Oral evidence - Disinformation and ‘fake news’

HoC 85mm(Green).tif

Digital, Culture, Media and Sport Committee

Oral evidence: Disinformation and ‘fake news’, HC 363

Tuesday 6 November 2018

Ordered by the House of Commons to be published on 6 November 2018.

Watch the meeting

Members present: Damian Collins (Chair); Clive Efford; Julie Elliott; Paul Farrelly; Simon Hart; Julian Knight; Ian C. Lucas; Brendan O’Hara; Rebecca Pow; Jo Stevens; and Giles Watling.

Questions 3894 - 4130

Witnesses

I: Elizabeth Denham, Information Commissioner, and James Dipple-Johnstone, Deputy Commissioner, Information Commissioner's Office.

II: Claire Bassett, Chief Executive, Electoral Commission, Bob Posner, Director of Political Finance and Regulation and Legal Counsel, Electoral Commission, and Louise Edwards, Head of Regulations, Electoral Commission.

III: Guy Parker, Chief Executive, Advertising Standards Authority.

Examination of Witnesses

Witnesses: Elizabeth Denham and James Dipple-Johnstone.

Q3894 Chair: Good morning and welcome to this evidence session of the Digital, Culture, Media and Sport Select Committee as part of our investigation into disinformation and fake news. We have invited a number of the regulatory bodies that cover the area of disinformation, fake news, data usage and the internet. Today we want to discuss the response to our interim report as part of our final work of evidence gathering ahead of the publication of a final report before the end of this year.

I should also add for those people who are watching us on the internet that this is the first ever live broadcast via Twitter of a Select Committee hearing of the House of Commons. For people who are watching us online via Twitter, I hope that you enjoy the proceedings and the technology works smoothly.

We are very pleased to be able to start the session today with the Information Commissioner. A lot of the recommendations in our interim report are directed towards your work, but we would like to start off by asking some questions about the report you are publishing this morning on data and politics. The Committee has taken a very keen interest in the ICO’s investigations in this space and in your interim report as well. Indeed, we have covered many of the same topics and issues, so we are particularly interested in your report.

I would like to start with the issues covered in paragraph 3.5.1 of your report, which is the findings in relation to data usage at Eldon Insurance on page 46 of the report. In that report, you say, “We have evidence to show that some customers’ personal data, in the form of e-mail addresses, held by Eldon was accessed by staff working for Leave.EU and was used to unlawfully send political marketing messages”.

If I could start with some of the principles around your investigation, we were told by Arron Banks in particular that Eldon Insurance and Leave.EU were kept as totally separate organisations, that it was not true that staff worked on both campaigns at the same time, nor, you would infer from that, that there could be any sharing of data and information because it was all kept so separate.

From the work you have done, just looking at the policies that were in place at Eldon for data management, do you believe there was any attempt to create a strict division between Eldon and Vote Leave? In the case that you have cited here in your report that customer data in the form of e-mail addresses was used in both Eldon and Leave.EU, is that indicative to you of a failure of policy within the company at the time?

Elizabeth Denham: Yes, we have found that it does indicate a failure to keep separate the data of insurance clients of Eldon and marketing and messaging to potential supporters and voters and Leave.EU data. We have issued notices of intent under the electronic marketing regulation, but also our work on the data protection side to look deeply into the policies or the disregard for separation of the data. That is going to be looked at through an audit, which we have also announced in our investigation. James, did you want to add anything?

James Dipple-Johnstone: The detail of the fines under the Privacy and Electronic Communications Regulations is set out in our report. That shows that certainly the systems were ineffective in separating out the potential for data to become mixed in the way it appears to have been.

Q3895 Chair: From what you could tell, was there any attempt to restrict access for staff who were working on Eldon Insurance business and staff who were working on Leave.EU to different data sets they were working on, or was it commonly accessible from what you could see?

James Dipple-Johnstone: In the detail of the contravention we found here, there was the potential for a member of staff working for one to select a list from the other and, therefore, that has led to this incident where the marketing has taken place without due consent. That would suggest the systems are not effective and, as part of that, that is why we want to audit to see if that is represented at a systems level rather than just an individual member of staff making an error.

Q3896 Chair: I appreciate this is going to be subject to a fuller audit, but from what you are saying it sounds like they were effectively working off one system with different mailing lists on it.

James Dipple-Johnstone: There is the potential for that to have happened, yes.

Q3897 Chair: You said that in addition to those e-mails being accessed, Leave.EU subscribers received GoSkippy advertising as well as GoSkippy customers receiving Leave.EU messaging. That is correct, isn’t it?

James Dipple-Johnstone: Yes.

Q3898 Chair: It worked both ways?

James Dipple-Johnstone: That is why we fined both companies for the two incidents, yes.

Q3899 Chair: The report states on page 47 that there were 1,069,852 e-mails sent that included the GoSkippy banner and a discount offer for GoSkippy to Leave.EU supporters. These were sent after the referendum. Have you seen any evidence of e-mails being used by Leave.EU from GoSkippy customers, not just to send e-mail messages or promotional messages but whether those e-mail addresses could have been used to support targeting on Facebook advertising? Obviously, at that time you only needed someone’s e-mail address to be able to identify them on Facebook and their Facebook profile.

James Dipple-Johnstone: Our investigation about the wider use of personal data in this context is still ongoing. As the Commissioner has explained, those data protection concerns are still being investigated.

Elizabeth Denham: We have the new power to be able to conduct audits and that is going to allow us to go in and do a wider audit, but it is possible that those e-mail addresses could have been used in other ways for political messaging and campaigning on Facebook.

Q3900 Chair: You will be using those new powers to conduct the audit you are going to do. Have you been frustrated in any way in your attempts to gain access to data and information as part of your investigation at Eldon?

Elizabeth Denham: Specifically with Eldon, we used our information notice power to compel it to provide information to us, but now that we have the ability to go in and check through an inspection or an audit, it is going to give us more leeway and more information to be able to make findings under the Data Protection Act. We have concerns about ongoing misuse of personal data, and that is what lets us in the door.

Q3901 Chair: In this case, you have concerns of ongoing misuse of personal data at the Eldon Insurance businesses?

Elizabeth Denham: We do. We need to look at whether or not the processes are working to be able to separate the data from a political campaign from the insurance use.

Q3902 Chair: Otherwise, as would seem to be the case here, it looks like Eldon is trying to make money out of data it has gathered as part of the referendum campaign.

Elizabeth Denham: It is going both ways. The sharing of information obviously has gone both ways, and that is what we found and reported out today.

Q3903 Chair: They are targeting GoSkippy customers with political messaging to try to get their support in the build-up to the referendum and then after the referendum they are also targeting Leave.EU supporters in order to try to promote GoSkippy insurance products to them?

Elizabeth Denham: We need to look at the retention of the data and we need to look at their policies and practices, and that is why we have announced the audit.

Q3904 Paul Farrelly: I want to follow up on those questions. As Damian said, it looked like a two-way thing. If Mr Banks had donated any of his own money, he may well have got some of that back, depending on how many Brexit insurance policies he sold. Would you characterise that as sharp practice or grubby practice?

Elizabeth Denham: It is not in our remit to look at how money was made through insurance practices, but we are following the data. That is what we have done here. We will continue to report out what we find in the audit.

Q3905 Paul Farrelly: You are proposing to fine Leave.EU and Eldon Insurance £60,000 each. Depending on how many insurance policies Mr Banks sold to Brexit supporters or non-Brexit supporters, he may have made a lot more money than that. What sort of comment is that on the state of affairs of your ability to fine?

Elizabeth Denham: Our regulatory action policy requires us to be proportionate and to look at other fines that we have issued. Under the Privacy and Electronic Communications Regulations we have to look at other fines that we have issued. As you know, PECR is a different regime than the data protection regime. As we look at the audit, which will be conducted under data protection law, the fines could be significantly higher if we find misdeeds.

Q3906 Paul Farrelly: Watch this space. If anyone has retained or remembers an e-mail from Eldon Insurance or GoSkippy that they received unsolicited, who should they complain to?

James Dipple-Johnstone: They could let us know that. There is a way of reporting that through our website. If they can give us the details, that would be helpful.

Q3907 Paul Farrelly: There were more than a million of them?

James Dipple-Johnstone: From this incident that we are aware of.

Q3908 Paul Farrelly: Regarding Vote Leave, you say that you have some concerns about electronic marketing and that you are going to report imminently on that. Could you explain what your concerns are and when you are going to report?

James Dipple-Johnstone: Yes. They are similar concerns about the use of data in the context of electronic communications and marketing. Our investigation is ongoing. We expect to be able to report within a matter of weeks.

Q3909 Paul Farrelly: A matter of weeks, okay. There are clearly lots of things still ongoing. I have two questions about two aspects. Mr Nix and Dr Kogan refused to appear for interview with you. Did they give reasons and do you consider them to be valid reasons?

Elizabeth Denham: We asked them to appear for an interview under caution and both of the individuals refused to appear. Parliament has given us new powers, which came into effect in April, that allow us to be a more fit-for-purpose digital regulator. I think that one of the areas that we may be coming back to talk to Parliament and Government about is the ability to compel individuals to be interviewed. We have been frustrated by that aspect of our investigation.

Q3910 Paul Farrelly: When we produced our interim report, the newish holding company for the Cambridge Analytica and SCL entities, Emerdata, was still active. Do you have any investigations into their activities under the title, “What is Mr Nix doing next?”

James Dipple-Johnstone: We are following where the data trail leads us. We have accessed a number of systems and devices and we will continue to follow that data trail. We are looking at the entire structure for Cambridge Analytica, SCL Group and those behind it, and we will continue to pursue that.

Q3911 Paul Farrelly: UKIP has also refused to co-operate with you. What do you think it has to hide?

Elizabeth Denham: I do not know what it has to hide. We had hoped that after the tribunal ruled in favour of our submission it would speak to us, but it has taken that further. It is appealing the first tribunal’s decision. It has been frustrating for us that we have not been able to follow that line of inquiry in our investigation.

Q3912 Paul Farrelly: Is it required to maintain and not destroy data and records that it holds?

James Dipple-Johnstone: Yes. Information covered by an information notice by the Commissioner would be protected and it would be an offence to delete that data or to harm it in any way.

Q3913 Paul Farrelly: I have a final question about what next. We uncovered, through one of the agencies working with us, an organisation called Mainstream Network, which was sending targeted ads to members of this Committee and other MPs telling them to “chuck Chequers”. There are some concerns about whether their activities are lawful in the way they have been gathering e-mail addresses. Have you taken note of that revelation and might you perhaps be pursuing an inquiry as to who is behind Mainstream Network?

Elizabeth Denham: We are investigating those matters and will be looking at whether or not there was a contravention of the GDPR by that organisation in sending out those communications.

Q3914 Clive Efford: Given what you have uncovered, would you put any personal information on a Facebook account?

Elizabeth Denham: I think that Facebook has a long way to go to change practices to the point where people have deep trust in the platform. I understand the social media sites and platforms and the way we live our lives online now is here to stay, but Facebook needs to significantly change its business model and its practices to maintain trust.

Q3915 Clive Efford: The answer to my question is no?

Elizabeth Denham: The answer to your question is that I understand that platforms will continue to play a really important role in people’s lives, but they need to take much greater responsibility. Later in this session I would be interested to have a discussion about future regulation on the internet harms.

Q3916 Clive Efford: Do you see any evidence of a willingness on the part of Facebook to improve its act?

Elizabeth Denham: We have seen some evidence on the voluntary side of Facebook being more transparent—things like the provenance of political ads—but I think that it needs to do more and it should be subject to stricter regulation and oversight. We issued the highest possible fine under the previous legislation that we could impose for its role in Cambridge Analytica’s Facebook breaches.

Q3917 Clive Efford: It published its own requirements on 16 October this year, supposedly to tighten up around political advertisements and to understand the source of that. We have had evidence that there are organisations that you cannot identify that are still paying substantial sums of money to Facebook to advertise through its network. What is your view on that? Have you been able to investigate that?

James Dipple-Johnstone: We are aware of that incident and insofar as it relates to data protection we are looking at that and in particular, given the GDPR, we are in contact with our colleagues in the Irish Data Protection Commission as one of the supervisory authorities at European level. It identifies one of the issues highlighted by our report and our findings against Facebook around the way in which checks are carried out through that system where you load up a URL and the degree to which those systems are effective or not. That is something that we continue to do.

Q3918 Clive Efford: Does it suggest that Facebook is making the right noises about wanting to tighten up around political advertising and who is carrying it out and what they are doing, because it is continuing to make money out of it?

Elizabeth Denham: What needs to happen is regulators need to look at the effectiveness of their processes. That is really at the heart of this. There is a fundamental tension between the advertising business model of Facebook and fundamental rights like protection of privacy. That is where we are at right now and it is a very big job for both the regulators and the policymakers to ensure that the right requirements, oversight and sanctions are in place.

Q3919 Clive Efford: Can I ask a couple of questions about your investigation into Eldon? Do you have all the information that you require and just need more time to go through it or do you need to go back to the company for more information?

Elizabeth Denham: Are you talking about the amount of information that we have gathered in the context of this investigation?

Clive Efford: Yes, already.

Elizabeth Denham: We have seized servers and laptops and mobile phones and devices. We have, I think, 700 terabytes of data, which is equivalent to about 52 billion pages, of information from Cambridge Analytica, information that has been provided to us by whistle-blowers and former employees of the firms. We have a lot of data that we have been working our way through forensically. We have to do it in a certain way because if we are pursuing criminal prosecution we have to retain the information in a certain way and on a certain platform. It takes time. It is not that we need more information, it is that we need the time to finish the inquiry that we are doing.

Q3920 Clive Efford: There is no question that that information could be being disposed of as we speak? You have already gathered that information and it is now a question of sifting through it methodically to extract the information that you need?

Elizabeth Denham: Correct.

Q3921 Jo Stevens: Can I take you back to page 48 of your report on Eldon and Leave.EU? I want to ask a follow-up question. On the second breach, which is the Leave.EU newsletter being sent to Eldon Insurance customers, you say that there was a breach and that Eldon has admitted to this incident of sending out the Leave.EU newsletter incorrectly. Eldon says that it reported the breach to you. You say you have no record of that. When does Eldon say that it reported this to you?

James Dipple-Johnstone: I do not have that date, but we can write to the Committee with that. We did also check with the company to provide any documentation as part of our inquiry.

Q3922 Jo Stevens: I am interested in the time period from it saying that it reported the breach to you and the fact that as of today it has not provided the evidence to you of how it reported that breach, so that would be helpful. Thank you.

My other question is on the proposed audit. Just for my benefit and perhaps for colleagues’ benefit, can you explain to us how the run-up to the audit works and what you do? Is there a notice period? Do you go in unannounced? What are the arrangements?

