Britain's data protection watchdog fined Facebook 500,000 pounds (645,000 dollars) on Thursday for "serious breaches of data protection law" in connection with the Cambridge Analytica scandal.
Between 2007 and 2014, Facebook processed user data "unfairly" by allowing app developers to access the data without explicit and informed consent, according to the Information Commissioner's Office.
"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data," Elizabeth Denham, Britain's information commissioner, said in a statement.
"A company of its size and expertise should have known better and it should have done better," Denham said.
Denham's office launched its investigation in the wake of Facebook's admission that it improperly shared the personal data of millions of users with Cambridge Analytica, a data analytics firm based in London.
Cambridge Analytica used the data in 2016 to support the campaign for Britain to leave the European Union, as well as for U.S. President Donald Trump's election campaign.
App developer Aleksandr Kogan and his company GSR, which collaborated with Cambridge Analytica, were able to harvest the Facebook data of at least 1 million users in Britain and up to 87 million worldwide without their knowledge as a result of Facebook's failure to secure the data, the watchdog said.
Kogan, a psychology professor at Britain's Cambridge University, told the BBC earlier this year that he was being "used as a scapegoat" by Facebook and Cambridge Analytica over the misuse of the data.
Facebook said on Thursday that it disagreed with some of the watchdog's findings but accepted that it should have taken action on the claims related to Cambridge Analytica much earlier.
"We are currently reviewing the ICO's decision," A Facebook spokesperson said in an emailed statement. "While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015."
Facebook added that it hoped the watchdog would allow access to Cambridge Analytica servers "so that we are able to audit the data they received."
The watchdog said some of the harvested Facebook data was later shared with the SCL Group, the parent company of Cambridge Analytica, and other organizations.
Facebook failed to take proper action to halt the practice even after the misuse of the data was discovered in December 2015, it said.
The social media giant only suspended SCL Group from its platform this year, the watchdog said, adding that personal data harvested from at least one million British users had been "put at risk of further misuse."
The British watchdog said it applied the maximum fine possible under old rules that applied before the EU introduced a new General Data Protection Regulation in May.
The Irish government announced earlier this month that it is investigating possible breaches of the GDPR rules by Facebook.