ICO intends to fine Facebook £500,000 and calls for statutory Code of Practice to regulate use of personal information in political campaigning

July 10, 2018

The ICO has published two reports arising from their investigation into the use of data analytics in political campaigns, an investigation which began in March 2017.

An investigation update sets out their findings so far and reports on the resulting enforcement action.

The report concludes that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others. Accordingly, the ICO has issued a Notice of Intent to fine the company £500,000, the maximum available under the DPA 1998. A final decision will be made once the ICO has received a response from Facebook later this month. The report notes that a Notice of Intent would not normally be published, but the Commissioner decided to do so on this occasion given the public interest.

Other regulatory action set out in the report comprises:

  • warning letters to 11 political parties and notices compelling them to agree to audits of their data protection practices;
  • an Enforcement Notice for SCL Elections Ltd to compel it to deal properly with a subject access request;
  • a criminal prosecution for SCL Elections Ltd for failing to properly deal with the ICO’s Enforcement Notice;
  • an Enforcement Notice for Aggregate IQ to stop processing retained data belonging to UK citizens;
  • a Notice of Intent to take regulatory action against data broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd); and
  • audits of the main credit reference companies and Cambridge University Psychometric Centre.

The investigators also found that there is room for improvement in the way that universities handle the data collected by their researchers. While there are clear structures in place to handle ethical issues, the same cannot be said for data protection.

The investigation is expected to continue until October 2018 as there is a considerable amount of relevant material to review from retrieved servers and equipment, more people to interview and a need to audit organisations linked to the investigation to examine their systems for traces of Facebook data. 

The other report, Democracy disrupted? Personal information and political influence, looks more widely at the use of personal data in political campaigning. According to the ICO, it

‘intends to “draw back the curtain” on how personal information is used in modern political campaigns. It summarises the policy findings from our data analytics investigation, making recommendations in respect of the transparent and lawful use of data analytics in political campaigns in the future’

The Information Commissioner announced the need for the report in May 2017 after reviewing the allegations in the initial investigation. It runs alongside the Culture and Media select committee’s own investigation into ‘fake news’, and the ICO has been sharing their findings with the committee. The report itself provides a useful overview of how data is used to profile and target individuals, and of the concerns that political parties are insufficiently transparent about how they obtain data and what consent they have obtained for its use in political activities.

The report makes ten recommendations, including that the Government should legislate at the earliest opportunity for a statutory Code of Practice for the use of personal information in political campaigns under the DPA 2018. Others include requirements for political parties to conduct data protection impact assessments when sourcing third-party data or using software to profile voters. Accordingly, the ICO has written to 11 political parties outlining what needs to be done and requesting a response within 3 months.

Both reports are available in full from the ICO website.