SecurityWeek

UK Data Watchdog Fines Leave.EU, Eldon Insurance

The UK data protection regulator (the Information Commissioner’s Office – ICO) launched a wide-ranging investigation into the use of personal information for political purposes following the Facebook/Cambridge Analytica affair. It resulted in the publication of a lengthy report titled ‘Democracy disrupted? Personal information and political influence’ in July 2018, and a fine on Facebook set at the maximum amount possible – £500,000 ($645,000).

In one sense, the Facebook fine was a side-effect. The ICO’s primary intention was to investigate the possible misuse of personal information by the Leave campaign ahead of the Brexit referendum within the UK. This investigation has continued. In November 2018, Information Commissioner Elizabeth Denham issued preliminary enforcement notices stating that the ICO would fine the Leave.EU organization and Eldon Insurance a total of £135,000 ($176,000).

The action against Facebook was taken in relation to the Data Protection Act 1998, now replaced by the Data Protection Act 2018 (the UK’s implementation of GDPR). The action against Leave.EU and Eldon Insurance is under the Privacy and Electronic Communications Regulations 2003 (PECR), the laws which govern electronic marketing.

Since November, the ICO has heard representations from the two organizations, and has today (February 1, 2019) made its notices formal. It found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers from that of political subscribers were ineffective. It is also worth noting that Eldon Insurance is controlled by Arron Banks, who donated £8 million to the Leave campaign. Leave.EU and Eldon share the same corporate address, and there is a cross-over of staff between the two organizations. Banks is under separate investigation by the National Crime Agency over whether he was the true source of his donation.

In a series of formal notices published today, the ICO has issued three separate fines (totaling £15,000 less than the initial intention). Leave.EU has been fined £15,000 for using Eldon Insurance customer details unlawfully to send almost 300,000 political marketing messages. Eldon Insurance has been fined £60,000, and Leave.EU a further £45,000, for two direct marketing campaigns that sent over one million emails to Leave.EU subscribers without sufficient consent.

The ICO has also announced its intention to audit both organizations. “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened,” announced Denham. “We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

These audit assessment notices give the ICO access to Leave.EU and Eldon’s joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.

In its announcement, the ICO says, “The ICO’s audit team will be looking at data protection practices including observing how personal data is processed, considering what policies and procedures are in place and looking at the types of training made available for staff. They will also be interviewing key employees across both organisations including the directors, staff and their data protection officers. The ICO’s audit findings will be made public at the conclusion of its work.”

So, while the current notices have been issued under PECR, the ICO is now going to examine internal practices in relation to the Data Protection Act (GDPR). The earlier fine it levied against Canadian firm AggregateIQ (AIQ) shows that the pre-GDPR date of the incidents in question (Facebook/Cambridge Analytica for AIQ, and the Brexit referendum for Leave.EU and Eldon) will be overridden by any post-GDPR continuation of bad practices.

It is not necessarily all over yet for Leave.EU and Eldon Insurance.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
