Digital, Culture, Media, and Sport Sub-Committee on Disinformation
Oral evidence: The Work of the Information Commissioner's Office, HC 2125
Tuesday 23 April 2019
Ordered by the House of Commons to be published on 23 April 2019.
Members present: Damian Collins (Chair); Simon Hart; Ian C. Lucas; Brendan O'Hara; Jo Stevens; Giles Watling.
Questions 1-60
Witnesses
I: Elizabeth Denham, Information Commissioner, Information Commissioner’s Office, and James Dipple-Johnstone, Deputy Commissioner (Operations), Information Commissioner’s Office.
Witnesses: Elizabeth Denham and James Dipple-Johnstone.
Q1 Chair: Good afternoon. Welcome to Elizabeth Denham and James Dipple-Johnstone from the Information Commissioner’s Office. It is a pleasure to have you back in front of the Committee again.
This is the first meeting of the new sub-Committee on Disinformation, whose purpose is to be an institutional home and permanent workstream for the Committee regarding the issues that came out of our inquiry into disinformation and fake news. This afternoon we are interested in asking the Information Commissioner about some of the recommendations in our report and some of the themes that have been picked up by the Government in the Online Harms White Paper.
We want to start by asking some specific questions relating to something we covered in our report and that we know you are investigating now, namely the issues around targeted political advertising by shady groups, like Mainstream Network. I appreciate that this is the subject of an ongoing investigation and there may be things you are not able to disclose in public session; the Committee completely understands that, but it would be helpful for us to understand, maybe in general terms, some of the issues that have come out of your investigation so far. We have agreed with the Information Commissioner that we will have a private session at the end of this meeting, when we will be discussing subjects that it is not possible to discuss in open session.
Elizabeth, perhaps you can tell us about the information request you made to Facebook with regard to Mainstream Network and the information you were asking for? Also, in general terms, what information do Facebook have and what are they able to supply?
Elizabeth Denham: If I can back up for a minute, thank you very much for the invitation to appear before the Committee and to address this important issue. The strand of investigation into Mainstream Network and other similar campaigns is an ongoing line of inquiry. It falls out of the broader investigation we have been conducting over the last 18 months into Facebook and Cambridge Analytica. These new lines of inquiry fall out of similar concerns that we have about electoral interference and invisible processing.
We had concerns about Mainstream Network that were raised in November. We have used our formal powers of information gathering to obtain information from Facebook about who is behind the campaign, what kind of data was used and what kind of audiences would have been targeted for the investigation. Following the data takes us to the financing of these campaigns and parties that might be behind that. For further detail in terms of the information notices to Facebook and their response, I will turn to my colleague James to give you some of that detail.
James Dipple-Johnstone: I am going to add some detail to the Commissioner’s statement. We have served two information notices to Facebook. The primary thrust of those information notices, initially, has been to understand how many adverts there were, how they were placed, how they were targeted, what was the response to them and who had access to the account that loaded up those adverts and associated with those pages—as much information as they could tell us. We are at the early stages of the inquiry and this has revealed further lines of inquiry; I cannot share the details because they are live strands of investigation.
At a very high level, our initial focus was on some of the adverts that were identified in the 89up report, which was provided to the Committee. From that, we have identified a group of around a thousand adverts that we have been particularly interested in. We understand that they were placed using the standard advertising tools for the platform—that is, on the basis of the age profile of individuals, but also geolocation, so postcode areas associated with particular localities.
We have also had information on the number of clicks or interactions in relation to that advert. With the advert that was drawn to our attention, you interacted with it and it then took you to another website, and you then clicked on a button that generated an email. In terms of the initial pot of a thousand adverts, or thereabouts, that we were interested in, we know that there were about a million clicks linked to that set of profiles and those adverts. The four examples that we supplied had around 9,000 clicks, so you can see how things have expanded up from there.
We then identified a number of individuals associated with the administration of those Facebook pages and with the payment for those adverts, and those are the lines of inquiry that we are now following up.
Q2 Chair: With regard to the advertising tools being used, were these ads just using the targeting tools that Facebook makes available to any advertiser—as you say, based on location or age profile—or were they using customised audience tools? Were they uploading data about users to form part of a targeting group?
Elizabeth Denham: Our evidence so far is that that it was relatively unsophisticated. The campaign was not bringing a pre-populated set of contacts but instead using Facebook’s basic tools. However, clicking on the ad would actually create an email that, with the bcc line, would allow the harvesting of email addresses and perhaps other personal information by that third party, which could lead to more sophisticated micro-targeting in the future. The harvesting was technically built in to the ad.
Q3 Chair: Have you seen any evidence that the campaign increased in sophistication as it went on?
James Dipple-Johnstone: That is the ongoing nature of our inquiries. Part of that is looking at similar advertisements, because we know that those accounts are associated not just with this sequence of advertisements. We need to look more broadly at a wider set of adverts associated with those accounts, and similarly look to see if there are other spending patterns that match this type of approach.
