+44 (0)20 7404 0606
Notable recent decisions from the Information Commissioner's Office
- AuthorPaul Herbert
We report on two notable recent decisions from the Information Commissioner’s Office, one pre and the other post, GDPR.
“Facebook to appeal over record £500,000 fine for data breaches” ran this week’s headlines.
Last month Facebook Ireland Ltd and Facebook Inc. were found by the ICO to have processed their users’ personal data in an unfair and unlawful manner. Although these are respectively Irish and a Canadian companies, the ICO assumed jurisdiction because as the users’ personal data were collected in the context of Facebook UK’s operations.
This was the highest fine levied under the Data Protection Act 1998, and indeed the maximum permitted under that Act. So it was clearly serious stuff.
Between November 2013 and December 2015, Facebook permitted “thisisyourdigitallife”, an App developed by Dr Aleksander Kogan and his company Global Science Research, to obtain personal data from Facebook’s users who had downloaded the App, but also more importantly, also from those users’ friends. The data in question comprised Facebook messages and was not confined to the identity of the parties exchanging messages but included the content of those messages. This enabled the App to generate personality profiles for those users based on that content. Users’ friends who had not downloaded the App were not informed that it gained access to their information.
“Thisisyourdigitallife” was used by 300,000 Facebook users worldwide. But because of the width of the net cast by the App, it facilitated access to no less than 87 million people’s data worldwide.
As is now widely known, in contravention of Facebook’s Platform Policy, these data were shared with other parties in connection with or for the purposes of political campaigning, specifically by Cambridge Analytica to target voters in the US 2016 presidential elections. The ICO believes that in respect of UK Users who were US residents and accessed the Facebook Platform from within the UK, “that risk is very likely to have eventuated”.
Evidence of Facebook’s apparent lack of supervision lies in the fact that it was not even aware of any of this until it was revealed to them by The Guardian in an article published in December 2017.
Facebook has announced that it is lodging an appeal against the fine not, it stresses, because it disputes having made errors but in pursuit of a point of principle. They maintain that the lack of any proven harm to UK citizens means that the ICO has exceeded its authority by apparently taking into account the potential harm to US citizens. Facebook points out that there is no evidence that data relating to UK citizens was shared or used in connection with the 2016 EU Referendum. Facebook is also concerned about the precedential impact of the ICO’s ruling: they argue that the ICO’s reasoning could be applied to restrict forwarding of emails or messages without consent of the original sender.
2. Aggregate IQ Data Services Limited (AIQ)
AIQ is a Canadian company based in Vancouver. During the 2016 EU Referendum campaign, AIQ was engaged by various pro-Brexit organisations such as VoteLeave, BeLeave, Veterans for Britain and DUP Vote To Leave and was provided with UK citizens’ email addresses and names. These data were used to target these individuals with political advertising messages on social media. In response to an information notice served by the ICO, Facebook confirmed that AIQ had created and placed advertisements on its platform on behalf of the above mentioned organisations.
2,529 out of 2,823 ads were created on behalf of VoteLeave. More limited online advertising was conducted on behalf of Beleave. AIQ reported back to BeLeave how many times an ad was shown and how many clicks it generated. In respect of Veterans for Britain, AIQ created and placed ads at its direction and reported back on them.
The ICO found that AIQ had processed personal data in a way that data subjects were not aware of and for purposes they would not have expected. Moreover in a letter sent to the ICO in May 2018, AIQ confirmed that it still held this data.
The ICO considered AIQ’s compliance with the GDPR in the light of this evidence. At issue were Art 5(a) – lawfulness, fairness and transparency; Art 5(b) – the purpose limitation; and Art 5(c) – data minimisation. The ICO also considered whether any of the grounds for processing in Art 6 were present and whether the notification requirements of Art 14 had been satisfied. They found that none of these had been complied with by AIQ. The ICO therefore decided to impose an Enforcement Notice on AIQ requiring the deletion of all data relating to UK individuals held on its servers. Failure to comply with this Notice could result in an administrative fine being imposed.
Amongst other things, this saga is a useful reminder of the extra-territorial reach of the GDPR. As yet there is no indication of any appeal being lodged.
This article was written by Paul Herbert, Partner, Corporate, with assistance from Pauline Pontier, Stagiaire.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.