Greetings from Portsmouth, New Hampshire!
I’m still in North America this week after my stint in Canada but have headed south of the border and am currently in the USA at our international headquarters. As some of you may know, this is an annual excursion for me, and the occasion also includes a retreat where our management team examines how the year has transpired, assesses what we have learned globally across the organization (and the privacy landscape) during the year, and determines our focus for 2019. For me personally, it’s also an opportunity to connect in person with colleagues, which, as you’ll all know from your own professional experience, is a far better alternative to conference or video calls.
On the news front this week, the big story has been the ICO’s findings of their investigation into the use of data analytics in U.K. political campaigns. The ICO has announced that it intends to fine Facebook a maximum fine (pre-GDPR) of 500,000 sterling for its lack of transparency relating to third-party data harvesting. While the financial penalty is small for Facebook, it is the maximum fine that can be imposed under the applicable U.K. Data Protection Act of 1998. This should serve as a stark warning for companies that now face much more severe enforcement fines under the GDPR.
A similar case, prosecuted under the GDPR, would trigger a "maximum fine" for Facebook, of something nearing $1 billion.
There were also additional enforcement measures announced, including a criminal action pursuit by the ICO against Cambridge Analytica’s defunct parent company SCL Elections. Further, the ICO has sent warning letters to 11 political parties and notices compelling them to agree to audits of their data protection policies, including groups that campaigned both sides of Brexit.
Elizabeth Denham's office is decidedly wading into the mainstream political discourse that is consuming the U.K.
What began as an inquiry into the misuse of Facebook data through the platforms of political digital marketing has resulted in a far deeper probe into the complex ecosystem of online advertising and data brokerage models. Digital campaigning has become "de riguer" and increasingly a key component of modern day political campaigning. This probe, which remains ongoing, is also having ripple effects across the pond here in the North America, as the ICO is also taking action against the Canadian firm AggregateIQ, which worked with both U.S. Senator Ted Cruz’s, as well as Donald Trump's, presidential campaign teams (alongside the U.K.’s Brexit Vote Leave campaign).
One question that is consistently being asked of late: What does this do for our democracy (and our information age as a whole)? In the case of Facebook, through its data broker partnerships, political parties — and movements — have been able to target audience by gender, location, interests and behaviors. Heavily targeted messaging playing on bias is now commonplace; data exploitation and the potential for manipulation is now systemic.
ICO Commissioner Elizabeth Denham said, “We are at a crossroads, trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.” The ICO has gone further with additional recommendations, with a call for the U.K. government to introduce a statutory Code of Practice to guide the use of voter data in political campaigns. In addition, the ICO is calling for a broad public ethics debate involving all parties across the spectrum of players to reflect on their responsibility in the era of big data, before the exponential growth of technological expansion goes beyond the point of no return.
The ICO, as a regulator, is tackling some important societal issues here: It will be interesting to see whether other European regulators will follow suit.
If you want to comment on this post, you need to login.