This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.theguardian.com/uk-news/live/2018/nov/06/information-commissioner-to-levy-fines-against-leave-eu-live

The article has changed 10 times. There is an RSS feed of changes available.

Version 3 Version 4
Arron Banks's firm and Leave. EU fined £135,000 over data misuse - live Arron Banks's firm and Leave. EU fined £135,000 over data misuse - live
(35 minutes later)
Farrelly asks about Facebook’s new code of conduct for political campaigning in the UK, which comes into effect tomorrow.
Bassett notes that the EC doesn’t have any powers outside of an electoral period, but says that they’re “very keen to make sure that we’re asking the right questions. It’s good that Facebook is at least talking to us, and coming forward with some solutions, but it’s reaching the point that we need to set out as a statutory minimum what is expected of them.”
Farrelly: “You’ve called for greater fining powers, similar to other bodies. What response have you had?”
Bassett: “The Government is open to consider it, but at the moment, not. They responded to our 2017 General Election report last week, and in that response I don’t think they’re convinced that that’s the most appropriate route. We’ve not yet had the opportunity to discuss it with him.
“Their response seems to suggest we should be referring more people to the police, but that conflates civil and criminal law.
“We continue to think that the £20,000 maximum fine is very low, in relation to the sums that campaigners are spending.”
Has anyone fined by the EC over wrongdoing in the referendum paid the fines yet? No, says Edwards. The fines are being appealed, which means they don’t have to be paid yet.
Rebecca Pow asks whether it is important that the NCA finish its investigation before March 29, 2019. Bassett says she doesn’t think she can answer that, but Pow pushes. What if on March 30, the NCA finds massive wrongdoing? “I don’t think that’s something we can comment on, it’s a matter for parliament.”
“You certainly shouldn’t be assuming that the illegal activity had an effect on the outcome of the referendum,” Bassett says. “There have been some studies, but there isn’t any strong evidence.”
Bassett asked about social media regulation by Clive Effort: “We remain concerned that we need all of the different social media platforms to be engaged and not just some of them and that will probably need further regulation,” she says.
“When does an issue get on the political agenda, when does it become political campaigning. We need to do it in a way that balances freedom of speech with protection of data, that side of it, and make sure it doesn’t create burdens that inhibit people who have the right to say things.”
Giles Watling asks whether the £8m in impermissible loans from the Isle of Man came from Russia. Bassett says that the Electoral Commission can’t answer that question.
Collins asks about Banks’ claims, on TV over the weekend, that the EC hadn’t asked for records of Rock Holdings. “Unfortunately, that’s outside the jurisdiction of the UK, and our powers don’t allow us to request them,” Edwards says.
Bassett also emphasises, in contrast to some of Banks’ other claims on TV, that the Electoral Commission has already fined Leave.EU for offences around reporting staffing cost. “What I do know is that the staffing costs that Leave.EU reported were reported incorrectly,” Edwards adds.
Collins notes “he does seem to specialise in constructive – well, unconstructive – ambiguity.”
Bassett reminds the committee that “we are limited in what we can say to you because we don’t want to prejudice any future investigations,” but hands over to Edwards to discuss the information the EC found to suggest criminality on the part of Leave.EU, resulting in a National Crime Agency investigation.
“What we did was ask Mr Banks for quite a lot of information… we looked at other sources of information and banking records. Having analysed that, we concluded that we suspect that Mr Banks was not the true source of either the £6m loans to Leave Eu or £2m to better for the country. We think that one of the sources was Rock Holdings, which is not a permitted actor because it is based in the Isle of Man.
“Because of all this, we suspect that number of criminal offences may have been committed.
“Last week, we handed all our evidence to the NCA, and last week, we published a report explaining what we’d done.”
Collins opens by asking how the Electoral Commission and the ICO work together. “We’ve been sharing our views around some of these areas. I think there’s a commonality of views around the need for regulation,” says Bassett.
Edwards adds that most of the work is about trying not to “tread on each others’ toes”.