Q4 Chair: From the work so far, do you believe that the work of the Mainstream Network campaign—it is not like the Mainstream Network is a sort of a physical entity; it is just a name that was used for a campaign that was run on Facebook. Do you believe that the organisation running those adverts is behind adverts being run as part of other campaigns as well, which look different externally but are actually being operated by similar data controllers?
James Dipple-Johnstone: The next phase of our inquiry is to establish that—whether that information was used for that purpose.
Q5 Chair: And whether information or data gathered by the Mainstream Network campaign could have been used in other campaigns subsequently?
James Dipple-Johnstone: That is correct, yes.
Elizabeth Denham: Part of our investigation is looking at individuals associated with that campaign and the relationships that they have with others. Following the data and the individuals or companies associated with it, previous activities or other ads is all part of following through on what is quite a complex investigation.
Q6 Chair: I believe that the Mainstream Network campaign started in July, or around that time, last year. Have you seen evidence of activity earlier than that?
James Dipple-Johnstone: We have been looking at the question of when the adverts were placed. We know that the accounts were active between 2017 and 2018. We have initially started looking at that short period in late 2018, but we are working back to see quite how far back those kinds of adverts go.
Q7 Chair: The Committee discovered the Mainstream Network accounts and adverts through the reports supplied to us by 89up, and there was a degree of chance that they came across them. They all seemed to be dark ads; unless someone who received one of those adverts decided to report it in some way, they were very difficult to otherwise notice. The extent of the campaign could be far wider than we were able to examine through the report that 89up supplied to us. Certainly, from what you said, if this campaign generated a million clicks, that would suggest that it is probably bigger than we thought it was.
James Dipple-Johnstone: The lack of openness and transparency is one of those areas of concern, because that is something we have seen in terms of short-lived advertisements and accounts then being pulled.
Q8 Chair: Would it be fair to say that you are looking at whether campaigns such as We are the 52% and Britain’s Future may also be connected to the work of the mainstream network?
James Dipple-Johnstone: We are looking at concerns across a wide range of campaign groups on both sides of political opinion in terms of the referendum campaign.
Q9 Ian C. Lucas: On that point, to be absolutely clear, some of this does not have to be paid-for advertising; for example, it can be dissemination of information through Facebook groups, which may not be paid for, but where data may be passed on. Would that be incorporated into the inquiry that you are carrying out?
James Dipple-Johnstone: Yes. There are two principal strands of our inquiry. The first is looking at the data protection issues, irrespective of the purpose of the data. Is data being gathered around political views; what data is being gathered; what information is being provided to data subjects about that information and how it will be used; how securely is that information being held; and is it being transferred to others? That is the data protection strand. We are also looking at the office’s powers around the advertising strand, which are linked to what that personal information is used for. So we are looking at both of those aspects. However, you are absolutely right: the advertising of itself is just one strand. We are looking at the broader use—it could just be general misuse of personal data.
Q10 Ian C. Lucas: May I briefly turn to something that was referred to in our final report? The Information Commissioner’s Office issued an enforcement notice against AIQ to delete data. That was referred to in paragraph 175 of our report. Has that now been done?
Elizabeth Denham: No, the data has not been deleted yet. We have a commitment for the data to be deleted, but we have to wait until the Canadian authorities have completed their investigation, because some of that information might be relevant to their enforcement of Canadian law. There is therefore a pause on the deletion of data, but we have a commitment that the data will be deleted and we will be following through in a timely way.
Q11 Ian C. Lucas: That is a commitment from AIQ?
Elizabeth Denham: Yes. We are also working closely with our Canadian colleagues on their AIQ investigation.
Q12 Ian C. Lucas: On the AIQ repository, if I may call it that, which Mr Vickery raised with us in our discussions, I am particularly interested in the different groups that were referred to, specifically Change Britain, Vote Leave, the DUP and Veterans for Britain. What I want to try to get an answer to, if I can, relates to the point you made earlier about sophisticated use of information. You said earlier that the Mainstream Network information had been relatively unsophisticated, because they had not been using pre-presented datasets. Is there any evidence that you are aware of that pre-presented datasets were used by AIQ in delivering advertisements through Facebook?
James Dipple-Johnstone: We would have to write to you with the detail around the repository email addresses. In terms of the purchasing of datasets from AIQ, I would have to check back into the inquiry. My understanding is that they were working on behalf of others and using equipment here in the UK with other companies in order to be able to do their work, but I will have to check whether that was linked to individual purchases of advertisements.
Q13 Ian C. Lucas: But is it right, for example, that Vote Leave would present data to AIQ and they would then use Facebook as a method of dispersing messages through that dataset? Is that how it worked?
James Dipple-Johnstone: We will have to double-check whether they had used particular adverts from that dataset. I do not have that detail, but those were the areas we were looking at as part of that original investigation.
Elizabeth Denham: We can write with that detail.