James Dipple-Johnstone: We would serve what is called an assessment notice under the new Data Protection Act. We can either go in at a day’s notice or at a week’s notice. In advance of our audit, we prepare our teams. We focus on what systems we want to look at, what systems we want to access, which members of staff we need to speak to, and what questions we need to put to them. We set that out in an assessment notice to make sure that those members of staff are available to us.

We then attend on site, examine those systems in situ, interview those members of staff with our teams, look at any data we need to look at, and look at how the systems are operating. We can take copies of any material or any system overview that we require as part of our work. We would then come away, analyse that against the information we already hold from other sources and then make our findings in respect of any data protection issues.

Q3923 Jo Stevens: Do you have the power to interview or require to interview staff who may no longer be employees of either organisation? It would seem from the evidence we have heard that there were staff who were doing work on Leave.EU and work for Eldon and GoSkippy.

James Dipple-Johnstone: We certainly have, in other organisations, asked for staff lists and have approached those staff to see if they would speak to us about their relevant time there. We also have had a number of people come forward as part of this inquiry who are ex-members of staff of a number of organisations to offer assistance to us. We cross-reference what we are told by the companies against what members of staff are telling us.

Q3924 Julian Knight: I have a very brief question for Elizabeth Denham. Given the way in which Facebook has bullied journalists, threatening them with legal action, and also at the same time was at Cambridge Analytica’s offices as the net was closing in on them, I want to ask you a very simple question. Should Mark Zuckerberg appear before this Committee, as we have persistently asked him to, in order to answer for his company’s part in this scandal?

Elizabeth Denham: The advantage that we have had in our investigation is that we have dealt with Facebook headquarters, so we have had more action, more information, a better response when we are dealing with headquarters, with Mountain View, rather than dealing with the local representatives of Facebook. We are all about transparency. I think that it would be very useful to have Mr Zuckerberg appear, but it is not for me to say whether he should appear before Parliament. I can say from our own experience it has been critical that we have been connecting with the lawyers, senior staff and vice presidents in Mountain View rather than in Europe.

Q3925 Julian Knight: It is critical to get the top people to appear?

Elizabeth Denham: It has been critical to our investigation that we have the communication and the levers into the highest levels because that is where the decisions are being made.

Q3926 Chair: Can I ask one follow-up question relating to Eldon? You said in your report that you had found evidence of Leave.EU subscribers receiving promotional messages from Eldon. Have you seen evidence of other things being advertised to Leave.EU subscribers, other services, other products from outside of Eldon Insurance?

James Dipple-Johnstone: That is still being looked at as part of the inquiry.

Q3927 Chair: I have been shown an advertisement targeted at Leave.EU subscribers, which was promoting the Master Investor annual conference, whose guest speakers include Arron Banks and his business associate, Jim Mellon. I would be interested to know whether there are other incidents like that and whether there is any data clearance for Leave.EU subscribers to be targeted with events carefully selected by Arron Banks in that way.

Elizabeth Denham: Our audit will reveal more information and will be reporting on that in future.

Q3928 Ian C. Lucas: I would like to ask about GSR and Facebook. First, according to the report on page 33, Facebook was initially alerted to the GSR breach, if I can call it that, by media coverage in 2015. That was in December 2015, I believe. When did the ICO first become aware of this breach?

Elizabeth Denham: We became aware of it through media reports in early 2018.

Q3929 Ian C. Lucas: Yes, so at the same time as this Committee. Is there any obligation at the moment in the event of a serious breach like this for a platform like Facebook to notify authorities like the Information Commissioner of the fact of the breach?

Elizabeth Denham: There is now. Effective May 2018 there is a mandatory requirement for bodies like the platforms and for all agencies to report significant breaches to the ICO, but when this breach occurred there was no legal requirement for Facebook to report this breach to our authority or any other authority.

Q3930 Ian C. Lucas: Do you think that it would have been good practice for Facebook to have done that?

Elizabeth Denham: Absolutely, and I think that if it had been reported to us, we would have been able to encourage Facebook to have a more robust follow-up to chase and retrieve the data and ensure that it was deleted properly.

Q3931 Ian C. Lucas: Do you have any idea who in Facebook dealt with the serious breach concerning GSR in 2015, which individuals? Do you know who dealt with that?

James Dipple-Johnstone: Yes, we do. As part of our evidence, we have secured a number of e-mail exchanges and contacts between the companies at that time.

Q3932 Ian C. Lucas: Will you tell me who dealt with it?

James Dipple-Johnstone: We can write to the Committee separately to set out that timeline if that would be helpful. I do not have the names today.

Elizabeth Denham: It is not in the report, but it is something that we can set out for you.

Q3933 Ian C. Lucas: I am asking that because in February 2018 Facebook gave evidence to this Committee and did not mention the serious breach that had happened in 2015. I have been trying to find out since then which individuals knew about that breach. We have had evidence also in a second session, I think in June, and I still do not know who dealt with the issue and why they felt it inappropriate to tell this Committee about it. Could you send me the details? Was it Mark Zuckerberg?

Elizabeth Denham: We will follow up with the details. They are not in front of us now. They are not in the report.

Q3934 Ian C. Lucas: You do not know whether Mark Zuckerberg knew about this?

James Dipple-Johnstone: Not off the top of my head. I would have to go back and double check with the e-mails and the distribution list on those e-mails. There were some quite large distribution lists.

Q3935 Ian C. Lucas: I am slightly surprised that if you knew this you would not be in a position to tell me that now.

Elizabeth Denham: We just do not want to get it wrong. There is a long distribution list, so it would be helpful if we could give it to you with an evidential back-up.

Q3936 Ian C. Lucas: Okay. In June, Mr Schroepfer from Facebook told me that the buck stopped with Mark Zuckerberg, and Mr Zuckerberg has not yet given evidence to the Committee. It would be very helpful to know whether he was aware of this breach and when he knew.

I also note that you issued an information notice to Facebook concerning the GSR breach and Facebook stated to you—and this is on page 50 of the report—that the e-mail addresses that it had did not originate from data collected through Dr Kogan’s GSR app but came from a different source. Do you know what that source is?

James Dipple-Johnstone: No, we do not know exactly which source it is. We do know that they have reconciled the e-mails to see if those e-mails would generate the same customer audience and it is not a greater than random match.

Q3937 Ian C. Lucas: Is that what Facebook has told you?

James Dipple-Johnstone: That is what it has told us, yes.

Q3938 Ian C. Lucas: Have you checked that?

James Dipple-Johnstone: We cannot recreate how its platform operates, but it told us that in response to a formal information notice.

Q3939 Ian C. Lucas: Do you have any powers to check that? You mentioned the audit that you are doing. Could you do an audit in respect of that information?

James Dipple-Johnstone: We would be able to do an audit if that information was retained. My understanding is that the e-mail lists and the hashes that are applied to them when loading up to the platform may not be an exact match, so we would have to look at that from a technical perspective. I can write to you with the details. I do not know today whether that would be possible in this particular case.

Elizabeth Denham: It is true that we have the powers to enquire further, but we can write to you about the technical details.

Q3940 Ian C. Lucas: What I would like you to do is an audit to check—not with Facebook—on the basis of what you say whether the GSR data was used by Facebook. That is what I would like.

Can I ask you about the GitLab repository and AIQ? You mention on page 51 of the report that AIQ confirmed it had identified some e-mail addresses that were accessible via GitLab by AIQ. They were from Vote Leave, those ones. Is that right?

James Dipple-Johnstone: We understand that they were not from Vote Leave; they were collected by the company from some of its other work.

Q3941 Ian C. Lucas: I am a little confused by that. You say in your report, “We investigated where it accessed that personal data, and whether AIQ continued to hold personal data made available to it by Vote Leave”. Do you know where the e-mail addresses in the GitLab repository came from?

James Dipple-Johnstone: We understand that they came from other work that the company had done for UK companies and organisations and it had been retained by them following those other contracts that it had.

Q3942 Ian C. Lucas: Wouldn’t that be a way of a business like AIQ accumulating data from one source and then using it for another purpose?

James Dipple-Johnstone: Potentially, which is why we have asked them to delete that data as part of the enforcement notice.

Q3943 Ian C. Lucas: Do we know whether that actually happened in 2016? Do we know whether AIQ used that data in the repository for a purpose for which it was not initially collected?

James Dipple-Johnstone: We have looked at whether they should have had that data and retained it and we do not feel they should retain it. That is why we have ordered them to delete it.

Q3944 Ian C. Lucas: That almost sounds like their business model; it sounds like what they were doing.

James Dipple-Johnstone: In terms of whether they have held on to the data, they should not have held on to it. We cannot say what they may have used that data for in the past or where they have sent it to, but we do know that they should not have held that data for any longer than when they originally obtained it. That is why we have ordered them to delete it. We do not know what use they have put that data to hitherto.

Q3945 Ian C. Lucas: Do we know whether in the GitLab account there was information from, for example, Vote Leave or BeLeave or Veterans for Britain? Was there information put in the GitLab account by different organisations?

James Dipple-Johnstone: In our investigation, that was the only UK data that was accessible via that process.

Q3946 Ian C. Lucas: Which was the only data?

James Dipple-Johnstone: Those e-mail addresses, which we do not think came from Vote Leave. They came from other work that the company had done for UK companies—

Q3947 Ian C. Lucas: Did it come from other political organisations?

James Dipple-Johnstone: We know they did some work for political organisations in Canada. Whether that information has come through that process with people inadvertently signing up through surveys and websites, through that route—but in terms of the referendum campaign and the UK organisations, we do not believe so.

Q3948 Ian C. Lucas: In the list of information that we have seen relating to the GitLab account, there are a number of political organisations of the type I have just referred to, Vote Leave and BeLeave, or some of them, that are listed. Are you saying that none of those provided e-mail addresses to the GitLab account?

James Dipple-Johnstone: Our understanding is that they did not and that it was just these e-mail addresses that were retained and accessible by the company.

Elizabeth Denham: This information in our findings has also been confirmed by our Canadian colleagues who are doing a thorough investigation of AIQ at both the federal and provincial levels.

Q3949 Chair: Could I follow up on a few questions relating to Cambridge Analytica? You say in your report at the bottom of page 32, top of page 33, relating to the work of GSR and Aleksandr Kogan, “Once the data had been obtained by GSR”—this being the Facebook data—”it was then modelled and transferred to a secure ‘drop-zone’. From this drop-zone, CA was then able to extract the modelled data relating to data subjects that they were interested in and for whom they had pre-existing data.” Could you explain where the secure drop-zone was?

James Dipple-Johnstone: That was a server that was accessible by both parties and members of staff and witnesses have described the process by which information was added into it from both sides. It was then used to compare the data and for data to be extracted, and it has since been deleted. We understand that it was a shared server between the two organisations.

Q3950 Chair: Was that a server held within the organisation or was it, say, an Amazon cloud storage system?

James Dipple-Johnstone: We understand that it was cloud based.

Q3951 Chair: Do you know who had access to that storage system?

James Dipple-Johnstone: We know some of the members of staff had access from both sides. That is part of a key line of our inquiry and that is ongoing. We are still analysing some of the accesses and some of the e-mails that are passing between the two organisations.

Q3952 Chair: Do you believe that there may have been individuals or organisations who had access to that data who were not employees of either GSR or Cambridge Analytica?

James Dipple-Johnstone: In terms of access to that specific data set, it is too early to tell in our investigation. It is something that we are continuing to look at.

Q3953 Chair: I suppose the fact that you are still investigating it to me would suggest that other people must have had access because otherwise it is a relatively small number of people who would have had access to it from those two companies.

Elizabeth Denham: It is possible and right now we are into the Cambridge Analytica e-mail system. It is going to take us time to get through all of those e-mails to be able to determine who had access to that server.

Q3954 Chair: On page 34 of the report, in the top paragraph, line 3, you say, “We will be making sure any organisations, which may still have copies of the Facebook data and its derivatives demonstrate its deletion”. Are you able to tell us a bit more about the other organisations that you believe may have copies of the Facebook data?

James Dipple-Johnstone: We know that it appears that some individuals and some academic institutions have received parts of the data set. We are examining exactly what data has gone where, but that is the nature of the organisations of concern. Some are individuals and some are academic institutions.

Q3955 Chair: How many individuals and institutions are part of your enquiries at the moment?

James Dipple-Johnstone: At the moment it is about half a dozen.

Q3956 Chair: Are you able to name any of those organisations at the moment?

James Dipple-Johnstone: Not at the moment because we are still pursuing active lines of enquiry.

Q3957 Chair: Do you see any evidence of how Facebook sought to ensure that the Facebook data had been deleted? To my mind, the fact that you are still investigating where the Facebook data is would suggest that it has not been deleted, that it is still out there in some form.

What have you seen from your investigations or what has Facebook told you about the process it has followed to ensure the data had been destroyed?

Elizabeth Denham: They required confirmation in writing by the heads of organisations that they knew had the data or that they thought had the data that they had deleted it, but we have found some problems with the signing of those authorisations. Some of them were not signed at all. Again, we have evidence and it says in our report that Cambridge Analytica may have partially deleted some of the data, but even as recently as spring 2018 some of the data was still there at Cambridge Analytica. The follow-up was less than robust and that is one of the reasons why we fined Facebook the £500,000.

Q3958 Chair: There were Facebook staff in the offices of Cambridge Analytica when you sought to gain access to the Cambridge Analytica building. Do you know what Facebook was doing that evening? What were the contractors who were sent in by Facebook doing?

Elizabeth Denham: It was third-party contractors sent in on behalf of Facebook to look at Cambridge Analytica systems and servers to see whether or not the data still existed. However, we felt that that was going to prejudice our investigation. We made a call to Facebook and asked that the third-party contractors leave the building, which they did. I am not sure how they would have been able to get into those servers and get through all the encryption. We have been dealing with that data for many months, but in any case they did not start that audit that had been undertaken.

Q3959 Chair: You do not believe any data was lost to your inquiry as a consequence of that action?

Elizabeth Denham: We have no evidence that any data was taken, removed or deleted at that time.

Q3960 Chair: Until Facebook sent those contractors in, would it be fair to say that the only enforcement action they took against Cambridge Analytica was really to ask them whether they had deleted the data and to promise that they had?

Elizabeth Denham: That is correct.

Q3961 Chair: Nothing more than that?

Elizabeth Denham: No.

Q3962 Chair: In your report as on page 39, paragraph 5, you reference, “We found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse”.

It has been said that the Facebook data that was harvested by Aleksandr Kogan was not used in the political advertising campaign he was running at the time, understandably because obviously the data was being harvested to support the targeting of adverts in American mid-term elections in 2014. You say that the personal information of at least one million UK users was harvested and consequently put at risk of further misuse. What is your concern about the risk that that UK user data was potentially subject to?

