in the U.K. This will come as good news to those who watched the hearings (and non-hearings) in Washington, London and European Parliament and felt that Facebook and others walked away relatively unscathed. The reverberations are also being felt in other parts of the world. In Australia, a group earlier today announced that it was forming a class action lawsuit against Facebook for breaching data privacy as well. (Australia has also been conducting a probe into the scandal.)

The ICO also put forward three questions alongside its announcement of the fine, which it will now be seeking answers to from Facebook. In its own words:

1. Who had access to the Facebook data scraped by Dr Kogan, or any data sets derived from it?
2. Given Dr Kogan also worked on a project commissioned by the Russian Government through the University of St Petersburg, did anyone in Russia ever have access to this data or data sets derived from it?
3. Did organisations who benefited from the scraped data fail to delete it when asked to by Facebook, and if so where is it now?

The DCMS committee has been conducting a wider investigation into disinformation and data use in political campaigns and it plans to publish an interim report on it later this month.

Collins’ full statement:

Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way. This cannot by left to a secret internal investigation at Facebook. If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.

Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica. The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of their internal investigations known to the ICO, our committee and other relevant investigatory authorities.

Facebook state that they only knew about this data breach when it was first reported in the press in December 2015. The company has consistently failed to answer the questions from our committee as to who at Facebook was informed about it. They say that Mark Zuckerberg did not know about it until it was reported in the press this year. In which case, given that it concerns a breach of the law, they should state who was the most senior person in the company to know, why they decided people like Mark Zuckerberg didn’t need to know, and why they didn’t inform users at the time about the data breach. Facebook need to provide answers on these important points. These important issues would have remained hidden, were it not for people speaking out about them. Facebook’s response during our inquiry has been consistently slow and unsatisfactory.

The receivers of SCL elections should comply with the law and respond to the enforcement notice issued by the ICO. It is also disturbing that AIQ have failed to comply with their enforcement notice.

Facebook has been in the crosshairs of the ICO over other data protection issues, and not come out well.