Q14 Ian C. Lucas: Did you find any evidence of datasets from one organisation being used by AIQ on behalf of another organisation to disseminate information through Facebook?
James Dipple-Johnstone: We looked at the sharing of those datasets and I do not think we found that kind of sharing, but I will double-check the file.
Q15 Ian C. Lucas: So how was the information disseminated through Facebook? Was it only through datasets that were presented by one organisation? For example, would Vote Leave disseminate information only through a dataset that they provided?
James Dipple-Johnstone: Potentially, yes.
Q16 Ian C. Lucas: So if there was dissemination through a dataset presented, for example, by the DUP, that would be a data breach. Is that right?
James Dipple-Johnstone: Potentially, depending on the circumstances of the dataset.
Q17 Ian C. Lucas: And that is the evidence that you do not think you have at the moment.
James Dipple-Johnstone: Yes, but I will double-check.
Q18 Ian C. Lucas: Can you explain what would be the benefit of using a single company such as AIQ for different organisations seeking to disseminate information through Facebook? Why were all these businesses using AIQ?
James Dipple-Johnstone: In our inquiry, we have not looked at the motivation behind that. Obviously, if somebody were particularly good at the work they did, that might be an incentive for them to be marketing their services to different parties, but the motivation behind why people placed particular contracts was not the focus of our inquiry—it was the basis on which that information was consented to be passed on.
Q19 Ian C. Lucas: So you will come back to me with more information on that.
James Dipple-Johnstone: Yes.
Q20 Ian C. Lucas: Thank you. Can I go back to Facebook groups for a moment? One of the joys of being a Member of Parliament is that you become of interest to certain Facebook groups, and we all have experience of closed groups of which we are not aware disseminating false information about Members of Parliament. We become aware of that information only when someone who is a member of the group contacts us to tell us what is being said. Do you have power to investigate the content of Facebook groups? In other words, do you have sufficient powers at the moment to ask what is going on within closed groups?
Elizabeth Denham: We have powers to compel Facebook or any social media platform to provide information relating to possible data protection contraventions, but we are not the Ministry of Truth—we are not going in there and looking at whether the content of what is being said is false. If it is related to the serving of ads, profiling or personalisation of content, we are in that space—we are operating in that space—but if your question is about whether someone is saying something that could be defamatory, for example, that is not our space.
Q21 Ian C. Lucas: I understand that. The issue really is how one finds out what is being said within confined, hidden groups. You have access for the purposes, really, of issues relating to—
Elizabeth Denham: Privacy and data protection.
Ian C. Lucas: Okay. Thank you.
Q22 Chair: Can I confirm something you said earlier? If the data controllers for Mainstream Network were using data that they had gathered through their campaign and subsequent campaigns, would that be a breach of GDPR?
James Dipple-Johnstone: Potentially, if that data had not been properly consented. One of the issues with some of the screenshots we have looked at of some of these adverts is that there is no information there that tells you what they are going to do with your data once they have it. We are particularly interested in whether that data is then used for other campaigns, or shared with others, or moved overseas. Those would all be breaches of the data protection laws.
Q23 Chair: Indeed, so if it had been used for that purpose, there clearly would not have been any informed consent given.
James Dipple-Johnstone: That is correct.
Elizabeth Denham: It is about consent, transparency, security, onward use and transfer. Those are the issues that we are really looking at when we look at these campaigns that are invisible, and the use of the data is invisible to individuals. That is the problem—that is the data protection problem. I think we are the only regulator in this space that is looking at these issues. Of course, if it is outside the designated election period, the Electoral Commission is not looking at it, so we are the only game in town when it comes to looking at the misuse of data in these campaigns.
Chair: Can you tell us what Facebook can see about these campaigns? That is interesting to us because in our report we looked at the issues around ad transparency in political campaigns. Obviously Facebook have introduced their own platform rules on that as well. One of the complaints about some of the campaigns, such as We are the 52%, is that a named individual is put up as the person who is running the adverts but does not particularly appear to have the resources to be spending the amount of money they are spending on them. What is Facebook able to tell about the nature of these campaigns? What sort of information is it able it supply to you? Can Facebook see that there are others involved in the campaign but allows the campaign to nominate a front person?
James Dipple-Johnstone: I can talk about the categories of information they have been able to supply to us; the actual workings of how their platforms and the algorithms work are beyond what I can share today. Certainly, the lines of inquiry that we have been asking and that they have been co-operating with us on have been about who set up the pages, who has admin rights on those pages, payment for any advertisements associated with those pages and login details over time. One of the issues we sometimes see in some of the transient-type pages is a number of different administrators and moderators coming and going from the pages over a period of time, so we are interested in that, and they have those kind of records.
Then there is also basic information that they have been able to supply around the clicks and the interactions with those pages. In previous inquiries, they have been able to share with us the profile types that were used to identify particular pages, so what categories were used to place particular kinds of advertisements.
Q24 Chair: When different moderators are responsible for running different adverts or different campaigns, are there different sources of funds or different payment types that have been used to place the adverts?
