The ICO has sent warning letters to 11 political parties about the processing of personal data - with particular concern around purchasing lists from data brokers - and has also referred Facebook to Ireland’s data watchdog, having already issued the social network a maximum fine of £500,000 for failing to keep its users’ personal information secure.
Since the ICO began its investigation in May 2017 it has examined 30 organisations, interviewed 33 individuals and is working through forensic analysis of 700 terabytes of data - the equivalent of 52 billion pages.
Whilst the investigation began in early 2017, new revelations surrounding Cambridge Analytica, Facebook and the Leave.EU campaign have also come to the fore. The story is ongoing and complex, with multiple parties involved, but the ICO is essentially worried about the misuse of personal data to influence people during elections and campaigns.
Or as the ICO puts it, it is “concerned about invisible processing” - the “behind the scenes algorithms, analysis, data matching and profiling that involves people’s personal information”.
The ICO has this week published a report to parliament with the full details of its investigations thus far.
Elizabeth Denham, the UK Information Commissioner, said:
“[The report] sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.
“Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups and political parties.
“Where there have been breaches of the law we have acted. We have issued monetary penalties - including the maximum £500,000 (under the previous law) to Facebook – and enforcement notices that compel companies and campaigns to comply with the law. We’ve instigated criminal proceedings against SCL Elections Ltd and referred issues to other regulators and law enforcement agencies. And where we have found no evidence of illegalities, we have shared those findings openly too.”
A full list of all the ICO’s enforcements to date can be found here.
However, the ICO has been clear that its efforts to date are not just about enforcement. Denham said that “we are at a crossroads” and that trust and confidence in the integrity of our democratic processes risks being disrupted because the “average person has little idea of what is going on behind the scenes”.
She said that this must change. Denham said that this is why government regulation is needed - and that social media companies regulating themselves isn’t enough.
“People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.
“What can we do to ensure that we preserve the integrity of future elections? How can we make sure that voters are truly in control of the outcome?
“Whilst voluntary initiatives by the social media platforms are welcome, a self-regulatory approach will not guarantee consistency, rigour or shore up public confidence.”
As a result, the ICO is calling for views for a code of practice covering the use of data in campaigns and elections. Denham said that this will “simplify the rules and give certainty and assurance about using personal data as a legitimate tool in campaigns and elections”.
The code should be given the same statutory footing as other codes of practice in the Data Protection Act 2018, according to the ICO.
Denham is also calling on the UK government to consider where there are regulatory gaps in the current data protection and electoral law landscape or ensure the regime is “fit for purpose in the digital age”.
Furthermore, the ICO acknowledges that this isn’t an issue the UK can tackle on its own. Denham said:
“Finally, this is a global issue, which requires global solutions. Our work has helped inform the EU’s initiatives to combat electoral interference. A Canadian Parliamentary Committee has recommended extending privacy law to political parties and the US is considering introducing its first comprehensive data protection law.
“I am immensely proud of the work of my team and the impact that our investigation has had.
“I hope our investigation provides a blueprint for other jurisdictions to take action and sets the standard for future investigations.”