Bigger than Cambridge Analytica

ORG’s view on the ICO’s personal data and political campaigns investigation.

Three years after it began, last week the ICO published a letter to the DCMS Select Committee on the results of its investigation into the use of personal data in the 2016 EU membership referendum. Some of the most eye-catching concerns revolved around the possible involvement of Cambridge Analytica, a political consultancy that was also involved in the 2016 Trump presidential campaign. It claimed to have thousands of data points on each American voter that could be used to manipulate their voting intention.

Although there is no evidence that Cambridge Analytica operated in the EU membership referendum, the words “Cambridge Analytica” have become synonymous with a broad range of concerns about the use and abuse of personal data in elections. The result is that claims and counter-claims about voter manipulation are writ large across almost every electoral event, undermining trust in the outcome.

Since the ICO published its letter, much ink has been spilled. At one extreme, some claim that journalists reporting the story swallowed the marketing pitch of a middling political consultancy: namely, that data-driven profiling “hacked” the minds of US (and possibly UK) voters into voting in ways they otherwise would not have. At the other are claims that those with a vested interest in minimising the fallout from the Cambridge Analytica debacle want to prevent scrutiny of this kind of mass data harvesting and attempted manipulation.

As with most things, the truth likely lies somewhere in between. What is known for certain is that data protection law was broken when Facebook failed to adequately protect user data from being collected. In addition, it is possible that data protection law is still being broken by political actors – namely, UK political parties. Despite the efforts of a good number of MPs to decry data-driven attempts at electoral interference, party HQs are still trying to profile every UK voter for their electoral advantage.

This is the uncomfortable reality that the UK still faces, and that ORG has evidenced in our report “Who do they think we are?”. ORG showed how the Conservative, Liberal Democrat and Labour parties exploit ambiguities in data protection law to collect personal data that goes beyond what most people would likely consider acceptable.

A key piece of the puzzle is the ICO’s data protection audits of UK political parties. These audits, which measure the compliance of the parties with data protection law, were begun in 2018. The ICO has committed to publishing them “shortly”. The ICO also refers to the recommendations that it has made to UK political parties as a result of the audits, although the wording of the letter does not make clear whether these will be detailed in the published documents themselves.

The ICO’s reluctance to enforce data protection law has raised the ire of the privacy community and MPs. The tenure of Elizabeth Denham, which began with a PR blitz and high-profile investigations, is at risk of ending in a whimper. The ICO must publish these data protection audits of political parties (and its finalised guidance on the use of personal data in political campaigning) as soon as possible, and at a minimum before the end of the year. In addition, it must publish clearly and in full the recommendations it made to UK political parties. This is vital so that civil society can measure progress and check compliance. These measures would go some way to restoring trust in the ICO’s willingness to enforce data protection law, and would help bring closure to the democratic instability unleashed by the use of personal data in the EU membership referendum four years ago.