The British privacy watchdog, the Information Commissioner’s Office (ICO), said Wednesday that it intends to fine Facebook the maximum possible amount for the data protection violation. However, because the abuse took place before the introduction of the EU’s new General Data Protection Regulation, which allows fines of up to 4% of global annual revenues, the ICO is only able to fine Facebook £500,000 ($663,610), which is the limit under older British data protection law.
The regulator said Facebook broke the law because it failed to protect people’s information, and because it wasn’t transparent about how its users’ data was being harvested by third parties. The ICO also hit Cambridge Analytica’s defunct parent company, SCL Elections, with a criminal prosecution.
The ICO isn’t just looking at Facebook and Cambridge Analytica—indeed, it folded this affair into a pre-existing investigation into the use of data analytics in political campaigns. That probe is still ongoing, but the watchdog released a progress report on Wednesday, plus a separate report containing recommendations about the issue of personal information and political influence.
So British political parties also got a warning in Wednesday’s broadside, regarding the way they buy marketing lists and “lifestyle information” from data brokers, in order to find out how to better influence people. The issue here is that the people whose data is being bought may not have consented to being exploited in this way.
“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes,” said the information commissioner, Elizabeth Denham. “New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”
The Leave.EU campaign, which pushed for the U.K. to leave the EU in the Brexit referendum, is also being investigated for exploiting personal data that people had given to a company for insurance purposes. The ICO is also probing another pro-Brexit campaign group, Vote Leave, for sending personal data on U.K. citizens to a Cambridge Analytica-like (and possibly Cambridge Analytica-affiliated) company called AggregateIQ, which Facebook has kicked off its platform.
But the anti-Brexit Britain Stronger in Europe campaign is also being investigated over its collection and sharing of personal data. So nobody appears to be clean in this mess.
The ICO said it expects to have wrapped up these investigations by the end of October.
Facebook, which gets to “make representations” to the ICO before the regulator finalizes the fine, had not responded to a request for comment at the time of writing.
Normally, the ICO would not publicize the fact that it has warned a company about an imminent fine. However, it did so today because a parliamentary committee is also probing the issue of Facebook, Cambridge Analytica and political influence, and the ICO wanted to help inform the committee’s work.
Cambridge Analytica got the data of tens of millions of Facebook users from an academic who scraped the information with a personality quiz app. Facebook changed the policies that allowed this scraping in 2015, and told Cambridge Analytica to delete the data in the same year. However, the incident was only made public this year thanks to a whistleblower, and the ICO believes Cambridge Analytica not only failed to delete the information as requested, but indeed shared it with others.