The UK’s data protection watchdog plans to fine Facebook £500,000 over the Cambridge Analytica scandal.
It would be its biggest ever penalty. The social network has yet to decide if it will to try to reduce the sum.
In addition, the regulator said it intended to bring a criminal action against Cambridge Analytica’s defunct parent company SCL Elections.
It also said Aggregate IQ – which worked with the Vote Leave campaign – must stop processing UK citizens’ data.
And it said it had also written to the UK’s 11 main political parties compelling them to have their data protection practices audited.
This, the Information Commissioner’s Office explained, was in part because it was concerned they could have bought lifestyle information about members of the public from data brokers, who might have not have obtained the necessary consent.
In particular, the ICO raised concern about one data broker: Emma’s Diary. The firm offers medical advice to pregnant women and gift packs after babies are born.
The ICO said it was concerned about how transparent the firm had been about its political activities.
It said that the Labour Party had confirmed using the firm, but did not provide other details at this point beyond saying it intended to take some form of regulatory action.
The service’s owner Lifecycle Marketing could not be reached for comment. But it has told the Guardian that it does not agree with the ICO’s findings.
Why fine Facebook?
The ICO’s action comes 16 months after it began an ongoing probe into political campaigns’ use of personal data during the Brexit referendum campaign.
Over the period, it emerged that Facebook had failed to ensure that a London-based political consultancy – Cambridge Analytica – had deleted personal data harvested about millions of its members in breach of the platform’s rules.
Before its collapse, Cambridge Analytica insisted it had indeed wiped the data after Facebook’s erasure request in December 2015.
But the ICO said it had seen evidence that copies of the data had been shared with others.
“This potentially brings into question the accuracy of the deletion certificates provided to Facebook,” it said.
Looking wider, the ICO noted that Facebook had been the biggest recipient of digital advertising by political parties and campaigns to date.
Yet, it said, the US firm had neither done enough to explain to its members how they were being targeted as a consequence, nor given them enough control over how their sensitive personal data was used.
As a result, it said, Facebook was guilty of two breaches of the Data Protection Act.
The tech firm’s chief privacy officer has issued a brief response.
“As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015,” said Erin Egan.
“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”