James Dipple-Johnstone: One of the challenges for our investigation is to be able to reconcile those different payments—so what has been the method of payment, who is behind that method of payment and how does that map across to data controller, so who is the data controller and who is the beneficiary? One of the issues with this strand of interest has obviously been the onward forwarding of the material, which is blind copied in, and therefore who is the recipient of that, who is behind that email address, how does that map across to the data controller and who is paying for the adverts? Those are all active lines of inquiry.
Chair: From what you are saying, it would seem that the application of Facebook’s platform policy could lead to some very misleading outcomes, because it gives a public face to a campaign—it names an individual person, who takes responsibility for it—but Facebook can see that there may be multiple people involved in the campaign, so to say that the campaign is the responsibility of that one person would be a very misleading thing to do.
Elizabeth Denham: That is one of the challenges of Facebook’s voluntary transparency tool. One of the challenges in this whole area of electoral interference and lack of transparency in political ads is that you cannot leave it to an individual company to put in place what needs to be a more robust and effective transparency tool. Obviously, one of the recommendations in your report and the White Paper is that there needs to be regulation that stands behind that and requires companies to have effective, robust audits and auditable systems in place to be able to give real transparency, but even with that, I think you still have to have investigations that reveal who is the beneficiary of the data that is harvested from these advertising campaigns.
Q25 Chair: From what you have said so far, it is simply not true to say that the individuals who are put up as the front of these campaigns are the sole source of funds or the sole administrators of these campaigns.
Elizabeth Denham: But you can see that it is also challenging for Facebook to deal with this if there are multiple people or companies behind the person who is buying the ads. These transparency tools are not easy. It is not a simple area. That is why there needs to be a standard of what good looks like in terms of transparency tools, and which regulator has the ability to go in and investigate.
Chair: With Facebook in this case, even if it may have been driven by good intentions, its transparency tool is misleading. It creates the superficial impression of transparency but masks another layer of operation that we cannot see.
Q26 Giles Watling: I want to touch briefly on a point that Ian Lucas made earlier. I accept that, as you quite rightly say, you are not the Ministry of Truth, but where do you go and what do you do if you are confronted in your investigations by something that is possibly a dangerous lie? Do you move it on? How do you operate with that?
Elizabeth Denham: Do you mean misleading information?
Giles Watling: Misleading information—possibly dangerous untruths that you know are untrue.
Elizabeth Denham: I suppose it depends on the context. If somebody misleads the Commissioner or a delegate of the Commissioner in an investigation, that is an offence under data protection law. If we were doing and investigation and found something that was significantly harmful and needed to be disclosed in the public interest and reported to a law enforcement agency, we have the ability to disclose that information. Again, it would have to be context-specific.
Q27 Giles Watling: Right. In our investigations, we have been looking at people who have been deliberately setting out to mislead people on these platforms. Clearly, what you do is assimilate how those platforms work. You do not make judgments on the truth or otherwise—I quite understand that. I suppose the follow-up question to that is, would you like to have other powers to be able to deal with that kind of issue?
Elizabeth Denham: To be the regulator in charge of disinformation?
Giles Watling: Yes.
Elizabeth Denham: I think that is going to be a massive task. It is probably not a task that could be given to any one regulator. It is incredibly challenging to regulate disinformation across the piece. I think our office has the appropriate powers and is focused appropriately on data flows. Tracing the data can lead to all kinds of transparency. Making our investigations public—we will do that in the case of Mainstream Network and the other campaigns that we are following—will help in setting the weather on what appropriate and legal behaviour should look like.
Q28 Giles Watling: So in a nutshell, what you do is lay it out there, and it is for others to decide what that content is and how to deal with it.
Elizabeth Denham: Yes. We are not a content regulator, but we do regulate personal data that is integral to the delivery of that content. It is very difficult to separate content from delivery, and it is very difficult to pull out the regulation of privacy and personal data from internet harms, which is unfortunately what the White Paper does—it puts data protection in a box, and it is difficult to do that. It is also difficult to say, “This will be the regulator of content online.”
Giles Watling: That’s right, because we do not want to enter a Stalinist regime. I understand entirely. Thank you both.
Q29 Jo Stevens: Just over a week ago, Channel 4 showed me some evidence that leave.eu had paid for Facebook adverts to be targeted at supporters of the National Front, the BNP, Britain First and EDL. They broadcast a story about this last week. I was interested in what you said earlier about the serving of advertisements, and using data to do that is obviously within your remit. Have you had any complaints, and are you investigating what leave.eu did around the specific targeting of supporters of those far-right, extreme groups?
Elizabeth Denham: We can investigate the extent to which personal data was used properly or improperly to deliver those ads. Do we have an active investigation into that?
James Dipple-Johnstone: It is one of the areas that we have been looking at and making inquiries into.
