Today, the Information Commissioners Office (ICO) has published a number of detailed reports as part of the ICO’s formal investigation into the role of data analytics in political purposes. These reports include an interim progress update on the continuing investigation, and regulatory action being taken, relating to Cambridge Analytica, SCL Elections Limited, Aggregate IA and Facebook. There are details of the Notice of Intent to issue a fine, under the Data Protection Act 1998 as the investigation predates the introduction of the GDPR, of £500,000 to Facebook for a “lack of transparency and security issues”.
The report also provides a detailed account on the discussions the ICO is pursuing with others including Cambridge University, eleven political parties and a number of data broker organisations as part of the investigation. It highlights that this is the largest investigation ever conducted by a data protection authority and has raised a number of different lines of enquiry. The report makes it clear that the investigation is still live with many questions left unanswered at this time, including as to whether the data protection and privacy procedures in place within UK Universities are sufficient. With the investigation continuing the ICO will produce a more detailed final report with its final conclusions later this year.
In addition, the ICO has published a separate report that outlines ten key policy findings and recommendations that have emerged from the investigation so far. The aim of the Democracy Disrupted? Personal Information and Political Influence report is to “draw back the curtain” and shine a light on how personal information is being used in political campaigning today. This highlights the need for greater transparency and information on information processing to retain trust and confidence of citizens in the integrity of political campaign and elections. The key policy recommendations outlined include:
- Political parties to work with the ICO and others to develop a “Your Data Matters” campaign before the next General Election
- Introduction of a statutory Code of Practice for the use of personal data in political campaigns
- Centre for Data Ethics and Innovation to hold a citizen jury on data analytics in political campaigns
- Call for online platforms providing adverts to political parties to ensure sales teams have data protection expertise
- ICO to work with the European Data Protection Board (EDPS) to ensure online platforms compliance with GDPR requirements to ensure users understand how data is processed in targeted advertising
- All platforms cited in the report to urgently roll out planned transparency features in relation to political advertising
- Government to conduct a review on gaps in regulations in relation to political advertising online
In addition, a key policy recommendation being made in the ICO’s report is the need for an “ethical pause” in the way new technologies are being used in political campaigning to allow Governments, Parliament, political parties and citizens time to reflect on the impact of technologies, including AI, and to consider responsibilities and requirements in relation to personal data. This recommendation seems to have emerged from the ICO’s work exploring current and emerging trends in the use of technologies including social media, data analytics and AI in campaigning. As part of this analysis the ICO commissioned the thinktank DEMOS to conduct a study on current and emerging trends in the use of technology in political micro targeting. The results of this study is a report on “The Future of Political Campaigning” which is also released today.
In response to the publication of the ICO’s reports Antony Walker, Deputy CEO techUK said:
“These detailed reports on what is a very complex issue highlight the importance of having a strong and well-resourced data protection regulator. They demand careful reading and consideration. There is a very clear message from the ICO that everyone involved in data has a responsibility for building and retaining the trust and confidence of the people who use their services. Trust, however, cannot be given. It must be earned. Compliance with the law and GDPR is just the starting point.
“This is an issue that goes beyond compliance. The ICO’s report raises real ethical questions around truthfulness, fairness and respect. techUK stands ready to help the ICO, and the new Centre for Data Ethics and Innovation, in developing effective policy approaches to ethical questions related to the use of data driven technologies in political campaigning.”