On 10 July 2018, the UK Information Commissioner's Office (ICO) published an update on its investigation into data analytics in political campaigns, i.e. the Facebook-Cambridge Analytica scandal. The ICO has decided to fine Facebook £500k – the maximum possible amount under pre-GDPR data protection rules. The fine would have been much higher had GDPR applied. It also sent warning letters to 11 political parties, requiring them to accept audits of their data protection practices, among other actions.
The ICO’s statement might not be particularly significant for Facebook given the size of the proposed fine. It does, however, show how much importance the regulator attaches to transparency in the use of personal data for political purposes, and that companies and political parties will be under greater scrutiny in the years to come. That said, markets are not yet sending clear signals to businesses that engage in misbehaviour. Users are not abandoning platforms because of data breaches either, and share prices have been shown to make relatively rapid comebacks once a scandal passes.
The fine on Facebook may only be £500k, but GDPR now allows the ICO to use more powerful remedies
In its statement, the ICO announced a Notice of Intent to fine Facebook for failing to safeguard users’ information and for failing to be transparent about how their data was harvested by third parties. The ICO’s intended fine for Facebook is £500k. This is significantly lower than what would have been possible under GDPR, because the breaches relate to a time when GDPR was not in force. Had GDPR applied to the case, the fine could have been up to 20% of the company’s annual turnover. It is also worth noting that the ICO refers to a Notice of Intent – in other words, it has not yet made a final decision on the fine. Facebook will now be able to respond and try to convince the ICO that it does not deserve such a fine. The ICO rarely announces fines before they are finalised; in this case, the regulator must have seen the matter as one of public interest, warranting an early statement.
While the fine on Facebook can appear insignificant and convey the impression of a toothless regulator, the ICO has also used powers it now has because of the new rules. One example is the enforcement notice against AggregateIQ, ordering it to stop processing retained data belonging to UK citizens. This is a point the Commissioner made explicitly in a recent parliamentary hearing before the DCMS Committee, noting that an order to stop processing can hit companies hard in their business model, and as such can be a very effective remedy. Going forward, it is likely that the impact of recent scandals, combined with stronger tools in the hands of regulators, will be a sufficient deterrent for companies to put better safeguards in place and avoid a repeat of similar situations.
The ICO’s statement also bears a warning for political parties
Together with the update on its investigation into the use of data analytics in political campaigns, the ICO has, strikingly, published a partner report with an eloquent question in its title (“Democracy Disrupted?”). This report includes findings and recommendations arising out of the investigation, and is aimed at institutions and political actors. Among the recommendations, the ICO calls for a statutory Code of Practice for the use of personal data in political campaigns and for an “ethical pause” so that all stakeholders involved can reflect on their responsibilities.
The report is a clear message to parties across the political spectrum that more transparency on the use of citizens’ personal data is necessary to restore confidence: “Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes”. In other words, we should expect regulators to continue to look closely at the relationship between big data and political advertising, so that voters can take political decisions in as informed and aware a fashion as possible. This will also require parties to minimise the risk of conflicts of interest, whereby they have to legislate to protect citizens’ interests while at the same time relishing the idea of using the latest technology to deliver their message more effectively.
Twitter’s good behaviour is noted by the ICO, but markets are not yet punishing companies for their misbehaviour
A noteworthy point in the ICO’s report relates to how platforms other than Facebook approached advertising. Twitter’s approach stands out; the company stated it did not provide access to Cambridge Analytica for its data products, and took the decision to ‘offboard’ all advertising from accounts operated by the firm. This was because Twitter determined that Cambridge Analytica operated a business model that inherently conflicted with “acceptable business practices” for Twitter Ads. In other words, Twitter saw something that Facebook could not see, and decided to pay the price of reduced short-term profit. This could play to Twitter’s advantage in terms of reputation, as the company comes across as less invasive and less exploitative of users’ personal data.
On the other hand, the reputational damage that such scandals cause social media firms continues to be far from clear. Not only has Facebook not suffered a meaningful drop-off in its user base; it also appears to have recovered the losses in share price it faced after the Cambridge Analytica scandal first broke out in February, and continued in March. Since the end of 1Q18, the company’s share price has been on the rise, and is now at its highest in the last year. Enforcing sound privacy practices will continue to be difficult if markets do not start sending signals of mistrust as a result of such privacy violations.