Elizabeth Denham: We have evidence of very poor data practices at Cambridge Analytica and the very fact that that data was held gives us deep concern about how it could be used in other campaigns or for other commercial purposes. We found, as we say in the report, a lot of poor data management and information management practices and very poor security practices. Had the company still been operational, we would have issued a large fine just from a data protection perspective for their lack of security and controls.

Q3963 Chair: Is your concern that the UK user data that was gathered from Facebook by Aleksandr Kogan could have been used in other campaigns? Is that something you are still investigating?

Elizabeth Denham: We are still investigating and, as I said, we still have a lot of data to crunch through and to examine to get to the bottom of this. This is not the end of our work. This is an update report to tell the Committee and the public where we are with it. You can see that there are several strands that will take us into the future.

Q3964 Chair: Just because that Facebook user data was not used in the American election campaign that they were working on does not mean it could not have been used for other things and it does not mean that how it was gathered and how it was stored should not still be a cause for concern to us now because we just do not know the extent to which it was used or not?

Elizabeth Denham: It was gathered and held illegally under UK law, so that is our concern.

Q3965 Chair: Clearly, the gathering, storage and use of that data is a matter of concern for the Information Commissioner. Do you think that that should still be a matter of concern for this Committee as well?

Elizabeth Denham: I think it should. The major concern that I have in this investigation is the very disturbing disregard that many of these organisations across the entire ecosystem have for the personal privacy of UK citizens and voters. If you look across the whole system, that is really what this report is about. We have to improve these practices for the future.

Q3966 Chair: When you are saying that there is a lack of concern for the data privacy of UK citizens, are you including Facebook among those organisations?

Elizabeth Denham: Facebook, data brokers, political campaigns, data companies. As you know, we are looking at political parties and their use of data. We need to tighten up controls across the entire ecosystem because it matters to our democratic processes.

Q3967 Chair: A final question from me on this. In the comments given by the Information Commissioner’s Office relating to your interim report, it was said that you were investigating whether Aleksandr Kogan’s data had been accessed from people in Russia. Is that still an active line of investigation?

Elizabeth Denham: It is an active line of investigation. What we said in July was that there were some IP addresses that were found in that data and that server associated with Aleksandr Kogan that resolved to Russia and associated states. That is information that we have passed on to the authorities. It is not in our remit to investigate any further than that, but we have passed that on to the relevant authorities. That is all I can say right now.

Q3968 Chair: Just so I am clear, with those IP addresses that originate from Russia, are those IP addresses that had access to the drop-zone where the data was being stored?

James Dipple-Johnstone: No, there was a separate system linked to the Cambridge University Psychometrics Centre, which included a wiki that had some Facebook data and some research reports on it. Some witnesses explained to us that there was information available on GitHub, which had credentials that allowed access to that system, and that those credentials had been used to access that system from a number of points.

Some of those IP addresses resolve to IP addresses in Russia but also to IP addresses of concern through alleged cyber attacks in the past and at least one Tor entry point, which is a device for people to hide their identity online, which causes concern for us. We have secured that and passed that information on to the relevant authorities, but it is a different system to that linked to Cambridge Analytica.

Q3969 Chair: Could the Facebook data that was being stored at Cambridge University include some of the data that was gathered by GSR?

James Dipple-Johnstone: We do not believe at this point that it was data gathered through the GSR app. We think that it was data that had come from an earlier app at the Cambridge University Psychometrics Centre, which was a forerunner to the GSR.

Q3970 Chair: From the myPersonality app or one of those other apps?

James Dipple-Johnstone: Yes, it is one of that range of apps.

Q3971 Chair: Just so I am clear about what you said there, are you saying that some of the IP addresses that come from Russia have also been linked to other cybersecurity breaches in the past?

James Dipple-Johnstone: That is what we understand.

Q3972 Chair: These are not just IP addresses linked to academics at Saint Petersburg University that they work with, these are other people?

James Dipple-Johnstone: We do not know who is behind those IP addresses. What we understand is that some of those appear on lists of concern to cybersecurity professionals by virtue of other types of cyber incidents.

Q3973 Chair: People from Russia, yet to be determined, were accessing Facebook profile and user data being stored at Cambridge University that could have been gathered from UK citizens?

James Dipple-Johnstone: We are still examining exactly what data that was, how secure it was and how anonymised. It is part of an active line of enquiry.

Q3974 Chair: The scenario I outlined is part of the investigation?

James Dipple-Johnstone: That is part of it, yes.

Q3975 Ian C. Lucas: Just on that point, could you say when that was?

James Dipple-Johnstone: There are a number of access points of concern spanning a number of months right the way up to when it is identified in 2017-18. We are looking back through the detail of all of those, so I would not want to tell you exactly when it started and finished.

Elizabeth Denham: We could write to the Committee.

James Dipple-Johnstone: We can write with the details at the appropriate point, but it is part of our investigation.

Q3976 Clive Efford: On the scale of things, how does what you are investigating at the moment compare with things you have investigated prior to this?

Elizabeth Denham: The scale of it or the importance of it? Both?

Clive Efford: Yes.

Elizabeth Denham: This investigation is unprecedented for our office. It is unprecedented for any data protection authority I think worldwide in terms of the type of information we are examining, the numbers of organisations, the numbers of individuals, the cost of the investigation and the expertise that is required.

What is at stake is the fundamentals of our democratic processes. People have to be able to trust the systems, so it is very important that we get to the bottom of this and also that Government and Parliament take up some of the important recommendations that we have made at the policy level, which includes a statutory code of practice for political campaigning. I think that the rules need to be sharpened; they need to be clear; they need to be fair across all organisations involved in political campaigning.

Q3977 Clive Efford: Are the sanctions that are available to you, even the new ones that you have been given, sufficient?

Elizabeth Denham: We want to see with the GDPR and the Data Protection Act 2018 how it beds in. I have already identified a power that I think we probably need in the future, but the sanctions are strong. We have up to 4% of global turnover for a potential fine for a company. We also have the ability to enforce a stop processing order, which arguably could be more harmful for a company’s bottom line than a fine. We do have new powers that make us a fit for purpose regulator, but it has been a very short period of time with our experience in these new powers.

Q3978 Clive Efford: The monetary penalties that you have issued, the maximum one is on Facebook, £140,000 on Emma’s Diary, £60,000; admittedly, these are on PECR. Are what you have issued there sufficient—setting aside the Facebook one, which is the maximum you could—Emma’s Diary £140,000, given the scale of what has gone on?

Elizabeth Denham: It is the cap that was available to us. The £500,000 was the maximum under the old regime, and the other fines had to be consistent with fines that we have issued in the past.

Q3979 Clive Efford: But you have just said that it is unprecedented?

Elizabeth Denham: This is an unprecedented situation in an unprecedented investigation, but the contraventions happened under the previous regime. Therefore, we have only the maximum fines available under the previous regime. I can say that the Facebook fine would inevitably have been much larger if we were under the new regime.

Q3980 Clive Efford: Can I ask you one question about personal data? Is it feasible to have a method whereby I could issue a notice and insist that an organisation provide me with the data that they have on me? There is no one place you can go that would allow you to access that sort of information, but if I as an individual have control over my data and can demand to be told who has it and why and ask for it to be erased, would that be a game changer or is that not feasible?

Elizabeth Denham: You have stronger rights—everybody has stronger rights—under the GDPR to obtain details about what data is held about you, how it has been shared, how long it has been stored, and you also have a right to erasure or right to correction. You have stronger rights under the GDPR to find out who is processing data about you and a 20-day maximum period with oversight by our office. There are stronger rights for subject access requests.

I am not sure how practical it would be to build a single portal to access all of the companies, websites, social media sites and data that is held on you. It also might be a honeypot for cyber hackers if you think of the size of that kind of data. You do have stronger rights under the GDPR.

Q3981 Clive Efford: You said one of the things you took into consideration when you issued your fines was the fact that you had not received many complaints. Does that say something about you?

Elizabeth Denham: I can say that the complaints that we have received since GDPR came into place are 100% higher than they were the year before.

Q3982 Clive Efford: They can be infinitely higher if you had none before, of course.

Elizabeth Denham: No, we get a lot of complaints. We have over 200,000 complaints a year. This was an own-motion investigation, so our decision to take on this investigation was our decision. We did not receive complaints. I think that one of the reasons why we do not receive complaints about something as complex as Cambridge Analytica, Facebook and data brokers is that people do not necessarily have the time to understand or enquire. A lot of our complaints or concerns come from journalists, civil society and policymakers.

Q3983 Clive Efford: Is that sufficient? Shouldn’t people be more active in this process? Do you think that there is more that could be done by bodies like yourselves to educate people to their rights?

Elizabeth Denham: Yes. We have been running a Your Data Matters campaign since April of this year. It is an active campaign and I think that it has driven more people to file more complaints against companies as well as to us.

The other thing that I think is really important in this space, especially when you think about internet harms, is digital education. It is going to be very important that an agency or agencies help the public to understand their rights but also to make citizens more digitally literate so that they know how to navigate the internet and be able to exercise their rights. We have a role in that but we do not necessarily have the resources we need to be able to do that work.

Q3984 Chair: We will talk more about resources and future issues a bit later on. I have one follow-up on my question from earlier on. With cloud storage systems like Amazon Web Services, the server is based in the United States. Do you have the right to ask Amazon Web Services whether it has records of who had access to certain cloud storage files and whether it has retained that information? Can you do that?

Elizabeth Denham: Yes, we do. We have the ability to reach outside of our borders. We have extraterritorial authority.

Chair: In the scenarios that we were discussing earlier on, in theory they should retain data relating to who has had access to cloud storage systems that they control, yes. Thank you.

Q3985 Giles Watling: Would it be fair to say that organisations like yourselves are always playing catch-up with these large companies that are moving forward with data manipulation and usage? You said that the companies seem to have disregard for people’s personal data. Is that because you are always behind the curve and playing catch-up, if you see what I mean?

Elizabeth Denham: The new powers that were given to us under the GDPR and the DPA 2018 will help us enormously to be able to be a fit for purpose regulator in this space, but until we had the larger sanctions, the larger fines, the ability to digitally preserve the data that we need, the ability to reach extraterritorially into the US servers, whatever we needed to do, we could not be as effective a regulator as we can be now.

In terms of playing catch-up, we are never going to have the resources available to us in technologists and engineers. We are never going to have thousands of these experts around us, but what we do have is the powers to compel a company to respond. We do have the powers now to inspect. We have the powers to be able to look at algorithms. We are working on methodology for transparency in algorithms. We have the ability to get into the companies and look; we can do it proactively and reactively. The reboot of the law that we got in this country in May of this year and throughout Europe is really important.

Q3986 Giles Watling: What concerns me is that these large tech companies would build into their business model the fines that you might be able to levy on them. That is where the disregard lies. Are you saying that once you have greater powers, greater fines that you can impose, you think that you will be able to get rid of that disregard to a certain extent?

Elizabeth Denham: I think that the 4% of global turnover has more of an impact than our previous maximum of £500,000. I also think that our ability to order a company to stop processing data is a very powerful tool. If we use that order, again I think that affects their bottom line.

Q3987 Giles Watling: Moving on, in our interim report we recommended that major investment in ICO was needed. It was a recommendation that there should be a levy on tech companies to help pay for that work. What do you say to that? Do you think that is a good way to go?

Elizabeth Denham: We are funded by fees that data controllers pay now. There is a new fee regime that took effect earlier this year. Ultimately a tech levy and how it funds various regulators is one for Government and Parliament, but I do think there is merit in the companies paying for some of the changes that we made in the environment. I talked about digital literacy and education. I think that that is a good way for companies to have to pay for digital literacy. It will help us going forward if citizens have those skills. I think that a tech levy is a fine idea, but how that is distributed is one for Government and Parliament.

Q3988 Giles Watling: Certainly. Whose role do you think it is to regulate disinformation?

Elizabeth Denham: Disinformation is a phenomenon of the internet and there are lots of different internet harms. We have talked about them; your Committee is talking about the misinformation and disinformation.

Q3989 Giles Watling: Is that under your auspices?

Elizabeth Denham: In terms of data it is. Disinformation is distributed according to the use of personal data. To the extent that personal data is used to deliver or distribute disinformation, then we are in the mix.

Q3990 Giles Watling: Do you think that the platforms themselves should have responsibility in this matter?

Elizabeth Denham: I think that the platforms have a huge responsibility to be able to have the systems in place to identify disinformation, bots, and fake accounts. They absolutely should have that responsibility, but I think that you need a regulator that is a backstop to ensure that the companies have the right systems and that the systems are effective in identifying and taking down disinformation.

Q3991 Giles Watling: Do you see the ICO as being that regulator?

Elizabeth Denham: I see the ICO as being in that space. I do not think that you can take the ICO out of it entirely because data and personal data runs through the creation of internet harms. There could be a hybrid model, for example, between Ofcom and the ICO in dealing with some of these internet harms, misinformation, disinformation, taking down harmful and offensive user-generated content. It is a very complex area. No country has tackled this yet. Germany’s law is a step, but it is quite controversial. The need to balance freedom of expression with internet harms is very challenging for policymakers.

Q3992 Giles Watling: Freedom of speech is one of the big mantras.

Elizabeth Denham: Freedom of speech, yes, so I think it is challenging. The ICO has a lot of experience in regulating these large platforms. We have had years of experience in right to be forgotten cases where there is delinking and balancing privacy rights with freedom of speech and freedom of expression. These are difficult areas.

Q3993 Giles Watling: It is a minefield.

Elizabeth Denham: It is a minefield, but I think that the ICO is in the mix. We have certainly had the experience in dealing with WhatsApp, Facebook, Google, Uber; name a platform, they know us.

Q3994 Giles Watling: The word to use is “harm”, isn’t it, if there is harm?

Elizabeth Denham: Harm.

Q3995 Brendan O’Hara: I have a quick follow-up question to Mr Watling’s. GDPR obviously gives you scope to impose a much larger fine, 4% of global turnover. Can you envisage circumstances beyond what we are seeing right now with Facebook where you would have used that fine? Would you conceivably have fined Facebook, knowing what you know now, had you had the power to do so, that 4%?

Elizabeth Denham: Inevitably, the fine would have been significant. Whether it would have been 2% or 4%, I did not have that available to me because I was looking at contraventions that happened before 25 May 2018. I was tied to the former regime, but it was serious and significant. The breaches affected 87 million individuals. The breach was in the context of political campaigning, protected information, sensitive information, so the fine would have been significantly higher.

