The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has released the findings of its investigation into the use of data analytics for political purposes, revealing the unlawful use of data by various groups during the Brexit referendum.

Its investigation into Brexit data misuse, as well as the 2017 General Election, was triggered in early 2017 by the Observer’s discovery that Cambridge Analytica illegally used data to target Leave voters.

The ICO started with 172 organisations, before narrowing its scope to 30 for the main focus of its investigation. During the course of its investigation, the ICO analysed 700 terabytes of data, equivalent to 52 billion pages.

In its 113-page report to parliament, the ICO described it as “the most complex data protection investigation we have ever conducted”.

Information Commissioner Elizabeth Denham presented her findings to Parliament this morning. In a blog post on the ICO website, she said:

“Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups and political parties.”

Here are the groups that the ICO focused its efforts on, what they are responsible for and the penalties they face. In some cases, fines have been issued and criminal prosecution is being pursued.

Cambridge Analytica

While the company that prompted the investigation is now in administration, the ICO is pursuing criminal prosecution over the company’s Brexit data misuse.

Cambridge Analytica, owned by hedge fund billionaire Robert Mercer, harvested some 87 million Facebook profiles to create personality profiles that could be used to target leave voters during the Brexit referendum.

Speaking to the Observer, Cambridge Analytica whistleblower Christopher Wylie said:

“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Its data misuse crosses borders, with the data analytics firm working with Donald Trump’s election campaign.

The ICO is continuing its investigation, but noted that the breaches discovered so far are so serious that it would have issued a “substantial fine if the company was not in administration”.

Facebook

The ICO issued the maximum penalty of £500,000 in October for allowing Cambridge Analytica to collect the data of up to 87 million users through third-party apps.

The data of more than one million British users was subsequently used by Cambridge Analytica to target and influence voters during the Brexit referendum.

Data was also used to profile and target voters ahead of the 2016 United States presidential election.

Facebook was fined under the older Data Protection Act 1998, which meant the social media company avoided a potential GDPR fine stretching to $1.6bn.

The ICO is referring further “outstanding issues” to the Irish Data Protection Commission.

Leave.EU and Eldon Insurance

Brexit financier Arron Banks has been issued with two fines by the ICO for unlawfully using data from his company Eldon Insurance (trading as GoSkippy) to send emails to unofficial leave group Leave.EU, and vice versa.

The ICO found that more than one million GoSkippy marketing emails were sent to Leave.EU subscribers without their consent over two separate periods. Both companies now face a £60,000 fine.

Leave.EU faces a further £15,000 fine for sending almost 300,000 emails to Eldon Insurance customers containing a Leave.EU newsletter.

Both Leave.EU and Eldon Insurance now face an audit by the ICO.

Banks has also been accused of leaking the report’s findings ahead of their release to BuzzFeed to lessen its impact.

Banks, Leave.EU and Eldon Insurance deny any wrongdoing.

Vote Leave, AggregateIQ and other leave campaigns

The ICO did not find any evidence that the official leave campaign, Vote Leave, transferred or processed the data of UK citizens unlawfully or without consent.

However, it is still investigating whether Vote Leave used electronic marketing communications unlawfully and will report its findings “imminently”.

The Electoral Commission has referred individuals from Vote Leave and BeLeave to the police to investigate whether there was a breach of electoral rules.

Political consultancy AggregateIQ placed adverts on Facebook on behalf of the DUP Vote to Leave campaign, Vote Leave, BeLeave and Veterans for Britain.

BeLeave did not submit an electoral return on these ads.

AggregateIQ received approximately £1.5m for placing 2,823 ads, of which 2,529 were on behalf of Vote Leave.

Remain campaign

The ICO is still investigating the Remain side of the Brexit referendum and the associated campaign groups, such as Britain Stronger in Europe.

During its investigation, it found that the Liberal Democrats sold personal data of its party members for around £100,000 to Britain Stronger in Europe.

The Liberal Democrats deny any wrongdoing and insist that they carried out a “simple enhancement service” to data they were entitled to access, such as adding phone numbers.

The report said that it is “specifically looking at 11 inadequate third party consents and the fair processing statements used to collect personal data” around Britain Stronger in Europe and a linked data broker.

Cambridge University

The ICO carried out an audit of Cambridge University’s Psychometric Centre, which carries out psychometric testing to measure personality traits.

Academics at the centre created an app called ‘My Personality’, which used Facebook data and the results of the online quiz to create personality profiles.

From matching their results to “as few as 68 Facebook ‘likes’, they were able to predict with a high degree of accuracy a number of characteristics and traits, as well as other details such as ethnicity and political affiliation.”

It is these models that Cambridge Analytica used to target voters.

The ICO has advised the university to improve its data protection practices.

Data brokers

The ICO found that several data brokers operating in the UK sold data to political parties without lawful consent for it to be used in that way.

Emma’s Diary, which offers pregnancy advice and products, was found to have illegally sold the personal data of more than a million people to Experian Marketing Services.

It was then used by the Labour party during the 2017 General Election to profile and target new mothers.

Emma’s Diary was issued with a £140,000 fine in July for its role.

In a separate investigation, the ICO is also examining the behaviour of credit rating agencies Experian, Equifax and Callcredit for their role in political campaigns.

Brexit data misuse raises wider concerns about technology and democracy

The ICO has also issued formal warnings to the Conservatives, Labour, Lib Dems, Greens, SNP, Plaid Cymru, DUP, Ulster Unionists, Social Democrat, Sinn Féin and UKIP for worrying data practices.

The extent of Brexit data misuse revealed by the ICO raises serious questions about how technology can be used to influence elections at a large scale.

While none of these breaches can be pursued under GDPR, the harsher penalties that it threatens have put a spotlight on data privacy and data misuse.

“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes,” said Denham.

“This must change. People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.”

Denham has called for the UK government to “consider where there are regulatory gaps in the current data protection and electoral law landscape to ensure we have a regime fit for purpose in the digital age.”