When Facebook got hit with a pretty small fine last month over its part in the Cambridge Analytica scandal, that wasn’t the end of the matter. The U.K. privacy regulator, which wished it could have fined Facebook more than that paltry £500,000 ($645,000) sum, has now set in motion a process that could lead to a much, much larger penalty for the social network.
The reason for the fine’s lack of girth was that, when Facebook’s lax data-protection policies allowed millions of people’s information to end up in the hands of the political consultancy Cambridge Analytica, the U.K. had to enforce an old privacy law that only allowed for a maximum fine of £500,000. The fearsome EU General Data Protection Regulation (GDPR,) which allows for a fine of up to 4% of global revenue, only came into effect this year.
This, however, may have changed. In a report issued Tuesday, the U.K. Information Commissioner, Elizabeth Denham, said that Facebook may be breaking the new law too, through the way it tracks people around the Web. Consequently, because Facebook’s European operations are based in Ireland, the British regulator has asked its Irish counterpart to look into the matter.
“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behavior across the internet and different devices to the [Irish Data Protection Commission,]” the Information Commissioner said. “We will work with both the Irish regulator and other national data protection authorities to develop a long term strategy on how we address these issues.”
This is not Facebook’s only investigation under the GDPR. On the very day that the new regime came into effect, privacy campaigners filed official complaints about the company—and Google too—over the railroading of users into consenting to the processing of their data, in return for using their services.
Twitter, too, is being investigated in Ireland over the way it tracks people as they surf the web.
The U.K. Information Commissioner’s report is intended to bring the country’s parliament up to date on the use of data analytics techniques in political campaigns.
“Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system—from data companies and data brokers to social media platforms, campaign groups and political parties,” Denham said in a blog post.
“Whilst voluntary initiatives by the social media platforms are welcome, a self-regulatory approach will not guarantee consistency, rigour or shore up public confidence. That is why I am calling for views for a code of practice covering the use of data in campaigns and elections.”
Facebook had not responded to a request for comment at the time of writing.
Along with the release of the report, Denham’s office issued a £135,000 fine against the pro-Brexit campaign group Leave.eu and the insurance company owned by its founder, Arron Banks. The campaign had emailed supporters to market the insurance company’s services, in breach of data protection law.
Banks and Leave.eu are also under criminal investigation over the funding for the campaign. Some have said the investigation should prompt a delay to Brexit, although Leave.eu was not the official campaign for the U.K.’s divorce from the European Union.