The Information Commissioner’s Office (ICO) warned Facebook back in July that it was planning to issue the fine. Facebook (FB) then tried to have the fine reduced, but it failed, and on Thursday the ICO announced it was standing its ground.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation,” said Information Commissioner Elizabeth Denham.

A researcher named Aleksandr Kogan used his access to Facebook to harvest the details of up to 87 million people around the world, then shared some of this information with organizations including the SCL Group, the parent company of political consultancy Cambridge Analytica. Privacy advocates had warned Facebook about allowing this sort of access previously, but it only changes its rules in 2014.

If you’re wondering why the fine was so small, the clue lies in the “previous legislation” part of Denham’s quote.

The fearsome EU General Data Protection Regulation (GDPR), which allows fines of up to 4% of a company’s global revenues, only came into effect in May this year. Facebook’s illegal actions—allowing application developers access to users’ personal data without the users’ proper consent—occurred between 2007 and 2014, when the U.K. had weaker privacy legislation with lower potential fines.

“The fine would inevitably have been significantly higher under the GDPR,” said Denham.

However, the regulator also noted that the ICO’s enforcement actions aren’t just about monetary fines (the cash goes to the U.K. Treasury, in case you’re wondering) but also about making companies change their ways.

Facebook said in a statement that it disagreed with some of the ICO’s findings, but it has “said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.” Facebook only suspended Cambridge Analytica and SCL from the social network this year, after the scandal broke.

“Our work is continuing,” said Denham. “There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”