Management > Identity

ICO ‘investigating 30 organisations, including Facebook’ over personal data and analytics

David Bicknell Published 06 April 2018

Denham: “Facebook has been co-operating with us and, while I am pleased with the changes they are making, it is too early to say whether they are sufficient under the law”


The Information Commissioner, Elizabeth Denham, has turned up the heat over political campaigners’ use of personal data, warning that her office is now investigating 30 organisations, including Facebook.

In a statement that follows less than two weeks after the organisation executed a warrant to inspect the premises of Cambridge Analytica, Denham made it clear that the ICO is considering enforcement action, as well as issuing public policy recommendations.  

Denham said yesterday , “As part of my investigation into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors, the ICO is investigating 30 organisations, including Facebook.” 

She said the ICO’s office is looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica as well as conducting a broader investigation into how social media platforms were used in political campaigning.

“Facebook has been co-operating with us and, while I am pleased with the changes they are making, it is too early to say whether they are sufficient under the law,” Denham said.

“This is an important time for privacy rights,” she added. “Transparency and accountability must be considered, otherwise it will be impossible to rebuild trust in the way that personal information is obtained, used and shared online.

“This is why, besides my investigation, which could result in enforcement action, I will also be making clear public policy recommendations to help us understand how our personal data is used online and what we can do to control how it's used.”

Facebook this week introduced a new data policy and terms of service that sets out to better explain the information it gathers on its users. "These updates are about making things clearer," said Erin Egan, Facebook's chief privacy officer, and Ashley Beringer, deputy general counsel in a blog post  about the updates.

With exactly seven weeks to the enforcement date for General Data Protection Regulation (GDPR) of May 25 2018, from when organisations in non-compliance may face heavy fines, there is some irony that the ICO is arguably more in the headlines for its investigation into political parties than for the new data protection regulation it will be enforcing in jusr a few weeks’ time. 

Yet the organisation is adamant that it has the resources to be able to conduct investigations across the 11 pieces of legislation it now regulates.

In February, the Treasury provided the ICO pay flexibility for the next three years. It gives the Information Commissioner the ability to attract and retain expert staff to meet the challenges and opportunities that lie ahead.

The ICO is understood to have welcomed around 70 staff in the past 12 months and it has plans for at least another 150 in the next two years. As well as roles in its head office in Wilmslow in Cheshire, there are expected to be opportunities in London, Belfast, Edinburgh and Cardiff.

Denham said at the annual Centre for Research into Information, Surveillance and Privacy (CRISP) lecture on March 15, “We have a budget of £24m, (and) following the introduction of the new funding model this will be £34m in 2018/19. We’ve been busy over the last year recruiting more staff and currently have a headcount of around 500.

“We expect staffing numbers to continue to increase, passing 600 by 2019 increasing to an approximate FTE of 650 during 2019/20.

“To give you a sense of we are fixed now," she said, "we’ve got around 200 case-workers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and engaging with the stakeholders and organisations that need to implement them.”

Denham recently warned that the implications for privacy and data protection must not be forgotten in any rush to embrace artificial intelligence (AI).

In a speech to the Alan Turing Institute as part of its event, “The GDPR and Beyond: Privacy, Transparency and the Law,” Denham discussed how AI developments must take privacy into account, saying, "AI offers a world of pure imagination. Some say it’s a wonder. It’s exciting. Its capabilities may be beyond our wildest dreams. But we can’t afford to go crazy like a kid in a candy store.

“There are questions about whether the use of data is acceptable in one context, but not another. We have to consider the right to autonomy and privacy and understand that the way opaque AI algorithms interpret personal data cannot be addressed by legislation alone.

“We’re in a race to the top with economies like Japan, Singapore and France that are focused on AI and digital. This is not a machine vs human battle. It is a defining moment which requires a sense of responsibility and a long term view.

“Future generations will thank us if the way in which we develop artificial intelligence today looks at the true value it can deliver while respecting data protection and ethical principles.”


We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.