Facebook failed to protect people’s data and wasn’t transparent about how personal information was being used by others, the UK’s data watchdog has found in a damning report, The Wired writes.
Facebook faces a £500,000 fine for breaking data protection laws following a wide-ranging investigation into the Cambridge Analytica scandal by the UK’s data regulator.
The investigation, led by Information Commissioner Elizabeth Denham, found that Facebook had contravened the law by failing to protect people’s data and that the company had also failed to be transparent about how personal data was being used by others. Facebook will have an opportunity to respond before a final decision is made, but the commissioner’s damning preliminary findings are a major blow for a company that has sought to play down the severity of the Cambridge Analytica affair and its role in it.
“Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes,” Denham said.
The investigation opened in May and has involved a team of 40 analysing material retrieved from servers and other equipment. The ICO described it as one of the largest ever by a data protection authority.
The £500,000 fine, which forms part of a notice of intent sent to Facebook by the Information Commissioner’s Office (ICO), is the biggest the regulator can issue in its investigation. If the fine is issued to Facebook, it would be the first time the regulator has handed out the largest financial penalty available to it.
“Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way,” said committee chair Damian Collins. “If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.”
The incident took place before the EU's GDPR came into force on May 25, meaning Facebook will not face a multi-million dollar fine. The 1998 Data Protection Act, which the investigation revolves around, only allows a maximum fine of £500,000.
Facebook's chief privacy officer Erin Egan has said the company should have done more to investigate claims about Cambridge Analytica when they were first raised in 2015.
The ICO’s investigation centres on a personality test app developed by Aleksandr Kogan for Cambridge Analytica. The app was used to scrape the personal data of up to 87 million Facebook users. In an unusual move, the ICO has released preliminary findings from its report to aid the ongoing parliamentary select committee investigation into fake news.
As part of its wider investigation into the potential subversion of democracy, the ICO has written 11 "warning letters" to political parties. The ICO launched an investigation into political parties use of data in May 2017. The investigation has rapidly expanded as the Facebook and Cambridge Analytica scandal unfolded this year. During the height of the controversy, it took the ICO more than a week to get a warrant to search Cambridge Analytica's offices.
"The purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, and use of third party data analytics companies with insufficient checks around consent," by political parties is worrying, the regulator wrote in its report.
The ICO has also issued the political parties with notices compelling them to agree to a full audit of their data protection practices.
In addition, the ICO has announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for failing to adequately respond to an enforcement notice issued in May of this year.
Both the main Brexit referendum campaigns have also come under fire from the ICO. The regulator said it is continuing its investigation into Remain campaign (officially known as the In Campaign Limited) for not properly seeking consent for the personal data it collected. Leave.EU is being investigated for allegedly using data from an insurance services company called Eldon. There's also the possibility that Eldon's call centres staff may have been making marketing calls for Leave.EU.
Canadian data firm AggregateIQ (AIQ), which spent around $2 million on Facebook Brexit advertisements and had reams of Facebook user data, is also being investigated. The ICO said AIQ may still have personal information it obtained from Vote Leave. "We have however established, following a separate report, that they hold UK data which they should not continue hold," the ICO said.
In an accompanying report, the ICO has made recommendations for how government can improve transparency around online campaigning and the political use of personal data. Foremost amongst these is a call for the creation of a new statutory code of practice for the use of personal data in political campaigns. “People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital,” said Denham.
The ICO said it plans to have completed the current phase of its ongoing investigation by the end of October 2018.