$660,000 data privacy fine highlights dangers for businesses dabbling in politics

Make sure you have customers' consent for everything you do with their data


A year into an investigation into the use of data analytics in political campaigns, the U.K.’s privacy watchdog is hitting companies that shared data with political parties with sanctions including a criminal prosecution and a £500,000 (US$660,000) fine.

The Information Commissioner’s Office also plans to audit the activities of 11 political parties and of the main credit reference companies operating in the U.K., amid concerns that data brokers were allowing the personal data of U.K. and other European Union citizens to be processed for political purposes.

The regulator is concerned that citizens whose data ends up in the hands of political parties and the data analytics firms working for them may not have provided the consent called for by data protection legislation.

An insurance company, Eldon Insurance Services, is also under investigation, suspected of passing data about its clients to an organization campaigning in the U.K.’s EU membership referendum. One angle ICO is pursuing is whether the company sent data to the U.S., and in particular to the University of Mississippi. 

The stakes are high for businesses that, knowingly or unknowingly, allow their customers’ personal information to be used for political purposes without consent.

ICO said Wednesday that it intended to fine Facebook £500,000 for lack of transparency and for security issues relating to the harvesting by Cambridge Analytica of personal data that Facebook held.

The fine Facebook faces is the maximum possible under legislation in effect at the time of the events concerned. Since the introduction of the EU’s General Data Protection Regulation on May 25, though, the maximum fine is now €20 million (US$23.5 million) or 4 percent of a company’s worldwide revenue, whichever is greater.

Although ICO’s investigation focused on concerns surrounding the conduct of the U.K.’s 2017 general election and the referendum on leaving the EU, Cambridge Analytica’s involvement in politics has been an issue since the 2016 U.S. presidential election campaign, in which the winning Republican candidate also used the company’s services.

ICO intends to bring a criminal prosecution against Cambridge Analytica’s parent company SCL Elections for its failure to provide U.S. academic Professor David Carroll with details of the information it held about him following a Subject Access Request filed in January 2017.

Another company, AggregateIQ Data Services, is also in ICO’s sights. The regulator has ordered it to "cease processing any personal data of U.K. or EU citizens obtained from U.K. political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes." The company spent around $2 million targeting Facebook advertising at a list of email addresses on behalf of political groups seeking to influence the U.K. EU membership referendum vote.

ICO has also said it intends to take regulatory action against data broker Lifecycle Marketing (Mother and Baby), which distributes a guide called Emma’s Diary to pregnant women.

The net could spread wider, as ICO expects its investigation to continue at least through October.
