A year into an investigation into the use of data analytics in political campaigns, the UK’s privacy watchdog is imposing sanctions, including a criminal prosecution and a US$660,000 fine, on companies that shared data with political parties.
The Information Commissioner’s Office also plans to audit the activities of 11 political parties and of the main credit reference companies operating in the UK, amid concerns that data brokers were allowing the personal data of UK and other European Union citizens to be processed for political purposes.
The regulator is concerned that citizens whose data ends up in the hands of political parties and the data analytics firms working for them may not have provided the consent called for by data protection legislation.
An insurance company, Eldon Insurance Services, is also under investigation, suspected of passing data about its clients to an organisation campaigning in the UK’s EU membership referendum.
One angle ICO is pursuing is whether the company sent data to the US, and in particular to the University of Mississippi.
The stakes are high for businesses that, knowingly or unknowingly, allow their customers’ personal information to be used for political purposes without consent.
ICO said Wednesday that it intended to fine Facebook US$660,000 for lack of transparency and for security issues relating to the harvesting by Cambridge Analytica of personal data that Facebook held.
The fine Facebook faces is the maximum possible under legislation in effect at the time of the events concerned.
Since the introduction of the EU’s General Data Protection Regulation on 25 May, though, the maximum fine is now US$23.5 million or four per cent of a company’s worldwide revenue, whichever is greater.
Although ICO’s investigation focused on concerns surrounding the conduct of the UK's 2017 general election and the referendum on leaving the EU, Cambridge Analytica’s involvement in politics has been an issue since the 2016 US presidential election campaign, in which the winning Republican candidate also used the company’s services.
ICO intends to bring a criminal prosecution against Cambridge Analytica’s parent company SCL Elections for its failure to provide US academic Professor David Carroll with details of the information it held about him following a Subject Access Request filed in January 2017.
Another company, AggregateIQ Data Services, is also in ICO’s sights. The regulator has ordered it to "cease processing any personal data of UK or EU citizens obtained from U.K. political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes."
The company spent around $2 million targeting Facebook advertising at a list of email addresses on behalf of political groups seeking to influence the UK’s EU membership referendum vote.
ICO has also said it intends to take regulatory action against data broker Lifecycle Marketing (Mother and Baby), which distributes a guide called Emma’s Diary to pregnant women.
The net could spread wider, as ICO expects its investigation to continue at least through October.
(Reporting by Peter Sayer, CIO)