In short: Yes, had Facebook’s transgressions happened in the GDPR-era, said U.K. ICO Elizabeth Denham, “the fine would have been much larger. But we’re limited by what was possible with the old Data Protection Act.”

However, the 500,000-pound fine the ICO issued to Facebook today, the maximum allowed under the former Data Protection Act, is not the end of the investigation into the way personal data is being used to influence democracy in the United Kingdom.

“There’s the potential for further activity against a number of other players in the ecosystem,” said Deputy Commissioner James Dipple-Johnstone. “We already have large inquiries underway against some of the data brokers. We’re looking into uses of some of the credit reference data, doing audits of the credit reference agencies. We will be auditing some of the data brokers, and we’ve audited some of the academic institutions that were involved.”

“There isn’t a more important issue for us today than our democracy being disrupted,” said Denham, pointing to a recently released report from the ICO’s office, “Democracy Disrupted?”, which outlines the way personal data has been harvested and deployed to micro-target certain populations and influence their voting.

“There are those looking to change the law, to expose it,” said Denham. “Then there is the political context, with the [Brexit] referendum, and whether there was cheating, and does that make the referendum null and void? That’s a really challenging question.”

In truth, the Facebook-Cambridge Analytica story, which Denham called the “biggest data protection story in the last 10 years,” has two facets. The first is essentially a vendor management issue for Facebook. Between 2007 and 2014, the ICO has found Facebook unfairly processed the personal information of its users by allowing app developers access to the data without getting informed consent. It also failed to keep the personal information secure, as it didn’t take the proper steps to audit which data was being accessed and by which developers.

Finally, even after the issue was discovered, in 2015, the ICO found that Facebook didn’t do enough to remedy the problem, noting that Cambridge Analytica wasn’t even suspended from the platform until 2018.

The European Parliament, in fact, issued a resolution today calling for Facebook to open itself up to auditors from the European institutions. 

However, there is the bigger and more global question of how personal data is being used in electioneering, which made up the greater portion of both the ICO's side even and the Parliament's resolution.

“Our role,” said ICO enforcement head Steve Wood, “is to enforce the law and ensure that it’s complied with, but equally we have an ethical duty to look at where there are gaps in the law posing a risk to the public and make recommendations to ensure the risk we’ve identified can be addressed in the future.”

Particularly, political parties will be under scrutiny going forward, and the ICO recommends the creation of a statutory code of practices covering the use of personal data in political campaigning. “We know it’s a difficult area,” Wood said. “How do we actually ensure that parties take this seriously? How do we provide a level playing field?”

If one party plays by the rules and loses to another that hasn’t, there will hardly be incentive for campaigners to play by the rules unless there is some kind of enforcement or consequences for unethical actions.

“Transparency,” said Wood, “is an easy thing to say, but it can be complicated in practice. In the context of an election, it’s the entire adult population that needs to be notified. … So we’ve made recommendations about how there needs to be more general information, like a general privacy awareness site, that tells them how political parties use data, in addition to notices on political web sites.”

Wood also identified Facebook’s new practice of identifying in North America which ads are paid political ads and who did the paying. Now Facebook plans to roll that out for the U.K., “so people can understand who’s paying for what, and it will go in an archive so you can see all of the ads paid for and by what party or campaign,” said Wood.

Finally, Dipple-Johnstone said the size and scope of the investigation will be a model for the ICO going forward. From establishing command and control structures to gathering evidence appropriately to using a law-enforcement program called HOMES that’s usually used for major organized crime investigations, the ICO greatly buffeted their investigatory skills while looking into the Facebook-app situation.

“We very much think this is the future for the kind of work we do,” said Johnstone, “large whole ecosystem investigations will be the future for us.”

Unfortunately, said Denham, not every DPA can model themselves on the ICO’s lessons learned in this situation. “We were provided with new powers in the 2018 DPA,” she said. “We have the ability to do no-notice inspections, to retrieve information stored in the cloud; we have a quicker process for warrants. These are really important powers that not many of our colleagues in Europe have. And these are important powers for moving fast.”