The UK’s data protection watchdog intends to fine Facebook £500,000 for data breaches – the maximum allowed.
The Information Commissioner’s Office said Facebook had failed to ensure another company – Cambridge Analytica – had deleted users’ data.
The ICO will also bring a criminal action against Cambridge Analytica’s defunct parent company SCL Elections.
And it has raised concerns about political parties buying personal information from “data brokers”.
Specifically, it named one company used by the Labour Party: Emma’s Diary, which gives medical advice and free baby-themed goods to parents.
Facebook said it would respond to the report “soon”.
The ICO also said another company, Aggregate IQ, which worked with the Vote Leave campaign in the run-up to the EU Referendum, must stop processing UK citizens’ data.
Kyle Taylor, director of campaigning group Fair Vote UK, said: “Under new GDPR (General Data Protection Regulation) laws, the ICO could fine Facebook £479m.
“Unfortunately, because they had to follow old data protection laws, they were only able to fine them the maximum of £500,000. This is unacceptable,” he said.
Information Commissioner Elizabeth Denham said “this is not all about fines”, adding that companies were also worried about their reputation.
She said the impact of behavioural advertising, when it came to elections, was “significant” and called for a code of practice to “fix the system”.
Such a code, she argued, would ensure that “elections are fair and people understand how they are being micro-targeted”.
The action comes 16 months after the ICO began its probe into political campaigners’ use of personal data following concerns raised by whistleblower Christopher Wylie, among others.
Mr Wylie, a former employee of Cambridge Analytica – a London-based political consulting firm – told the Observer and New York Times his company had made unauthorised use of personal data harvested from millions of Facebook users.
The ICO found that Facebook had breached its own rules and failed to make sure that Cambridge Analytica had deleted this personal data.
While Cambridge Analytica insisted it had indeed wiped the data after Facebook’s erasure request in December 2015, the ICO said it had seen evidence that copies of the data had been shared with others.
“This potentially brings into question the accuracy of the deletion certificates provided to Facebook,” said an ICO spokesperson.
Responding to the ICO report, Mr Wylie said: “Months ago, I reported Facebook and Cambridge Analytica to the UK authorities.
“Based on that evidence, Facebook is today being issued with the maximum fine allowed under British law.
“Cambridge Analytica, including possibly its directors, will be criminally prosecuted.”
The ICO has also written to the UK’s 11 main political parties compelling them to have their data protection practices audited.
It is concerned the parties may have bought lifestyle information about members of the public from data brokers, who might not have obtained the necessary consent.
In particular, the ICO raised concern about one data broker: Emma’s Diary. The firm offers medical advice to pregnant women and gift packs after babies are born.
The ICO said it was concerned about how transparent the firm had been about its political activities.