The UK’s independent regulator for data protection Information Commissioner’s Office is considering penalizing Facebook an amount of £500,000 (around $660,000) for breaching the Data Protection Act 1998.

Facebook, along with Cambridge Analytica, has been the focus of an investigation since February this year when evidence emerged that an app had been used to harvest the data of users across the world. These were then used to skew the public opinion during the 2016 U.S. elections.  Facebook admitted later that 87 million users were affected by the breach.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how users’ information was harvested by others.

“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law” said Elizabeth Denham, the Information Commissioner.

“People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.”

In a written follow- up answers to the EU parliament two months ago, Facebook founder Mark Zuckerberg indicated that he has no intention to compensate EU users. “This was clearly a breach of trust. However, it’s important to remember that no bank account details, credit card information or national ID numbers were shared. Aleksandr Kogan, the app developer in this case, contracted to sell the information of people in the US – not people in the EU – to Cambridge Analytica and Kogan himself testified that he only transferred the data of US users” said Zuckerberg.

Other regulatory action set out in the ICO’s report comprises warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices; a criminal prosecution for SCL Elections Ltd for failing to properly deal with the ICO’s Enforcement Notice and an Enforcement Notice for Aggregate IQ to stop processing retained data belonging to UK citizens; with many other actions.