In July 2018, the U.K. Information Commissioner’s Office released its first report on the use of personal data in political campaigns. As Colin noted in his Privacy Perspectives post last July, "Democracy Disrupted" outlined the scale and complexity of the issue, made a series of policy recommendations and signaled the ongoing investigations into a variety of organizations. Its overall purpose was to pull back the curtain on voter analytics and shed some light on the technological and organizational complexities of contemporary campaigning.
The ICO's second report, released Nov. 6, summarizes the results of these investigations, and the enforcement actions taken to date. Overall, the investigations “found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system.”
In this more recent report, the ICO claims to have engaged in the largest-scale investigation in the history of data protection. In 18 months the ICO spent £1.4 million, deployed 40 investigators, identified 172 organizations of interest, spotlighted 30 of these organizations, collected 700 terabytes of data, some of which was recovered from destroyed hardware, and filed one criminal prosecution. It also describes the fines, the notices of intent, the enforcement and assessment notices, as well as the areas where no evidence of wrongdoing was found.
The scope of this investigation is impressive. The ICO capitalized on the Cambridge Analytica conflict to unearth multiple instances of data abuse. Social media companies, data brokers, credit-reporting agencies, and universities have all been put under scrutiny. Additionally, eleven political parties from across the political spectrum, as well as organizations from both sides of the Brexit campaign, were investigated. So there can be no concerns about partisan favoritism.
The public and media interest in the ICO’s investigation has also been unprecedented from the moment that agents of the ICO stepped out from behind their desks, clad in windbreakers adorned with the ICO logo, and raided the offices of Cambridge Analytica.
All main political parties investigated were issued warnings for their failure to comply with the GDPR. Going forward, parties must submit a data protection impact assessment to process data. The parties have three months to comply, and the ICO is also recommending a statutory code of practice for the use of personal data in political campaigns.
Cambridge Analytica was found to have a fundamental disrespect for data protection law. The ICO is pursuing a criminal prosecution for failure to adhere to the enforcement notice regarding David Carroll’s data subject access request. The criminal trial has been set for January 9, 2019; the ICO is also referring CA to the Insolvency Service.
Facebook has been fined £500,000, the largest amount permissible under the 1998 Data Protection Act, for their failures to adhere to the first (fair and lawful processing) and seventh (security) data protection principles. Outstanding issues regarding Facebook’s targeting functions and monitoring practices have been referred to the Irish Data Protection Commission.
Eldon Insurance and Leave.EU both face a £60,000 penalty for sharing email lists and cross-promotion without consent. Eldon Insurance (trading as GoSkippy) is still under investigation for allegedly sharing customer data with Leave.EU.
This report is also telling of what’s still to come. Several data-brokers and credit reporting agencies have come under the scrutiny of the ICO. Assessment notices have been issued to Experian, Equifax, and Call Credit, and all are currently being audited. Likewise, Acxiom, Data Locator Group, and GB Group PLC have all received assessment notices. The ICO will be issuing a report on their findings on these groups later this year, which will hopefully shed light on an industry that has long operated in the dark.
Some organizations were partially exonerated. The ICO has found no evidence of illegal processing of U.K. data by the Canadian firm AIQ; but investigations by the federal and British Columbia privacy commissioners are ongoing. The investigation found no evidence that Big Data Dolphins ever functioned or transferred data to the University of Mississippi as was once alleged; nor did it find any evidence that Cambridge Analytica completed work on the Brexit referendum.
Political parties are on the hook for not ensuring data brokers provide a record of adequate consent. Emma’s Diary faces monetary penalties for selling data to Experian without consent, which was then purchased by the Labour Party.
The ICO report recognizes that digital campaigning is here to stay. In the highly contested field of politics, digital campaigning is cheaper and arguably more effective at engaging voters, especially younger ones, during a time of low turnout rates. It cautions that the rate of change in voter targeting has “been so rapid that many voters are unaware of the scale and context in which they are being targeted.” The report is quick to caution, however, that without transparency and trust, “we are at risk of developing a system of voter surveillance by default.”
The ICO’s past, current and future work on personal data in the electoral context has widespread international implications. It demonstrates the disturbing climate of data-driven campaigns in U.K. politics, and offers some clues to what might happen in other parliamentary systems such as Canada. These ICO reports will continue to provide compelling evidence that political parties everywhere should be subject to the oversight of data protection authorities.
More generally, this work obviously represents a significant shift in the discourse about privacy. The risks are a lot more obvious. Elections can be won and lost depending on how data is captured, used and disseminated.
Above all, the Cambridge Analytica scandal, and its many ramifications, have elevated the debate about data protection to a new level: The illegal processing of personal data in the electoral context is now not just about privacy, it's also about the integrity of the democratic process.
Top image from Channel 4 News interview.