UK regulator indicts data ecosystem, fines Facebook maximum possible amount, and warns UK political parties against exploiting people's data

Yesterday the UK's Information Commissioner's Office (ICO) - which is responsible for ensuring people's personal data is protected - announced it intends to fine Facebook the maximum amount possible for its role in the Cambridge Analytica scandal.

This decision highlights of how serious and rampant misuse and exploitation of data is. Facebook is responsible and failed to comply with data protection 101: be upfront and honest about what you are doing with people's data.

Importantly, the ICO's recent reports were a status update in a much larger investigation, and the fines so far are a strong indicator that we are going to see further action in the future - and not just in the UK. The ICO says that it is considering criminal prosecution against SCL Group, has issued 11 warning letters to political parties, and is investigating two EU referendum campaigns - Vote Leave and the official Remain Campaign.

The sheer scope of the ICO's investigation is a reminder that data exploitation is both rampant and systemic. In addition to the above, the ICO plans to conduct audits of the main credit reference companies, is investigating Eldon Insurance, and has issued an enforcement notice to Aggregate IQ. The ICO even intends to fine a parenting blog, called Emma's diary, which has been sharing data with political parties. Privacy International is also currently investigating a range of similar companies.

Regulators including the ICO, have and are using their teeth. And as Facebook needs no reminding, under GDPR, regulators have much bigger and more significant powers, as well as the ability to issue far larger fines.

Social media and political parties are using data without transparency nor responsibility towards voters. The fact that political parties and campaigns in the UK do not appear to meet these minimum standards is troubling. Abuse of data for political purposes has implications for people's rights and the democratic process around the world.

This is why the use of people’s personal data must be strictly regulated, particularly in the political arena. Leading up to the UK Data Protection Act, Privacy International urged Parliamentarians to delete the wide exemption, open to abuse, that allows political parties to process personal data "revealing political opinions" for their political activities. PI wrote to all of the UK's main political parties and asked for them to publicly commitment to not using the exemption provided in the Act to target voters — both online and offline — in any local and national forthcoming elections or by-elections. We received 0 responses.

This is regrettable since political parties should be a role model in how to use data responsibly and lawfully.

While scandals come and go, data exploitation persists and the ICO's investigation shows that corporate talking points and PR campaigns are not good enough.