The UK data protection regulator (the Information Commissioner’s Office – ICO) launched a wide-ranging investigation into the use of personal information for political purposes following the Facebook/Cambridge Analytica affair. It resulted in the publication of a lengthy report titled ‘Democracy disrupted? Personal information and political influence’ in July 2018, and a fine on Facebook set at the maximum amount possible – £500,000 ($645,000).
In one sense, the Facebook fine was a side-effect. The ICO’s primary intention was to investigate the possible misuse of personal information by the Leave campaign ahead of the Brexit referendum within the UK. This investigation has continued. In November 2018, Information Commissioner Elizabeth Denham issued preliminary enforcement notices stating that it would fine the Leave.EU organization and Eldon Insurance a total of £135,000 ($176,000).
The action against Facebook was taken in relation to the Data Protection Act 1998, now replaced by the Data Protection Act 2018 (the UK’s implementation of GDPR). The action against Leave.EU and Eldon Insurance is under the Privacy and Electronic Communications Regulations 2003 (PECR), the laws which govern electronic marketing.
Since November, the ICO has heard representations from the two organizations, and has today (February 1, 2019) made its notices formal. It found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers from that of political subscribers were ineffective. It is also worth noting that Eldon Insurance is controlled by Aaron Banks, who donated £8 million to the Leave campaign. Leave.EU and Eldon share the same corporate address, and there is a cross-over of staff between the two organizations. Banks is under separate investigation by the National Crime Agency over whether he was the true source of his donation.
In a series of formal notices published today, the ICO has issued three separate fines (totaling £15,000 less than the initial intention). Leave.EU has been fined £15,000 for using Eldon Insurance customer details unlawfully to send almost 300,000 political marketing messages. Eldon Insurance has been fined £60,000, and Leave.EU a further £45,000, for two direct marketing campaigns that sent over one million emails to Leave.EU subscribers without sufficient consent.
The ICO has also announced its intention to audit both organizations. “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened,” announced Denham. “We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”
These audit assessment notices give the ICO access to Leave.EU and Eldon’s joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.
In its announcement, the ICO says, “The ICO’s audit team will be looking at data protection practices including observing how personal data is processed, considering what policies and procedures are in place and looking at the types of training made available for staff. They will also be interviewing key employees across both organisations including the directors, staff and their data protection officers. The ICO’s audit findings will be made public at the conclusion of its work.”
So, while the current notices have been issued under PECR, the ICO is now going to examine internal practices in relation to the Data Processing Act (GDPR). The earlier fine it levied against Canadian firm AggregateIQ (AIQ) shows that the pre-GDPR date of the incidents in question (Facebook/Cambridge Analytica for AIQ, and the Brexit referendum for Leave.EU and Eldon) will be overridden by any post-GDPR continuation of bad practices.
It is not necessarily all over yet for Leave.EU and Eldon Insurance.