Q30 Jo Stevens: Ian talked earlier about closed Facebook groups. Obviously, some of these far-right groups are open groups—you can go on the platforms and look at them if you want to—but there are lots of closed groups as well. If I were Leave.EU and wanted to target those people, how would I do that for closed groups? Could Facebook enable me to target people in closed groups?
James Dipple-Johnstone: I would have to check how far you can do that with the lookalike audiences. Potentially, one of the things you could do if you have a seed list is say, “Give me an audience that looks like this seed list.” That might catch some people who are in closed groups. Otherwise, if you had a membership list of the closed groups from some other party, you could use that directly to target them. We have still got to work through whether that is the particular way that has been used in these instances.
Q31 Jo Stevens: We have also mentioned the White Paper briefly. I was interested in what you thought about the transparency issue of political advertising and campaigning in relation to the White Paper. It does not refer at all, I think, to electoral campaigning. What is your sense of that White Paper and where it might go on transparency of political advertising?
Elizabeth Denham: The White Paper is a really important paper and a huge step forward in a route map to identify harms online, but I was surprised and disappointed that there was not more focus on a huge societal harm, which is electoral interference, and on the need for more transparency in political advertising. Considering the work that has been done by this Committee and by our office, which has been taken up in many other jurisdictions around the world, it is surprising and concerning to me that the Government have not done a comprehensive examination of political advertising and the oversight that is needed in this space. Those are just my initial views, but it is a gap that really needs to be addressed by Government and Parliament. I will be making my office’s views about the White Paper known—it is a significant issue.
I can understand that MPs are hearing from their constituents about safety online for kids, cyber-bullying, terrorism and extremism online. On the issue of electoral interference and the fact that campaigns are now 365 days a year, with many parties involved that are not necessarily overseen by the Electoral Commission or by the ASA, we have a piece there in terms of data, but it is not all-encompassing. That is an area that needs focus, development and inquiry, and this Committee on disinformation is really important in ensuring that there is a focus on it within Parliament, including continuing the international component of your work. I see that you are meeting the International Grand Committee in Ottawa in May, and that is important, because we must have joined-up work internationally to solve this problem. These groups are not all in the UK or Europe, so that is critical.
Q32 Jo Stevens: At the moment we are technically in the regulated period of the European election campaign, but there is no difference between what we have now and what we had in the referendum. Do you have any more resources to be able to pick up inquiries if there are concerns about the European elections?
Elizabeth Denham: We do. We have work under way right now to draft our code on the use of data in campaigning, which we hope will be a statutory code. That was a recommendation that we put forward in our Democracy disrupted? report, and the Committee supported that recommendation. If we had a statutory code, it would go a long way towards clarifying what the rules are—taking account of what the law says, but transferring it into practical steps and standards that all these parties must follow. We are ready with advice to campaigns and political parties for local elections as well as European elections, and we will put the resources into that, including investigations when issues are brought to us.
Q33 Brendan O'Hara: You said you were surprised and disappointed that the White Paper did not propose action on political advertising. To what extent were you involved in the Government’s decision to establish this new regulatory framework that was published last month?
Elizabeth Denham: The Government’s White Paper is the Government’s set of proposals and frameworks. We are not involved in drafting a White Paper. We will be providing comments.
Q34 Brendan O'Hara: Were you consulted in any way, or did it come out of the blue?
Elizabeth Denham: We had some discussions with Government, but when it comes to political interference and political advertising, I believe the Cabinet Office is leading in that area. DCMS and the Home Office were really the two leading Departments on the White Paper.
Q35 Brendan O'Hara: When you had those consultative discussions, did you make the point that you have just made to us about how important action on political advertising would be in the White Paper?
Elizabeth Denham: I have spoken to the Secretary of State and the Digital Minister about our concerns about addressing the use of data in elections and campaigns, and the need to put the code that we are writing on a statutory footing. We have brought those issues up and we are hoping there is time for the Government to take another look at political advertising and electoral interference as a significant online harm.
Q36 Brendan O'Hara: Would it be fair to say, then, that prior to the publication of the White Paper the Government were in absolutely no doubt what your priorities were, particularly about action on political advertising?
Elizabeth Denham: The Government have had our Democracy disrupted? paper and the recommendations. They have seen our investigation into Cambridge Analytica and Facebook and political parties. The White Paper is a good start, but there is a gap that I would recommend that the Government take another look at.
Q37 Brendan O'Hara: That would explain your surprise and disappointment that it was omitted from that.
Elizabeth Denham: We made recommendations. I think it needs to be included in any future regulatory framework for online harms.
Q38 Brendan O'Hara: When he was talking about the White Paper on Radio 4, the Secretary of State highlighted the ability of the ICO to level fines as an example of an effective sanction. Do you think that you have a sufficiently effective sanction?
Elizabeth Denham: We have a number of sanctions, including fines. We have the ability to order an organisation to stop collecting personal data, which could be very effective in shutting down a certain business practice. We were given a pretty dramatic reboot in the law with GDPR in May 2018—a significant increase in our powers. That is very positive and gives us the ability to audit organisations and audit algorithms. We can do no-notice inspections.
