Oct 2, 2020 — Throughout this investigation, we have sought to keep the Committee informed of key developments and findings, having produced three written.

139 KB – 18 Pages

PAGE – 1 ============
1 Mr Julian Knight MP Chair Digital, Culture and Media and Sport Select Committee House of Commons London SW1A 0AA Our reference: ICO/O/ED/L/RTL/0181 02 October 2020 Dear Mr Knight, RE: ICO investigation into use of personal information and political influence. 1.Thank you for your letter of 10 September 2020 asking for an update on my was launched in 2017. This follows my last evidence to the predecessor -committee on Disinformation in April 2019. 2.Throughout this investigation, we have sought to keep the Committee informed of key developments and findings, having produced three written reports, the last being in November 2018. T he investigation has been one of the largest and most complex ever carried out by a data protection authority and it is therefore right that Parliament is able to properly scrutinise the evidence we have uncovered and the actions we have taken as a result. The investigation has provided new understanding about the use of personal data in the modern political context and has transformed the way data protection authorities around the world regulate data use for political purposes. Where there was evidence of breaches of the law, we have acted. And where we have found no evidence of illegalities, we have shared this openly. This further work confirms my earlier conclusion that there are systemic vulnerabilities in our democratic systems. 3.Since my last appearan ce before the Committee in April 2019 my office has continued its investigative work, completing the remaining lines of enquiry as far as the evidence took us. This included analysis of materials obtained during the investigation and those seized under war rant. This has, overall, confirmed and reinforced the findings of my previous reports. I have therefore concluded that there is little in the vast volumes of evidence we have now worked through that has changed our initial understanding or identified new l ines of enquiry that suggest they could drive new insight.

PAGE – 2 ============
2 4. The investigation is therefore concluding, and the following letter and Annexes acts as our final written account to Parliament. It provides a summary of the conclusions we have drawn from our analysis of the evidence in the final stages of our investigation, the additional actions we have taken and why, and broader learning we and other data protection authorities can draw on to inform future investigations and regulatory work in the digital er a. In addition, Annex 1 provides the Committee with detailed answers to the specific questions asked by the Committee. Annex 2 provides a deep dive into how SCL Elections / Cambridge Analytica used the personal data it held, whether these methods could be used in the future, and the associated risks to citizens. Findings since April 2019 Outstanding areas relating to processing of data by SCL Elections Ltd and Cambridge Analytica (SCL/CA) 5. Detail of the data processing practices undertaken by SCL/CA is se t out at Annex 2, but, in summary, we concluded that SCL/CA were purchasing significant volumes of commercially available personal data (at one estimate over 130 billion data points), in the main about millions of US voters, to combine it with the Facebook derived insight information they had obtained from an academic at Cambridge University, Dr Aleksandr Kogan, and analytical tools and there was evidence that their own staff were conc erned about some of the public statements the leadership of the company were making about their impact and influence. 6. I have also confirmed my previous understanding about the poor data practices at the company, which, had they sought to continue trading, would likely have attracted further regulatory action against them by my office. I found excerpts of what appears to be examples of the data obtained by Dr Kogan and his company Global Science Research ( GSR) from the Facebook platform at various stages of its processing. 7. From my review of the materials recovered by the investigation I have found no further evidence to change my earlier view that SCL/CA were not involved in the EU referendum campaign in the UK – beyond some initial enquiries made by SCL/CA in relation to UKIP data in the early stages of the referendum process. This strand of work does not appear to have then been taken forward by SCL/CA.

