Facebook fined £500,000 by the ICO following Cambridge Analytica data scandal
UK data watchdog to impose the maximum punishment for two breaches of the Data Protection Act 1998
Facebook will be hit with the maximum fine of £500,000 by the ICO for two breaches of the Data Protection Act 1998 following the Cambridge Analytica scandal.
Information Commissioner Elizabeth Denham published an update of her office's investigation into the misuse of personal data in political campaigns and gave details of some of the organisations and individuals under investigation.
The report also detailed the enforcement actions taken by the ICO, which include the maximum fine of £500,000 for Facebook. Denham said that fines and prosecutions punish the "bad actors", but her real goal was to effect change and restore trust and confidence in the democratic system.
"We are at a crossroads," she said. "Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.
"New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."
The UK's data protection regulator began its investigation in May 2017, looking into whether personal data had been misused by campaigns on both sides of the EU referendum.
Facebook and Cambridge Analytica became the focus of the investigation in February when it was discovered an app had been used to harvest the data of 50 million Facebook users, which is now estimated at 87 million by the ICO.
The use of personal data by social networks has come under heavy scrutiny ever since the GDPR came into force, and Denham has called for an ethical pause to allow regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data and new technologies.
"People cannot have control over their own data if they don't know or understand how it is being used. That's why greater and genuine transparency about the use of data analytics is vital," she added.
Other regulatory actions set out in the report included warning letters sent out to 11 political parties compelling them to agree to audits of their data protection practices. The parties have been issued with a three-month ultimatum to report to the ICO on what actions they will take.
Facebook's chief privacy officer Erin Egan said the social network will respond to the ICO's fine after it has reviewed the report and stressed its regret at not looking into Cambridge Analytica three years ago.
"As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015," Egan said. "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."
Andrew Parsons, a partner at law firm Womble Bond Dickinson, was not impressed with the ICO's action.
"It's rare for the ICO to publicly announce that they intend to fine someone before they actually levy the fine. Given the reputation damage that can be done by a fine, this does not seem a fair course of action before a final decision has been taken," he told IT Pro in a statement.
"It tends to suggest that the ICO is not really interested in what Facebook's response might be. Hopefully this is an exceptional case and not a change of strategy as that would make interacting with the ICO quite difficult."