We have more powers and more ability to move in this arena, but it is early days with our powers. These investigations, such as that into Cambridge Analytica, take a good deal of time. They are usually after something happens, so we have to follow the trail and make sure that, forensically, we have the information that is going to stand up to scrutiny before a tribunal or a court.
Q39 Brendan O'Hara: When the Government does set up the new regulatory framework, what different or additional powers would you advise that they give that new regulatory body?
Elizabeth Denham: All the regulatory bodies that are working in the space need new powers. They need to be able to have extraterritorial reach, because we are dealing with companies that are based outside the UK. They need to have strong sanctions, such as fines and other penalties. They have to have very deep and robust information-gathering powers. We are struggling with some of our information-gathering powers right now, but that is maybe detail for another day. Information-gathering powers, and the power to disclose and report in terms of transparency reports of how companies are doing—posting audits and investigations—are really important. Also, any new regulator that is regulating user-generated content needs to have detailed statutory codes to be able to enforce against.
Q40 Brendan O'Hara: You are absolutely right, and I think this Committee is a good example of how we can benefit from working with international partners. How important will the ability to work internationally be for the new regulator? What trans-jurisdictional powers will it need, given the global nature of so many of these platforms?
James Dipple-Johnstone: From our experience of working internationally on some of these files, there is, first and foremost, that gateway to be able to share information, in terms of tactics and in terms of personal information that you might need to share internationally. To be able to establish whether the data has gone from the target of the investigation internationally, you need to be able to supply that to your international counterparts so they can trace it through.
You would obviously also want to have the opportunity to utilise each other’s resources and to be able to have colleagues internationally attend head offices, interview people on your behalf and get that information back in real time, rather than working through the MLAT process, which can take quite a bit of time to be able to resolve. Likewise, you would want to be able to offer that from the perspective here and, importantly, to be able to then put right a remedy, whether that is ordering the removal of material, the taking down of material or the deletion of inappropriately obtained personal data—to be able to have that done and verified back to you on an international basis. Those would be a key suite of original powers to have.
Q41 Brendan O'Hara: The White Paper notes that, “under GDPR, the extent of compliance by companies based outside the EEA is still relatively untested”. What advice would you give to this new regulatory body? How does it get around the problem of GDPR and this non-testing? You have been through it with AIQ, of course, haven’t you? What would you advise that the new regulator does to secure that? Also, how ready is the UK to implement this?
James Dipple-Johnstone: We have already got some experience through the GDPR in being able to operate internationally. From our side, we have a strong track record of working internationally with other counterparts. We have a set of MOUs and good collaboration agreements already in place. My recommendation to any new regulator would be to engage in those networks and to begin to put in place those informal arrangements while the formal arrangements are being negotiated internationally.
In particular, I recommend being able to understand who your key counterparts are. There isn’t always a direct overlap between agencies in the UK and agencies internationally. Maybe something to be learned from the GDPR is the concept of establishment—having a legal entity and establishment in the jurisdiction that you can engage with. On some of our field, for example, we are in contact with our counterparts in France and in Ireland who have the establishments in their jurisdiction, just as they make requests of us for non-EU organisations who have their establishment here in the UK. We have a mechanism for co-operating and sharing information in real time to enable us to do that. Any new regulator is going to have to have something similar.
Q42 Brendan O'Hara: Finally, how concerned are you about the lack of an adequacy agreement? How will that affect your work?
Elizabeth Denham: An adequacy agreement can only come after the UK becomes a third country. That is when the Commission’s process of assessing the adequacy or essential equivalency of our law, of the regulation of our law and how it works in the round can begin.
Q43 Brendan O'Hara: Yes, technically you are right. How do you address the gap that will exist between leaving and achieving adequacy? What contingency plans do you have for that gap?
Elizabeth Denham: We have done quite a bit of work, as has the Government, in preparing for data transfers from the EU to the UK, for example if there is no deal in place and if there is no transition period. Then, companies and organisations have to find other types of transfer mechanisms to use for data to be able to flow. We have an online tool for small businesses, for example, to put in place standard contractual clauses that will allow data to continue to flow. There are other mechanisms, such as consent, standard contractual clauses and binding corporate rules that allow data to be able to be transferred. It is just that companies and public bodies have to take steps to put those in place until we have an adequacy agreement or in the intervening period.
Q44 Ian C. Lucas: Elizabeth, you stated quite robustly your disappointment about the White Paper not including a reference to the electoral issues and the misuse that we have been exploring for a very long time. That is interesting because I attended a meeting recently, which the Chair was also at, at the Oxford media forum, where the previous chief executive of the Electoral Commission, Claire Bassett, was outspoken about the need for urgent action relating to electoral regulation and changes, again because of the matters we have been discussing for what feels like the last two years. Given your position, and Claire’s position, and also given that, as you say, there has been a lot of pick-up from overseas jurisdictions of the issues that we have been discussing, can you think of a reason why the Government haven’t so far come forward with proposals relating to electoral changes?