With that, Denham and Dipple-Johnstone are done.
Next up, Claire Bassett, Bob Posner, and Louise Edwards of the Electoral Commission.
“If you’re targeting people on the basis of inferred data, that is personal data”, says Denham.
Collins notes that Facebook doesn’t treat it as such. Denham focuses on one specific type of inferred data, “lookalike audiences”, and says: “The use of lookalike audiences should be made transparent to individuals. They need to know that a political party is making use of lookalike audiences.”
Asked whether that is legal under GDPR, she says “we need to look at it in detail. I’m suggesting that the public is uncomfortable with lookalike audiences, and we need to be transparent.”
Pow asks what the investigation has highlighted to Denham.Pow asks what the investigation has highlighted to Denham.
She says it’s revealed “the disrespect for the personal data of voters and prospective voters. The model that is familiar to people in the commercial sector, behavioural targeting, has been transferred into the political arena. That’s why I called for an ethical pause. I don’t think we want to use the same model that sells us holidays and shoes and cars to engage with voters. I think people expect more than that.She says it’s revealed “the disrespect for the personal data of voters and prospective voters. The model that is familiar to people in the commercial sector, behavioural targeting, has been transferred into the political arena. That’s why I called for an ethical pause. I don’t think we want to use the same model that sells us holidays and shoes and cars to engage with voters. I think people expect more than that.
Pow: “Lots of people are having personal data harvested about themselves that they’re probably quite unaware of.” She specifically asks about “inferred” data (when, for instance, Facebook surveils a users’ browsing and determines that they have an interest in, say, “homosexuality”), and Denham suggests that the approach to that data may be “wrong in the law.” She argues that such inferred data should be considered personal, and protected as such. Pow: “Lots of people are having personal data harvested about themselves that they’re probably quite unaware of.” She specifically asks about “inferred” data (when, for instance, Facebook surveils a users’ browsing and determines that they have an interest in, say, “homosexuality”), and Denham suggests that the approach to that data may be “wrong in the law”. She argues that such inferred data should be considered personal, and protected as such.
O’Hara asks who should regulate about harm online, if internet companies can’t self-regulate. Denham: “When it comes to internet harms regulation, there needs to be a code that’s backed with statute, extraterritorial reach, sanction – the powers the ICO has, those are the powers that a regulator needs to look at content and conduct online. O’Hara asks who should regulate about harm online, if internet companies can’t self-regulate. Denham says: “When it comes to internet harms regulation, there needs to be a code that’s backed with statute, extraterritorial reach, sanction – the powers the ICO has, those are the powers that a regulator needs to look at content and conduct online.
But “I don’t think content and conduct online fits neatly in to any existing regulator.” But: “I don’t think content and conduct online fits neatly in to any existing regulator.”
Conservative Rebecca Pow asks whether the ICO should just embed someone inside Facebook and the line, which Denham says might be “uncomfortable for both sides.” Conservative Rebecca Pow asks whether the ICO should just embed someone inside Facebook, which Denham says might be “uncomfortable for both sides”.
“I think inspection powers can give you a way in.”“I think inspection powers can give you a way in.”
Could you envisage a greater breach than what we’ve witnessed with Cambridge Analytica, asks Brendan O’Hara, of the SNP.
“Can I imagine worse data crimes, a whole system breakdown? There could be some serious contraventions of the law involving police services, or health systems. But there was purposeful, intentional illegal misuse of personal data that was re-used in political campaigning, and I think that is very serious.”
O’Hara asks if this disregard is because of the disregard of tech companies for the ICO. “I think that the fines have not been significant enough, and the impact on their bottom line has not been significant enough,” Denham responds. “I think the public is waking up to the importance of data privacy in a way they haven’t in the past, and that will drive action.”
“The CEOs of other tech companies, Microsoft and Apple, have come forward with strong statements about supporting data privacy and digital ethics.”
