Facebook handed maximum UK fine for Cambridge Analytica data breach

By AdNews | 13 July 2018

Facebook will be fined the maximum £500,000 for breaches related to the Cambridge Analytica data scandal under UK law.

An investigation by the Information Commissioner’s Office recommended the penalty as well as other measures to curtail how personal information is used online in political campaigns.

Figures from the UK Electoral Commission show that political parties spent £3.2 million on direct Facebook advertising during the 2017 general election. This was up from £1.3 million during the 2015 general election. By contrast, the political parties spent £1 million on Google advertising.

Amongst the recommendations is that there is an ethical pause on microtargeting advertising tools for political campaigning.

In a report, 'Democracy Disrupted? Personal Information and Political Influence', the ICO says that “social media companies have a responsibility to act as information fiduciaries, as citizens increasingly live their lives online”.

The report added: “A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign.”

The ICO also found that despite a significant amount of privacy information and controls being made available, Facebook did not effectively inform users about the likely uses of their personal information and this information should have been made available at the first layer of their privacy policy.

“Whilst users were informed that their data would be used for commercial advertising, it was not clear that political advertising would take place on the platform.”

Another recommendation is that that online platforms providing advertising to political parties and campaigns should “include expertise within the sales support team who can provide political parties and campaigns with specific advice on transparency and accountability in relation to how data is used to target users”.

The 10 policy recommendations 

1) The political parties must work with the ICO, the Cabinet Office and the Electoral Commission to identify and implement a cross-party solution to improve transparency around the use of commonly held data.

2) The ICO will work with the Electoral Commission, Cabinet Office and the political parties to launch a version of its successful Your Data Matters campaign before the next General Election. The aim will be to increase transparency and build trust and confidence amongst 5 the electorate on how their personal data is being used during political campaigns.

3) Political parties need to apply due diligence when sourcing personal information from third party organisations, including data brokers, to ensure the appropriate consent has been sought from the individuals concerned and that individuals are effectively informed in line with transparency requirements under the GDPR. This should form part of the data protection impact assessments conducted by political parties.

4) The government should legislate at the earliest opportunity to introduce a statutory Code of Practice under the DPA2018 for the use of personal information in political campaigns. The ICO will work closely with government to determine the scope of the Code.

5) It should be a requirement that third party audits be carried out after referendum campaigns are concluded to ensure personal data held by the campaign is deleted, or if it has been shared, the appropriate consent has been obtained.

6) The Centre for Data Ethics and Innovation should work with the ICO, the Electoral Commission to conduct an ethical debate in the form of a citizen jury to understand further the impact of new and developing technologies and the use of data analytics in political campaigns.

7) All online platforms providing advertising services to political parties and campaigns should include expertise within the sales support team who can provide political parties and campaigns with specific advice on transparency and accountability in relation to how data is used to target users.

8) The ICO will work with the European Data Protection Board (EDPB), and the relevant lead Data Protection Authorities, to ensure online platforms’ compliance with the GDPR - that users understand how personal information is processed in the targeted advertising model and that effective controls are available. This includes greater transparency in relation to the privacy settings and the design and prominence of privacy notices. 

9) All of the platforms covered in this report should urgently roll out planned transparency features in relation to political advertising to the UK. This should include consultation and evaluation of these tools by the ICO and the Electoral Commission. 

10) The government should conduct a review of the regulatory gaps in relation to content and provenance and jurisdictional scope of political advertising online. This should include consideration of requirements for digital political advertising to be archived in an open data repository to enable scrutiny and analysis of the data.

Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at adnews@yaffa.com.au

Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.

Read more about these related brands, agencies and people

comments powered by Disqus