Q3996 Brendan O’Hara: Could you envisage a greater breach than what we have currently witnessed? You said it is unprecedented. At what point would you have used the powers currently available to you to their maximum? Is this what you would regard as almost the worst imaginable case?

Elizabeth Denham: It is certainly one of the largest breaches that we have seen. Can I envision worse data crimes? A whole system breakdown. There could be some serious contraventions of the law involving police services or our health system. There could be some other significant breaches, but there was purposeful, intentional, illegal misuse of personal data that was reused in political campaigning, and I think that that is very serious.

Q3997 Brendan O’Hara: Do you think that the reason or part of the reason why they did it—and, as you say, with this complete disregard for people’s data—is that the tech companies had a complete disregard for the ICO?

Elizabeth Denham: Google, Facebook and others have dealt with the ICO. They have dealt with the Federal Trade Commission in the US on privacy issues. They have dealt with other data protection authorities around Europe. They have been fined and they have been sanctioned. I just think that the fines have not been significant enough and the impact on their bottom line has not been significant enough. I think that the public is waking up to the importance of data privacy in a way that they haven’t in the past, and that will drive the platforms to do a better job.

Q3998 Brendan O’Hara: How seriously do you think that the actors out there took you and other regulators? Did they see you as a mild inconvenience that you could work around with a paltry fine? Was that the regime that was working out there?

Elizabeth Denham: I cannot say what was in Facebook’s mind. It will be interesting to see how it responds to the fine that we have given it, whether it pays the fine or whether it appeals the fine. I also know that the CEOs of other tech companies—Microsoft, Apple and others—have come forward with pretty strong statements about supporting data privacy and digital ethics. I would like to think that we are moving into a new phase of more respect for people and their rights.

Q3999 Brendan O’Hara: Would you agree that the tech companies have shown that they are incapable of policing themselves? What powers would you wish to have in order to proactively police the tech companies who have abjectly failed to do so themselves?

Elizabeth Denham: I think that the time for self-regulation is over. That ship has sailed. Tech companies are already subject to data protection law, but when it comes to the broader set of internet harms that your Committee is speaking about—misinformation, disinformation, harm to children and their development, all of these kinds of harms—I think that what is needed is an accountability approach where Parliament sets the objectives and the outcomes that are needed for the tech companies to follow and a code of practice is developed by a regulator, backstopped by a regulator.

What is really important is that the regulator is looking at the effectiveness of systems like take-down processes, recognising bots and fake accounts and disinformation rather than the regulator taking individual complaints. It needs to be a system approach.

Q4000 Brendan O’Hara: You have produced the report “Democracy Disrupted?” Looking at what has come from that report, what do you think are the most immediate issues that the Government should move to tackle right now? As of today, what should the Government be doing? What should the priority be?

Elizabeth Denham: From our report, what the Government can do to move forward to make the next election or the next campaign fair for citizens is to support our call for a statutory code of practice for all of the actors in the political campaigning space. I think that would be a good step forward.

When it comes to internet harms regulation, there also needs to be a code that is backed by statute and a regulator with the powers of extraterritorial reach, the powers of serious sanction, the kind of powers that the ICO has. Those are the powers that you need for a regulator that is going to be looking at conduct and content online.

Q4001 Brendan O’Hara: Looking to the future, are you sufficiently resourced to be that regulator?

Elizabeth Denham: I do not think that content and conduct online fits neatly in any existing regulator, but both Ofcom and the ICO have experience and skills in this way. There could be a hybrid model between the two. You are not going to be able to take the ICO out of the data issues because we are a horizontal, not a sectoral, regulator.

Q4002 Rebecca Pow: On that point of saying we should call time on the self-regulatory approach, do you think there is a case for putting an ICO officer, a compliant representative, into a company like Facebook to keep their eye on things at the horse’s mouth?

Elizabeth Denham: It is really important that a regulator has proactive and reactive inspection powers. Being sat in the midst of Facebook might be uncomfortable for both sides, but I do think—

Q4003 Rebecca Pow: It might be effective, though.

Elizabeth Denham: I think that they have to understand how the platforms work. Our data protection work has given us a good insight into how these platforms work technically. It is really important for a regulator to understand that and not sit in an ivory tower, but inspection powers can give you a way in.

Q4004 Rebecca Pow: I want to ask your general view. In all of the assessments you have made, were you surprised and then concerned at the quantity of personal data that these platforms hold on us?

Elizabeth Denham: We were astounded by the amount of data that is held by all of these agencies, not just social media companies but data companies like Cambridge Analytica and political parties, the extent of their data, the practices of data brokers. We also looked at the universities and the data practices in the Psychometrics Centre, for example, at Cambridge University. I think that universities have more to do to control data between academic researchers and those same individuals who are running commercial companies. There is a lot of switching of hats across this whole ecosystem and there needs to be clarity on who the data controller is and limits on how data is shared. That is a theme that runs through our whole report.

Q4005 Rebecca Pow: Would you say you have basically opened up a can of worms?

Elizabeth Denham: Yes, indeed. This work will go on for some time before we finish off all of our enforcement notices, our enforcement work and our audits.

Q4006 Rebecca Pow: I wanted to talk a bit more about that personal data because we discovered from our own inquiry that lots of people are having personal data harvested about themselves that they are probably quite unaware of. In your other report, the July “Democracy Disrupted” report, you referred to this personal data as “inferred data”, perhaps. I wanted to get your views on whether more consideration should be given to all that extra data, what is happening to it and how it is handled.

Elizabeth Denham: In terms of the data that is held by whom?

Rebecca Pow: It seems that lots of political parties are not regrading this extraneous data that is gathered as personal information because it is not called “factual”, as such. I want to know what your views are on that.

Elizabeth Denham: That view is wrong in law. If you are collecting information that infers a characteristic of an individual, it is personal data and it is caught and subject to the Act.

Q4007 Rebecca Pow: Would you want to change that?

Elizabeth Denham: I want to work with the political parties under a code of practice to make sure that everybody is playing by the same rules and that political parties are using political data to engage with voters in a way that is lawful, transparent and fair. That is why a code of practice is going to be a practical tool so that everybody knows what the rules are. A code of practice involves consultation with the political parties, the other actors and the other players.

Q4008 Rebecca Pow: Do you think there should be a definition for this inferred data or this extra personal data?

Elizabeth Denham: Yes, we can work on that. Once again, the code is a way through that.

Q4009 Rebecca Pow: Finally on Facebook, allegedly some people have labelled Facebook as basically a crime scene. Do we need a whole data audit of everything about Facebook?

Elizabeth Denham: The European Data Protection Board, of which we are a member, is looking in a more holistic way at what we need to do as a community with Facebook and other social media platforms. Under the GDPR, the Irish Data Protection Commission is the lead authority on Facebook because that is where Facebook is based in Europe, and so they would be the lead on an audit that is going forward in the future.

Q4010 Rebecca Pow: Do you have enough faith in them?

Elizabeth Denham: We can work with them. They are a smaller authority than we are. We are the largest data protection supervisor in Europe with 700 staff. Ireland has 100 staff. We certainly can support them and work with them. We have more capacity to do technical audits.

Q4011 Rebecca Pow: Can you sum up in one sentence for me what this whole report and the investigation you have been undergoing has highlighted to you?

Elizabeth Denham: A disturbing amount of disrespect for personal data of voters and prospective voters. What has happened here is that the model that is familiar to people in the commercial sector of behavioural targeting has been transferred—I think transformed—into the political arena. That is why I called for an ethical pause so that we can get this right.

We do not want to use the same model that sells us holidays and shoes and cars to engage with people and voters. People expect more than that. This is a time for a pause to look at codes, to look at the practices of social media companies, to take action where they have broken the law. For us, the main purpose of this is to pull back the curtain and show the public what is happening with their personal data.

Q4012 Rebecca Pow: You are pausing, but all those other companies are just carrying on. Until you say, “You have done something wrong” and give them a fine, no one else is pausing.

Elizabeth Denham: The politicians and policymakers need to think about this too, with stronger rules and stronger laws.

Q4013 Clive Efford: I was thinking about the answer you have just given. The purpose has to be that the data people collect is used for the purpose that people gave them access to it and that it is not misused. But are you going beyond that and saying that if you have legitimate access to that data—say a political party and they use that data to target a message at parents with children because that message is relevant to parents with children—it is wrong? Are you saying that that sort of targeting should not be allowed at all?

Elizabeth Denham: No, I am saying the rules are unclear to a lot of people when you transpose the law into the political ecosystem. Let us be clear about that. But I am not saying that that is wrong. I am saying that the use of the data should be transparent. If a political party has obtained information from a data broker, for example, to use, that data should have been consented for that purpose. Let us just make sure that the law is complied with and that it is transparent because then you will take the people with you in all your messaging and people will trust the system.

Q4014 Ian C. Lucas: AIQ was used by the Democratic Unionist Party in the run-up to the referendum. Why is it not listed in the relevant section of the report that lists Vote Leave, BeLeave and Veterans for Britain?

Elizabeth Denham: We will check that but, yes, they were.

James Dipple-Johnstone: We have looked at that.

Elizabeth Denham: We have looked at it.

Q4015 Chair: I would like to pick up on something coming out of the questions that Rebecca Pow asked you about inferred data. Elizabeth Denham, you said you felt that inferred data about people’s political opinions gathered from their profile data on a site like Facebook and then that inferred data being used to target people based on their political opinions without their knowledge or consent was already legal. Did I hear that correctly?

Elizabeth Denham: If you are targeting people based on inferred data, that is personal data. I think that was the question: is it personal data or not?

Q4016 Chair: At the moment Facebook effectively allows this because you can use its target audience tools to identify people based on their personal data on Facebook, and the tools are getting their likely political beliefs for you.

Elizabeth Denham: You are talking about a lookalike audience.

Chair: Exactly, a lookalike audience, yes.

Elizabeth Denham: Lookalike audiences are a complex area that I would suggest needs to be tackled in a code. But at this point the use of lookalike audiences should be made transparent to the individuals. They would need to know that a political party or an MP is making use of lookalike audiences. The lack of transparency is problematic.

Q4017 Chair: Yes, but the changes to Facebook’s political advertising rules do not include that, do they? They are not proposing to notify people that they are being targeted in that way.

Elizabeth Denham: They are not, but my suggestion is that they should. This is the work that needs to be done with a code so that everybody understands what the rules are and that it is practical.

Q4018 Chair: This is the question we put to Mike Schroepfer from Facebook when he gave evidence. If I am a Facebook user and I have deliberately chosen not to say publicly what my political affiliations are because I do not want that information to be shared, but nevertheless Facebook is inferring from my personal data what my political views are and then selling me to an advertiser with a lookalike audience so that they can run out at me, they do not have to tell me they are doing it and I cannot stop receiving the adverts. Do you feel that that is legal under GDPR?

Elizabeth Denham: We have to look at it in detail under the GDPR, but I am suggesting that the public is uncomfortable with lookalike audiences and it needs to be transparent.

Chair: It is a good example of how the way in which people are sold shoes and holidays should be different from the way in which they are sold politics. Thank you. That concludes the questions from the Committee for this panel. Thank you very much.

Examination of Witnesses

Witnesses: Claire Bassett, Bob Posner and Louise Edwards.

Q4019 Chair: Thank you and welcome to this second panel as part of our evidence session this morning.

Claire Bassett, there are lots of overlapping areas with your work and the work of the Information Commissioner, particularly when we are talking about political communications and disinformation. Could you tell us about how you work together and whether there are any active lines of inquiry that you are working on with the ICO?

Claire Bassett: If you take the broad picture first, we have worked together all the way through a range of different investigations, which we have been hearing about and which we have published. We have also been sharing our views of some of these areas we have been talking about. There is a commonality of themes in particularly a need for transparency for voters on what they are seeing on social media, a need for regulation that can match that and be fit for purpose in the modern age. Perhaps I will ask Louise to fill you in specifically on the investigations.

Louise Edwards: There is some overlap in the investigations but not a huge amount because we are looking at different areas. Primarily it has been about making sure that we do not get in each other’s way when we are dealing with the same actors, the same parties or the same individuals, rather than necessarily sharing evidence. There has been some evidence shared back and forth but that is on live matters and so I am not able to talk about it in any great detail. The overall point I would make is that we very much know what each other is doing and are co-operating and liaising where necessary.

Q4020 Chair: One of the active areas of your recent inquiries where you have a common interest has been Leave.EU and Eldon Insurance. You will have heard the evidence from the Information Commissioner about her investigation on data usage at Eldon. You said in your statement from the Electoral Commission last week that you did not believe that Arron Banks was the true source of the £8 million that was donated to Leave.EU. Could you explain a little bit more about the reasons for that view?

Claire Bassett: Yes. I will ask Louise in a minute to talk you through that. I will caveat by reminding the Committee that this is subject to a live investigation by the NCA now and so we are limited in what we can say to you because we do not want to prejudice any future investigations. But that does not stop us explaining what we have done to a certain extent and so I will ask Louise to do that.

Louise Edwards: In about April 2017, we opened an investigation into Leave.EU. One of the areas we were looking at was the £6 million loan that it reported from Mr Banks. We looked at various documentation during that investigation and we concluded that the claim that the money came from Mr Banks and was loaned straight to Leave.EU clearly was not right. There were other companies involved in that chain, Rock Services and Better for the Country being two of them.

That prompted us to look at Better for the Country in a little bit more detail. Better for the Country made some substantial donations to a number of other campaigners as well. Having looked at Better for the Country, we then decided in November last year that it warranted an investigation in its own right to work out where the money had come from that it then gave to various campaigners and used to pay for Leave.EU’s campaign. Better for the Country told us that on top of the £6 million that Leave.EU reported, it also got an additional £2 million loan from what it said was Mr Banks and his group of insurance companies, and so we were looking at the full £8 million. We asked Mr Banks for quite a lot of information. We got information from the various companies involved: Leave.EU, Better for the Country, Rock Services. We looked at other sources of information. We looked at banking records for those companies.

Having analysed all that information, we concluded, as we said last week, that we suspect that Mr Banks was not the true source of either the £6 million loan to Leave.EU or the £2 million to Better for the Country. We suspect that one of the parties to those loans was Rock Holdings, which under electoral law is an impermissible lender because it is based in the Isle of Man. We suspect that the true details of those financial transactions were concealed from us by Mr Banks and others involved in those companies and, as a consequence of all of this, we suspect that a number of criminal offences may have been committed.

As both the seriousness of this matter and the need to gain evidence from outside of the UK—notably Gibraltar and the Isle of Man—became apparent, we started talking to the National Crime Agency. That conversation culminated a few weeks ago in a formal referral to them and we set out exactly what our concerns were. They have picked up that referral. They agree with us that it warrants a criminal investigation and they have now opened a criminal investigation. Last week we handed all our evidence to them and so they now have all of it. With their agreement, we decided to publish a report explaining what we have done. The NCA has now confirmed that it has its investigation open and we will wait to see where that takes us.