Who should regulate misinformation? “There could be a hybrid model between Ofcom and the ICO,” Denham suggests. “No country has tried this yet. It’s quite controversial and the need to balance freedom of expression with internet harms is hard. But the ICO has a lot of experience with regulating these large platforms. We have years of experience with right to be forgotten cases, which balance freedom of speech with privacy rights.
“Name a platform, they know us.”
Should the ICO be funded with a levy on tech companies? “I do think there is merit for the companies paying for some of the changes we need in the environment. Digital literacy and education, for instance, I do think there is a good idea for companies paying for it.
“A tech levy is a fine idea but how that is distributed is one for government.”
Giles Watling, Conservative, asks whether the ICO is “playing catchup” with large tech companies. Until GDPR came in, with larger sanctions, larger fines, and the ability to reach outside the UK and preserve data, “we couldn’t be as effective a regulator as we can be now”, Denham says.
“We’re never going to have the engineers, we’re never going to have thousands of experts, but we do have the power to compel response, to inspect, we have the power to look at the algorithms, so we have the ability to get in and look. And we can do it proactively and reactively. So the reboot of the law we got in May is really important.”
Watling asks whether companies just build in the assumption of a fine to their costs of doing business. Denham says that the 4% of turnover fines allowed by GDPR are powerful, but so too is the ability to demand a company stop processing personal data. That, she says, “will hit their bottom line”.
GDPR led to a 100% increase in complaints, Denham says, but she notes that normal people rarely have the time or inclination to get involved in defending their rights. Most of the work is still done by journalists and civil society groups.
Clive Efford asks how this investigation ranks compares with previous investigations the ICO has run. Denham responds: “This investigation is unprecedented for our office, it’s unprecedented for any data protection office worldwide.
“But what’s at stake is the fundamentals of our democratic processes. People have to be able to trust the systems, so it’s important that we get to the bottom of this.
“And also that government and parliament take up some of the recommendations we’ve made at the policy level, that include a statutory code of practice for political campaigning.”
Had Cambridge Analytica not already gone bust, it would have been issued “a large fine”, Denham says, because their information storage practices were so ineffectual.
“But this is not the end of our work,” Denham says. “You can see there are several strands that will take us into the future.”
The Facebook/Cambridge Analytica data “was gathered and held illegally under UK law, so that’s our concern”, Denham says.
Across the whole system, she adds, the real focus of the report is the “lack of concern and disregard for the privacy and rights of UK voters”. She says that disregard comes from Facebook, data brokers and many others. We need to improve that “because it matters for our democratic process”.
Damian Collins asks about who else may have copies of the Cambridge Analytica/Facebook dataset. “Some are individuals, some are academic institutions […] about half a dozen,” Dipple-Johnstone says.
Collins asks how this can be the case, if Facebook forced people to delete the data. “We found problems with the signing of these authorisations, some of them weren’t signed at all,” Denham says. “We also found evidence that as recently as 2018, spring, some of the data was still there at Cambridge Analytica. So there’s evidence that the follow-up was less than robust, which is part of the reason we fined Facebook £500,000.”
Does Denham believe that Facebook’s brief attempt to investigate Cambridge Analytica itself – sending investigators to the company’s office before even the ICO was allowed in – harmed the data? “There is no evidence to suggest that”, Denham says.
On Twitter, meanwhile, Arron Banks has dismissed the ICO’s conclusions about data protection breaches by his companies, tweeting: “So what?”
Gosh we communicated with our supporters and offered them a 10% brexit discount after the vote ! So what ? https://t.co/OYIZaCOmh5
Banks’ tweet may be seen as evidence in favour of Paul Farrelly’s assertion that £60,000 fines are too small to have an effect.
Labour’s Ian Lucas asks some pointed questions about the ICO taking Facebook’s testimony as fact. Facebook said it had found that Canadian data science outfit AggregateIQ used different email lists to those taken in the Cambridge Analytica breach, but Lucas wants to know if the ICO had independently verified that. It has not, Dipple-Johnstone says, in part because only Facebook has that data.