The United Kingdom’s independent data authority levied the largest possible fine against Facebook for violating data protection laws and announced a criminal prosecution against the parent company of Cambridge Analytica following a four-month investigation into the disgraced political consulting outfit.
In moves that may have far-reaching consequences for the future of how social media companies can use data related to elections, the UK Information Commissioner’s Office announced a series of new steps in a preliminary report, which included a fine against Facebook of £500,000 for two breaches of the Data Protection Act 1998.
The fine comes in light of the company’s own admission that its loose data-sharing policies with developers led to an app, backed by London-based SCL Elections, obtaining the data of up to 87 million Facebook users without their explicit permission.
Some of that data was later passed on from SCL to its subsidiary Cambridge Analytica, which then used it to develop political advertising in US elections.
On Wednesday, in addition to fining Facebook the largest amount ever for breaching local data laws, UK Information Commissioner Elizabeth Denham said that SCL will face criminal prosecution for failing to comply with an ICO enforcement notice that was issued in May.
“We are at a crossroads,” Denham said. “Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.”
Denham said the ICO’s preliminary report recommended SCL Elections face a criminal charge for its failure to comply with an enforcement notice to hand over the data it held on David Carroll, an American professor who is currently challenging SCL and Cambridge Analytica in UK courts to learn what kind of personal information they had collected on him. The ICO said Wednesday's interim report will inform further parliamentary investigations and that it will continue its investigation until October.
The ICO began examining the misuse of personal data by political campaigns in the Brexit referendum in May 2017. That examination later came to encompass data analytics companies like SCL and Cambridge Analytica in March following stories in the New York Times and the Observer, in which former Cambridge Analytica employee Christopher Wylie detailed how the political consulting outfit questionably obtained Facebook information on millions of people and used it to develop political advertising for clients.
Cambridge Analytica worked with Donald Trump’s 2016 presidential campaign, whose chief executive Steve Bannon sat on the political consulting firm's board. The company, which has now filed for bankruptcy along with SCL, previously denied that any ill-gotten Facebook data was used on the Trump campaign, while other clients, including members of Sen. Ted Cruz's presidential campaign, have questioned the efficacy of its political advertising methods.
In March, the ICO raided Cambridge Analytica’s London headquarters after the company did not previously respond to Denham’s demand for records and information.
The head of the parliamentary committee overseeing an inquiry into data use and fake news, Damian Collins, seized on the ICO’s interim report overnight, renewing his demand for Facebook CEO Mark Zuckerberg to come before the UK parliament and face questioning from British MPs.
To date, the Facebook chief has only submitted to public questioning to US House and Senate committees and made one appearance in front of the Brussels-based European Parliament, while sending deputies to answer questions from UK lawmakers.
“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” Collins said. “This cannot be left to a secret internal investigation at Facebook.”
“If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.”
Facebook previously said that it had paused its internal investigation into Global Science Research, the firm that was hired by SCL to harvest Facebook data, to wait for the ICO’s findings. A Facebook spokesperson noted that the company is waiting for the ICO to complete its full investigation, and not just its interim one, before possibly reopening its own internal audit. The company is also currently under investigation by a number of US government agencies including the Justice Department, FBI, Securities and Exchange Commission, and Federal Trade Commission for its role in the Cambridge Analytica scandal.
In a statement, Facebook Chief Privacy Officer Erin Egan noted that the company “should have done more to investigate claims about Cambridge Analytica” in 2015 when the Guardian first revealed that the consulting firm had been improperly using Facebook data.
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries,” Egan said. “We're reviewing the report and will respond to the ICO soon.”
The ICO also issued an enforcement notice telling the Canadian-based data firm AggregateIQ — the company used by the Vote Leave campaign during the 2016 Brexit referendum — to immediately stop processing data on UK citizens.
Along with the specific regulatory actions against Facebook and Cambridge Analytica–linked companies on Wednesday, the ICO went a step further, announcing that it will be pursuing data audits of all the main political parties in the UK.
The ICO’s interim report said “warning letters” would be sent to 11 political parties across the country to expect an audit on the ways they use data.
“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters,” Denham said. “But this cannot be at the expense of transparency, fairness, and compliance with the law.”