The UK’s data watchdog, the Information Commission’s Office (ICO), has still not obtained a warrant to enter and search the servers of the London-based political consultancy, Cambridge Analytica — the company at the center of the data misuse scandal engulfing Facebook — three days on from beginning the process.
The earliest a warrant could now be obtained by the regulator is Friday.
In a statement today the ICO said: “A High Court judge has adjourned the ICO’s application for a warrant relating to Cambridge Analytica until Friday. The ICO will be in court to continue to pursue the warrant to obtain access to data and information to take forward our investigation.”
The information commissioner, Elizabeth Denham, made it public on Tuesday that she was seeking a warrant to search CA’s servers after the company missed a Monday deadline to hand over information her office had requested. (Though in a statement on Tuesday CA claimed to “have been fully compliant and proactive in our conversations with the ICO”.)
She also instructed Facebook to withdraw its own investigators from CA’s offices, warning that their presence could compromise her investigation.
Unlike competition authorities, the ICO does not have legal powers to raid offices without a warrant. And former UK attorney general, Dominic Grieve, has argued the ICO’s legal powers are inadequate — telling the BBC on Tuesday that the Facebook-CA scandal highlighted a need for “greater powers and greater sanctions”.
Greater sanctions are at least incoming — under the EU’s GDPR regime which will apply from May 25, raising the maximum fine for the most serious data protection violations to up to 4% of a company’s global turnover (or €20M, whichever is greater).
But the fact that the data watchdog is forced to sit on its hands waiting to gain access to servers that the companies of interest to its investigation are in control of or able to access raises serious questions about the asymmetry between big data and regulation.
Earlier this month Denham told MPs on the DCMS committee that’s investigating fake news that her office would be pushing for increased transparency around data flows and disclosure rules for digital political advertising — suggesting a code of conduct is needed to regulate the use of social media in political campaigns, referendums and elections.
And while Facebook has claimed it was unaware that ~50M Facebook users’ data was passed to Cambridge Analytica for political targeting purposes, Facebook has itself long been actively encouraging politicians and political campaigns to make use of its tools — at a time when there was a complete lack of regulation for political ads on digital platforms.
Almost a year ago, in May 2017, the ICO announced a formal investigation into the use of data analytics for political purposes — including looking into complaints related to Cambridge Analytica’s use of data for ad targeting.
That investigation remains ongoing. And may well now be further delayed, given the developing nature of the story (and the ICO’s push for a warrant so it can conduct a full audit of CA’s servers).
Although, earlier this month before the latest Facebook-CA revelations hit the headlines, Denham told the committee she hoped to be able to publish the report by the end of May.
Asked by the DCMS committee whether the ICO has adequate powers to carry out its responsibilities Denham flagged a problematic gap in her “information notice powers” — noting that while the ICO can make a formal demand for information, organisations are not compelled to disclose the requested data (though they can be prosecuted for not doing so).
“Without the power to compel it is difficult to secure the desired outcome,” she told the committee. But she added she’s raised the issue with ministers and is hopeful the UK government will remedy this gap.