The revelations surrounding Cambridge Analytica’s use of personal data and involvement with the Vote Leave campaign raised serious questions about the use of personal data in the EU referendum campaign and, more widely, by technology companies.

The subsequent investigation by the Digital, Culture, Media and Sport Select Committee (the “DCMS Select Committee”) has drawn attention to the activities of technology companies and the widespread use of digital personal data in political campaigning. It has been the catalyst for multiple investigations into a range of issues, including the extent to which electoral law is fit for purpose, the use of data analytics in political campaigns and policy recommendations concerning personal information and political influence.

The DCMS Select Committee published its final report (the “Report”) on 18 February 2019 (available here).

Concurrent investigations

Alongside the DCMS Select Committee’s investigation into disinformation and “fake news”, the UK data protection regulator (the “ICO”) is also conducting a formal investigation into the use of data analytics in political campaigns and published a summary report of that investigation in November 2018.

Report conclusions and recommendations

The Report contains a number of conclusions and recommendations. In particular, from a data perspective:

  • Data use and data targeting: The Report specifically criticises the data practices of Facebook and calls for the ICO to carry out a detailed investigation into the practices of the Facebook platform, its use of users’ and users’ friends’ data, and the use of ‘reciprocity’ of the sharing of data.
  • Data and competition convergence: The Report also calls for the UK Competition and Markets Authority to conduct a comprehensive audit of the advertising market on social media and investigate whether Facebook has been involved in anti-competitive practices. This appears to align at least conceptually with the recent German competition authority investigation into Facebook, details of which are available in our blog post here.
  • AggregateIQ: The Report refers to insecure data found on the AggregateIQ website and the analysis of data stored in a vast repository as evidence that AggregateIQ collected, stored and shared data belonging to UK citizens in the context of its work on the EU referendum. Again, this aligns with the ICO’s own investigation, as a result of which the ICO has issued its first extra-territorial enforcement notice under the GDPR against AggregateIQ.

However, the widespread use of data by large tech companies has also led to other significant and far-reaching implications and recommendations in the Report. For example:

  • Regulation of tech companies: The Report calls for clear legal liability to be established for tech companies to act against harmful or illegal content on their sites. To this end, the Report recommends introducing a new compulsory code of ethics for technology companies. Failure to comply with this code would be met with significant fines, enforced by a new and independent regulator. The regulator would be backed by statutory powers to launch legal action against companies in breach of the code and would be funded by introducing a levy on technology companies.
  • Electoral law overhaul: The Report finds that current electoral law is not fit for purpose and calls for a significant overhaul of such law, including absolute transparency of political campaigning, with clear banners on all paid-for political advertisements and videos, identifying the source and the advertiser. The Report also recommends that the Electoral Commission should be given more powers including the legal right to compel organisations it does not regulate, such as social media companies, to provide information. It should also have the power to increase the size of fines to reflect a company’s turnover.

In summary, the investigation and resultant Report confirm the apparently pervasive nature of data collection and processing in all aspects of society. Despite significant new data regulation across Europe last year, in the form of the GDPR, the Report suggests that we should expect further regulation in the future, both from the specific perspective of political campaigning and, more broadly, from the perspective of regulating data/content controlled by the large tech companies.

The Government is expected to respond to the Report within two months (i.e. by mid-April 2019).

Miriam Everett
Head of Data Protection and Privacy, London
+44 20 7466 2378