The verdict fell on Wednesday 11 July: Facebook may be fined £500,000 – the maximum fine possible – for breaking British data protection law. This is one of the conclusions of the progress report of the UK data protection authority (ICO) on its investigation concerning the use of data in the framework of political campaigns.
Readers may recall that the ICO started to look at the subject in March 2017, before putting Facebook at front and centre of its investigation when the 'Cambridge Analytica' scandal broke (see EUROPE 12054).
The ICO's investigation concluded that “Facebook contravene the law by failing to safeguard people's information. It also found that the company failed to be transparent about how people's data was harvested by others”, the British regulator writes.
Since the general data protection regulation (GDPR) entered into force, the European data protection authorities are free to impose higher fines – the maximum fine can be as high as €20 million or 4% of turnover.
However, due to the timing of the events, the previous law applies and limits the financial penalty in civil cases in the UK to just £500,000, or around €560,000.
However, the UK Information Commissioner, Elizabeth Denham, considers that this is not the be-all and end-all. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system”, she explained.
The ICO explains that Facebook has the option to respond to this formal notice before a final decision is made. Erin Egan, privacy officer for Facebook, observed in a press release that the group was examining the ICO's conclusions and would respond in the near future.
Warning letters to eleven British political parties and opinions calling on them to accept verifications of their data protection practices will furthermore be sent.
The investigation underway is also looking at link between Cambridge Analytica, its parent company SCL Elections Ltd and Aggregate IQ in the framework of the referendum on the withdrawal of the UK from the EU and the US presidential election of 2016.
The ICO is considering taking legal action against SCL Elections Ltd for having ignored a number of requests for information and intends to issue a notice of execution against Aggregate IQ for the immediate cessation of the processing of the data of British citizens.
The British regulator also has her sights set on the anti-EU British party UKIP. She is also examining whether and how Vote Leave transferred the personal data of British citizens outside the UK and whether that constituted a breach of UK data protection law. On this point, the ICO may return a decision in the next three months.
The report has been welcomed by the European Commissioner for Justice, Vera Jourova. “We will now assess what we can do at the EU level to make political advertising more transparent and our elections more secure”, she said.
In the case of 'Cambridge Analytica', the fine is only the beginning. In the UK and elsewhere in Europe, investigations continue. The ICO plans to conclude these investigations by the end of October 2018.
The report is available at: https://bit.ly/2KOJ67V . (Original version in French by Marion Fontana)