Watchdog slams political data slurpers' 'disturbing disregard' for voters' privacy

ICO's second report into data analytics in campaigning lands with a thud

Facebook heads to the naughty step

Denham made a number of withering comments about Mark Zuckerberg's enterprise during the committee hearing, saying that Facebook had a long way to go, and needed to significantly change their business practices, to earn people's trust.

She also indicated broad support for the committee's efforts to speak to the boss himself for its inquiry – the CEO has rebuffed every attempt to bring him in so far, and the firm hasn't responded to The Register's queries about whether the promise of an "international" inquiry will change that.

When asked if Zuck should appear, Denham said that being able to deal with Facebook HQ, Mountain View, had provided the ICO with "more information and a better response" than local reps. "We are all about transparency," she said. "I think it would be very useful to have Mr Zuckerberg appear, but it's not for me to say whether he should."


Denham also repeatedly said that the £500,000 fine Facebook was issued with would have been much larger if the incident had taken place under the new GDPR regime.

In particular, the ICO appeared frustrated at the apparent disinterest the firm showed in making sure the data sets were deleted after it found out about the data-harvesting in 2015.

"We've found some problems with the signing of [Facebook-ordered] authorisations [from organisations]; some of them weren't signed at all," she said. "The follow up was less than robust."

As well as the £500,000 fine it handed out this summer, the ICO said it had referred its ongoing concerns to the Irish Data Protection Commissioner (Facebook's European HQ is in Ireland). These relate to Facebook's targeting functions and the ways in which the Social Network™ monitors individuals' browsing habits, interactions and behaviour across the internet and different devices.


However, Denham didn't sound overly keen on handing this high-profile battle over to her Irish counterparts; when asked if she had enough faith in the Irish DPC, she replied that her organisation has "more capacity to do technical audits", and that the ICO was on hand to help the smaller body (the ICO has 700 staff, 600 more than Ireland).

Eyeing up a new regulatory tie-in

When it issued its interim report in July, the ICO called for the government to introduce a statutory Code of Practice for the use of personal data in political campaigns, which it reiterated yesterday.

The body wants it to apply to all data controllers that process personal data for the purpose of political campaigning, which would include anything that relates to elections or referenda, in support of, or against a party, campaign or candidate.

Denham told MPs that this would mean that political parties were all playing by the same rules, and ensure that the public could trust that politicos were engaging with them lawfully.

This, she said, would be one way to work in definitions and rules around inferred data – information that parties used to guess wider traits, or to put people into certain groups – and lookalike audiences that are generated on Facebook.

But Denham also opined on online misinformation, disinformation and illegal content more broadly, saying that the time for self-regulation by tech giants was over.

They are already subject to data protection laws, she said, but need to be made accountable for the way they deal with "internet harms".

"When it comes to internet harms regulation, I think there also needs to be a code that's backed with statute, the power of extraterritorial reach, the powers of sanction – the powers the ICO has – those are the powers that a regulator needs to look at."

A regulator should be ready to look at the effectiveness of systems – for content takedowns, or recognising bots, for example – rather than fielding individuals' complaints.

When asked which regulator should do this, she said that content and conduct online didn't fit neatly into any one existing watchdog – but proposed that Ofcom and ICO "could be a hybrid model" as they have complementary experience.

Apparently keen to stake her claim to the potential new area, she added: "You're not going to be able to take the ICO out of the data issues; we're a horizontal not a sectoral regulator."

The full report is available online here (PDF), and more updates are due before the end of the year. ®

