The UK information watchdog says its investigation into the nexus between data analytics, social media and political campaigning is now “the largest of its type by any data protection authority”.
All of Britain’s main political parties, the various factions in the Brexit referendum campaign — including an insurance company owned by prominent Leave supporter Arron Banks — data brokers and management businesses, and even a company that provides advice and gift packs to mothers-to-be, are part of the probe.
So far Facebook has been fined £500,000 by the Information Commissioner’s Office for the leak of users’ data to Cambridge Analytica — the maximum financial penalty under previous data protection laws in force during the period in question.
But the ICO has fired warning shots against several other entities as it voices fears of “voter surveillance by default”.
Elizabeth Denham, the information commissioner, said the ICO had been “astounded” by the amount of personal data in the possession of the UK’s major parties.
According to the report, many political parties bought marketing lists and lifestyle information from data brokers “without sufficient due diligence” as to their activities. They also used third-party data analytics companies without checking if users had given consent for their personal information to be passed on and used for political purposes.
The ICO’s concerns are set out in more detail in a parallel report entitled “Democracy Disrupted? Personal information and political influence”. These focus less on the volume of information gathered and more on whether it has been processed lawfully and whether the “data subjects” knew their personal details were going to be used for political purposes.
This is especially relevant to information such as age, ethnicity and political leanings, some of which may count as sensitive data that requires additional legal safeguards.
The ICO has sent 11 letters of warning to the main political parties and told them to expect data audits — focused particularly on the issue of consent — later this year.
The rival Brexit campaigns
The report has more to say about groups that campaigned for the UK to leave the EU, although the Remain side does not escape unscathed.
The ICO said it has established that AggregateIQ, a Canadian company used by Donald Trump’s team during his US presidential bid, “had access to UK voter personal data provided from the Vote Leave campaign”. Vote Leave was the official pro-Brexit group.
It is also looking into “whether and how Vote Leave transferred the personal data of UK citizens outside the UK and whether this was in breach of the Data Protection Act 1998, and whether that personal data has also been unfairly and unlawfully processed”.
The regulator is further examining claims that Cambridge Analytica was paid for “work on Ukip data in 2015, and that Leave.EU paid for this work”. Leave.EU was the main unofficial pro-Brexit group. The ICO served an information notice on Ukip but Ukip appealed to the information tribunal. That appeal has been dismissed and the regulator is awaiting Ukip’s response.
As for Remain, the ICO is still looking into the collection and sharing of personal data by the official Remain campaign, better known as Britain Stronger in Europe, and “a linked data broker”. The concerns are similar and centre on consent and fair processing. Britain Stronger In Europe has denied “any impropriety” and said it is co-operating with the ICO.
The ICO said it is investigating allegations that Eldon Insurance Services shared customer data with Leave.EU for campaigning purposes during the Brexit referendum, potentially breaching data protection law. Eldon Insurance is run by Arron Banks, who co-funded Leave.EU.
This claim, previously made by a former member of Cambridge Analytica, has been denied by Leave.EU, which has said it was a lie used to attack Mr Banks and his Brexit group.
The regulator also said it is looking into whether Eldon call centre staff used customer databases to make calls on behalf of Leave.EU, which would be in breach of privacy laws.
Leave.EU said on Wednesday the call centre claim was “total rubbish” and that no Eldon data had been used by the campaign.
Perhaps the most unexpected organisation to be named is Lifecycle Marketing (Mother and Baby) Ltd, trading as Emma’s Diary, a company that distributes informational materials, free gifts and vouchers to new mothers in exchange for registering with the group.
In a notice of intent to fine the company £140,000, the ICO said it supplied the credit reference group Experian with more than 1m records under an agreement in which the opposition Labour party was listed as Experian’s client.
Another organisation that crops up is NationBuilder, an online campaigning platform the ICO said was used by up to 200 political parties or campaign groups during the UK 2017 general election. NationBuilder has a “match function” allowing parties to match their own databases with social media data from public profiles, which the regulator said could be happening without the people affected knowing.
NationBuilder did not respond to requests for comment. Political clients listed on its website include French President Emmanuel Macron, the Women’s Equality Party in the UK and US Republican senator Rob Portman.
A Russia connection?
The report itself does not mention Russia but Ms Denham told the FT that “some information was accessed from other countries, including Russia”.
But she added: “That said, right now we are doing an investigation to see if the access was legitimate or not — many of the players in this story did work in Russia.”
The ICO’s investigation report is, in fact, a progress update that is meant to inform a parliamentary inquiry into fake news. The regulator’s final report is expected in October.
Apart from the promised data audits, the regulator has set out 10 recommendations to the government in its parallel report.
These include a call for a statutory code of practice for the use of personal data in political campaigns; independent audits after referendums to make sure campaigns delete personal data; and all digital political advertising to be archived in an open repository so that the data underpinning it can be analysed.
“If we can get the political parties to ensure their data protection responsibilities are carried out, then . . . we can fix things in a systematic way,” said Ms Denham.
But she also warned: “Without a high level of transparency — and therefore trust amongst citizens that their data is being used appropriately — we are at risk of developing a system of voter surveillance by default. This could have a damaging long-term effect on the fabric of our democracy and political life.”
Additional reporting by Henry Mance.