Facebook is one of 30 organisations in ICO's sights


The UK's data protection watchdog has confirmed Facebook is one of 30 organisations it is investigating over the use of personal data in political campaigns.

The Information Commissioner's Office (ICO) announced the scale of its probe into the use of personal data and analytics in the UK by political campaigns, parties, social media companies and commercial powers, following news that political consulting firm Cambridge Analytica allegedly took 50 million Facebook users' profiles without their consent to help President Trump win the 2016 US election.

Information commissioner Elizabeth Denham said: "The ICO is looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica.

"We are also conducting a broader investigation into how social media platforms were used in political campaigning."

She added: "This is an important time for privacy rights. Transparency and accountability must be considered, otherwise it will be impossible to rebuild trust in the way that personal information is obtained, used and shared online."

In addition to public policy recommendations, the investigation may lead to enforcement action, with the ICO retaining the power to issue fines, conduct an audit, serve an enforcement notice for organisations to take action, or even prosecute organisations for failure to comply with previous enforcement notices.

Denham noted that while she welcomed changes Facebook has made to its policy around third-party access to people's data, it is too early to assess whether they sufficiently comply with the law.

The details on the terms and scope of the investigation expand on the ICO's initial announcement of the investigation in May 2017 to examine whether political groups were using analytics in a way that breached data protection laws.

At the Data Protection Practitioners' Conference over the weekend, Denham told delegates: "Our ongoing investigation into the use of personal data analytics for political purposes by campaigns, parties, social media companies and others will be measured, thorough and independent. Only when we reach our conclusions based on the evidence will we decide if enforcement action is warranted.

"The dramatic revelations of the last few weeks can be seen as a game changer in data protection. Suddenly, everyone is paying attention."

Meanwhile, senior figures linked with the Cambridge Analytica scandal have been summoned to appear before a House of Commons inquiry into fake news and misinformation.

Brittany Kaiser, former director of program development at Cambridge Analytica, will be interviewed by the Digital, Culture, Media and Sport Select Committee on 17 April, followed by Alexander Nix, its former CEO, on 18 April.

Meanwhile Mike Schroepfer, Facebook CTO, will appear before the House of Commons inquiry on April 26, while Mark Zuckerberg is set to appear before Congress next Wednesday.

Damian Collins MP, chair of the DCMS committee, last month called for more powers to be handed to the ICO to investigate data breaches.

Writing in the Evening Standard, he said: "The serious questions that result from the investigations of the past week require us to change our approach to the use of personal data in communications and election campaigns.

"Clearly, the information commissioner needs more powers to check that tech companies are complying with the data protection law. This should include the immediate power to go into tech firms when necessary to review their systems to make sure our data is safe. We can't just take their word for it: someone has to have the power to look behind the curtain to see what they are doing."

Parties at the centre of the scandal have in recent days been coming to terms with their own shortcomings, in a bid to address criticism moving forward.

Facebook announced last week that it is turning off the ability to search for people using phone numbers and emails because most of its more than two billion users may have been at the mercy of "malicious actors" scraping their public profiles this way.

Meanwhile Sheryl Sandberg, Facebook's COO, finally broke her silence in an interview with the Financial Times, admitting the company had underinvested in safety and security measures, but insisted operational attitudes were changing.

Picture credit: Information Commissioner's Office

Keumars Afifi-Sabet