PAGE – 3 ============
3 Investigation into the data practices of organisations on both sides of the EU referendum campaign 8. I have concluded my wider investigations of several organisations on both the EU. I identified no significant breaches of the privacy and electronic marketing regulations an d data protection legislation that met the threshold for formal regulatory action. Where the organisation continued in operation, I have provided advice and guidance to support better future compliance with the rules. Evidence of Russian involvement 9. Dur ing the investigation concerns about possible Russian interference in elections globally came to the fore. As I explained to the sub -committee in April 2019, I referred details of reported possible Russia -located activity to access data linked to the inves tigation to the National Crime Agency. These matters fall outside the remit of the ICO. We did not find any additional evidence of Russian involvement in our analysis of material contained in the SCL / CA servers we obtained. Securing the data obtained by Dr Kogan and GSR 10. There was concern that data and derived data from Facebook had been shared outside of GSR and SCL/CA. My investigation found data in a variety of locations, with little thought for effective security measures, which appeared to have come from GSR and SCL/CA . We found that individuals of interest to the investigation held data on various Gmail accounts. Data was also found in servers and appeared to have been shared with a range of parties, for example there was evidence that data had been shared with staff at SCL/CA, Eunoia Technologies Inc, the University of Cambridge and the University of Toronto. 11. Some of the individuals who worked for these organisations used their personal email accounts for work purposes. However, the data itself wa s sometimes shared using secure drop /file sharing sites. It was not always possible to identify if all this data was from GSR/Dr Kogan and derived from the app he built to gain access to Facebook data which he called thisisyourdigitallife. We also identified evidence that in its latter stages SCL /CA was drawing up plans to relocate its data offshore to avoid regulatory scrutiny by ICO. We have followed up their complex company structure with overseas counterparts and have concluded that whi le plans were drawn up, the company was unable to put them into effect before it ceased trading. We

PAGE – 4 ============
4 have required those we contacted during the investigation to certify deletion of the data they held. Action taken and follow up since April 2019 12. In our w ritten update to Parliament in November 2018 and our oral evidence session in April 2019 we reported several actions we had taken against organisations for breaches of the law. 13. The following organisations have now paid the penalty notices levied on them: Facebook (£500,000) paid 04 November 2019 Vote Leave (£40,000) paid 29 April 2019 Leave.EU (£15,000) paid 15 May 2019 14. In addition, we successfully prosecuted SCL Elections for their failure to comply with my Enforcement Notice. We fined them £18,000. 15. My office also made a referral to the Insolvency Service about various conduct issues within the SCL and its group of companies. We worked together and shared relevant information and intelligence with the Ins olvency Service arising from our investigation. Mr Alexander Nix, a Director of SCL Elections Ltd, is now disqualified from acting as a director for a period of seven years. Appeals of my notices to the First Tier Tribunal 16. As the Committee will be aware, my actions are subject to judicial oversight by the First Tier Tribunal (General Regulatory Chamber). Appeals were made against my decision to issue the Liberal Democrats with an Assessment Notice (a formal notice allowing my office to audit an organisati compliance with data protection legislation). UKIP similarly appealed an Information Notice (a formal notice requiring provision of information to my office) I had served upon them. Eldon Insurance (trading as GoSkippy) and Leave.EU also appealed thei r Assessment Notices, and some of the Monetary Penalty Notices. The First Tier Tribunal has dismissed all these appeals. I ther appealed to the Upper Tribunal but subject to the outcome of the appeal and COVID -19 restrictions, it remains my intention to complete the audits as soon as is practicable. Facebook also appealed the Monetary Penalty Notice served on

PAGE – 5 ============
5 them. However, th eir appeal was withdrawn based on a settlement agreement. Facebook paid the full monetary penalty. Audits of organisations involved in supply and use of personal data for political purposes. 17. My audit teams have also concluded audits of data protection compliance at 14 organisations associated with the original investigation, including: the main political parties, the main credit reference agencies and major data brokers, as well as Cambridge U made significant recommendations for changes to comply with data protection legislation. Closing the investigation and follow up 18. In accordance with the terms of the search warrants, I have started the ensured that any data, models and derivatives are safely destroyed. Several items obtained have been subseque ntly disowned and we are taking measures via our forensic technology provider to destroy these safely ourselves. 19. A small number of follow up enquiries remain, and these will be taken forward as business as usual over the coming months. Subsequent complai nts or issues about political use of personal information in other political campaigns are being triaged and investigated in line with my Regulatory Action Policy. 20. It should also be noted that we will shortly be publishing the reports of our findings of o ur audits of the main political parties, the main credit reference agencies and major data brokers, as well as Cambridge University Psychometrics Centre. We will write separately to the Committee on those issues. Wider impact of the investigation and conclusion. 21. This has been a complex and wide -ranging data protection investigation, touching on some of the most contentious and widely debated issues of recent times. At all times we have sought to follow the data and being transparent in our methodology an d findings and acting only where there was a public interest to do so. We are continuing to work to address the systemic vulnerabilities we identified, working alongside other agencies.