Q4021 Chair: At the weekend, Arron Banks seemed to state repeatedly that you had not asked for financial records related to Rock Holdings during the investigation. Is that correct? If so, what was the reason?

Louise Edwards: I am not able to go into a huge amount of detail about the evidence that we do and do not have because we have been asked not to by the National Crime Agency, but we have looked at the banking records for a number of the companies associated with Mr Banks.

Q4022 Chair: Does that include Rock Holdings?

Louise Edwards: It does not include Rock Holdings because, unfortunately, that is outside the jurisdiction of the UK and our powers do not allow us to get those statements.

Q4023 Chair: You have not asked for them because you do not have the powers to request them?

Louise Edwards: Not from the banking institutions, no.

Q4024 Chair: But the NCA presumably does and so this will be a matter for the NCA to follow up?

Louise Edwards: Yes.

Q4025 Chair: The other point that Mr Banks made at the weekend in his interviews was relating to the use of Eldon Insurance staff. Despite the fact that he said it was a complete lie that Eldon Insurance staff worked on the Leave.EU campaign when he gave evidence to the Committee, he seemed to change his story at the weekend and said that staff would be contracted over from Eldon to work on Leave.EU and that this had all been declared to the Commission. I wanted to clarify whether this tallies with your recollection.

Claire Bassett: I will let Louise come in, but just to give it some context, remember that in our findings from the first investigation into Leave.EU, we found that it had incorrectly reported the staff details there. We have found an offence that it has been fined for in this area already.

Louise Edwards: In fact, we found two offences in relation to the way that Leave.EU reported staffing costs. One of those was around failing to provide the supporting documentation that was needed and the other was around failing to include the management fee that it paid Better for the Country, as a consequence of which Leave.EU exceeded its statutory spending limit.

In the Leave.EU investigation, we looked at staffing costs provided by Better for the Country and there was about £79,000 to £80,000 worth of those costs in Leave.EU’s spending returns. We looked at that and concluded certain offences around that.

Mr Banks did not clarify, as far as I am aware, at the weekend exactly what company he said those staff were seconded to. There is some lack of transparency there and we will look at whether we need to write to him about that.

Q4026 Chair: You do not believe, though, that there has been a full declaration made about the transferring of contracted staff from the insurance business to work on the political campaign during the referendum?

Louise Edwards: I do not know what the contractual arrangements were between Eldon Insurance and Better for the Country because I do not know if that is exactly what Mr Banks was talking about. I do know that the staffing costs were reported incorrectly by Leave.EU.

Q4027 Chair: Putting to one side the contractual nature of their engagement, he seemed to be suggesting at the weekend that they effectively stopped their employment at Eldon to take up short-term contracts at Leave.EU for the purposes of the campaign or maybe they ran the contracts consecutively. That was not at all clear from what he said. But the issue here is the value of the benefit that the campaign derived from these staff working on the campaign. You do not believe that that was correctly reported?

Louise Edwards: We know it was not correctly reported in respect of the staffing costs incurred by Better for the Country because we know Leave.EU paid a significant management fee to Better for the Country that was not reported. But you are entirely right there that if a staff member works a proportion of their time for the registered campaigner, that proportion of their time needs to be accounted for. You are also right that it is not terribly clear exactly what Mr Banks has said has happened and that is something we will look at.

Q4028 Chair: Yes, he does seem to specialise in constructive ambiguity and probably not very constructive—unconstructive ambiguity. His assertion at the weekend that all of this had been declared correctly to the Electoral Commission and therefore is not an issue, as far as you are concerned, is not true?

Claire Bassett: We have found that they incorrectly declared it and we fined them for that.

Q4029 Jo Stevens: Can I ask you about Rock Services? In answer to a question when Mr Banks gave evidence to this Committee, he described Rock Services as a service company, effectively. In the accounts for Rock Services for 2016, it shows that it charged Eldon £39.1 million or 83% of Eldon’s £47 million of expenses that year. That is 83% of Eldon’s turnover. Eldon’s total staff costs for that year were £12.8 million. Were you able to identify what Rock Services was charging for?

Louise Edwards: I am afraid we are entering the realms here where I am going to have to say I cannot answer because there is an ongoing criminal investigation.

Q4030 Giles Watling: When Mr Banks appeared before us earlier, I asked him one very direct question and he was not ambiguous at all. I said, “Did the £8 million come from Russia?” He said, “No, it did not”. Was he lying or was he being economical with the truth?

Claire Bassett: I cannot answer that.

Q4031 Giles Watling: Do you think there was any degree of truth in that?

Claire Bassett: That is an ongoing investigation. We looked at what was in our remit here. We have handed it over to the NCA. We cannot speculate.

Q4032 Chair: To clarify on that, part of the ongoing investigation is where the funds that went to Rock Services may have come from and they may have come from outside of the insurance businesses?

Claire Bassett: We have handed over what we have found and we have told the NCA that we have a reasonable suspicion that the money did not come from where we were told it came from. It is for the NCA to scope out its future investigation and to decide what that does. It would be wrong for us to comment on that.

Q4033 Chair: Just so that I am clear on that, you are not convinced that the money came from Rock Services and that the money paid by Rock Services may have come from somewhere else?

Claire Bassett: Yes.

Q4034 Ian C. Lucas: Is it correct that political donations must be disclosed in the directors reports of companies?

Bob Posner: Yes, it is.

Q4035 Ian C. Lucas: Is it correct that there is no disclosure in the accounts of Rock Services of this payment?

Bob Posner: I believe that to be correct. I cannot say 100% but I think that is correct. We need to be careful.

Claire Bassett: We need to be clear that we cannot start talking about what we have looked at and what we have seen in—

Q4036 Ian C. Lucas: But this is about looking at the past and just—

Claire Bassett: Yes, but you are asking us to discuss the elements of our investigation that we have handed over.

Q4037 Clive Efford: You did have full access to Companies House records, though?

Claire Bassett: Yes.

Q4038 Clive Efford: Given what you know, can people have trust in what is targeted at them on Facebook and who is behind it?

Claire Bassett: That is a much bigger question. We would agree with the previous evidence from the Information Commissioner. What people need is transparency to know where that information is coming from, who is saying it to them and what data is being used. We would absolutely support that and agree with the calls to improve that transparency. There have been some welcome moves in that direction, particularly by Facebook, but we would like to see wider and more statutory reforms made as well.

Q4039 Clive Efford: Facebook has introduced tighter reporting requirements—I will not call them “regulations”—from people who are paying for political ads through the platform, but we have had evidence that it is not applying them. In one case, a significant sum of money was paid for advertising and the organisation or body that paid for that advertising cannot be identified and yet it is being targeted through Facebook that they are customers. Would you say that Facebook is talking about tightening up in this area but is not doing enough?

Claire Bassett: We are having an ongoing conversation with Facebook. We are particularly keen to see that the changes that have been made and the additional things that have been created work for us as regulators as well. We need to be able to interrogate them and get the right information back to give us confidence in what we are finding. We have raised that and we have been working with them. Our view is that we need to be very clear about what is needed—and it probably needs legislative intervention to set that out—so that we are all working in the same direction.

Q4040 Clive Efford: Would you say that self-regulation is not working and it requires a framework of regulation?

Claire Bassett: We welcome the progress that has been made, but we remain concerned that we need all the different social media platforms to be engaged, not just some of them, and that probably will need further regulation.

Q4041 Clive Efford: Do you think there should be a register of political advertising requiring all political advertising work to be listed for public display?

Claire Bassett: The devil is in the detail on that one. It can be difficult. First, we are the elections regulator, not the regulator of all political advertising. That means that our remit applies only around election periods or referendum campaign periods.

For example, activity being undertaken at the moment, which is outside one of those regulated periods and does not fall within other rules like the non-party campaign rules, is not regulated by us as it currently stands. There would be some quite significant shifts to try to have a register of all political campaigners. You would have some real challenges with definition.

It is important that that is balanced with freedom of speech. If you take, for example, some of the concerns raised by charities and non-party campaigners, if they are campaigning day in and day out on a particular issue and that issue gets on the political agenda, when does it become political campaigning as opposed to their bread-and-butter activity? We are open to being part of any policy discussions about developing measures and things that can be done there, but we need to do it in a way that balances freedom of speech with protection of data and does not create burdens that inhibit people who have a right to say things.

Q4042 Clive Efford: For clarification, is it £8.2 million from Mr Banks or is it £8 million?

Claire Bassett: It is £8 million.

Q4043 Clive Efford: £2.9 million of that was spent during the official campaign?

Claire Bassett: Yes.

Q4044 Clive Efford: How much of that was in excess of the £7 million cap on the spend of the official campaign?

Claire Bassett: This is donations, not spending. There is not a cap on donations. It was split.

Louise Edwards: Some £2.2 million was donations to other campaigners. Better for the Country was running the campaign for Leave.EU, which was not the designated lead campaigner and so it had a spending cap of £700,000. On our estimate, Leave.EU broke that spending cap by at least £55,000, if not more, and a substantial portion of that was the failure to declare the management fees that it paid Better for the Country. That gives you an idea of the scale.

Q4045 Simon Hart: This is slightly tangential. When you are looking into the type of offences that may have been committed and the manner in which the political advertising may have been deployed, do you or does anybody else make an assessment of the effect that it has had? Has any of this stuff we are talking about, as far as you are aware, changed the outcome of any of the elections or referenda we are talking about?

Claire Bassett: We do not look at that. Our regime is entirely predicated on the money. We regulate by looking at where money comes from and how money is spent in political campaigns around elections.

Q4046 Simon Hart: Presumably because you think that if people have illegally spent more than they should have done it might have had some impact on the outcome. I am trying to get to whether anyone ever assesses what that impact is.

Claire Bassett: There have been some academics who have sought to look at that. I am not sure that there is any conclusive evidence about the impact that different elements of this had. It is quite difficult to measure because you cannot just distil down to one particular set of tweets or one particular bit of social media activity because voters are exposed to a whole lot of things.

Q4047 Simon Hart: The suggestion being made is that whoever was responsible for the illegal activity, it distorted the outcome of the referendum one way or the other. There is no evidence to back that claim up?

Claire Bassett: You certainly should not be assuming that it does have that impact. The evidence is limited.

Q4048 Simon Hart: Does it exist at all?

Claire Bassett: There are individual academics who have looked at it and there are bits of studies around it. I would not say there is a comprehensive indicator of the impact.

Q4049 Rebecca Pow: On the back of that, how important is it that the National Crime Agency comes out with its conclusions by or on 29 March?

Claire Bassett: That is not for me to say or that I should comment on that. It is important that the National Crime Agency does a proper and thorough investigation that helps to build on that confidence.

Q4050 Rebecca Pow: Given some of the things that you have said about the findings and how you believe crimes have already been committed and that there might potentially allegedly be an overspend of £50,000 to Leave.EU and all those things, what if the NCA comes out on 30 March or 1 April with some shocking announcements and we have gone ahead with leaving the EU?

Claire Bassett: That is not something for me to comment on. That would be a matter for Parliament. Referenda and when they are called and what is done as a result of actions on them is a matter for Parliament not for us.

Q4051 Jo Stevens: Can I ask you about the investigation into Vote Leave and BeLeave, which you have concluded? You fined Vote Leave £61,000 and you fined Darren Grimes £20,000. Have either of them paid those fines yet?

Louise Edwards: No, they have not. They have both appealed the findings. When you appeal a finding, the fine is stayed until the appeal is heard.

Q4052 Jo Stevens: When is the appeal being heard?

Louise Edwards: I believe it has been scheduled for some time in the summer next year.

Q4053 Paul Farrelly: We recommended—and it is not something we usually do and we have to think about these things carefully—a reference to the National Crime Agency because we were unclear whether what we were being told was the truth, and so congratulations on taking the step. It is quite feasible that the NCA and the CPS might decide either that there is no prosecution on the evidence or that it is too hot a political potato and for whatever reason it is not in the public interest to prosecute. In that scenario, having handed it over, is the role of the Electoral Commission now finished in this respect or might there be threads that you would or could still pick up in those circumstances?

Claire Bassett: There are some options open to us and there are some sanctions available to us if we are to go on to find some offences. I will let Bob explain about that. One of the reasons we have passed this on is the breadth of the potential criminal offences and our part in that is more limited. We had a discussion about when it was appropriate to hand this over before we did it. We feel that the breadth of it and the further investigations that are needed warrant the NCA doing that. It will be for the NCA to follow that up and for whatever action flows out of that to take place. The only real option for us is to go for a forfeiture order and there is nothing stopping that happening later.

Q4054 Paul Farrelly: Do you understand my question? There might be something still left in your remit if—

Claire Bassett: Yes, and there is nothing stopping us coming back to that if we felt that was appropriate at that time.

Bob Posner: We work closely with all other law enforcement agencies, including the NCA. We will work in support of them in their work now as that may assist them. If at the end of the process there is something that falls within our remit and it is appropriate for us to pursue that, we will pursue it.

Q4055 Paul Farrelly: My colleague Jo has just talked about Vote Leave. You fined them £61,000, BeLeave £20,000 and Veterans for Britain £250. In the scale of things, given the momentous decision that they were seeking to influence, that is chicken feed. You have called for greater fining powers similar to those of other bodies. What response have you had from the Government to that request?

Claire Bassett: We have not had a response to the request in our “Digital Campaigning” report, where we wrote that. We have made that request elsewhere in other post-electoral reports. The Government are open to considering it but at the moment not from the post-2017 election. They responded to our 2017 general election report this week or at the end of last week and in that—

Paul Farrelly: That is very nice of them!

Claire Bassett: —I do not think they are convinced that that is the appropriate route. We have not had an opportunity to discuss it with the Government. That part of the report is slightly confusing because it appears to be arguing that we should be referring more people to the police rather than fining them, which seems to conflate civil and criminal law. We need to understand that better and have discussions with officials about it, but we continue to feel very strongly that the £20,000 maximum fine is very low when we look at the sums of money that some campaigners are spending. We are continuing our work, talking to other people and looking at that, and we will be bringing forward some more formed views about what that final regime could look like if it were changed.

Q4056 Paul Farrelly: Should the Government be a bit quicker to respond to you than the case you have just mentioned since last year’s election?

Claire Bassett: Yes. It is important that these things are taken seriously. In times when there are so many challenges and so much in the public domain about these things, it is important that we challenge the law and, when we make recommendations for change, they are taken seriously.

Q4057 Paul Farrelly: Perhaps we might repeat the recommendation and ask the Government to respond to us.

