On 6 November 2018, the Information Commissioner's Office (the "ICO") reported to the UK Parliament on its investigation into the use of data analytics in political campaigns.1 The ICO has deemed this to be the most complex data protection investigation they have ever conducted and the largest investigation of its type by any Data Protection Authority. 30 organisations formed the main focus of the investigation. These included social networking sites (notably Facebook) and data brokers to political parties and other interest groups. The investigation was launched in May 2017 after allegations were made about the 'invisible processing' of individuals' personal data and the micro-targeting of political adverts during the referendum on the UK's continued membership of the EU (the "Referendum"). A separate report was also published by the ICO in July 2018 entitled 'Democracy Disrupted? Personal Information and Political Influence'2, which explores the risks of interference with democratic process stemming from the misuse of personal data.
The primary focus of the ICO's investigation was the events surrounding the Cambridge Analytica data breach scandal in 2017. Investigations carried out by The Observer newspaper revealed that Facebook was enabling the processing of personal data of Facebook users for purposes to which users did not consent. An app referred to as "thisisyourdigitallife", which was developed by Dr Aleksandr Kogan and his company Global Science Research, harvested the data of up to 87 million global Facebook users, including one million in the UK. Some of this data was then used by the data broker Cambridge Analytica (the trading name of SCL Elections Ltd) to assist the Leave.EU campaign during the Referendum by micro-targeting voters. Dr Kogan had previously worked at the Psychometric Centre at Cambridge University where he and other academics had developed a number of apps, including an app called "My Personality" based on the OCEAN3 model. The academics found that by referring to as few as 68 Facebook "likes", they were able to predict with a high degree of accuracy a number of characteristics, including ethnicity and political affiliations.
Facebook's policies in force during the relevant time period permitted third-party apps to obtain the personal data of users who installed the app and, in some circumstances, the data of those users' friends. However, its policies sought to impose limits on what this data could be used for, namely for providing enhanced user experiences, and not for commercial purposes. Any terms of service changes used by app developers were supposed to comply with Facebook's policies and developers should have been aware of this.
The ICO found that Facebook users who accessed the app, together with friends of those Facebook users, were not made aware that their personal data would be: (1) provided to Cambridge Analytica, (2) used for the purposes of political campaigning, or (3) processed in a manner that involved drawing inferences about their political opinions. Therefore, the processing of personal data could not be deemed lawful under the UK Data Protection Act 1998 (the "DPA1998"), and the ICO found that Facebook did not take sufficient steps to prevent apps from unlawfully collecting personal data.
Facebook was issued with the maximum monetary penalty of £500,000 available under the DPA1998 for lack of transparency and security issues relating to the harvesting of data. The Commissioner has stated that this sum would be significantly greater had the infringements taken place after the coming into force of the General Data Protection Regulation ("GDPR"). As of the date of the report, the ICO was in the process of referring other outstanding issues about Facebook's targeting functions and techniques used to monitor individuals' browsing habits, interactions and behaviour across the internet and different devices to the Irish Data Protection Commission as the lead supervisory authority for Facebook under GDPR. Cambridge Analytica is now in administration but a 'substantial fine' would have been issued had the company not entered administration. Despite this, the ICO is now pursuing a criminal prosecution against the company for failing to properly deal with an enforcement notice requiring the company to deal with a subject access request. The ICO issued two separate notices of intent to fine Leave.EU £60,000 and £15,000 for contraventions of regulation 22 of the UK Privacy and Electronic Communications Regulations 2003.
The ICO's report details a number of other investigations and regulatory actions which are being pursued due to misuse of personal data during the Referendum campaign. This includes an investigation into allegations that Eldon Insurance Services Limited (trading as GoSkippy) shared customer data obtained for insurance purposes with Leave.EU. 11 warning letters requiring action by the main UK political parties were issued by the ICO and audits of Cambridge University and its psychometric centre have also been conducted.
Elizabeth Denham, the current UK Information Commissioner, acknowledges from the outset that it may never be known with certainty whether 'individuals were unknowingly influenced to vote a certain way' in the Referendum but what is certain is that personal privacy rights have been seriously compromised by a number of players. The report has, according to its authors, uncovered 'a disturbing disregard for voters' personal privacy' at a time when 'multiple jurisdictions are struggling to retain fundamental democratic principles in the face of opaque digital technologies'. The powers of the ICO were strengthened by the Data Protection Act 2018 but the organisation has called for further enhancement of its powers following this investigation. The central recommendation of this report is the establishment of a mandatory Code of Practice relating to the use of personal data in campaigns and elections. Whilst welcoming recent voluntary initiatives by social media platforms, the ICO concludes that 'a self-regulatory approach will not guarantee consistency, rigour or public confidence'. Ms Denham envisages that the ICO's investigation will provide a blueprint for other jurisdictions in the context of data privacy investigations. No doubt the Irish Data Protection Commissioner will be closely watching developments across the water following the launch of its own formal investigation into the Facebook data breach.4
3 The model identifies personality traits based on Openness, Conscientiousness, Extroversion, Agreeableness and Neuroticism.