The issue of transparency and determining what use will be made of our personal data is central to its use in commerce and as we now know, it’s abuse in the field of politics.
While we may be happy to give our personal information in order to receive delivery of items ordered on the internet, we might not be happy to have the purposes abused and received unrequested marketing materials, or worse still be targeted politically. The question of who holds the data and whether they have been honest about their intended use of it has rightly been the focus of the GDPR 279/2016 and our national version, the Data Protection Act 2018.
Pursuing and fining the commercial entities involved in breaches of data protection is obviously an important enforcement step taken by the ICO (Information Commissioners Office, the data privacy authority in the UK headed up by Elizabeth Denham, in the role of Information Commissioner) in the protection of personal data: unlawful targeted advertising and the use of personal data to “bombard” potential customers with offers and adverts annoys on a daily basis. However, beyond the obvious spamming and commercial sales angle (leading to the wholesale review of company marketing lists in 2018), the use of personal data in the political arena has an even more worrying effect, relevant in these days running up to Brexit.
Data privacy breaches
The latest in data privacy breaches related to political campaigning is the recent fine of £120,000 issued by the ICO against the Leave.EU campaign together with Eldon Insurance Services Limited (which trades as “Go Skippy Insurance”) for their data breaches.
In passing personal data from Eldon Insurance (where it had been gathered from insurance subscribers for the purposes of providing insurance) to the Leave. EU campaign, Eldon Insurance Services Limited breached the Data Protection Act 2018 and the GDPR 2016/279. The data subjects were targeted with almost 300,000 political marketing messages from Leave.EU during the referendum campaign, which resulted in the ICO imposing a £15,000 fine on the Leave.EU campaign. Eldon Insurance Services Limited is owned by Arron Banks, who is the co-founder of the Leave.EU campaign and was a key political donor to UKIP led by Nigel Farage.
Eldon Insurance Services Limited also received data in return from Leave.EU, unlawfully sending over 1 million insurance marketing messages to individuals - resulting in a further fine to Leave.EU of £45,000 (for leaking the personal data) and £60,000 fine to Eldon Insurance (for their use of the personal data). The ICO will now conduct an audit of Eldon Insurance and the leave.EU campaign, to look at the data protection practices of each – the findings of these audits will be made public.
In the same vein, the ICO has issued an enforcement notice against the Canadian firm, Aggregated IQ Data Service Limited (“AIQ”), for their involvement in the well-known Facebook-Cambridge Analytica scandal widely reported in 2018. AIQ was the provider of software tool used for the management of data in voter targeting on behalf of the UK political campaigns, Vote leave and BeLeave. The complaints against AIQ are that under their contract with the political parties, they supplied personal data that was then used to target individuals with political messages, purposes for which the data subjects had not given consent, of which they were not aware and for which they would not have reasonably expected their data to be used. AIQ is now being fully investigated and may be fined up to 20 million Euros (or 4% of its total annual turnover, whichever is the higher). Facebook was fined £500,000 by the ICO in 2018 for its involvement in the scandal.
“Democracy disrupted?” is the title of the publication by the ICO in July 2018, in which it presents its findings on the use of data analytics and behavioural models of advertising in political campaigning; the ICO acknowledges that to retain the trust and confidence of the electorate and the integrity of the elections itself, organisations involved in political campaigning must use personal information lawfully, in transparent ways understood by people. The ICO’s report states that both political parties and social media platforms have not been clear enough about their use of personal data in this respect.
Aside from continuing to enforce the Data Protection Act as far as possible in practice, in both commercial and political spheres, with fines and audits and public statements, what else can the Information Commissioner do?
The Information Commissioner has formally written to 11 political parties in the UK, that the ICO will conduct an audit of their use of personal data and the ICO pledges going forward to monitor political parties and their online platforms in an attempt to manage targeted campaigning and ensure it is lawful. The ICO has also called on the government to legislate “at the earliest opportunity” to introduce a statutory code for the use of personal information in political campaigns.
Most recently, on Monday 18th February, the House of Commons Select Committee known as “The Digital, Culture, Media and Sport Committee” (DCMSC) (established in 1997) published their final report on disinformation and fake news, calling for the government to act rapidly.
In their report, they note that the UK government and recent elections are vulnerable to covert digital influence and asks the government whether “current legislation to protect the electoral process from malign influence is sufficient”, calling for tougher legislation regulating data use, foreign influence and the liabililty of online (social media) platforms for illegal activity online conducted by un-transparent groups. The criticism is that electoral law has failed to move on from billboards and flyers previously used in political campaigning to online campaigns, that big tech companies and platforms are failing in their duty of care to their users to act against harmful content or misuse of personal data.