Facebook came out with a new code of conduct that it is intending to roll out. We highlighted the activities of an anonymous organisation called the Mainstream Network a few weeks ago. I do not subscribe to its views but I have followed it since then and I have received ads. I have tried to use the Facebook reporting mechanism and have found that there is no political category there for me to report. I have to report it under “something else” and so it does not look to be terribly effective. What do you think of how Facebook has responded so far to concerns about targeted ads and use of data?

Claire Bassett: Many of these changes that Facebook has introduced are very recently and are only just getting tested. We are certainly interested in your experience of that. We do not have any powers outside of an electoral period, but it is still learning that we will be looking to use. We will also be looking to the experiences in the US and how the changes made there are working with the midterms. We are very keen to make sure that we are asking the right questions and providing the right challenge.

It is good that Facebook is at least talking to us and coming forward with some solutions, but we need all the social media companies to be engaged with this. We are probably reaching the point now where we need to set out a statutory minimum of what is expected of them.

Q4058 Paul Farrelly: When do you expect to set that out?

Claire Bassett: That is not really for us to do. It is something we have encouraged the Government to do in our “Digital Campaigning” report. We picked it up there. There is a range of things that need to happen. There is making it very clear that we need to improve our rules around clarity of reporting, for example, in the spending category, matched by the transparency of information and data on social media platforms, available in a way that we can interrogate and analyse, and then that we have the powers and the enforcement we need, for example, to get data from people to test that. That range of changes that we have been asking for is set out in the “Digital Campaigning” report.

Q4059 Paul Farrelly: During an election, in the long campaign before 2015 and in both short campaigns in 2015 and 2017, I can generally track what opposition parties have spent because we will get copies of leaflets and copies of direct mail. I can cost it as to what it would cost us to see whether their spending in their electoral returns matches what they have done in known activity. Clive has just mentioned a repository for political advertising. With the growth of online, you cannot do that matching and checking unless there is that repository because you will not necessarily see the ads yourself.

In the march for transparency, what gets totally muddied is if people do not fill out your electoral expense return forms line by line, declaring names and addresses, or even your new social media advertising category, but simply put in one sheet of paper lumping everything together in notional expenditure. I have flicked through your new codes on which you are consulting and I did not find anything to do with reforms of the use of notional expenditure.

Claire Bassett: There are two parts to this. First, the codes have to build on the existing law. We cannot use codes to bring in new things that we would like to see. We would dearly like to have written a code that addressed all those things and in the “Digital Campaigning” report we are calling for changes in the categories, invoice detail, how things are reported, the speed of it and that sort of thing. The codes that we are currently consulting on have to elucidate the current position. They cannot change it. That is why they are limited to what they are.

Q4060 Paul Farrelly: You provide helpful model forms that we all download for different elections. Some of us fill them out line by line; some do not. Some just stick a sheet of A4 on the back saying, “I spent £500 less than the permitted maximum”, strangely enough, “and it was all donated by a local political party organisation”. How does that aid transparency?

Claire Bassett: It does not. These are things we have been asking to change. There is a number of issues. You are talking about candidate spend and that is different to party spend. It is under a slightly different regime and is reported differently. We have recommended that that should change.

In the current campaigning world, it makes much more sense for party and candidate spend to be looked at together and for that to be made available and transparent in the same way because, as you all know, candidate spending is not always as easy to make public. Then we have all the other things about how that is reported as well that we would like to see changed. These are things that we have called for and we await the Government’s response to the “Digital Campaigning” report.

Q4061 Paul Farrelly: You are not totally divorced from candidate spending, are you? You can look into that.

Claire Bassett: We can look at it and we use the evidence to test our application of the rules around party spending, for example, and so we will cross-check that when spending appears in different places to make sure it collates. But we do not have the power over candidate spending in the same way we do over party spending.

Bob Posner: We have no investigatory role with candidates. That is for the police or the CPS. But one of our recommendations is to bring the two regimes together. We should regulate both.

Q4062 Simon Hart: On that point, Paul Farrelly’s example is quite commonplace. I would dispute whether it is a lack of power on your part. The way the forms are filled in by candidates when they make their post-electoral declarations simply ignores the existing rules but nothing is ever done about it.

Claire Bassett: All we could do in that case would be to ask the police to investigate. The police would then to investigate that and take action forward.

Bob Posner: To be clear, we have recommended that we should take that role from the police. We should do the very thing that you are talking about and regulate that area. There should be a civil sanctions regime that applies. If candidates or agents get their forms not quite right, perhaps there should be a fine. If it is a serious matter, then it is a criminal matter. It would be a much better regime to bring it all together.

Q4063 Simon Hart: At the moment, if a candidate submits a form and it is limited in the information given, if it is pretty sketchy and if you are looking at it and cannot read anything into the declaration at all, it is a police matter rather than a Commission matter?

Bob Posner: Yes.

Q4064 Clive Efford: Can I clarify an answer you gave earlier about Rock Holdings? Over the weekend Mr Banks said that the money originated with Rock Holdings and then was passed on via Rock Services. He accused you of not asking for those bank statements. Is it your understanding now that if you ask for those bank statements they would be handed over?

Claire Bassett: That would be a matter for the NCA.

Q4065 Clive Efford: It has now been passed on completely to the NCA and your investigation is on hold?

Claire Bassett: Yes.

Q4066 Clive Efford: If he were to supply those bank statements and it turned out that that was the source of the money and so it had been a company based in the Isle of Man, what happens criminally? You may not be able to comment on that, but what would happen in your jurisdiction?

Louise Edwards: I cannot comment on that case but, hypothetically speaking, a company that is incorporated in the Isle of Man is called an impermissible or non-qualifying company under electoral law. There is a number of offences associated with referendum campaigners and particularly the responsible person for that campaigner who enters into, fails to extract themselves from, facilitates, and so on, transactions to which a non-qualifying party is a party.

Q4067 Clive Efford: What is the maximum sanction that that would incur?

Bob Posner: There are different offences. It may be one or two years in prison, fines and those sorts of levels. The courts deal with them.

Claire Bassett: There can be a forfeiture. We can seek a forfeiture order of the amount of money that was impermissibly donated.

Q4068 Brendan O’Hara: You said earlier that after an investigation you had a reasonable suspicion that Arron Banks was not the true source of the £8 million and you it referred to the NCA. Then you told Mr Lucas that you could not discuss your investigation into that issue.

Can I ask you about another source of money that appeared in the EU referendum campaign, the Constitutional Research Council? That is an unincorporated organisation based in Scotland that gave £435,000 to the DUP. The DUP has admitted that it spent £425,000 of that on the referendum campaign.

Did you investigate why an unincorporated body in Scotland gave the DUP almost £500,000 that was then spent on the referendum campaign, particularly on advertising in a newspaper in London?

Claire Bassett: Can I start this answer by explaining some of the context in which we come to this? It is context that we do not really want to be in, and it is deeply regrettable. But on the issues about the lack of transparency and donations in Northern Ireland, we are restricted by law on what we can say about any donations made before 2017. We can probably answer some of that but I am going to ask Louise to do it. I want to make it clear that we are as frustrated as everyone else by the parliamentary decision not to take this back to 2014, which was an option and would have allowed us to be much more open and transparent about this.

Louise Edwards: What I can say is that the Democratic Unionist Party as a registered party in Northern Ireland needed to continue to supply quarterly donation reports to us throughout the referendum period, which it did. We are under a duty to verify the contents of donation reports for Northern Ireland parties and that is a duty we take very seriously and we do it.

If we discover that a donation in one of those reports is in fact impermissible, the restrictions that Claire mentions are lifted and we can talk about that donation. We cannot talk about donations to the DUP from that period because, having verified those reports, the donors on them were permissible.

Q4069 Brendan O’Hara: I am going to plough on with this. I understand that I will be frustrated by your answers, but I want to plough on anyway.

Did you, as the Electoral Commission, do everything you could to check that the money from the Constitutional Research Council that went to the DUP was not of foreign origin and that it was permissible in UK law?

Claire Bassett: Yes, we were satisfied that the donors were permissible.

Q4070 Brendan O’Hara: Have you been told or given an explanation as to where the money came from?

Louise Edwards: I am afraid we are not able to discuss it any further.

Q4071 Brendan O’Hara: Were you given an explanation of where the money came from? Even if you cannot share where the money came from with me, can you tell me whether you were given an explanation as to where it came from?

Claire Bassett: We have an overall requirement to look at the returns and to satisfy ourselves that those returns are accurate and we are satisfied that the donors were permissible.

Q4072 Brendan O’Hara: Who gave you that information?

Louise Edwards: A range of sources was used to verify that information.

Q4073 Brendan O’Hara: When did you receive that explanation?

Louise Edwards: I am afraid we are reaching the point again where I am not able to answer that question.

Q4074 Brendan O’Hara: Did you accept at face value the explanation you were given?

Claire Bassett: To go back to the big picture, we have a requirement to challenge and look at those returns. It is not to just accept returns at face value. We do not do that. As I said, we are satisfied in this case that we have done our duty correctly and that they are permissible donors.

Q4075 Brendan O’Hara: Was the person who made this donation known to you?

Claire Bassett: We cannot answer that.

Q4076 Brendan O’Hara: Somebody is permitted by UK law only in Northern Ireland to give money to a political campaign and to have it remain secret from you and from—

Claire Bassett: No, it is not secret from us.

Q4077 Brendan O’Hara: Sorry, secret from Parliament and the country.

Claire Bassett: Yes. That was a decision taken by Parliament and there was an opportunity this year when the rules changing it from 2017 onwards were made to take that back to 2014, which was not taken. This is an explicit decision by Parliament to do exactly what you just said. It is as frustrating to us as it is to you.

Q4078 Brendan O’Hara: Who would be able to tell us exactly the source of the money that went from the Constitutional Research Council to the DUP?

Claire Bassett: Under law we cannot, as we have just explained. I guess that leaves the people who might be involved making a decision to put it into the public domain.

Q4079 Brendan O’Hara: The only people who can inform Parliament and MPs and the public of the source of this £435,000 would be the Constitutional Research Council?

Claire Bassett: Unless Parliament decided to enact the rule that could take it back to 2014 and then we could.

Bob Posner: Or potentially the courts.

Paul Farrelly: Or the DUP because it would have had to satisfy itself that it was permissible.

Q4080 Brendan O’Hara: The BBC’s Northern Ireland “Spotlight” team did a documentary on this issue, as you know, and revealed the relationship between the Constitutional Research Council, the DUP and Vote Leave. Are you still satisfied that there was no common plan between the Constitutional Research Council, the DUP and Vote Leave?

Louise Edwards: I am not able to comment on the Constitutional Research Council, I am afraid, but after that programme we looked at whether there was evidence of a common plan between Vote Leave and the DUP. We asked the BBC for the evidence underlying its programme and we looked at what we had evidence for or against that as well. We took the view that there was insufficient evidence to conduct an investigation into that.

Q4081 Brendan O’Hara: You do not think there was any common plan between the Constitutional Research Council giving the DUP £435,000 and then the Constitutional Research Council booking an advert for £280,000 in Metro on behalf of Vote Leave? You think there was no common plan there or nothing that warrants an investigation?

Louise Edwards: There is not a way for me to answer that question that does not put me in breach of the law, I am afraid.

Q4082 Brendan O’Hara: This is almost an intolerable situation. We are trying to get to the truth and we are obstructed. I am most certainly not blaming you personally, but this is an intolerable situation when we are trying to get to the truth of something.

Claire Bassett: We have raised this repeatedly and we do at every opportunity. We have pressed the Government to make the changes.

Q4083 Brendan O’Hara: Have you investigated the Constitutional Research Council at all outwith this passing on of money?

Louise Edwards: I am afraid, frustratingly, I have to give the same answer, which is that I cannot answer that question without breaking the law.

Q4084 Chair: Without wishing to continually ask you more questions you cannot answer, in terms of our understanding of permissibility of donations, is that a question of the normal rules on permissibility and whether it is a UK-registered individual or organisation?

Claire Bassett: Yes, the rules are the same.

Q4085 Chair: In terms of the campaign co-ordination, does it raise a flag if, say, an individual or organisation that had given money to Vote Leave also gave money to the DUP as part of the same side of the referendum? Does that raise any questions on permissibility or not?

Louise Edwards: It would not raise questions on permissibility. Whether that raised any flags would probably depend on the facts. Should that happen, we would need to look at the rest of the intelligence that we held and the rest of the information that we held to establish whether it was something that needed looking at further. But it would very much be on the facts of that case.

Q4086 Chair: If you were looking at whether there was co-ordination, in this case between the DUP and Vote Leave, and a common campaign, you could consider whether they had had common donors as part of evidence gathering on that? Even if the donation was permissible, you could still consider that as evidence?

Claire Bassett: Yes.

Q4087 Chair: I have a few final questions and then we are finished for this panel. I want to look at some of the recommendations the Committee has made on advertising.

Do you think there needs to be more of a role for the Electoral Commission to determine on advertising outside of the regulated period? The case of Mainstream Network is a good example. It is not a registered political party; it is clearly advertising for a political purpose; it is lobbying Members of Parliament to do something in response to the advertising; but it seems to sit in a completely unregulated space at the moment. We need to acknowledge that technology is changing the nature of political communications and the regulation needs to keep pace.

Claire Bassett: I am very sympathetic to the challenge and what you are experiencing. It would be a significant change because it would take us from an electoral regulator to a political regulator in a much broader sense. The requirement on us as an organisation would be very big.

We perhaps need to come back to what we want to achieve in freedom of speech and protecting individuals and the balances there. Some of this goes to broader issues of internet regulation and internet harm. The attack is on you because it is of a political nature, but there are similar attacks on other people that are not political that are the same thing. It is important not to have scope creep of the Electoral Commission into areas that are about broader internet regulation and internet harm, which other regulators or other potential organisations would be better placed to do.

Q4088 Chair: The distinction between freedom of speech and political advertising is that freedom of speech might be organic when people are expressing an opinion. That is different from someone wanting to create an audience for their political opinion by spending money against it as a form of advertising. Probably historically most political advertising took place during election periods, but now it makes it easier for it to take place throughout the year.

Do you think there should be common standards that apply to the transparency around who political advertisers are that exist throughout the year and not just during the regulated period?

Claire Bassett: We would be really interested in being part of the discussion that looks at that. I am being a little cautious because there are some real challenges of definition, as I mentioned earlier, within that and there are some real challenges about how to do it. That does not mean we should not try and we should not be thinking about it. We would be very keen to be part of any discussion that does that, but we would need to think it through. Any code like that also would have to be statutory because, if it is voluntary, the very people whom you want to catch probably would not engage.

