Brexit backer’s insurance firm and leave campaign fined £120k by data watchdog

The UK’s data protection watchdog has issued fines against a pro-Brexit campaign, Leave.EU, and an insurance company owned by the largest individual donor to the leave cause, Arron Banks’ Eldon Insurance.

The penalties have been handed down for what the Information Commissioner’s Office (ICO) dubs “serious breaches of electronic marketing laws” during the 2016 referendum on the UK’s European Union membership. 

The fines — served under the Privacy and Electronic Communications Regulations 2003, which govern electronic marketing — total £120,000 (~$157k); with Leave.EU fined a total of £60k (covering two incidents) and Eldon Insurance £60k.

The ICO’s investigation found the two entities were closely linked and it says systems for segregating the personal data of insurance customers from that of political subscribers were “ineffective”.

Leave.EU used Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages, according to the ICO’s probe.

Eldon Insurance was also found to have carried out two unlawful direct marketing campaigns which involved the sending of more than a million emails to Leave.EU subscribers without “sufficient consent”.

The ICO says it will now review how both entities are complying with data protection laws by carrying out audits — to observe how personal data is processed; what policies and procedures are in place; and look at the types of training made available for staff.

Key employees across both organisations will also be interviewed, including directors, staff and their data protection officers.

The ICO adds that it will publish its findings when it concludes the audits.

Commenting in a statement, information commissioner Elizabeth Denham said: “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened. We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The ICO issued a preliminary enforcement notice and three notices of intent to fine Leave.EU and Eldon Insurance, trading as Go Skippy Insurance, last November, as part of a wide-ranging investigation into data analytics for political purposes.

“After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged,” it writes today. “The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.”

Banks and associates connected to his unofficial leave campaign remain under investigation by the UK’s National Crime Agency. Last November the NCA announced an investigation into the source of £8M in funding Banks provided to the Leave.EU campaign — after an Electoral Commission investigation found there were reasonable grounds to suspect he was “not the true source” of the money.

The UK introduced legislation back in the year 2000 to outlaw foreign donations, with donors of even a few thousand pounds needing to be both British citizens and on the UK electoral roll for the donations to be legal.

However, since then the rise of social media platforms has provided an unregulated workaround for election spending rules by offering a free-for-all conduit for political ads by the backdoor.

And it’s only since major scandals over election interference, such as Kremlin propaganda targeting the 2016 US presidential election, that tech giants have started to pay attention to the problem and introduce some checks on who can run political ads.

Facebook, for example, recently announced it will set up human-staffed operations centers to monitor political news.

In a few markets it’s also launched tools that offer a degree of transparency around who is buying certain types of political ads. But such measures clearly come far too late for Brexit.

A UK parliamentary committee which spent months investigating the issue of online political disinformation — and slammed Facebook for dodging its questions — came out with a laundry list of recommendations for changes to the law in a preliminary report last year, including calling for a levy on social media firms to defend democracy from disinformation.

Although the government rejected the levy, and most of the committee’s recommendations — preferring a ‘wait and see’ approach. (It has previously committed to legislate around social media and safety, though.)

Last year the UK’s election oversight body issued a series of fines for other leave-backed Brexit referendum campaigns — after finding the official Vote Leave campaign had breached election campaign spending limits by undeclared joint working with a youth-focused Brexit campaign, BeLeave.

Almost half a million pounds in illegal overspending was channeled via a Canadian data firm, AggregateIQ, to use for targeting political advertising pushing pro-Brexit ads on Facebook’s platform.

Facebook later released some of the ads that had been used by Brexit campaigns, which included fake claims and dogwhistle racism being used by leave campaigns to stir up fear among voters about foreigners coming to the UK.

The Facebook Cambridge Analytica data misuse scandal, which snowballed into a major global scandal last year, also triggered a major ICO investigation into the use of personal data for political campaigning, parts of which remain ongoing.

The watchdog issued a £500,000 fine on Facebook last year, as part of that probe — saying the company had “failed to sufficiently protect the privacy of its users before, during and after the unlawful processing” by Cambridge Analytica.

Though Facebook has filed an appeal, arguing the ICO did not find evidence that any UK users’ data was processed by CA.

Last year information commissioner Elizabeth Denham also called for an “ethical pause” around the use of microtargeting ad tools for political campaigning — saying there was “a risk of developing a system of voter surveillance by default”.

In the case of Facebook, the platform has generally preferred to continue accepting money for political ads, while it works on expanding self-styled “election security” measures.

Although it did temporarily suspend foreign-funded ads during a referendum in Ireland last year on whether to repeal or retain a constitutional ban on abortion — acting after concerns had been raised. It also fast tracked the launch of an ad transparency tool in the market ahead of the vote.