Leave.EU and Arron Banks’s Eldon Insurance face fines of £135,000 for data misuse during the 2016 EU referendum, a report by UK data watchdog Information Comissioner’s Office has concluded.

Part of the ICO’s investigation into the use of data analytics in political campaigns, the organisations will be fined following “serious breaches of the Privacy and Electronic Communications Regulations 2003”.

Both Leave.EU and Eldron, trading as GoSkippy, will receive fines of £60,000 for data misuse, with Leave.EU receiving a further £15,000 for breaching email regulations.

This follows revelations that Leave.EU used personal data from the customer database of insurance firm Eldon, owned by Arron Banks, co-founder of the Leave.EU campaign and one of its largest donors, to send unsolicited political marketing messages as part of the Leave campaign.

The ICO has been investigating the matter, along with others, since May 2017, and has already issued a £500,000 fine to Facebook for failing to protect users’ personal information.

This comes after the news that Arron Banks is being investigated by the National Crime Agency, looking into claims that a “number of criminal offences may have been committed” related to Banks’ donations to the Leave campaign of  £8.4m.

What the report found

Today, the ICO published an interim report on its ongoing investigation into the use of personal data to target political messages to individuals, described by Information Commissioner Elizabeth Denham as “unprecedented”.

As well as having evidence to show that personal data belonging to Eldon customers was unlawfully accessed by Leave.EU, including the sending of a Leave.EU newsletter to more than 319,000 of its customers in 2015, the ICO has also found that 169,852 marketing emails for GoScippy were also sent to Leave supporters.

The report found that Leave.EU staff had access to GoSkippy customer data, due to a system which was “ineffective in separating out the potential for data to become mixed in a way that it appears to have been done”, deputy commissioner James Dipple-Johnstone told MPs at the Digital, Culture, Media and Sport Committee hearing.

The ICO has also called for parliament to take up some of the recommendations made in the report, including a statutory code of practice covering the use of data in political campaigns, to be given the same statutory footing as other codes of practice in the Data Protection Act 2018.

The watchdog has issue a preliminary enforcement notice to Eldon, requiring immediate action to ensure that it is compliant with data protection law, and will carry out an audit to “look deeply into the politics or the disregard of the separation of the data”. Publication of the final report is scheduled for the end of this year.

The ICO said it was still investigating the Remain campaign and its handling of personal data and has not issued any fines at this stage.

3 Things That Will Change the World Today

In Brexit latest ICO highlights risk to trust

A blogpost from Information commissioner, Elizabeth Denham said that there had been a “disturbing disregard” for voters’ privacy from across the political spectrum:

“Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups and political parties.”

The blogpost continued:

“We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes.”

“This must change. People can only make truly informed choices about who to vote for if they are sure those decisions have not been unduly influenced.

Will they be fined under GDPR?

Although the new General Data Protection Regulations that came into effect in May this year has given the ICO greater power to investigate data misuse, the fact that the incidents being investigated occurred before GDPR means that the fines are issued under the old law, The UK Data Protection Act.

During the parliamentary hearing, the Information Commissioner explained that this has limited the fines that can be imposed on Leave.EU, Eldon and Facebook:

“The contraventions happened at the end of the previous regime, so therefore we only have the maximum fines available under the previous regime…inevitably [the fine]would  be much larger if we were under the new regime.”

Joseph Carson, chief security scientist at Thycotic believes that it is unlikely that the organisations will be fined under new laws:

“It is very unlikely that Leave.EU and Eldon Insurance will receive any serious fines under the EU GDPR and it will more likely be under its predecessor, The UK Data Protection Act, which imposes maximum fines of up to £500,000 and is what Equifax recently received as a result of their serious data breach.

“However, serious breaches of campaign funds and data protection should be taken more seriously moving forward and these recent examples are avoiding severe financial penalties as a result of luck and timing.”

However, the ICO is due to carry out an audit under data protection laws, and Denham has said that fines could be “significantly higher if we find misdeeds”.