The Information Commissioner’s Office (ICO) has published its report to Parliament bringing the ICO’s investigation into the use of data analytics in political campaigns up-to-date. It is the largest investigation of its type undertaken by any supervisory authority and the report covers areas investigated, findings and actions to date.
Particular concerns surrounding voters’ personal privacy include the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing and the use of third party analytics companies with insufficient checks around consent. The enforcement actions taken include:
• Fining Facebook the maximum penalty for serious breaches of the first and seventh principles of the Data Protection Act 1998.
• Instigating criminal proceedings against SCLE Elections Ltd (trading as Cambridge Analytica) for failing to properly deal with an enforcement notice dated 4 May 2018, in relation to a data subject access request. A trial is set for 9 January 2019 at Hendon Magistrates’ Court.
• Issuing a notice of intent to fine both Leave. EU and Eldon Insurance (trading as GoSkippy) £60,000 each for serious contraventions of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (SI 2003 2426) (PECR).
• Issuing a notice of intent to fine Leave.EU £15,000 for serious contraventions of regulation 22 of the PECR.
• Issuing formal warnings to 11 political parties requiring action, backed by an intention to issue assessment notices for audits, from January 2019.
The ICO has also made recommendations including asking the government to consider whether there are any regulatory gaps in the current data protection and electoral law landscape to ensure that the UK has a regime fit for purpose in the digital age. The ICO has recommended that a Code of Practice for the use of personal information in political campaigns be put on a statutory footing to help combat unlawful campaigning tactics and has launched a consultation.
The ICO started its investigation in May 2017, after allegations about “invisible processing” of people’s personal data and micro-targeting of political adverts during the EU Referendum.