This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.theguardian.com/uk-news/live/2018/nov/06/information-commissioner-to-levy-fines-against-leave-eu-live

The article has changed 10 times. There is an RSS feed of changes available.

Version 2 Version 3
Arron Banks's firm and Leave. EU fined £135,000 over data misuse - live Arron Banks's firm and Leave. EU fined £135,000 over data misuse - live
(35 minutes later)
Pow asks what the investigation has highlighted to Denham.
She says it’s revealed “the disrespect for the personal data of voters and prospective voters. The model that is familiar to people in the commercial sector, behavioural targeting, has been transferred into the political arena. That’s why I called for an ethical pause. I don’t think we want to use the same model that sells us holidays and shoes and cars to engage with voters. I think people expect more than that.
Pow: “Lots of people are having personal data harvested about themselves that they’re probably quite unaware of.” She specifically asks about “inferred” data (when, for instance, Facebook surveils a users’ browsing and determines that they have an interest in, say, “homosexuality”), and Denham suggests that the approach to that data may be “wrong in the law.” She argues that such inferred data should be considered personal, and protected as such.
O’Hara asks who should regulate about harm online, if internet companies can’t self-regulate. Denham: “When it comes to internet harms regulation, there needs to be a code that’s backed with statute, extraterritorial reach, sanction – the powers the ICO has, those are the powers that a regulator needs to look at content and conduct online.
But “I don’t think content and conduct online fits neatly in to any existing regulator.”
Conservative Rebecca Pow asks whether the ICO should just embed someone inside Facebook and the line, which Denham says might be “uncomfortable for both sides.”
“I think inspection powers can give you a way in.”
Could you envisage a greater breach than what we’ve witnessed with Cambridge Analytica, asks Brendan O’Hara, of the SNP.
“Can I imagine worse data crimes, a whole system breakdown? There could be some serious contraventions of the law involving police services, or health systems. But there was purposeful, intentional illegal misuse of personal data that was re-used in political campaigning, and I think that is very serious.”
O’Hara asks if this disregard is because of the disregard of tech companies for the ICO. “I think that the fines have not been significant enough, and the impact on their bottom line has not been significant enough,” Denham responds. “I think the public is waking up to the importance of data privacy in a way they haven’t in the past, and that will drive action.”
“The CEOs of other tech companies, Microsoft and Apple, have come forward with strong statements about supporting data privacy and digital ethics.”
Who should regulate misinformation? “There could be a hybrid model between Ofcom and the ICO,” Denham suggests. “No country has tried this yet. It’s quite controversial and the need to balance freedom of expression with internet harms is hard. But the ICO has a lot of experience with regulating these large platforms. We have years of experience with right to be forgotten cases, which balance freedom of speech with privacy rights.
“Name a platform, they know us.”
Should the ICO be funded with a levy on tech companies? “I do think there is merit for the companies paying for some of the changes we need in the environment. Digital literacy and education, for instance, I do think there is a good idea for companies paying for it.
“A tech levy is a fine idea but how that is distributed is one for government.”
Giles Watling, Conservative, asks whether the ICO is “playing catchup” with large tech companies. Until GDPR came in, with larger sanctions, larger fines, and the ability to reach outside the UK and preserve data, “we couldn’t be as effective a regulator as we can be now”, Denham says.
“We’re never going to have the engineers, we’re never going to have thousands of experts, but we do have the power to compel response, to inspect, we have the power to look at the algorithms, so we have the ability to get in and look. And we can do it proactively and reactively. So the reboot of the law we got in May is really important.”
Watling asks whether companies just build in the assumption of a fine to their costs of doing business. Denham says that the 4% of turnover fines allowed by GDPR are powerful, but so too is the ability to demand a company stop processing personal data. That, she says, “will hit their bottom line”.
GDPR led to a 100% increase in complaints, Denham says, but she notes that normal people rarely have the time or inclination to get involved in defending their rights. Most of the work is still done by journalists and civil society groups.
Clive Efford asks how this investigation ranks compares with previous investigations the ICO has run. Denham responds: “This investigation is unprecedented for our office, it’s unprecedented for any data protection office worldwide.
“But what’s at stake is the fundamentals of our democratic processes. People have to be able to trust the systems, so it’s important that we get to the bottom of this.
“And also that government and parliament take up some of the recommendations we’ve made at the policy level, that include a statutory code of practice for political campaigning.”
Had Cambridge Analytica not already gone bust, it would have been issued “a large fine”, Denham says, because their information storage practices were so ineffectual.
“But this is not the end of our work,” Denham says. “You can see there are several strands that will take us into the future.”
The Facebook/Cambridge Analytica data “was gathered and held illegally under UK law, so that’s our concern”, Denham says.
Across the whole system, she adds, the real focus of the report is the “lack of concern and disregard for the privacy and rights of UK voters”. She says that disregard comes from Facebook, data brokers and many others. We need to improve that “because it matters for our democratic process”.
Damian Collins asks about who else may have copies of the Cambridge Analytica/Facebook dataset. “Some are individuals, some are academic institutions […] about half a dozen,” Dipple-Johnstone says.Damian Collins asks about who else may have copies of the Cambridge Analytica/Facebook dataset. “Some are individuals, some are academic institutions […] about half a dozen,” Dipple-Johnstone says.
Collins asks how this can be the case, if Facebook forced people to delete the data. “We found problems with the signing of these authorisations, some of them weren’t signed at all,” Denham says. “We also found evidence that as recently as 2018, spring, some of the data was still there at Cambridge Analytica. So there’s evidence that the follow-up was less than robust, which is part of the reason we fined Facebook £500,000.”Collins asks how this can be the case, if Facebook forced people to delete the data. “We found problems with the signing of these authorisations, some of them weren’t signed at all,” Denham says. “We also found evidence that as recently as 2018, spring, some of the data was still there at Cambridge Analytica. So there’s evidence that the follow-up was less than robust, which is part of the reason we fined Facebook £500,000.”
