On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach occurred following the implementation of the General Data Protection Legislation 2016/679 (GDPR), the social network could have faced a fine of up to £359 million. Facebook now has a chance to respond to the ICO’s Notice of Intent, after which a final decision will be made.

Less than 30 days after issuing a Notice of Intent to fine Facebook, the ICO issued a further penalty as a result of the investigation, this time directed at Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a data broking company which provides advice on pregnancy and childcare. The ICO issued a £140,000 fine against Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people.


Facebook, alongside Cambridge Analytica, has been the focus of an ICO investigation for over a year. The investigation centred around the use data analytics in political campaigns and was spearheaded by Information Commissioner, Elizabeth Denham. The investigation was formally commenced in May 2017 following the unearthing of evidence that personal data from over 87 million Facebook accounts had been illegally harvested. The ICO described it as one of the largest investigations ever undertaken by a data protection authority, this being reflected in the most recent estimate of the cost of the investigation, which has been put at almost three times the level of the fine with which Facebook has been issued. In addition to the fine, the ICO announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for being too slow to adequately respond to an enforcement notice issued in May of this year.

The ICO’s investigation concluded that Facebook had failed to safeguard its users’ personal data and that it had not been sufficiently transparent about how peoples’ data was collected by others.

In the course of the investigation, the ICO also made enquiries of some of the key data brokers operating in the UK supplying data to political parties. It found that Emma’s Diary sold information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile new mums in the run up to the 2017 General Election, thereby enabling the Labour Party to send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children’s Centres.

The ICO investigation found that Emma’s Diary’s privacy policy did not disclose that the personal information given would be used for political marketing or by political parties, which amounted to a breach of the Data Protection Act 1998.

Recommendations for transparency

Within the progress report issued last month, the ICO made 10 recommendations as to how government can improve transparency around online campaigning and the political use of personal data, including:

  • Application of due diligence by political parties when sourcing personal information from third-party organisations, including data brokers. The purpose of this being to ensure that the appropriate consent has been obtained from the individuals concerned and that individuals are effectively informed in line with transparency requirements under the GDPR. The ICO recommended that this should form part of the data protection impact assessments conducted by political parties;
  • Introducing a statutory Code of Practice (Code) under the DPA 2018 by the government at the earliest opportunity for the use of personal information in political campaigns. The ICO declared that it would work closely with the government to determine the scope of the Code; and
  • Third-party audits should be carried out after referendum campaigns are concluded to ensure personal data held by the campaign is deleted, or if it has been shared, that the appropriate consent has been obtained.


From a financial perspective, the ICO’s fine against Facebook will of course have no discernible impact. However, it is the vigour with which the ICO pursued the investigation, the level of resources which were assigned to it, and the media and political storm which has ensued that will together cause other businesses to carefully consider their own approach to the handling of personal data. In taking such a rigorous approach to the investigation, the ICO has very much set the tone for enforcement of the GDPR and the Data Protection Act 2018, which together carry the potential for penalties capable of having a real impact on a business’s financial health.