Facebook faces maximum fine for data misuse

Facebook faces maximum fine for data misuse

Media playback is unsupported on your device

Media captionInformation commissioner Elizabeth Denham says Facebook’s fines will damage its reputation

The UK’s data protection watchdog intends to fine Facebook £500,000 for data breaches – the maximum allowed.

The Information Commissioner’s Office said Facebook had failed to ensure another company – Cambridge Analytica – had deleted users’ data.

The ICO will also bring a criminal action against Cambridge Analytica’s defunct parent company SCL Elections.

And it has raised concerns about political parties buying personal information from “data brokers”.

Specifically it named one company used by the Labour Party, Emma’s Diary, which gives medical advice and free baby-themed products to parents.

Facebook said it would respond to the report “soon”.

The ICO also said another company – Aggregate IQ – which worked with the Vote Leave campaign in the run up to the EU Referendum, must stop processing UK citizens’ data.

The fine is modest compared with previous sanctions on Facebook.

In 2017 it was fined 110m euros (£95m) by the European Commission, which in the same year punished Google for 2.42bn euros (£2.1bn).

But information commissioner Elizabeth Denham said companies also worried about reputational damage.

The impact of behavioural advertising, when it came to elections, was “significant” and called for a code of practice to “fix the system”, she said.

Such a code would ensure that “elections are fair and people understand how they are being micro-targeted”.

The action comes 16 months after the ICO began its probe into political campaigners’ use of personal data following concerns raised by whistleblower Christopher Wylie, among others.

The ICO found Facebook had breached its own rules and failed to make sure Cambridge Analytica had deleted this personal data.

While Cambridge Analytica insisted it had indeed wiped the data after Facebook’s erasure request in December 2015, the ICO said it had seen evidence that copies of the data had been shared with others.

“This potentially brings into question the accuracy of the deletion certificates provided to Facebook,” said an ICO spokesperson.

Lifestyle information

The ICO has also written to the UK’s 11 main political parties telling them to have their data protection practices inspected.

It is concerned the parties may have bought lifestyle information about members of the public from data brokers, who might have not have obtained the necessary consent.

Naming Emma’s Diary, the ICO said it was concerned about how transparent the firm had been about its political activities.

Image copyright
Emma’s Diary

Image caption

Emma’s Diary requires users to download an app to get a free bundle of baby-themed goods

It said that the Labour Party had confirmed using the firm, but did not provide other details except that it intended to take some form of regulatory action.

The service’s owner Lifecycle Marketing told the BBC it did not agree with the ICO’s initial findings.

“For over 25 years we have operated with integrity and within the spirit of data regulation,” said a spokeswoman.

“As the ICO investigation continues we will freely cooperate… and cannot comment further at this stage.”

What else has Facebook been fined for here?

Looking wider, the ICO noted Facebook had been the biggest recipient of digital advertising by political parties and campaigns to date.

Yet, it said, the US firm had neither done enough to explain to its members how they were being targeted as a consequence, nor given them enough control over how their sensitive personal data was used.

As a result, it said, Facebook was guilty of a second breach of the Data Protection Act.

Facebook has a chance to respond to the Commissioner’s Notice of Intent, after which a final decision will be made.

The tech firm’s chief privacy officer issued a brief response.

“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” said Erin Egan.

“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

How will Cambridge Analytica be dealt with?

Cambridge Analytica, which claimed it could swing elections, and its parent SCL Elections, shut down in May.

But the ICO said it was still taking legal steps to bring a criminal prosecution.

The basis for this would be that SCL Elections had failed to properly respond to an earlier demand that it give a US academic a copy of any personal information it held on him along with an explanation as to its source and usage.

Image copyright
Getty Images

Image caption

In March, Cambridge Analytica offices were searched by ICO officers

Bearing in mind SCL Elections is now out of business, the ICO said it might consider taking action against the company’s directors.

How is AggregateIQ involved?

The ICO said it had established that the Canadian data analytics firm AggregateIQ – AIQ – had access to UK voters’ personal data provided by the Brexit referendum’s Vote Leave campaign.

It said it was now investigating whether this information had been transferred and accessed outside the UK and whether this amounted to a breach of the data protection act.

The watchdog added that it continued to investigate to what degree AIQ and SCL Elections had shared UK personal data.

And it said it had served an enforcement notice forbidding AIQ from continuing to make use of a list of UK citizens’ email addresses and names that it still holds.

What else is the regulator doing?

Other action includes:

  • an investigation into allegations that Arron Banks’ Eldon Insurance Services illegally shared customer data with the Leave.EU group he co-founded, and used the business’ call centre staff to make calls on behalf of the campaign – claims the firm has previously denied
  • a probe into the collection and sharing of personal data by the official Remain campaign – Britain Stronger In Europe – and a linked data broker
  • an audit of the University of Cambridge’s Psychometrics Centre. The department carries out its own research into social media profiles. The ICO said it had been told of an alleged security breach involving one of the centre’s apps and had additional concerns about its data protection efforts
  • a call for the government to introduce a code of practice limiting how personal information can be used by political campaigns before the next general election
  • efforts to ensure ex-staff from SCL Elections and Cambridge Analytica do not illegally use materials obtained from the business before its collapse

The ICO said it expects the next stage of its investigation to be complete by the end of October.