Following an investigation launched in 2017 over the use of political campaigns' use of data, the U.K. Information Commissioner's Office has taken several actions against various parties, including warning letters, audit notices, and a notice of intent to levy a 500,000 GBP fine against Facebook.
In a statement, U.K. Information Commissioner Elizabeth Denham said, "Facebook has failed to provide the kind of protections they are required to under the Data Protection Act. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system."
Specifically, the investigation — which the ICO reports is the largest to date of its kind involving data brokers, social media platforms, campaign groups, academic institutions and political parties — looked at whether data used in the U.K.'s Brexit referendum, as well as the U.S. 2016 presidential election, was misused. It followed allegations that data obtained from Facebook by Cambridge Analytica, its parent company, SCL Elections Limited, and Aggregate IQ was used to target voters.
Responding to the fine levied against the company, The Guardian reports Facebook Chief Privacy Officer Erin Egan said, “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”
Denham said of the investigation's findings, “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes. New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."
In an effort to thwart such noncompliance, the ICO has also taken several additional actions related to data sharing and its influence in the EU referendum. That includes "taking steps with a view to bringing a criminal prosecution against SCL Elections Limited for failing to properly deal" with an enforcement notice sent to Cambridge Analytica and SCL Elections Limited. The notice requires SCL to "deal properly" with a subject access request submitted to the company by New School's Parsons School of Design Professor David Carroll, who filed the request last year in an effort to gain insights on how people — specifically, voters — are targeted with ads based on information mined about them.
Cambridge Analytica and SCL shuttered after allegations arose that they used data mined from Facebook to influence the 2016 U.S. presidential elections. The companies began bankruptcy proceedings in May.
The ICO has also sent warning letters to the "main political parties" in the U.K. requiring action and has notified them of audits to be conducted later this year. It issued a "notice of intent for regulatory action" against Emma's Diary, a data broker that provides information to mothers-to-be, and reports it will be performing audits of the main credit reference companies.
As reported by The Guardian, the ICO's Steve Wood said, "We found there were really significant concerns about how Emma’s Diary was gathering the data, particularly involving mothers who were in hospital. We particularly looked at breaches of principle one of the Data Protection Act, covering the lack of transparency and consent from the individuals, in this context, the mothers, and then how that data was subsequently used by the political parties in their profiling, analytics and targeting."
On data brokers' use of information in political campaigns, generally, the ICO said in its report, "Particular concerns include: the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, and use of third party data analytics companies with insufficient checks around consent."
The DPA has also issued an enforcement notice to AggregateIQ, a Canadian political consultancy, "to stop processing retained UK citizen data," according to the office's news release. The ICO says AIQ "had access to personal data of UK voters provided by the Vote Leave campaign. We are currently working to establish from where they accessed that personal data, and whether they still hold personal data made available to them by Vote Leave. We have however established, following a separate report, that they hold UK data which they should not continue hold."
The ICO is looking at whether Vote Leave transferred U.K. citizens' data outside of the country and the legality of that, including potentially unlawful processing. In addition, the ICO is looking at whether insurance companies, specifically Eldon Insurance Services Limited, shared its customer data with Leave.EU for the purposes of political campaigning during the EU referendum.
Finally, the ICO says it will conduct an audit of Cambridge University Psychometric Centre and "recommends that Universities UK work with all universities to consider the risks arising from use of personal data by academics in a university research capacity and where they work with their own private companies or other third parties."
In concert with its regulatory actions, the ICO has published a second report including 10 policy recommendations. Notably, the ICO calls for the U.K government to legislate "at the earliest opportunity to introduce a statutory Code of Practice under the DPA2018 for the use of personal information in political campaigns. The ICO will work closely with Government to determine the scope of the Code." It calls for policymakers, political parties, technology companies and regulators to "take an ethical pause to consider the wider implications of deploying these technologies, in terms of both data protection and ethics."
Reacting to the investigation's findings, the European Data Protection Supervisor tweeted out that it is grateful to the ICO "for this painstaking, ongoing inquiry into abuse of personal data for 'political purposes.' The first of a number of DPAs working to shine a light of accountability into the dark practices behind online political messaging."
European Commissioner for Justice Věra Jourová added to the accolades, tweeting that the investigation "shows the scale of the problem and that GDPR is highly necessary. Social media and political parties are using micro targeting without transparency nor responsibility towards voters."
The investigation is ongoing, and the ICO anticipates its conclusion in October.
photo credit: facebook via Thought Catalog