PAGE – 6 ============
6 22. What is clear is that the use of digital campaign techniques are a pe rmanent fixture of our elections and the wider democratic process and will only continue to grow in the future. The COVID – 19 pandemic is only likely to accelerate this process as political parties and campaigns seek to engage with voters in a safe and soci ally distanced way. 23. I have always been clear that these are positive developments. New technologies enable political parties and others to engage with a broad range of communities and hard to reach groups in a way that cannot be done through traditional campaigning methods alone. But for this to be successful, citizens need to have trust in how their data is being used to engage with them. 24. I believe that the findings of my investigation and the work we have done with the political parties through the au dits has led to improvements to data handling across the political parties in the UK (which will be detailed in my audit report). 25. Much of the learning from this investigation was applied in the recent UK election, in which my office scrutinised political campaigning groups, tactical voting apps and the actions of individuals or political parties. The investigation led to extensive cooperation from a variety of social media platforms and collaboration with the Electoral Commission. This resulted in advice being provided to five data controllers to improve their compliance with the legislation during the election. 26. A final version of the updated political parties guidance that was published in draft before the general election, will be issued in the near fut ure and will support political parties to use data protection legislation as an enabler to the transparent and lawful use of personal data in political campaigns as new techniques continue to come on board. 27. The impact of this investigation has also had international reach. I have been asked to brief parliaments and governments across the world and I have shared the learning from this investigation with election oversight and privacy regulators internationally . The prominence of the use of personal data in political influence has grown significantly, and several international counterparts have since undertaken similar work, as is appropriate to safeguard their national democratic structures. 28. A number of paral lel international investigations of these issues have also concluded, including those in Canada, at which point the deletion of UK data held by AggregateIQ (AIQ – a company associated with SCL/CA) and covered by my Enforcement Notice on the company has bee n confirmed to

PAGE – 8 ============
8 Annex 1: Update to questions from the sub-committee on disinformation hearing on my work on 23 April 2019. 1. During the April 2019 hearing there were several questions which required further detail to be checked against the evidence in the investigation and I said we would report back to you about these. Below, you will find the responses to all the outstanding q uestions from these previous hearing, which I hope is helpful to the Committee. 2. response at the time and our update. All references are from Hansard April 2019. 3. The sub -committe e have previously asked; Is there any evidence that you are aware of that pre -presented datasets were used by AIQ in delivering advertisements through Facebook? [Q12] Our Response: We confirmed that we would need to check on this point. Update: To confirm; whilst there was evidence in some cases of using pre -presented datasets, this was dependent on the request of the client and type of campaign. s was created based on visitors to www.voteleavetakecontrol.org . AIQ used different methods of targeting for different campaigns. Some by age, location, gender and interests while others used datasets provided by the campaigns themselves to create lookalike audiences using Is it right, for example, that Vote Leave would present data to AIQ a nd they would then use Facebook as a method of dispersing messages through that dataset? Is that how it worked? [Q13] Our Response: We confirmed that we would need to check on this point. Update: To confirm my investigation found that Vote Leave provided personal data to AIQ. This data was used by AIQ to create lookalike

