Brexit data contravention lands Facebook a £500,000 fine

The Information Commissioner’s Office (ICO), UK’s data protection regulator, intends to fine Facebook half a million pounds for its failure to safeguard user data in the run-up to the country’s referendum to leave the EU in 2016.

After more than a year’s investigation, the ICO’s progress report published today (11 July) determined that Facebook breached Data Protection Act 1998 by lacking transparency “and security issues relating to the harvesting of data”. Facebook is due to present its case in front of the ICO later this month.

We asked Facebook for a comment and got this from Erin Egan, its Chief Privacy Officer: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

In addition to penalising Facebook with the highest possible sum in its jurisdiction, ICO has also undertaken actions against a string of parties suspected of having involved in irregularities during the campaign:

• Enforcement Notice to cooperate with investigation was sent to SCL Elections, affiliated with Cambridge Analyica, and steps are being take to bring criminal charges against SCL Elections for its failure to implement the Enforcement Notice;
• Warning letters were sent to 11 political parties on their ways of buying and using voter data. Audits are planned for later this year;
• Enforcement Notice was sent to the Canadian data analytics firm AggregateIQ (AIQ) demanding it to stop possessing UK voters’ data, in cooperation with the Canadian authorities;
• Investigation into both the Leave and Remain campaigns are ongoing;
• An audit on Cambridge University’s policy and process will be conducted. A recommendation to Universities UK was issued demanding the education institutions to be more vigilant on the usage of personal data gathered for academic research purposes vs. academics’ private commercial interest.

In a certain sense, Facebook was fortunate with timing. Had the new GDPR been in place before the referendum, the ICO would have the authority to handout a ticket of up to €20 million (£17 million).