Does Denham believe that Facebook’s brief attempt to investigate Cambridge Analytica itself – sending investigators to the company’s office before even the ICO was allowed in – harmed the data? “There is no evidence to suggest that”, Denham says.Does Denham believe that Facebook’s brief attempt to investigate Cambridge Analytica itself – sending investigators to the company’s office before even the ICO was allowed in – harmed the data? “There is no evidence to suggest that”, Denham says.
On Twitter, meanwhile, Arron Banks has dismissed the ICO’s conclusions about data protection breaches by his companies, tweeting: “So what?”On Twitter, meanwhile, Arron Banks has dismissed the ICO’s conclusions about data protection breaches by his companies, tweeting: “So what?”
Gosh we communicated with our supporters and offered them a 10% brexit discount after the vote ! So what ? https://t.co/OYIZaCOmh5Gosh we communicated with our supporters and offered them a 10% brexit discount after the vote ! So what ? https://t.co/OYIZaCOmh5
Banks’ tweet may be seen as evidence in favour of Paul Farrelly’s assertion that £60,000 fines are too small to have an effect.Banks’ tweet may be seen as evidence in favour of Paul Farrelly’s assertion that £60,000 fines are too small to have an effect.
Labour’s Ian Lucas asks some pointed questions about the ICO taking Facebook’s testimony as fact. Facebook said it had found that Canadian data science outfit AggregateIQ used different email lists to those taken in the Cambridge Analytica breach, but Lucas wants to know if the ICO had independently verified that. It has not, Dipple-Johnstone says, in part because only Facebook has that data.Labour’s Ian Lucas asks some pointed questions about the ICO taking Facebook’s testimony as fact. Facebook said it had found that Canadian data science outfit AggregateIQ used different email lists to those taken in the Cambridge Analytica breach, but Lucas wants to know if the ICO had independently verified that. It has not, Dipple-Johnstone says, in part because only Facebook has that data.
Ian Lucas asks who personally at Facebook dealt with the Cambridge Analytica breach. Dipple-Johnstone says the ICO has that information, but not to hand.
Lucas points out that, when Facebook first gave evidence to the committee, it didn’t mention that breach at all. He wants the information, he says, so that he can work out who knew what, when, and why the breach was hidden from parliament.
“One simple question: should Mark Zuckerberg appear before this committee,” asks Conservative Julian Knight.
“We have dealt with headquarters,” Denham says. “We have more action, a better response, when we’re dealing with Mountain View, than when we’re dealing with local representatives.” [Mountain View is actually Google’s headquarters; Facebook is based nearby, in Menlo Park.]
“I think it would be very useful to have him appear… from our own experience, it’s been critical that we’re connecting with senior staff.
“It’s been critical that we have levers in to the highest levels, because that’s where the decisions are being made.”
“We’ve heard evidence that there were staff who worked for both Leave.EU and Eldon Insurance,” Labour’s Jo Stevens asks. “Have you spoken to them?”
James Dipple-Johnstone says the ICO is interviewing former staff from many companies.
“Regulators need to look at the effectiveness of their processes,” Denham adds. “There’s a fundamental tension between the advertising business model of Facebook and fundamental rights like the protection of privacy. And that’s where we’re at now. It’s a big job on the part of regulators to ensure that the right rules are in place.”
“Would you put any personal information on a Facebook account?” Labour’s Clive Efford asks.
“I think Facebook has a long way to go to change practices to an extent that people have deep trust in the platform,” Denham says. “Social media is here to stay, but Facebook needs to significantly change their business model and practices to maintain trust.”
“We’ve seen some changes on the voluntary side to become more transparent,” she says, highlighting the company’s new rules about political adverts, “but they should be subject to stricter regulation and oversight. We issued the highest possible fine that we could impose for their role in Cambridge Analytica.”
Ukip has also refused to speak with the ICO, Denham says. “It’s been frustrating that they’ve refused to cooperate with our investigation.”
Cambridge Analytica’s Alexander Nix and Cambridge University’s Aleksandr Kogan both refused to appear in front of the ICO for an interview under caution. “Parliament has given us new powers that came into effect in April,” Denham says, but “one of the powers we may be coming back to parliament about is the ability to compel individuals to appear. That has frustrated our investigation.”
“We are looking at the entire structure for Cambridge Analytica and SCL Group,” adds Dipple-Johnstone, deputy commissioner.
Labour’s Paul Farrelly notes that the £60,000 fine against Eldon Insurance seems rather less than the potential revenue raised by the misuse of emails. “We have to look at other fines that we’ve issued,” Denham says, but notes that future fines could be significantly higher as investigations continue.
The committee is up. Damian Collins, the chair, begins by running through the findings of the ICO, focusing on the fine levied against Leave.EU and Eldon Insurance.
“Does the ICO believe that the emails were also used to target adverts on Facebook?”, he asks. “It is possible those email addresses could have been used in other ways,” Denham responds, but notes that she has not yet investigated that possiblity.
A breather from filleting the ICO’s report as we prepare for the DCMS to hear from the organisation directly.
If you want to watch along yourself, good news: the select committee is being broadcast live on Twitter, a first:
LIVE: What role can independent regulators have in regulating social media companies, keeping our data safe and advertising models transparent? We are questioning @ICOnews @ElectoralCommUK and @ASA_UK https://t.co/TpjDxeNwu6