The full report can be accessed here.
In her introductory message, Elizabeth Denham, the
Information Commissioner, states:
The invisible, ‘behind
the scenes’ use of personal data to target political messages to individuals
must be transparent and lawful if we are to preserve the integrity of our
election process. We may never know whether individuals were unknowingly
influenced to vote a certain way in either the UK EU referendum or the in US
election campaigns. But we do know that personal privacy rights have been
compromised by a number of players and that the digital electoral ecosystem
needs reform. …
uncovered significant issues, negligence and contraventions of the law. Now we
must find the solutions. What can we do to ensure that we preserve the
integrity of elections and campaigns in future, in order to make sure that
voters are truly in control of the outcome?
The Executive Summary of the Report is as follows:
The Information Commissioner announced in May 2017 that she
was launching a formal investigation into the use of data analytics for
political purposes after allegations were made about the ‘invisible processing’
of people’s personal data and the micro-targeting of political adverts during
the EU Referendum.
The investigation has become the largest investigation of
its type by any Data Protection Authority – involving online social media
platforms, data brokers, analytics firms, academic institutions, political
parties and campaign groups.
This is the summary report of our investigation. It covers
the areas we investigated, our findings and our actions to date. Where we have
taken regulatory action, the full details of our findings are – or will be –
set out in any final regulatory notices we issued to the parties being
A separate report, Democracy
Disrupted? Personal Information and Political Influence was published in
July 2018, covering the policy recommendations from the investigation.
One of the recommendations arising from this report was that
the Government should introduce a statutory code of practice for the use of
personal data in political campaigns and we have launched a call for views on
We will continue to pursue any actions still outstanding at
the time of writing. Regulatory action taken to date:
- We sent 11 warning letters requiring action by the main
political parties, backed by our intention to issue assessment notices for
audits later this year.
We have concluded that there are risks in relation to the
processing of personal data by many political parties. Particular concerns
include the purchasing of marketing lists and lifestyle information from data
brokers without sufficient due diligence, a lack of fair processing and the use
of third party data analytics companies, with insufficient checks around
Cambridge Analytica and SCLE Elections Limited
- Cambridge Analytica (CA) is a trading name of SCLE Elections
Ltd (SCLE) and so the responsibilities of the companies often overlapped. Both
are subsidiaries of SCLE Group (SCLE). For ease of reading we will be referring
to all the company entities using Cambridge Analytica.
- We issued an enforcement notice requiring the company to
deal properly with Professor David Carroll’s Subject Access Request.
- Despite the company having entered into administration, we
are now pursuing a criminal prosecution for failing to properly deal with the
- While we are still conducting our investigations and
analysis of the evidence we have recovered so far, we’ve already identified
serious breaches of data protection principles and would have issued a substantial
fine if the company was not in administration.
- We are in the process of referring CA to the Insolvency
- We issued Facebook with the maximum monetary penalty of
£500,000 available under the previous data protection law for lack of
transparency and security issues relating to the harvesting of data. We found
that Facebook contravened the first and seventh data protection principles
under the Data Protection Act 1998 (DPA1998).
- We are in the process of referring other outstanding issues
about Facebook’s targeting functions and techniques used to monitor
individuals’ browsing habits, interactions and behaviour across the internet
and different devices to the Irish Data Protection Commission, as the lead
supervisory authority for Facebook under the General Data Protection Regulation
Leave.EU and Eldon Insurance
- We issued a notice of intent to fine both Leave.EU and Eldon
Insurance (trading as GoSkippy) £60,000 each for serious breaches of the
Privacy and Electronic Communications Regulations 2003 (PECR), the law which
governs electronic marketing. More than one million emails were sent to
Leave.EU subscribers over two separate periods which also included marketing
for GoSkippy services, without their consent. This was a breach of PECR
- We also issued a notice of intent to fine Leave.EU £15,000
for a separate, serious breach of PECR regulation 22 after almost 300,000
emails were sent to Eldon Insurance (trading as GoSkippy) customers containing
a Leave.EU newsletter.
- We have issued a preliminary enforcement notice to Eldon
Insurance under s40 of the DPA1998, requiring the company to take specified
steps to comply with PECR regulation 22. We will follow this up with an audit
of the company.
- We are investigating allegations that Eldon Insurance
Services Limited shared customer data obtained for insurance purposes with
Leave.EU. We are still considering the evidence in relation to a breach of
principle seven of the DPA1998 for the company’s overall handling of personal
data. A final decision on this will be informed by the findings of our audit of
We have also begun a wider piece of audit work to consider
the use of personal data and data sharing in the insurance and financial
Relationship between AggregateIQ, Vote Leave and other leave
- We issued an Enforcement Notice to AggregateIQ to stop
processing retained UK citizen data.
- We established the contractual relationship between
AggregateIQ and the other related parties. We also investigated their access to
UK personal data and its legality. And we engaged with our regulatory
colleagues in Canada, including the federal Office of the Privacy Commissioner
and the Office of the Information and Privacy Commissioner, British Columbia to
assist in this work.
- We are still looking at how the Remain side of the
referendum campaign handled personal data, including the electoral roll, and
will be considering whether there are any breaches of data protection or
electoral law requiring further action. We investigated the collection and
sharing of personal data by Britain Stronger in Europe and a linked data
broker. We specifically looked at inadequate third party consents and the fair
processing statements used to collect personal data.
- We conducted an audit of the Cambridge University
Psychometric Centre and made recommendations to ensure that the university
makes improvements to its data protection and information security practices,
particularly in the context of safeguarding data collected by academics for
- We also recommended that Universities UK work with all
universities to consider the risks arising from use of personal data by
academics. They have convened a working group of higher education stakeholders
to consider the wider privacy and ethical implications of using social media
data in research, both within universities and in a private capacity.
- We issued a monetary penalty in the sum of £140,000 to data
broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Limited), for a
serious breach of the first principle of the Data Protection Act 1998.
- We issued assessment notices to the three main credit
reference agencies – Experian, Equifax and Call Credit – and are in the process
of conducting audits.
- We have issued assessment notices to data brokers Acxiom
Ltd, Data Locator Group Ltd and GB Group PLC.
- We have looked closely at the role of those who buy and sell
personal datasets in the UK. Our existing investigation into privacy issues
raised by their services has been expanded to include their activities in