Britain’s privacy commissioner plans to fine Facebook for violating data protection laws and bar Canada’s AggregateIQ from handling data belonging to British citizens as part of a sweeping investigation into how personal data have been used during election campaigns.
The country’s Information Commissioner’s Office has spent months investigating how political consultants at Cambridge Analytica obtained personal data from 87 million Facebook users and then used that information to target voters during elections in the United States and Britain. In a report on its findings to be released Wednesday, the agency said it is targeting Facebook with a £500,000 ($871,000) fine for failing to properly handle personal data and for failing to respond in a robust way when the company found out about the scale of the data harvesting.
The ICO’s findings represent the first action by a national regulator against Facebook over the Cambridge Analytica scandal.
The ICO is also issuing an enforcement notice to AggregateIQ, a Victoria-based company that helped process the Facebook data for Cambridge Analytica. The notice orders the company to stop handling data belonging to British citizens.
The report offers a stark warning about the use of personal data by political parties and the ICO is urging governments around the world to take action. “I think this is a time when people are sitting up and saying we need a pause here and we need to make sure that we’re comfortable with the way personal data is used in our democratic processes,” said Information Commissioner Elizabeth Denham, who came to Britain in 2016 after serving as the information and privacy commissioner for British Columbia. “And I think for us, looking at the entire ecosystem, it’s helpful for other jurisdictions to take a look at their own laws, and their own practices, to get this right, including Canada.”
The ICO is now planning to audit the data-protection practices of every political party in Britain and it’s calling on the government to enact rules for how parties use data during campaigns. It has also pledged to crack down on data brokers who sell personal information to political parties. “We need [parties] to think about the digital campaigns of the future and take an ethical pause and think about the way that they are processing data because I think it would be a surprise to voters to see the breadth and the extent of the data,” Ms. Denham said.
The ICO investigation was launched under Britain’s 1998 data protection legislation, which was replaced in May by the European Union’s General Data Protection Regulation (GDPR). The maximum fine under the old British law was £500,000, but the GDPR includes powers to fine companies up to 4 per cent of global revenue for data breaches. Facebook revenue is US$40.65-billion, meaning a fine under GDPR of 4 per cent would be US$1.63-billion.
The fact that the ICO imposed the highest fine possible under the old law “sends a clear signal that I consider this to be a significant issue, especially when you look at the scale and the impact of this kind of data breach,” Ms. Denham said.
The ICO said Facebook will have an opportunity to respond to the proposed fine before the agency makes a final decision on the penalty. Facebook’s chief privacy officer Erin Egan said the company is reviewing the ICO findings. “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” she said. “We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the U.S. and other countries. We’re reviewing the report and will respond to the ICO soon.”
Facebook is also under investigation by privacy commissioners in Canada and Australia. In the United States, the social media giant faces a joint probe by the Justice Department, the Federal Bureau of Investigation and the Securities and Exchange Commission over its relationship with Cambridge Analytica. Facebook chief executive Mark Zuckerberg has vowed to tighten the company’s privacy policies.
The scale of Cambridge Analytica’s operation came to light this spring after former staffer Chris Wylie, who is from Victoria, exposed how the company obtained the Facebook data from a Cambridge University researcher named Aleksandr Kogan. Mr. Kogan has said he had no idea Cambridge Analytica planned to use the data he gathered for targeted political advertising. Cambridge Analytica filed for bankruptcy in May along with its British parent company SCL Group. Ms. Denham said the ICO is looking into how researchers at Cambridge University and other institutions protect data.
Mr. Wylie also played a role in creating AggregateIQ in 2013 and the company became a major contractor for Cambridge Analytica. AIQ’s role in the Brexit campaign has come under scrutiny by British election officials as part of a probe into illegal campaign financing. The company has denied any wrongdoing.
Ms. Denham said the ICO’s investigation isn’t over.
With a report from Tamsin McMahon