ICO plans to sanction Facebook with maximum £500,000 fine under 1998 DP Act
On issuing an interim report on its investigation into the use of data analytics in political campaigns, the ICO plans to fine Facebook £500,000 for two breaches of the Data Protection Act 1998. Facebook now has a chance to respond to the Commissioner’s Notice of Intent, after which a final decision will be made.
Information Commissioner, Elizabeth Denham, said that had the breaches in question been discovered after the GDPR applied, the fine could have reached hundreds of millions of pounds.
The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others and why they might be targeted by a political party or campaign.
The ICO says that the government should legislate at the earliest opportunity to introduce a statutory Code of Practice under the Data Protection Act 2018 for the use of personal information in political campaigns. The ICO will work closely with government to determine the scope of the Code.
The ICO’s ongoing investigation involves 11 political parties, which have received warning letters and notices compelling them to agree to audits of their data protection practices. The ICO will also conduct audits of the main credit reference companies and Cambridge University Psychometric Centre. In addition, the ICO’s actions include an enforcement notice served on SCL Elections Ltd to compel it to deal properly with a subject access request from Professor David Carroll; a criminal prosecution of SCL Elections Ltd for failing to properly deal with the ICO’s Enforcement Notice; an Enforcement Notice served on Aggregate IQ to stop processing retained data belonging to UK citizens; and a Notice of Intent to take regulatory action against data broker Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd).
The ICO’s investigation, one of the largest of its kind by a Data Protection Authority, is expected to be concluded by the end of October 2018. The ICO will work with the European Data Protection Board (EDPB), and the relevant lead Data Protection Authorities, to ensure online platforms’ compliance with the GDPR. The ICO has now also made enquiries with, and interviewed, Google, Twitter and Snap.
Under the GDPR, Ireland’s Data Protection Commission is the lead supervisory authority for Facebook Ireland Ltd, which is the controller of personal data for UK users. The ICO can act as a ‘concerned authority’ in any future investigations that take place into these issues.