How have politicians used our data? The ICO updates on its largest investigation to date

We look at the ICO's progress report about its ongoing investigation into potential data protection breaches and other offences arising from the use of data analytics in political campaigns.

On 10 July 2018, the ICO issued a progress report in relation to its ongoing investigation into the use of data analytics for political purposes. The investigation, which includes scrutiny of the use of data from Facebook and the role played by Cambridge Analytica in political campaigns, was announced in May 2018 (see our earlier article here). The ICO states that it has evidence that some data brokers from whom political parties purchased data for election and campaign purposes had failed to obtain lawful consent to its use.

The ICO has confirmed that this is the largest investigation of its type by a data protection authority, looking at regulatory and criminal breaches across a number of jurisdictions in conjunction with other agencies. The Information Commissioner has used the full range of her powers, including formal notices under the Data Protection Act 1998 (DPA) and Regulation of Investigatory Powers Act 2000 (RIPA), powers of entry under warrant and audit and inspection powers. The offences being examined by the ICO include failure to comply with the DPA principles, failure to comply with the Privacy and Electronic Communications Regulations (PECR) and s.55 DPA offences (by which it is a criminal offence knowingly or recklessly to obtain, disclose or procure personal data without consent). Other offences are being considered.

The ICO’s update report includes confirmation that:

  • it has issued Notices of Intent to:
    • Facebook, indicating that it will levy a fine of £500,000, for failing to safeguard user information and to be transparent about how data was harvested by other companies. This is the maximum fine available under the DPA and - had the breach occurred under the GDPR - could have been significantly greater. Facebook now has the opportunity to make representations, following which a decision will be announced.
    • to data broker Emma’s Diary, for regulatory action.
  • it is taking steps with a view to bringing a criminal prosecution against SCL Elections Ltd (Cambridge Analytica’s parent company)
  • it has issued an Enforcement Notice to prevent the processing of personal UK citizen data by AggregateIQ in Canada, which had a relationship with Cambridge Analytica or its parent. The ICO has established that AggregateIQ had access to the personal data of UK voters during the EU referendum campaign and still holds UK data which they should not, and
  • the main political parties have been issued with formal warnings about their practices and in particular, the purchasing of information from data brokers without sufficient due diligence and inadequate privacy assessments when using the data.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.