When you entrust your data to a social network, or a credit rating agency, or even a mother and baby club, you probably don’t expect it to be exploited for political purposes.
But a fascinating new report from the UK’s data protection regulator describes in some detail how that happens. On the Tech Tent podcast this week, we discuss the global implications of this trade in data.
The Information Commissioner’s investigation began more than a year ago with a mission to look into how personal data may have been misused during the EU referendum.
But it acquired a new focus as it emerged the political consultancy Cambridge Analytica had harvested the Facebook data of 87 million people.
Now the social media giant is facing a fine of £500,000 for failing to protect its users’ data or to be transparent about what happened. That is a pinprick in the finances of a company that had revenues of nearly $41 billion (£31bn) last year, but it was the maximum allowed under the old data protection laws.
Under the new act, which mirrors the EU’s GDPR, Facebook could be fined as much as 4% of global turnover. By my calculations that is more than a billion pounds.
But whatever the size of the penalty, Frederike Kaltheuner of Privacy International tells the programme, the watchdog’s action sends a signal about what is acceptable behaviour.
“Facebook failed to comply with a basic principle of data protection law, which is transparency: to be very clear and transparent about what they are doing with people’s data,” she says.
She explains how the report highlights wider concerns about a variety of organisations, from the credit reference agency Experian to the parenting blog Emma’s Diary, which is accused by the regulator of handing over the data of a million people to the UK’s Labour Party.
“This is not consent. The idea that you sign up to a parenting blog and the data ends up with a political party is completely bizarre,” she says. “Anyone who cares about democracy should be really worried about what’s happening to their data at the moment.”
And Ms Kaltheuner says it is a “dangerously persistent myth” that we are handing over our data for these purposes. She points out that a lot of what organisations such as Experian collect comes from data that is automatically recorded about us – and political inferences and patterns can be drawn from that without our knowledge.
Experian sent the BBC the following statement about the ICO report: “As a highly regulated business, we work closely with regulators and strictly comply with all data protection laws. Privacy is at the heart of what we do and the way we work, and we remain vigilant when it comes to data security and integrity. This includes our own commitment to strict compliance regarding permissible uses of data.”
There is plenty more to come from the Information Commissioner, Elizabeth Denham. She is due to reveal the final conclusions of her investigation in October.
We may then learn more details about just exactly what went on during the EU referendum campaign. The regulator has confirmed that she is looking at whether another source of data – the motor insurance business of Arron Banks, the founder of the campaign group Leave.EU – was used for political purposes.
The data analytics activities of Vote Leave and the Remain campaign are also under the microscope.
When her initial report was published, Elizabeth Denham told me that her aim was to “pull back the curtain” and show people what data brokers, social media firms and political parties are up to with their data.
Be prepared for more eye-opening revelations as her inquiry continues.