Thirty organisations, including Facebook, are being investigated by the Information Commissioner’s Office (ICO) as part of its probe into the use of personal data for political purposes.
A day after the social media giant said 87 million people – including nearly 1.1 million Britons – could have seen their profile information “improperly” shared with Cambridge Analytica (CA), Information Commissioner Elizabeth Denham said the body was investigating how the data had been collected and shared with the political research group.
Ms Denham added the ICO was also “conducting a broader investigation into how social media platforms were used in political campaigning” and said she would be “making clear public policy recommendations to help us understand how our personal data is used online and what we can do to control how it’s used”.
The body – which has the power to prosecute or fine any companies that it believes to have breached data protection laws – said it was not releasing a full list of the organisations under investigation, but confirmed that CA and Aggregate IQ were also among the 30 organisations.
Ms Denham added: “Facebook has been co-operating with us and, while I am pleased with the changes they are making, it is too early to say whether they are sufficient under the law.”
Shortly before the announcement, Culture Secretary Matt Hancock tweeted that he would be meeting with Facebook next week and said: “I expect Facebook to explain why they put the data of over a million of our citizens at risk. This is completely unacceptable, and they must demonstrate this won’t happen again.”
CA has been warned it could face compensation claims from affected Facebook users if it is established that it used their data for political purposes “without having a lawful basis for doing so”.
Sean Humber, an information lawyer from Leigh Day, said: “Ultimately, people have a legal right to know if Cambridge Analytica hold information about them and, if they do, what information they hold and what they have done with it (including whether they have passed it on to anyone else). If there is no adequate response to these requests, legal action can be taken to require them to comply.”
CA said it is “not a data controller for any information on UK citizens” and is not in breach of the Data Protection Act, adding that it had deleted all the data from research company GSR, which collected it using a personality app.
“Cambridge Analytica deleted all GSR data and its derivatives after we were told that Facebook’s terms of services had been broken, and we certified this to Facebook,” it said in a statement.
Facebook said it will on Monday begin informing users whose information may have been improperly shared with CA.
Aside from the CA scandal, Facebook is under fresh scrutiny after revealing that “most” of its two billion users could have had their public profile harvested for information after the company said “malicious actors” had abused a feature that allowed individuals to search for people by their phone number or email address.
Though the company has now removed the feature, security researcher Lee Munson, from Comparitech, said the information could already have been used for phishing scams.
Facebook founder Mark Zuckerberg is due to address the US Congress next week but will not appear in front of UK MPs, despite repeated requests to do so by Damian Collins, chairman of the Commons Digital, Culture, Media and Sport Committee.