Q4089 Chair: Yes, but you would support a new transparency code for political advertising during the regulated period?

Claire Bassett: Absolutely, yes.

Q4090 Chair: Just as there has to be transparency about who is paying to put leaflets through your door, there should be about who is targeting you through the internet?

Claire Bassett: Yes, and imprints would be right at the top of my list on that.

Q4091 Chair: There would be broader questions about whether a system of imprints should apply to any paid-for political communication outside the regulated period as well.

Claire Bassett: Again, imprints is an important thing and we need it quickly but imprints is not a panacea. Why would we want imprints on digital campaigns or digital information? We want it so that the person who is receiving it knows where it has come from, who has paid for it and who has done it. It might be that there are broader ways of achieving that outside the regulated period or electoral periods in a way that works in a much bigger space than just political campaigns.

Q4092 Chair: One of the things we recommended in our report was that during the regulated period you need to be a registered campaign to advertise politically. Spending on ads on Facebook and other platforms should be restricted to campaigns that have registered with the Electoral Commission.

Claire Bassett: There is a challenge with that. At the moment, there is a threshold above which you need to be registered, but if you spend below £10,000 you do not need to be. That threshold was set by the courts when they looked at the balance of freedom of expression and the regulatory burden that is created. That is something that we would need to be thinking about. We need to be careful about unintended consequences for people who are bringing a valuable contribution and expert input to particular topics in the debate. We should not be supressing the legitimate value that is added to the political debate.

It was interesting when we did some research with voters about their opinions on some of this. They were not saying they did not want campaigning. They were not saying they did not want the messaging. Some of them were finding it useful to have information about things they cared about. They wanted that transparency and that side of it. We need to make sure we balance that and we do not suppress the debate too far to achieve the complete regulation.

Q4093 Chair: There is a difference between debate and someone paying to target people through advertising. If I spent £9,000 in an individual parliamentary constituency targeting ads during an election campaign on Facebook, it would be a pretty significant spend.

Claire Bassett: You will find that if you regulate very tightly on paid-for advertising, the activity you are trying to stop will appear somewhere else in a different form through unpaid-for advertising created by rooms full of people and things like that. It has to be thought through very carefully.

Q4094 Rebecca Pow: On these points and the fact that outside an election period there are very few regulations on political advertising, broadcast—which is my world—and print have stringent demarcations but we do not seem to have that online. Should we have a much more stringent system?

Claire Bassett: There are some real challenges about online harm and these issues are much broader. They come to a head around political advertising, but that needs to be seen in the context of the broader review that is going on at the moment. We would welcome contributing our views and experience to that but I am reluctant to be setting the tone on it because there are such broader issues.

Q4095 Paul Farrelly: I wanted to go back to—I am paraphrasing you—the lack of urgency that the Government is showing in responding to your well-considered recommendations. If this Parliament lasts until 2022, the long campaign is not that far away and time will move very quickly. If the long campaign is anything like the last time, I am dreading the floods of direct mail that will come from the Conservative Party. I will have to like the Conservative Party to see its Facebook or tell a naive canvasser that I am voting Conservative.

With a fixed-term Parliament, the one effect of it was that when you were outgunned in resources, the Conservative Party could plan when it wanted to spend its money before the short campaign. Of course, we might have a general election at any time. On the Government’s lack of urgency, are they behaving akin to someone asleep at the wheel or a driver fundamentally not interested in improving how they drive a car?

Claire Bassett: We really welcome the consultation that has just concluded about protecting the debate. That particularly looked at imprints and is real progress. We have been calling for that since 2003 and so we are really pleased to see that coming forward on to the agenda there.

There are other important areas, and I can run through those for you, particularly around some of the changes we would like to see in how spending is reported, the speed with which that is reported, the categories involved. Some of the donations ones are particularly relevant about clarity on who can make a permissible donation and looking at things like shell corporations and the money-laundering rules. We have set that out. We welcome having that debate. It is difficult for the Government because there is a real lack of legislative space to do things.

Q4096 Paul Farrelly: Could we help them reform it?

Claire Bassett: One of the problems is that so much of electoral law is in primary legislation. The Government are making changes where they can through secondary legislation, but the opportunities for that are limited. We have a good piece of work done by the Law Commission looking at electoral administration. That has now been sitting there for nearly three years. We would like to see a more systemic look at campaign regulation as well and an opportunity for much bigger reform. That is highly unlikely in the current legislative timetable.

Q4097 Paul Farrelly: Arguably, there is no legislative timetable whatsoever apart from Brexit and so there is plenty of opportunity for the Government to respond positively and create a cross-party consensus and for those in the Opposition who want change to vote wholeheartedly for sensible plans following your suggestions.

Claire Bassett: I am delighted to hear that.

Q4098 Chair: Finally from me, in the evidence session we had last week with Ofcom, we talked a bit about broadcast regulation and the fact that we have a system of regulation that is licence based and clear for traditional television broadcasters. Then we have internet television broadcasters, which are largely very lightly regulated or not regulated at all. Sharon White’s view was that we should create a common space and a level playing field of regulation. Many of our rules on political advertising during elections are based on the media formats, which are converging. Restrictions on advertising on television and radio sit alongside voters who consume media through YouTube and podcasts. Increasingly, they will do so through the same devices so that the distinction between your favourite YouTube channel and the TV channel you watch does not exist.

Do you think we are going to have the same debate about electoral communications and that the distinctions that were drawn in the past restricting advertising from TV and radio do not work in a world where people get TV and radio through unregulated platforms?

Claire Bassett: Yes, absolutely. To a certain extent, the genie is out of the bottle to put limits on that side of it. It also brings up the challenge of financial regulation in an environment where things are getting increasingly cheaper to do in that way. There is a debate that we need to have. The approach we have encouraged is that we do not start looking at each one of these things in isolation and just treat whatever is most popular. Instead, we try to think about how we bring in regulation that fits right across the board and will be fit for the future in ensuring transparency and ensuring that people who look at that film on YouTube or wherever it is know who has paid for it and where it has come from—that is why imprints are important—and also that they can look at the libraries and see what other messages these people are putting forward, how cohesive that is and what is being targeted at them. That is going to be important alongside some of the other recommendations you have made.

Q4099 Chair: Do you think we are guilty of being asleep at the wheel on this issue and that we should have acted years ago to deal with some of the problems we are desperately trying to catch up with?

Claire Bassett: It is difficult because things have changed very quickly. If I look at the three years I have been at the Commission, what we are dealing with and the nature of what we are investigating has changed significantly.

It is testament to the rules we have that they have largely caught up with that and we have been able to do the investigations, find the offences and fine people in the ways we have done. It is important though that we keep that moving and we keep up with that. “Sleeping at the wheel” is too strong, but it is important that we recognise that it is changing, the nature of politics and campaigning is changing. We need to make sure that we are all aware of that and keeping up with it.

Q4100 Chair: It was striking when you said that the Electoral Commission recommended imprints for online advertising in 2003 before Facebook launched. Paul Farrelly highlighted earlier that there are still issues relating to the referendum that will be going to court three years after the referendum happened. That is interesting, but is almost historical by that point.

Claire Bassett: A lot of the changes we would like to see in the regime could help with that. If we have more real-time reporting or at least not six-month delays between the end of the event and the major campaigners’ reports being put in, there is a lot more opportunity to do that. As we make changes to the way social media providers and platforms are regulated, we need to make sure that regulators are keeping up with that as well to make the most of the opportunity that that provides.

Chair: Thank you very much. That concludes the questions this afternoon. Thank you.

Examination of Witness

Witness: Guy Parker, Chief Executive, Advertising Standards Authority.

Q4101 Chair: Guy Parker, thank you for joining us for this final panel and evidence session today. I would like to start with Rebecca Pow.

Rebecca Pow: Thank you very much. I am not sure if you have had a long wait. I want to launch straight in and talk about the regulations for advertising and the fact that adverts are pretty much self-regulated or co-regulated and there is not anything like as strict a system for advertising online as there is for the broadcast and the written industries. Do you think it is time for a change?

Guy Parker: There is a difference between the behind-the-scenes legislation that applies to broadcasting and everything else. Broadcasting is more tightly regulated through the Communications Act. For example, political advertising is to all intents and purposes banned on broadcasting channels and radio stations as a result of that piece of legislation. Elsewhere, the general law of the land applies, but quite a lot of that relates to advertising.

We regulate advertising in all media, including online, and I do not just mean paid-for advertising online, for example, on the platforms we have been talking about, Google and Facebook in particular; I also mean what we call online advertiser-owned advertising, which is when companies and organisations are making their own advertising claims on their own websites and social media spaces, including YouTube and Facebook, but YouTube and Facebook would draw a distinction between advertising that is generated on those companies’ pages and the paid-for stuff that they are making money from.

The standards we apply through our advertising codes are, almost without exception, the same for broadcast advertising and for non-broadcast advertising including online. That is in no small measure because the underlying law is the same for the two. Around 75% of the work we do is to stop ads from being misleading and to encourage companies to produce not-misleading ads in the first place. The rules that we have in our advertising codes very closely reflect the European law that is implemented into UK law that says that ads must not mislead. While there are differences behind the scenes with the regulatory ecosystems and broadcasters are subject to statutory regulatory oversight through Ofcom, not just for their advertising but also for their programme content and public service broadcasting requirements and so on, the standards between the two are very similar.

Q4102 Rebecca Pow: Probably the broadcast and print media will take issue with you over that. You can lose your licence as a broadcaster for contravening the advertising rules and regulations. I gather that the code you mentioned does not apply to political advertisements.

Guy Parker: That is right. We do not cover political advertising, which we define as advertising whenever it appears—it does not have to appear in an election period—whose principal purpose is to influence voters in an election or referendum. We do not cover political advertising because our system of regulation relies on a substantial proportion of the people we are regulating buying into our regulation. The political parties and big campaign groups have never agreed to comply with our advertising codes.

Q4103 Rebecca Pow: This is where one can potentially get into deep water. How does one know that it is a politically-targeted advert? We have been talking about all the data harvesting and the personal data that is gathered to surreptitiously and subliminally influence people, who might not even know they are being influenced, and those would all be posted on as adverts. How on earth are you dealing with what I would see now as a minefield in the advertising world?

Guy Parker: We look at the content of the piece of communication concerned and make a judgment about whether we think its principal function is to influence voters in an election or a referendum. If we think the answer to that question is yes, we would rule that that is a political advertisement and at the moment is outside our jurisdiction. I talked about it being important that we have sufficient buy-in before we try to regulate. We have never had sufficient buy-in from political parties and campaign groups to regulate political advertising.

There are other factors that pertain to the regulation of political advertising. Everyone thinks political advertising should be regulated, by the way. The difficulty is by who and how. Another thing we would need to do, or anybody who took this on would need to do, is to make sure they had sufficient funding for their regulation so that they could fast track their investigations into political ads that might be a problem under the advertising code. Otherwise, we would end up in a situation where whoever was doing the regulating was publishing rulings after the election or the referendum had happened. That sort of fast-track process is quite expensive, so you need to have mechanisms in place to make sure that whoever is policing a code of practice that relates to political advertising has sufficient funds to be able to do that.

It has been touched on already this morning that there are things one needs to think about around free speech, because free speech is protected. There are limitations, of course, on that protection. Political free speech is more strongly protected and if a regulator was regulating the political parties and campaigning groups whenever those ads were appearing to make sure they complied with a code of practice that had been agreed by the said political parties and campaign groups, it would need to make sure it was very carefully drawing the line between legal and permissible strong expressions of political opinion—and there are lots of those—and straightforward misrepresentations of fact. They are rarer. We can all probably think of one or two examples from recent elections but they are rarer and it is very often the case that one person’s straightforward misrepresentation of fact is another person’s, “No, that is not how I read it at all. I just think it is a strong expression of opinion”.

None of these problems is insoluble and we have been very consistent in saying that we believe we have a lot of experience and expertise we can add to this discussion. If the political parties and campaign groups are serious about writing a code and following it, we would want to help and lend our experience and expertise because we think we could help whoever was taking this on to draw up fast-track procedures. We think we could help them put in place processes that would help decide between straightforward misrepresentations of fact and strong expressions of opinion and so on. We think we have a lot to offer but we cannot take this on ourselves when these important preconditions are a very long way from being met.

Q4104 Rebecca Pow: A great deal of advertising is self-regulated. You have suggested that there is absolutely no problem with the advertising system, no problem with all the check-ups and checks and balances that you carry out and they are the same as the broadcast and print media. But we know for a fact that is not the case.

Guy Parker: I was talking about the standards and rules that we apply. The reason why we have licence to operate—I do not mean “licence” as a technical term—is that the vast majority of commercial businesses involved in producing, placing and hosting advertisements in the UK support the ASA system and are prepared to fund the ASA system, not that there are not some issues with the long-term sustainability of our funding because of the digital revolution and its consequences.

Q4105 Rebecca Pow: That is taking up more and more of your time.

Guy Parker: Yes. It is worth mentioning that we are a very different regulator now from the one we were as recently as February 2011. About half of our regulation now is of online advertiser-owned advertising. It is not appearing in paid-for space. It is effectively self-published, most of it on companies’ own websites. That is about half our regulation now. Last year we removed around 7,100 ads or ad campaigns and we are on over 8,000 in quarter 3 this year. We will beat last year’s record year. About 88% of those relate to online advertising, either paid for or on companies’ own websites.

We have rapidly transformed in the last five years. Last week we published a strategy that focuses absolutely on getting even better at regulating online, because there are still big challenges we have to crack. That is where we are focusing our attentions. Does that mean you are not right to say there are not legal differences between the ways these things are regulated? You are right, there are—absolutely demonstrably there are.

Q4106 Paul Farrelly: I am old tech and I wanted to fully understand the extent of your remit in the online space. Let me take an imaginary example. When I look at my Facebook feed, an advert appears from, let’s say, snoringisboring.com or something similar. I have been hammered by these adverts. I do not know where they had the information that I snored. It is plugging a device that, with a little bit of research, simply does not exist and has a track record from the manufacturers of taking money from people, so it is quite easily demonstrated to be a fraud.

I complain to Facebook and I press the three dots and I get, “Thank you for the feedback. You did the right thing. We looked at the ad you report and even though it does not go against our ad policies and it is not a fraud, we understand you might not want to see it again”. But of course in removing one, there are lots of accounts all plugging the same sort of thing. What do I do? I am not satisfied with Facebook. What do I do about that ad?

Guy Parker: You can complain to us. It is very easy to complain to us on our website. We will look at whether or not it is a UK ad. If it has been served to you, it is very likely to be. I presume this is a paid-for ad that has appeared in your Facebook feed.

Q4107 Paul Farrelly: It has to be a UK ad?

