Facebook fined £500,000 over Cambridge Analytica data breach scandal
The Information Commissioner’s Office (ICO) said “serious breaches of data protection law” had occurred in relation to the Cambridge Analytica scandal.
The fine is the maximum punishment the ICO could impose under the pre-GDPR legislation in force when the incidents occurred.
Elizabeth Denham, Information Commissioner, said: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
The ICO found that between 2007 and 2014 Facebook “unfairly” allowed app developers access to users’ personal information “without clear and informed consent”.
This led to one developer harvesting Facebook data of up to 87 million people worldwide – including one million UK users – without their knowledge.
Some of this data was shared with Cambridge Analytica, which used it for political campaigning in the US.
The ICO first told Facebook in July that it intended to issue the fine.
In a statement confirming the penalty, the watchdog said: “Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion.”
A Facebook spokesperson said: “We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.
“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica. Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”