Elizabeth Denham: I hope that proposals will come. I know that the Cabinet Office is doing work in this area. I don’t want to guess or come up with an explanation of why a comprehensive examination of these harms is not in the White Paper. As you know, a lot of work has been done in this jurisdiction around these issues. They are incredibly complicated, and perhaps they are more complicated by balancing the interests of politicians and office holders, who must be able to properly engage with the electorate while still protecting people’s privacy and making these tools transparent.
The world has moved quite quickly into digital campaigning. Although traditional parties have a desire to get this right, the campaigning period runs 365 days a year. There are new ways for data to be harvested—more ways than ever before. People have a lack of understanding of how social media audiences and the intricacies of these platforms work. What is the difference between a custom audience and a lookalike audience? These issues are not widely understood by officials and policymakers, but this Committee, our office and some of our colleagues around the world have done work on them. The European Commission has moved. They have policy proposals out there and requirements for the EU elections. It is challenging and technical, and there are competing rights to be balanced in this area.
Q45 Ian C. Lucas: Can I add another—
Elizabeth Denham: You are going to add another complexity.
Ian C. Lucas: I am going to ask you a straight question. Do you think the current political situation is preventing the Government—specifically the Government—from addressing the serious issues that we have been raising?
Elizabeth Denham: I think it is challenging, because there is not enough legislative time to make some of the changes and improvements that we know would protect our democratic institutions and processes.
Q46 Ian C. Lucas: I think the Government’s approach is inhibited because of the political controversy linked to these issues. That is what is preventing the Government from acting. Don’t you agree?
Elizabeth Denham: I can’t comment on that. I am saying that these are really important long-term issues that need to be addressed. I think there has been a lack of focus and legislative time to take anything forward, including our proposal for a code of practice for the use of data in political campaigns, even if it is linked to an existing statute and regulator.
Q47 Chair: May I just follow up on one or two things that have been covered? In our report, we picked up on the use of inferred data in political campaigns, which you raised with us when you gave evidence to the Committee in the autumn. That wasn’t mentioned in the White Paper, but I think it should have been because it is not really a Cabinet Office issue around election communication; it is a data issue, on which DCMS should have been able to give a policy response. Have you raised with the Government the concerns you raised with the Committee about the use of inferred data and whether that is a breach of GDPR—particularly the protected characteristics of things like political data?
Elizabeth Denham: In our view, inferred data is personal data. There may have been some confusion in responding to questions in the past about whether inferred data is personal data that is covered by the GDPR. We believe it is, and we advised all political parties that it was. That has a pretty significant impact on the kind of data that is being used and collected by credit reference agencies, political parties and data brokers, for example. We don’t believe that there needs to be a change in law; we think there needs to be a clearer interpretation by our office, which would definitely be in the political code, to give clarity to this issue. If inferred data is not personal data, it is completely unregulated.
Q48 Chair: Yes. Can I ask about Professor David Carroll’s case against Cambridge Analytica, of which I know you will be aware? He has been unsuccessful in his appeal. What grounds are there, when someone has made a data request to a data holder and that request appears to be lawful, but that company has gone into administration? What should be the mechanism for retrieving data in a situation like that?
James Dipple-Johnstone: As far as possible, it depends on where that data has gone to, where it resides and how those residual assets of the administration are dealt with. As data becomes more and more valuable, that is probably something that the insolvency law is going to have to look at, in terms of the other assets of an organisation. In respect of his individual case, we have obviously prosecuted the company successfully and have achieved a fine through the courts. We continue to analyse the information that we hold from the company. One of the purposes of that is, as far as possible, so that we are able to identify, if not his specific data, at least that piece which the company was not able to provide, which is the narrative as to how the data was used and how it moved through the sequence of algorithms within Cambridge Analytica. We hope to be able to produce that in due course.
Q49 Chair: So, relating to David Carroll’s case—
James Dipple-Johnstone: If we can do it at an individual level, that will be great, but at least in terms of being able to describe the process in more detail in terms of how the data moved through the various stages.
Q50 Chair: So you believe you will be able to do that?
James Dipple-Johnstone: We have people working at it: I would not want to put words in their mouth as to how accurate they will be. It is a complicated task. We have large sets of data, some of which is combined US electoral data, but also some of the ocean data examples that others have given evidence on. It is more likely that we will be able to tell the narrative, rather than pinpoint an individual’s journey through that process. But that is certainly something we haven’t given up on and continue to pursue.
Q51 Chair: Are you able to give the Committee any update on the investigation into who had access to Dr Kogan’s data that was collected at Cambridge Analytica from his app? When you gave evidence to us in November, it was discussed then; you were following up various leads about remote access to that data and who may have had it. Are you any nearer to completing that investigation?
