The Information Commissioner’s Office (ICO) announced its plan to fine Facebook £500,000 over the Cambridge Analytica data scandal.
On 10 July, the ICO published a progress report on its investigation into the Cambridge Analytica incident. The report, entitled “Investigation into the use of data analytics in political campaigns,” explained that the ICO had sent a Notice of Intent specifying its plan to fine Facebook £500,000.
The United Kingdom’s independent authority tasked with upholding the public’s information rights said that the penalty reflects Facebook’s “lack of transparency” as well as “security issues relating to the harvesting of data.” The ICO explained that those latter matters violated two of the data protection principles outlined in the United Kingdom’s Data Protection Act 1998. In particular, it said they breached the first principle, which specifies how data is to be treated fairly, and the seventh principle, which requires the implementation of measures designed to uphold the security of collected personal data.
Facebook may respond to the Notice of Intent before the end of July. If it does, the ICO will take Facebook’s concerns into consideration and will use them to finalize its decision.
Information Commissioner Elizabeth Denham offered her thoughts on the penalty in a statement:
New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.
Towards that end, the ICO released another report entitled Democracy disrupted? Personal information and political influence. The agency made 10 recommendations in the publication to help better protect ordinary people in the age of data-driven politics. These included requiring political parties to both work with the ICO and apply due diligence when obtaining personal information from third-party sources in order to confirm that the data was obtained with permission.