Guy Parker: Yes. We are a UK regulator so it needs to be a UK ad. We all know the global nature of the internet presents jurisdictional difficulties about who should deal with what. Any of us can follow Kim Kardashian and her Twitter account and sometimes she will do paid-for ads on that. As far as we are concerned, that is something for the Federal Trade Commission and the American regulators to deal with, not us, despite the fact that a small proportion of Kim Kardashian’s however many millions of followers are based in the UK. Of course there are jurisdictional issues.

Q4108 Paul Farrelly: How do you define a UK ad?

Guy Parker: It is an ad that is targeted at UK consumers. There is a number of different ways we will define that. We also have to take into account the country of origin of the company that has delivered the ad, for example with direct mailings. It may entail us working with our equivalent in that country if we have a cross-border complaints arrangement with them. If we do not, we will try to take what action we can.

For the vast majority of the issues we are dealing with, half of our regulation now is online advertiser-owned. More than half is online advertising. These jurisdiction issues are few and far between. Normally these are straightforward UK ads or they are not. The question then is what can we do to sort out any problems with that ad. There are many thousands of occasions every year where we are tackling problems with online advertising that we are regulating. It is a huge part of what we do. When it comes to online advertising, about 90% is to do with misleadingness like the example you just cited.

If it is a scam, then we may not be the right people to deal with it. It might be a question of us referring it to someone who can better tackle fraud and there are obviously agencies in the UK that do that. But very often we will be tackling exactly those sorts of issues.

Q4109 Paul Farrelly: I am a UK consumer seeing this on a device in the UK so under your guidance that counts as a UK ad.

Guy Parker: It is not quite as simple as that, but let us assume it is a UK ad for the purposes of this example.

Q4110 Paul Farrelly: This is a fraudulent company with lots of accounts doing the same thing on Facebook. If you went to the police they would say, “We have far better things to do. We cannot track down companies like this”. We have all this sort of stuff and scams in constituency surgeries. What can you do as the Advertising Standards Authority that clearly I cannot in reporting this to get Facebook not to run them?

Guy Parker: If it is a rogue trader engaged in a scam, we may not be the best organisation to deal with it because we are dealing with mainly responsible businesses whose advertising sometimes needs regulating because they are not doing the right thing.

To give you an example, we have played a role in regulating copycat websites that seek to present to the public as websites where you can get your passport renewed or something like that. They look and feel like the official Government websites and they used to buy paid search advertising to drive eyeballs, to drive people to those websites. You would put your details in and pay the fee thinking that was the fee to renew your passport but it was an inflated fee and little did you realise this was not the official site. They have been a scourge and there has been a lot of activity and action to tackle those. We have had a role in that ruling that some of these websites break the standards in our code and that has contributed to Trading Standards taking action and imprisoning some people and fining them a large amount of money. That is an example of how scam practice can be tackled.

It is not always easy and the internet makes it more difficult to tackle it but the vast majority of the action we take is not to do with that. It is to do with the bread and butter of advertising claims that people have asked us about.

Q4111 Paul Farrelly: A great effort, but your answer does not match the question I am asking. Had you said then with that example that, “As a result of our efforts, Google does not rank it high up their pages anymore”, that would be an answer.

Guy Parker: Google now does not accept advertising for copycat websites. The problem is it is constantly a game of cat and mouse.

Q4112 Paul Farrelly: I understand that. What interaction would you have with Facebook in circumstances like that where it is accepting misleading or fraudulent ads and there is nothing anybody else can do about it but hope you as a regulator and Facebook as a major platform for advertising will do something about it? What can you do?

Guy Parker: Facebook and Google and other large online platforms that are making money out of these ads absolutely should be doing something about that and we will work with them and tell them to take ads down. One of the key parts of our new strategy is focused on improving the systems and processes we have between us and the large online platforms to make that more automatic.

We want to avoid a situation where we are ruling against a claim in an ad like that you have just talked about and a consequence of that is Facebook stops that ad but a substantially similar claim pops up immediately elsewhere. We need to make sure the learning from our rulings is applied automatically across these large online platforms to prevent that from happening and ideally to prevent those sorts of ads being published in the first place. That is going to be a big focus of our new strategy.

Q4113 Paul Farrelly: That is the new strategy. I take it from that that your experience so far has not been terribly encouraging in asking them to take stuff down.

Guy Parker: They do take stuff down when we tell them. The point is if the same or substantially similar thing crops up somewhere else that is obviously not satisfactory because you end up playing a game of “whack ‘em off”. The point is how can we work more closely with the online platforms to make sure the systems and processes are in place to make this regulation more automatic?

Q4114 Paul Farrelly: It needs a lot of improvement.

Guy Parker: It definitely needs improvement, yes. That is a clear focus of our strategy.

Q4115 Paul Farrelly: One thing about advertisements in this digital space, as I have found to my cost, is if you open a newspaper and come across a classified ad there and you respond to it and it turns out to be a scam, you might just think to yourself, “What an idiot”. You report it to the newspaper and it will not run ads like that. These are one-off occurrences, but with online advertising it chases you around. It is relentless. Is there a case for platforms that do not behave in the way that you would like them to behave to incur some liability in law as an incentive to improve their act?

Guy Parker: That might well be necessary and the Government and Parliament may decide that is necessary as part of the work they are doing at the moment into online harms more broadly, touching on advertising harms too.

I go back to my answer to the previous question. We are doing a huge amount of work regulating online advertising on behalf of the UK public. We believe we are doing a lot of good. Does that mean we have cracked every problem? No, of course it does not and there are challenges. We set out last week in our new strategy how we will go about getting better at regulating online advertising. The strategy is called “More Impact Online”. It is all about online advertising.

We expect to be held to account for how successful we are at delivering that strategy. We hope we will get support for the direction of travel we are engaging upon and we do need a step change in commitment from everyone involved in producing and running online ads to deliver this strategy. A lot of it is out of our hands and if we cannot be compelling and persuasive in telling the large online platforms we need to get better.

If we cannot be compelling and persuasive at explaining to online-only businesses who are busy disrupting their markets that they too need to take more responsibility for the advertising they are running, sometimes on their own websites, and they need to contribute to the ASA system with funding, if we cannot make sure the many thousands of micro and MSE businesses that are now advertising online and for whom it is a great boon that they too are not making sure their ads are responsible and they too are not contributing in a fair and meaningful way to the finding of the ASA system, we will find it difficult to deliver our strategy.

Q4116 Paul Farrelly: I am fully with you, so I am not being hostile. I have one final question. After the referendum, let’s say I complained to you about the Vote Leave Turkey advertisements, I would know that the response was going to be, “We do not regulate political advertising. That is for politicians”. Let’s take an organisation and call it the Lame Stream Network that decides to target ads at people who do not like Europe or it thinks it does not like. Then I make a complaint about the Lame Stream Network and these were political ads so were not covered by you, but I point out these Lame Stream ads were advertising the wares of a Lame Stream Network that is a media company, therefore it is advertising itself. If I made a complaint to you that these are hybrid ads, how would you deal with it?

Guy Parker: We would apply the test I talked about earlier. Do we think the principal function of the ad is to influence voters in an election or referendum? That election or referendum does not have to have been called yet. We would apply that test and we would base our decision on whether it was inside or outside the advertising code on the answer to that question: what is the principal function of the ad?

Q4117 Paul Farrelly: Or influencing policy.

Guy Parker: Yes, but influencing policy to influence voters.

Q4118 Chair: I have a couple of questions and then one or two colleagues want to come in as well. We need to conclude at 1.30 pm. Martin Lewis, Money Saving Expert, has made repeated complaints about advertising using his image, fraudulent advertising because he does not allow any advertising. He does not advertise himself and does not allow any advertising of his own image. The ASA has ruled against these adverts but nevertheless Facebook keep on accepting them and running them. There seems to be an issue here where you cannot stop Facebook accepting new ads with Martin Lewis’s image.

Guy Parker: On the ads that reappear in different ads, Facebook stops the ones we rule on. But this is a perfect example of what I was talking about earlier where we need to get better at the systems and processes we build with large online platforms like Facebook to stop these ads from reappearing because we do not want to keep playing “Whack a Mole”.

Q4119 Chair: Is this not a fundamental problem: that Facebook does not accept any real responsibility for preclearance of any ad it accepts? That is why it accepted ads from the Russians to target American voters even though the act of placing the adverts was a federal offence. Here it knows full well that Martin Lewis does not advertise and does not allow his image to be used on anyone else’s adverts. It could easily detect new adverts being posted but because no one has complained about that yet it can still take the money and keep on doing it. It exists outside the norms of the advertising code that affect other media outlets.

Guy Parker: I do not quite see it like that. Google and Facebook sign up to the ASA system. In their ads policies they say advertisers have to comply with the code. There is a genuine question over the extent they just pass on that responsibility to advertisers, to people who spot the advertisers. Hence, going back to my previous answer, we need to build systems and processes to make sure they are spreading the learning from these rulings and applying them to the same or substantially equivalent advertising appearing elsewhere and stopping it.

Q4120 Chair: At the moment have they shown absolutely no desire to take on that responsibility?

Guy Parker: No, I do not think that is true.

Q4121 Chair: But they are not doing it.

Guy Parker: We are talking to them at the moment about how we can build these systems and processes and we expect to continue to do so. I do not know how successful we will be but we would expect to be held to account for whether or not we are successful in making further improvements to how we stop these ads appearing.

On your point that this stuff gets published without being pre-vetted, that is the case almost everywhere. It is not the case with linear broadcaster advertising because the Communications Act places stricter requirements and obligations on broadcasters to make sure the ads they air comply with the rules. Everywhere else, not just online, in all other non-broadcast media a lot of advertising is being published and is appearing without being checked or vetted by media owners and that is just the way the world has gone in the last 20 years.

Q4122 Chair: If you are a newspaper editor, you are liable for all the ads as well as all the copy.

Guy Parker: You have exactly the same responsibility as the ad platforms in that respect.

Q4123 Chair: But Mark Zuckerberg is not being held liable for his company taking fraudulent ads featuring Martin Lewis and Money Saving Expert.

Guy Parker: I think he is and he will be by us. He is being held liable by you now.

Q4124 Chair: He keeps refusing to come, but he sits outside the rules because the way it sits at the moment Facebook has no legal obligation to pre-vet even though those ads should not be running. They take them down if there is a complaint but until someone complains they keep on running and accepting them. You might say we have to design systems here. I would say, given that he controls one of the biggest advertising markets in the world, there is a limit to what the British Advertising Standards Association can do to rein in Facebook unless there is some requirement that it changes. It could easily put in place the technology to identify these adverts and stop them running in the first place but it does not have to.

I think the other issue with Google—it is not just about Facebook—is running ads from Viagogo agents. There are Viagogo ticket touts selling tickets for shows like “Hamilton” that if you go on Google search will come up right at the very top. These tickets are effectively fraudulent. They do not exist. They could never be redeemed by someone who pays for them. The adverts are against the consumer protection law in this country, they are against Google’s own terms of service, and yet it still keeps on running them. It still keeps on taking the money.

Guy Parker: Some of these are questions for Google. If there is a problem with the paid search ad we will look into it. We have banned paid search ads for Viagogo that have appeared on Google for making misleading claims like claiming it is the official seller of the tickets when it is not. It is a secondary ticket seller.

Chair: Some of these adverts that are allowed to run now do not meet the consumer protection law in this country. They do not tell the buyer the ticket number, the seat number or the block number, as legally they should do, and they do not contain other important information that the venue has said there is a no resale policy being enforced for these tickets. Nevertheless, the adverts still run and Google is still getting paid for accepting them.

This seems to be another big breach and we are talking about Google and Facebook combined are bigger than broadcast advertising in the world, in the advertising market. These two big companies seem to operate to very different rules to everyone else and the enforcement against them seems not clear in my mind.

Q4125 Simon Hart: Clearly, at election time the rules are different. There are situations where candidates may make very misleading claims on Facebook, in particular about their own record, the Government’s record or the Opposition’s record, that are absolutely untrue. They can do that free of charge. They can obviously do it by paid advertising too. Do you distinguish between those two opportunities for candidates and, if you don’t, who does?

Guy Parker: No, we do not. Whether it is paid or not, if it is advertising that is intended to influence voters it is outside our remit.

Q4126 Simon Hart: On the definition of advertising, if I put something that is reasonably chatty on my Facebook page but it is nonetheless a very strong political message around election time, I have not paid for it but I have made misleading claims in some people’s eyes, you will deal with that complaint?

Guy Parker: We would if you were a commercial company.

Q4127 Simon Hart: I am a candidate in an election.

Guy Parker: We do not deal with political advertising at all, whether it is that sort of advertising or whether it is clear paid-for advertising.

Q4128 Simon Hart: My point is who does? It is a huge unregulated space.

Guy Parker: Yes, it is unregulated and everyone agrees it is not satisfactory that it is unregulated, but the regulation has to start from there being sufficient intent and buy-in among those doing this advertising, the political parties and the campaigning groups, to be regulated.

Q4129 Jo Stevens: Elizabeth Denham said this morning, “The time for tech companies to self-regulate is over”. We have heard about gross data breaches, breaches around political campaigning and advertising today. Facebook, for example, structures its business so that it avoids paying UK tax and we hear all the time that the regulators—you included—are stretched to deal with all the complaints that arise from its conduct. Is it not time for a substantial levy on tech companies to be introduced so that the UK taxpayer does not have to fund the ASA, the Electoral Commission and the ICO to deal with the mess these companies have created?

Guy Parker: I can only talk with any particular expertise about the area we regulate, which is online advertising. The funding of the ASA system has always relied on a 0.1% levy paid for by companies who are buying advertising.

Q4130 Jo Stevens: Should it not be more?

Guy Parker: The movement of money, of advertising budgets online presents a structural challenge to that funding model. We have—I use the word “we” to talk about various parts of the ASA system including a funding board we have—spent a lot of time trying to crack this problem and we have made some progress in recent years but we are not there yet.

As I said earlier in answer to Paul’s question, if we are going to make as much of a success as we would like with our new strategy of doubling down on our regulation of online advertising, we need everyone to contribute meaningfully and fairly to the ASA system. I do not care so much about how that happens. I do not care about the different methods. I just care that it happens and that is something that clearly we need to keep working on, whether it is a part of a wider levy that also pays for other regulation.

I do not know, but my preference would be for it to be done within the ASA system we have at the moment with more funding from the parts of the digital advertising ecosystem that currently are not contributing meaningfully and fairly to the regulation we are delivering. We are delivering that regulation because people are demanding it, because that is where people are going and seeing adverts and sometimes being misled.

Chair: We will have to call time there. Guy Parker, thank you for your evidence and for patiently sitting through the other evidence sessions as well.