Facebook fined £500m under information commissioner investigation into data use in political campaigning
- 13 July, 2018 14:05
The UK’s Information Commission Office has fined Facebook £500,000 million and called for a new statutory Code of Practice for use of personal information in political activity following its investment into the practice of using data analytics in political campaigns.
The maximum £500,000 penalty issued to Facebook relates to two breaches of the Data Protection Act that occurred as part of the Cambridge Analytica scandal, now estimated to have impacted 87 million consumers globally. It’s one of a number of recommendations made by the ICO aimed at improving transparency and regulation around the use of consumer data in any form of election campaigning.
The ICO’s work kicked off in March 2017 and was first aimed at looking at how personal data had potentially been misused by campaigns on both sides of the Brexit referendum. In May, the watchdog officially launched an investigation encompassing political parties, data analytics firms and major social media platform providers.
In February this year, the spotlight was firmly placed on Facebook after it emerged the social media giant shared the personal data of at least 50 million users with Cambridge Analytica for the purposes of election campaigning.
The ICO said its regulatory action to date also includes warning letters to 11 political parties and notices compelling them to agree to audits of their data protection policies; a notice of intent to take regulatory action against data broker, Emma’s Diary (Lifecycle marketing (Mother and Baby Limited); an enforcement notice as well as criminal prosecution of SCL Elections, the parent company of the now defunct Cambridge Analytica, for failing to deal with the enforcement notice relating to subject access requests; and audits of main credit reference companies as well as the Cambridge University Psychometric Centre.
In announcing the fine, as well as update on ICO’s investigation and a new recommendation report into personal information being used for political influencer, information commissioner, Elizabeth Denham, said the democratic process is at a crossroads.
“Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes,” she stated. “New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual votes. But this cannot be at the expense of transparency, fairness and compliance with the law.
“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
The ICO labels its investigation one of the largest conducted by a data protection authority and involving 40 staff members. As part of its progress, the group has identified 172 organisations of interest, including 30 for primary focus, as well as 285 individuals relevant to its investigation. In total, 23 information notices have been issued to 17 organisations and individuals including Facebook, CA, Vote Leave, Leave.EU and UKIP.
In its progress report, the watchdog said it had concluded too many risks exist around how personal data is processed by many political parties.
These include organisations purchasing marketing lists and lifestyle information from data brokers without sufficient due diligence; a lack of fair processing and use of third-party data analytics companies without enough consent checks; and questionable practices around assuming ethnicity and age and combining this with electoral data sets.
To combat these, 10 policy recommendations were released by the ICO in its secondary report, Democracy disrupted? Personal information and political influence. These are:
- Political parties must work with the ICO, Cabinet Office and Electoral Commission to identify and implement a cross-party solution to improve transparency around the use of commonly held data.
- The ICO will work with the Electoral Commission, Cabinet Office and political parties to launch a version of its ‘Your Data Matters’ campaign before the next general election aimed at increasing transparency and building electorate trust and confidence.
- A call for political parties to apply due diligence when sourcing personal information from third-party organisations including data brokers, to ensure appropriate consent from individuals in line with GDPR.
- A call for the Government to legislate and introduce a statutory Code of Practice for use of personal information in political campaigns in consultation with the ICO.
- A requirement for third-party audits to be carried out after referendum campaigns are concluded to ensure personal data is then deleted or if shared, has appropriate consent mechanisms in place
- A call for the Centre for Data Ethics and Innovation to work with the ICO and Electoral Commission to conduct an ethical debate in the form of a citizen jury to better understand the impact of new and developing technologies and use of data analytics in political campaigns.
- A call for all online platforms providing advertising services to political parties and campaign to include expertise within the sales support team to provide specific advice on transparency and accountability in relation to how data is used to target users.
- ICO working with the European Data protection Board and relevant lead data protection authorities to ensure online platforms comply with the GDPR, including greater transparency around privacy settings, design and prominence of privacy notices.
- A call for all platforms covered by the report to urgently roll out planned transparency features relating to political advertising in the UK.
- A call for the Government to conduct a review of the regulatory gaps in relation to content and provenance and jurisdictional scope of political advertising online. This includes requirements for digital political advertising to be archived in an open data repository to enable scrutiny and analysis of data.
As a next step, Facebook will be given the opportunity to respond to the ICO’s notice of intent, after which a final decision will be made.
The next phase of the ICO’s work, meanwhile, is expected to be delivered by the end of October.
As part of its global and ongoing response to the Cambridge Analytica scandal as declining consumer trust, Facebook launched a fresh eight-week campaign in Australia, 'Here together', to drive awareness of the changes the social media platform has made to privacy policies and third-party data exchanges.