Much of the commentary about the European Union’s (EU’s) General Data Protection Regulation (GDPR) involves the increased fines that the Information Commissioner’s Office (ICO) can levy. There was an assumption that the ICO would use these powers regularly and punitively.
But the decision by the ICO to issue Facebook the maximum available fine – £500,000 is the maximum under the 1998 law, which this breach fell under, whereas a similar breach under GDPR could have resulted in a fine exceeding £1bn – has reignited the debate on the topic.
The GDPR and ICO in context
The context of GDPR is that technology now produces, and allows access to, a great deal of personal data, while people have little control over or knowledge of how others use it. Put simply, GDPR asks each organisation to 1) consider the data it processes, and how and why it processes that data, and 2) question the data’s vulnerability – can third parties access the data, for example?
GDPR gives individuals enhanced powers so as to encourage the public to ask organisations these two questions. If the ICO suspects that an organisation is not compliant, it can then use the complaints it receives from dissatisfied customers to follow up.
The ICO cannot keep the fines it issues, so it relies on central government funding. Only one data protection authority in the EU, the Spanish regulator Agencia Española de Protección de Datos, can keep the money, and it is the most prolific issuer of fines.
The ICO’s role as a regulator is to observe behaviours and to target industries and practices of which it does not approve. The ICO is more likely to issue enforcement notices and ask for undertakings rather than fine. The ability to fine will be used as a deterrent for those who choose not to cooperate. For 18 years, the ICO has had the power to fine £500,000, but it has done so only now.
The ICO website lists the regulatory action it has taken. The current list largely comprises organisations that have permitted nuisance calls and direct marketing emails, or whose IT systems were vulnerable to hacking, and it covers both fines and other enforcement action.
The Facebook fine
In this article, I do not set out the background to this story, but in May 2017 the ICO announced a formal investigation into the use of data analytics for political purposes.
In parallel with that investigation, the Digital, Culture, Media and Sport (DCMS) select committee has been conducting its own inquiry into “fake news”, which includes the use of personal information in political campaigns.
The ICO believes action is required to improve each political party’s compliance with privacy law, in particular in relation to the use of personal data from the Electoral Register, micro-targeting on social media, and the use of software to screen people’s names for likely ethnicity and age.
The ICO has formally written to 11 UK political parties detailing the outcome of the investigation and the steps that need to be taken.
A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign. While people on Facebook can block advertising from parties, they cannot block advertising about political issues. The ICO is also prosecuting Cambridge Analytica’s parent company for its activities.
It is the largest investigation of its type by a data protection authority. The investigation has identified a total of 172 organisations of interest that required engagement, of which around 30 organisations have formed the main focus of the enquiries. These include political parties, data analytics companies and major social media platforms.
This investigation is complex and my summary is selective, but many major data brokers (organisations such as credit reference agencies that hold valuable, structured personal data) and social media players are also being investigated – it is not just about Facebook and the 2016 referendum.
The investigation will produce a regulatory framework governing how electioneering can legitimately use the opportunity created by social media. So the investigation is ongoing – the next phase will conclude in autumn.
For organisations whose business is to provide a platform where people share personal data or host personal data that is used by third parties, the lesson is that these organisations will have to be vigilant to ensure that other third parties (whether data harvesters or hackers) cannot access that data for their illegitimate interests.
These organisations need to risk-assess their practices thoroughly and continually, so that they can always answer the two questions referred to at the start of this article to the satisfaction of the ICO.
For the majority whose businesses are less data-centric – in either the collation or the exploitation of personal data – the ICO has made it clear that it will not use GDPR to declare war on small businesses. The ICO also recognises that GDPR compliance is ongoing and that organisations should never stop asking themselves the two questions above.