The UK’s privacy watchdog has asked Facebook’s lead EU regulator to look into ongoing data protection concerns about its ad platform — including how its platform is being used to target and spread fake adverts to try to manipulate voters.
Facebook’s international HQ is in Ireland so the regulator in play here is the Irish Data Protection Commission.
The ICO noted the action in a 113-page report to parliament yesterday giving an update on its long-running investigation into the use of data analytics in political campaigns — writing:
We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the to the IDPC. Under the GDPR, the IDPC is the lead authority for Facebook in the EU. We will work with both the Irish regulator and other national data protection authorities to develop a longterm strategy on how we address these issues.
A spokesperson for the watchdog told us these concerns fall outside the remit of that still partially ongoing investigation, which was triggered by the Cambridge Analytica data misuse scandal.
So the issues of concern are not the same issues that the ICO fined Facebook for last month, when it handed the company the maximum possible penalty under the UK’s previous data protection regime. Hence the referral to the Irish DPC.
We’ve reached out to Facebook for comment on the referral.
A spokesman for the Irish regulator told us: “The DPC has yet to receive any information from the ICO.”
Giving one example of its concerns, the ICO’s spokesperson pointed to recent news reports flagging fake political ads that had passed Facebook’s checks and been able to circulate on the platform — until being spotted by journalists, after which they got pulled by Facebook.
Responding to the above ad, badged as being paid for by the now defunct and disgraced data company Cambridge Analytica, Facebook said: “This ad was not created by Cambridge Analytica. It is fake, violates our policies and has been taken down. We believe people on Facebook should know who is behind the political ads they’re seeing which is why we are creating the Ads Library so that you can see who is accountable for any political ad. We have tools for anyone to report suspicious activity such as this.”
Such an obvious fake slipping through Facebook’s checks on political ads — which were only rolled out in the UK a few weeks ago — suggests they can be trivially gamed.
The fake ads issue also highlights how self-styled ‘transparency’ without proper accountability can just further muddy already murky waters — where masses of personal data and opaque ad platforms are concerned.
During a hearing in front of the UK’s DCMS committee yesterday, the UK’s information commissioner, Elizabeth Denham, raised additional concerns about the use of so-called ‘lookalike audiences’ for targeting voters on Facebook — saying a system that makes inferences in order to target people with political ads needs to be looked at closely in light of Europe’s new GDPR privacy framework.
She also told policymakers that Facebook needs to change its business model. And said all platforms “need to take much greater responsibility”.
“I don’t think that we want to use the same model that sells us holidays and shoes and cars to engage with people and voters. I think that people expect more than that. This is a time for a pause, to look at codes, to look at the practices of social media companies, to take action where they’ve broken the law,” she said.
Committee members raised some of their own political ad concerns with Denham, querying the lawfulness of a crop of ads recently circulating on Facebook, targeting MPs and their constituents urging policymakers to ‘chuck chequers’ — a reference to the UK prime minister’s current Brexit proposal to the EU — which are badged as being paid for by an organization called ‘Mainstream Network’, without it being clear who is behind that…
“We are investigating those matters and will be looking at whether or not there was a contravention of the GDPR by that organization in sending out those communications,” Denham told the committee.
But wider concerns about how Facebook’s ad platform operates have now been handed over to the Irish DPC to investigate — a far smaller, less well resourced watchdog than the ICO; the largest such agency in Europe.
Any future audit of Facebook’s platform — as has been recently called for by the EU parliament — would also be led by Ireland, Denham confirmed to the committee.
She was asked whether she had any concerns about the smaller regulator being able to handle its burgeoning caseload. “We can work with,” she replied, noting the ICO likely has greater capacity to conduct technical audits. “We certainly can support them and work with them.”
She noted too that the newly established European Data Protection Board — which is responsible for ensuring consistency in the application of the GDPR — is working on “a more holistic way” to co-ordinate regulating social media platforms across Europe.
“[It] is looking at… what we need to do as a community with Facebook and other social media platforms,” she told the committee, adding that under the GDPR the Irish DPC is the “lead authority on Facebook because that’s where Facebook is based in Europe so they would the lead on an audit that’s going forward in the future”.
“Regulators need to look at the effectiveness of their processes,” she added. “That’s really at the heart of this — and there’s a fundamental tension between the advertising business model of Facebook and fundamental rights like protection of privacy. And that’s where we’re at right now.
“It’s a very big job both for the regulators but for the policymakers to ensure that the right requirements and oversight and sanctions are in place.”