ICO issues interim findings in Facebook investigation
Alongside all the excitement in the run-up to the implementation of the General Data Protection Regulation (GDPR), data protection was also in the news following revelations around Cambridge Analytica’s harvesting of Facebook user’s Personal Data and the impact on elections. In May the Information Commissioner launched an investigation into the use of data analytics in political campaigns and have now published an update in to their interim findings.
This progress report details some of the organisations that are under investigation as well as the Commissioner’s intention to issue fines and Enforcement Notices.
The Commissioner’s intention is to issue Facebook with the maximum penalty available under the 1998 Data Protection Act of £500,000 which, while a drop in the ocean of Facebook’s finances, demonstrates the ICO’s view that there are significate historic failings in Facebooks protection of Personal Data. Facebook have recently been taking steps to show that they have changed their approach to protecting their users’ Personal Data which is timely as under GDPR they could face fines of up to 4% of global turnover.
The investigation has also looked in to concerns around the sharing of data, issuing a Notice of Intent to fine Emma’s Diary (a ‘baby club’ who, while providing advice and showering new mums with gifts, also act as a data broker) £140,000 for sharing over a million records for commercial gain. While both the new and historic rules do not prevent the sharing of personal data for commercial purposes, Emma’s Diary are alleged to have failed to provide sufficient information of this sharing, that such sharing was unfair as it was outside reasonable expectations, and that consent or legitimate interest (or any other lawful basis) were absent.
Issuing these interim findings suggests that the Commissioner has placed a high priority on investigating the link between data analytics and political campaigns and is willing to take action where appropriate.
While the breaches under investigation pre-date the GDPR and the new Data Protection Act (which came in to effect in May), many of the principles and processes are the same or similar. A key principle continues to be that Personal Data is processed in a way that ensures appropriate security, including against unauthorised or unlawful processing and against accidental loss, destruction or damage. Facebook’s historic approach to third party applications did not satisfy this security requirement.
On data sharing, this can be done where sufficient lawful basis exists and notice is provided (subject to complying with the principles). As with many data protection issues, the key is to clearly set out what you are doing with Personal Data so Data Subjects’ expectations are managed.
Alongside this investigation, the ICO has also been supporting businesses with complying with GDPR and have recently issued fines relating to spam calls and texts. With GDPR now in effect and the ICO working away, data protection is set to maintain its high profile and be a key risk to be managed.