Information Commissioner Elizabeth Denham this week released her office’s updated report into the use of data in political campaigns (10 July 2018).
The Commissioner subsequently announced a record-breaking fine of £500,000 against Facebook, reflecting Ms Denham’s view of the seriousness of Facebook’s breaches.
You will recall that in March 2017, amid some controversy surrounding the use of personal data in political campaigns, the ICO commenced an investigation into whether personal data had been misused by both “Leave” and “Remain” sides of the referendum on EU membership.
In May 2018 the ICO widened the scope of its inquiries. The ICO was now looking at data analytics companies, political parties and the large social media platforms.
The updated report gives more particulars of the individuals and entities under investigation, as well as ICO enforcement measures to date.
To recap: Cambridge Analytica and Facebook have been at the centre of the inquiry since February this year, when, spectacularly, the scandal broke. In short, evidence came to light that an app had been created and deployed to “harvest”, or gather, the personal data of an estimated 50 million Facebook users across the world. Later this figure rose and is now estimated at 87 million.
The ICO’s inquiry concluded that Facebook broke the law by failing to take adequate steps to safeguard users’ personal data. The ICO went on to state that this failure was compounded by the ICO’s finding that Facebook lacked transparency about how this breach occurred.
Facebook has now been fined £500,000. They will have a right to make representations in response to the Commissioner’s Notice of Intent. The decision will then be finalised.
The ICO has also undertaken the following enforcement actions (source: ICO office, 11.07.18):
(1) warning letters to 11 political parties and notices regarding audits of their data protection policies;
(2) Enforcement Notice for SCL Elections Ltd;
(3) Criminal proceedings for SCL Elections Ltd;
(4) Enforcement Notice for Aggregate IQ to cease and desist processing retained personal data of UK citizens;
(5) Notice of Intent against data broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd); and
(6) audits of the main credit reference companies and Cambridge University Psychometric Centre.
When interviewed on BBC Radio 4’s Today programme (11 July 2018), Ms Denham indicated the fine would have been significantly higher had the new GDPR regulations been in force at the time of the breaches.