That figure is still a record, however; the highest fine to date under the previous legislation was a £400,000 penalty issued to TalkTalk for security failings that allowed a hacker to access sensitive customer data direct from its systems “with ease”.
In a detailed update of the ICO’s investigation into the misuse of personal data in political advertising, Denham said that Facebook has been served notice of the fine, which will be for two breaches of the 1998 Data Protection Act.
She added: “Facebook has failed to provide the kind of protections they are required to under the DPA. Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
Denham insisted that under GDPR, “they would face a much higher fine”, and, when asked on BBC Radio 4’s Today programme if the fine now would amount to hundreds of millions of pounds, she said it “could”.
The inquiry, described by Denham as “the biggest and most important investigation the ICO has ever undertaken”, has also resulted in warning letters being sent to 11 political parties – every UK party with an MP in the House of Commons as of March 2017, when the investigation began – and notices forcing them to agree to data protection audits.
It has led to a criminal prosecution of SCL Elections, Cambridge Analytica’s parent company, for failing to properly deal with the ICO’s enforcement notice, and an enforcement notice against the same company for not replying to a subject access request from a US citizen whose data it held.
SCL Elections went bust in May but Denham said the ICO was examining whether the company’s directors could be still be pursued.
The investigation also found that Aggregate IQ, a Canadian electoral services company, had significant links to Cambridge Analytica, and may still retain data about UK voters. The ICO has filed an enforcement notice against the company to stop processing that data.
Denham told the BBC: “Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time to sell us holidays, to sell us trainers, to be able to target us and follow us around the web.
“But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.
“This is a time when people are sitting up and saying ‘we need a pause here, and we need to be sure we are comfortable with the way personal data is used in our democratic process’.”