How did you vote in the EU Referendum? Chances are that you may have been targeted by advertisements on social media that were from or related to political campaigns (from either side of the fence).

In March 2017, the Information Commissioner’s Office (ICO) began an investigation into whether personal data had been misused by social media platforms, companies such as Cambridge Analytica and/or political parties to sway voters in relation to the referendum on UK membership of the EU. The ICO has issued an interim report – available here along with a paper on the use of personal data in political campaigns – available here.

Why did the ICO decide to investigate?

Over the last two years, there has been a lot of media attention and concern about the role of data analytics (such as profiling and targeted advertisements etc.) in political campaigns and the harvesting of data from social media platforms for use by political parties/organisations to target potential voters.

What are the Data Protection issues the ICO are concerned with?

Generally, the ICO is investigating the role data analytics have played within political campaigns over the last few years. The ICO have been looked into whether data has been misused by political parties and campaigners in a way that is contrary to data protection legislation.

The ICO has recommended to the government that steps are taken to introduce a Code of Practice for political campaigns and/or parties when using personal data to ensure data protection laws are adhere to, and the rights of data subjects respected.

The ICO are concerned with the lack of transparency to users about how their data will be used and the illegal sharing of such data between organisations, including political parties to profile potential donors for targeted campaigning purposes.

What action has been taken by the ICO?

Although the ICO is still actively conducting its investigation, to date the ICO has taken the following action:

(1)    Warning Letters have been issued to 11 political parties asking them to agree to an audit of their data protection practices by the ICO;

(2)    Criminal prosecution of SCL Elections Ltd (a company connected to Cambridge Analytica) for failing to comply with a previous Enforcement Notice issued by the ICO;

(3)    Enforcement Notice to Aggregate IQ to stop them from processing UK citizens data;

(4)    Notice of Intent to take action against the data broker Emma’s Diary (the intention is to fine Emma’s Diary £140,000); and

(5)    Notice of Intent to take action against Facebook (the intention is to fine Facebook £500,000 – the highest penalty that can be imposed by the ICO under the Data Protection Act 1998).

What have Facebook and Emma’s Diary done?

The ICO, during their wider investigation into the use of data analytics in political campaigns, have focused in on two organisations who have been found to have breached the Data Protection Act 1998.

Facebook have been found to have breached two principles of the Data Protection Act 1998 – (i) they failed to safeguard the information of their users from such harvesting/use by third party companies; and (ii) they failed to be transparent and open with users about how their data would be used by third parties (including that this may be used for targeted advertisements or political campaigns).

Facebook, along with Cambridge Analytica, have been the focus of the ICO investigation since it emerged that an app had been used to harvest the data of around 87 million users.

Emma’s Diary are alleged to have sold data from its website and lifestyle app to the Labour party which was then used in political campaigns to target voters. The sharing of this data was in breach of data protection laws and therefore unlawful as users were not informed that this would be done. Transparency and greater control for data subjects is a theme of the new GDPR and likely to form the focus of many investigations to come.

What is likely to happen next?

The ICO’s investigation is still ongoing. The interim progress report was issued to comply with timescales set by the government’s report into Fake News.

The ICO are continuing to investigation many companies and individuals in relation to potential breaches of the Data Protection Act 1998 (the new General Data Protection Regulation or Data Protection Act 2018 does not apply to these offences as they occurred before 25th May 2018).

It is likely that the ICO will issue more Notices of Intent and/or Enforcement Notices in connection with this investigation. The ICO has indicated that the next phase of the investigation is likely to be completed around October 2018.

Facebook and Emma’s Diary have been fortunate that such breaches occurred before 25th May as, under GDPR, the maximum fine that can be issued by the ICO changes from £500,000 to £17 million! It is likely that such serious breaches as have been found in these cases, would have attracted fines running into several million pounds.

Both companies will have a chance to respond to the Notice of Intent before a final decision is made by the ICO.

We await more information from the ICO on this matter and how the government may tackle such issues in future political campaigns and elections.

If you require advice and assistance in relation to the GDPR international transfers or any other data protection matters, please contact our IP, Technology & Commercial Team.