Credit reference agencies also facing ICO audit
The UK’s Information Commissioner’s Office (ICO) has slapped Facebook with a £500,000 fine “for lack of transparency and security issues”, demanded a shakeup of data management practices by 11 UK political parties, and will also be conducting audits of leading credit reference companies like Equifax.
The UK’s data watchdog this morning released both the interim results of a 14-month investigation into the use of data in political campaigns – triggered by the Cambridge Analytica/Facebook scandal – and published recommendations resulting from the investigation in a partner report, “Democracy Disrupted?”
The fine is equivalent to less than 0.001 percent of Facebook’s 2017 revenues and unlikely to leave the social media giant cowering. It is, however, the maximum allowed under the Data Protection Act 1998, the legislation in force when the breach occurred.
Meanwhile, the ICO’s investigation has also triggered criminal proceedings against Cambridge Analytica’s parent company SCL Elections.
ICO: “We Are At a Crossroads”
Information Commissioner Elizabeth Denham said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.”
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
She added: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
Her 40-strong team’s investigation looked into 172 organisations of interest, interviewed over 100 individuals and has identified a total of 285 individuals relating to its investigation, which was triggered by Carole Cadwalladr’s award-winning reporting for the Guardian Media Group about the relationship between Cambridge Analytica (CA) and the Leave.EU campaign during the EU referendum.
“We were significantly concerned around the nature of the data that the political parties had access to,” Deputy Information Commissioner Steve Wood said, “and we followed the trail to look at the different data brokers who were supplying the political parties.”
The ICO said in its second report: “We opened this report by asking whether democracy has been disrupted by the use of data analytics and new technologies.”
“Throughout this investigation, we have seen evidence that it is beginning to have a profound effect whereby information asymmetry between different groups of voters is beginning to emerge. We are now at a crucial juncture where trust and confidence in the integrity of our democratic process risks being undermined if an ethical pause is not taken.”
Sending warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices, the ICO added: “We have concluded that there are risks in relation to the processing of personal data by many political parties. Particular concerns include: the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, and use of third party data analytics companies with insufficient checks around consent.”
On the “Leave” side of the Brexit referendum, the ICO said: “We are investigating whether and to what extent Vote Leave transferred the personal data of UK citizens outside the UK and… whether that personal data has also been unfairly and unlawfully processed. We expect to take decisions on potential formal enforcement action within the next three months.”
On the “Remain” side, the ICO noted: “We are investigating the collection and sharing of personal data by the official Remain campaign, the In Campaign Limited, trading as Britain Stronger in Europe (BSiE), and a linked data broker. We are specifically looking at inadequate third party consents and the fair processing statements used to collect personal data.”
Since 25 May 2018, when GDPR came into force, the ICO has had the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (€20m) or 4% of global turnover. It also has new strengthened powers