Facebook facing £500,000 fine from ICO

The action comes as the ICO published an interim report on the progress of its ongoing investigation into the use of data analytics for political purposes. Facebook and Cambridge Analytica have been at the centre of the investigation since the revelations in February that an app had been used to harvest the data of millions of users.

Facebook contravened the law by failing to safeguard its users’ information, the ICO has concluded. The regulator has ruled that lack of transparency and security issues relating to the harvesting of data constituted breaches of the Data Protection Act 1998.

The company has been issued with a notice of the ICO’s intent to issue the £500,000 fine, and has a chance to respond, after which a final decision will be made, according to the ICO.

The ICO has been investigating the issue since March 2017, when it started looking into whether personal data had been misused by campaigns during the EU referendum. It expanded its investigation in May 2017 to include political parties, data analytics companies and social media platforms.

The watchdog is also looking to bring a criminal prosecution against SCL Elections Ltd, Cambridge Analytica’s parent company, for failing to comply with an enforcement notice the regulator issued in May. The notice required SCL to properly deal with a subject access request submitted by Professor David Carroll, an academic who is trying to reclaim personal data the company may hold about him.

As part of its investigation, the regulator will conduct an audit of Cambridge University’s Psychometric Centre, where the methodology behind Cambridge Analytica’s targeting approach originated, to ensure that data used for academic research is safeguarded and not re-used for commercial purposes. 

The UK’s main political parties have also been sent 11 warning letters and notices compelling them to agree to data protection audits later in the year. The ICO is focusing on the practice of purchasing marketing lists and lifestyle information from data brokers "without sufficient due diligence".

In addition, the ICO has commissioned research from thinktank DEMOS’ Centre for the Analysis of Social Media, examining trends in how data is used in political campaigns, how technology is changing and how it may evolve.

Information commissioner Elizabeth Denham said: "New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.

"Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system."

Among its recommendations outlined in a partner report, the ICO has also called on the government to introduce a statutory code of practice under the Data Protection Act 2018 for the use of personal data in political campaigns. 

The next phase of the investigation is expected to conclude by the end of October 2018.