The Information Commissioner’s Office in the UK has announced its intention to fine Facebook more than $600,000 for its “lack of transparency and security issues” related to third-party data harvesting. The ICO is also taking steps toward bringing criminal action against SCL Elections, the now-defunct parent company of the political consulting firm Cambridge Analytica, which harvested the data of millions of Americans without their knowledge before the 2016 election.
The announcements come as part of the ICO’s sweeping investigation into data privacy violations, which began in March following a wave of news reports about Cambridge Analytica’s misdeeds. The ICO went public with its initial findings on Tuesday, but noted that the investigation is still ongoing. As part of the probe, the ICO’s team of 40 investigators seized the servers of Cambridge Analytica and has undertaken a transatlantic search to determine how data was used both in the Brexit referendum campaign and the United States presidential election. The initial report includes a slew of regulatory actions the ICO plans to take against a variety of key players, from Facebook and Cambridge Analytica to major data brokers, political campaigns, and the academic institutions that develop data targeting methodology.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law,” Information Commissioner Elizabeth Denham wrote in a statement.
According to the report, the ICO believes Facebook may have violated the UK’s Data Protection Act, which gives UK residents control over their data and requires companies to receive explicit consent from users before collecting that data. Facebook now has until later this month to respond to the ICO’s notice of intent to fine the company, after which point the ICO will decide whether to go forward with the fine. Of course, a fine of less than $1 million isn’t much of a punishment for a company like Facebook, which is valued at more than $584 billion.
“We will consider carefully any representations Facebook may wish to make before finalising our views,” the ICO wrote in a summary of the report.
In a statement, Facebook’s chief privacy officer Erin Egan acknowledged that Facebook “should have done more to investigate claims about Cambridge Analytica and take action in 2015.”
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries,” Egan wrote, adding that the company will respond to the ICO soon.
The Commissioner’s office has also set its sights on Cambridge Analytica and its parent company, SCL Elections, which are undergoing insolvency proceedings in the UK and bankruptcy proceedings in the US. In May, the ICO ordered SCL Elections to hand over all the data it had collected on an American academic named David Carroll. In January of 2017, Carroll requested his data from Cambridge Analytica under the UK data protection law. The response he received included predictions about his political beliefs but few details about the data powering those predictions. In March of this year, a day before the Cambridge Analytica story made front-page headlines around the world, Carroll filed a legal claim against the company. Months later, the ICO followed with its enforcement action, but SCL Elections never complied. Now the ICO says it is “taking steps with a view to bringing a criminal prosecution against SCL Elections.”
Carroll’s lawyer, Ravi Naik, says the decision is “expected.” “The enforcement notice was clear on its terms and we expected nothing less considering SCL’s failure to comply,” he wrote. “The report also vindicates David’s case, confirming that his action has been pivotal to their findings. We continue to push for disclosure and are confident that we will get answers to questions the world wants resolved.”
Naik says he is currently exploring claims against Facebook “on behalf of a class of individuals.”
While the investigation may have kicked off with an inquiry into Cambridge Analytica, its scope has grown as the investigators try to map out the circuitous route data sometimes takes as it moves between the academic, political, and commercial spaces. One key area of inquiry for the ICO is Cambridge University’s Psychometrics Centre, where the methodology that undergirds Cambridge Analytica’s approach to data targeting originated. As the director of the Centre recently told WIRED, researchers there had been collecting Facebook data for academic purposes, using personality profiling apps. That work fueled research that showed how much sensitive information could be gleaned from Facebook likes. Facebook supported the research—that is, until 2015, when news stories revealed that another Cambridge professor named Aleksandr Kogan was using a personality app to collect Facebook data, and then sold the data to Cambridge Analytica.
Facebook has since suspended all of the apps associated with the Centre, pending an investigation of its operations. Now, the ICO says it will conduct an audit of the department and investigate whether Cambridge University has “sufficient systems and processes in place” to ensure academic data is properly protected.
Meanwhile, the ICO continues to investigate the use of data in the UK’s vote to leave the European Union, a decision that is now causing disarray in the upper echelons of British government. In particular, the ICO is investigating a former SCL employee’s claims that the Leave.EU campaign received data from a company called Eldon Insurance and used Eldon’s call center staff to make calls on behalf of Leave.EU.
The ICO is also taking action against a Canadian firm called AggregateIQ, which worked with Senator Ted Cruz’s presidential campaign as well as the UK’s Vote Leave campaign. The ICO says it’s found that AggregateIQ has access to British citizen data that it “should not continue to hold.” It’s now investigating whether Vote Leave transferred voter data outside the country, and ordering AggregateIQ to cease processing that data.
What makes the ICO’s investigation more thorough than similar investigations in the United States is that it focuses not just on Cambridge Analytica but on the broader data marketplace. It plans on auditing credit reference companies in the UK and intends to take action against one data broker in particular called Emma’s Diary. It’s also issuing letters to political parties throughout the country, warning of the risks of working with data brokers who may not have received proper consent. Finally, the ICO has developed a list of 10 recommendations for the British government, including the creation of a code of practice under the Data Protection Act that dictates how data can be used in political campaigns.
“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system,” Denham said in a statement.
The fact that the UK already offers its citizens some core data protections gives the ICO’s investigation teeth. In the United States, no such protections exist.