PAGE – 9 ============
9 audiences on Facebook, using the standard Facebook processes available at the time. Did you find any evidence of datasets from one organisation being used by AIQ on behalf of another org anisation to disseminate information through Facebook? [Q14] Our response: We looked at the sharing of those datasets and I do not think we found that kind of sharing, but I will double – check the file. Update: Further to our initial response, No. We investigated whether AIQ had used the same datasets to target adverts on behalf of Vote Leave, BeLeave, the DUP and Veterans for Britain. Initial information provided by Facebook had suggested that there were three audiences that were used for targeting by both Vote Leave and BeLeave. However, AIQ subsequently clarified that this was an admin error made by a junior member of staff while creating the BeLeave account. The error was corrected the following day and no information from those campaigns was dissem inated through Facebook in the form of targeted ads. How was the information disseminated through Facebook? Was it only through datasets that were presented by one organisation? For example, would Vote Leave disseminate information only through a dataset that they provided? [Q15] Our response: Potentially, yes. Update: own internal firewall policy prohibited the sharing of data between campaigns. We have not found any evidence to suggest that a ny personal data was shared between Vote Leave, BeLeave, the DUP or Veterans for Britain beyond the error by a staff member identified above. Therefore, our earlier answer is correct. If there was dissemination through a dataset presented, for example, b y the DUP, that would be a data breach. Is that right? [Q16] Our response: Potentially, depending on the circumstances of the dataset. Update: Further to this response, the answer provided to you at the time is unchanged.

PAGE – 10 ============
10 And that is the evidence tha t you do not think you have now? [Q17] Our response: Yes, but I will double – check. Update: To confirm – we have not discovered any evidence to support that such data sharing occurred. Can you explain what would be the benefit of using a single company such as AIQ for different organisations seeking to disseminate information through Facebook? Why were all these businesses using AIQ? [Q18] Our response: In our inquiry we have not looked at the motivation behind that. Obviously, if somebody were particularly good at the work they did, that might be an incentive for them to be marketing their services to different parties, but the motivation behind why people placed particular contracts was not the focus of our inquiry it was the basis on which tha t information was consented to be passed on. Update: Our position on this question remains unchanged. No further evidence that speaks to motives was uncovered during the investigation. However, we understand that the Facebook criteria for audience target ing varied from project to project and will have been informed by AIQ who placed the social media adverts. For example, voters were split into categories of persuadability and targeted on this basis (rather than necessarily by a discrete characteristic or criteria on Facebook). 4. I hope that these final points of clarification are helpful. 5. Additionally, I also refer to your question (Q20/21) over whether the ICO has sufficient powers to be able to establish what is going on in, for example, a closed Facebo ok group. We continually review the value and effect of our powers, particularly in the face of new and emerging technology. For now, the ICO can investigate and enforce whenever personal data is put at risk or misused.

PAGE – 11 ============
11 Annex 2: Reporting back on the activity undertaken by SCL Elections and Cambridge Analytica 1. At the sub -committee hearings and in my earlier reports I explained that we were working through a considerable amount of electronic materials seized in searches and uncovered by the investigati on to understand how data was handled by the parties involved. This included information received from other regulators and provided voluntarily by a number of parties including materials provided by Cambridge University, ex -Cambridge Analytica staff and t heir associates, materials from GSR and others connected with Dr Kogan and his studies at Cambridge University, as well as that provided by some of those directly involved in these matters when interviewed. Several senior figures have continued to maintain their silence and have declined to be interviewed. Our approach and context 2. Since the last hearing the ICO has conducted a reverse engineering exercise to try to identify and confirm as far as possible, how SCL/CA processed the personal data they held. The primary aim of this exercise was to understand how personal data was processed and to determine whether the method used could be repeated and if so, the risks posed to data subjects. Whilst there was a technical aspect to this work my findings were al so informed and corroborated based on accounts obtained from witness interviews and the contents of statements taken during the investigation. 3. During my investigation a large amount of material and equipment was reviewed including; 42 laptops and comp uters, 700 TB of data, 31 servers, over 300,000 documents, and a wide range of material in paper form and from cloud storage devices. 4. Several the devices seized were encrypted or had been damaged or contained anonymised or pseudonymised data. The struc ture and pattern of material recovered confirmed the situation we have previously reported on at the time of the initial reports; there were a number of poor information governance practices within SCL/CA that meant personal data was not always organised o r well -structured, or accurate records of processing kept. 5. In addition, SCL/CA Staff seemed to work interchangeably across several

139 KB – 18 Pages