James Dipple-Johnstone: In terms of overseas access to some of that data, we have taken it as far as we can in terms of resolving those IP addresses that we are aware of. We have shared the output of our investigation with the relevant authorities so that it can inform their broader work, but we have taken it as far as we can from a regulatory perspective, in terms of those access points. One of the strands of this work has been looking at university datasets and research datasets. We have audited the Psychometrics Centre at Cambridge University as part of this inquiry. From that we have made a number of recommendations to the university authorities about how those datasets should be better managed in future.
Q52 Chair: Do you think you will be able to make a report that says, to the best of your knowledge, what happened to the Facebook data that was scraped by Dr Kogan? It has been raised before that it was not all destroyed, and various aspects of the dataset remained and were being used by other people. Do you think it will be possible to say who else was using the data, whichever institutions had some of it—and with regards to the IP addresses of locations where it has been remotely accessed, where those were and who those people were?
James Dipple-Johnstone: Yes. We hope to be able to provide a report in the autumn setting out as much as we know. We are coming to the end of reviewing the materials on the servers that we seized and the equipment that we obtained, both from Cambridge University and the various premises of Cambridge Analytica. We have technicians and investigators working through that process and we are down to the last few servers. We have analysed hundreds of thousands of documents over the past few months. Some of that explanation will come from the email trail we have recovered, from statements from employees of the companies and the research institutions. Some of it will come from trying to unwind the data to be able to look at its present resting state and try to work back on the basis of what we know. It is not an easy task; we are trying to do the best we can. We hope to be able to provide the best narrative that we can.
Q53 Simon Hart: First, I am really sorry that I was not here earlier on—the question that I was going to ask has probably been asked and answered already. If it has been, just say so and we will move on. It was on the very basic bit of the conversation on political advertising, electronic campaigning and, in particular, Facebook. I suspect that most of us in this room have noticed in the last few months a significant increase in the hurdles that we as individuals need to get over in order to be able to use Facebook in the manner that we used to. I wonder whether you had been asked and had answered the question during the bit of the meeting that I was not in, but are you suggesting that we have to go a lot further than the current conditions laid down by Facebook, or are you reasonably satisfied—notwithstanding the legal elements—that the new terms and conditions imposed by Facebook are sufficient?
Elizabeth Denham: We have not really discussed that. Are you asking me whether I think that Facebook’s current requirements for an individual to place political ads are sufficient, or whether they will need to get stronger?
Simon Hart: Yes.
Elizabeth Denham: I think Facebook have voluntarily put in place more rigour on political advertising than they had in the past. I think Facebook said to this Committee that in the past they did not treat political ads any differently from any type of commercial ad—it was all the same to them. I know that there have been some shifts. The issue is that without a backstop of regulation in this area, the changes that Facebook and other platforms are making—they are not the only ones—are piecemeal and ad hoc, and could change tomorrow. What we need in this space is sustainable, system-wide and clear requirements for the online platforms to be able to take on political advertising, and clarity on what they need to do to know that disinformation campaigns are happening on their platforms and to take action against them.
Q54 Simon Hart: I take your point. Is that the same thing as saying that what you seek to do is to align offline and online—to bring online activity up to the current level of offline activity in transparency—or to go beyond that?
Elizabeth Denham: I don’t think that, in terms of advertising, the offline world and the online world are a complete match; they are different spaces. When it comes to political advertising, we need clear standards and rules, and consistency on how platforms allow advertising online and how they monitor content and conduct. I am saying that we need to have a level playing field on political advertising for all online platforms.
Q55 Simon Hart: This is my last question. Where there have been examples of abuse, either of offline or online political activity, the time it takes to investigate and conclude is often many months after the election to which they referred. In some cases, it takes a year. I know of one print case in mid Wales, the year after the 2015 or 2017 election. Eventually there was an adjudication that found the advertiser and the paper guilty. Frankly, that is not a lot of use in an election campaign. If this is to have any meaning at all, it has to be pretty instant. I wonder whether you feel confident that we have made enough progress since the last two general elections for us to be able to say, “Yes, we can now deal with that.”
Elizabeth Denham: I think we know more now about the risks and harms in this space than we did two years ago. Political campaigns, and certainly political parties, know more and are more concerned about how data is used. The problem with regulation right now is that it is reactive—it is after the fact. These investigations take many months to conclude, and you could argue that the horse is already out of the barn. I get that. That is why we need clear standards in statute, in codes, so people know what the rules are and can apply them to the real environment, the digital environment we are all living in right now.
Q56 Simon Hart: This is my last question, seriously. I am making up for my absence earlier on. One of the exasperations in the last few months has been that for those of us on the receiving end of pressure from voters on our stance on Brexit, that pressure is often typified by people making accusations about the validity of the referendum and whether one group or another had applied undue and invisible influence to the extent that the outcome should be declared null and void. When we were looking at this, as the Committee did at various stages during the last year, one of the frustrations was that whenever we asked a witness “Can you put your finger on any evidence that demonstrates that the impact of this opaque campaigning was such that the outcome should be declared null and void?”, the answer was “No, it must have been but we cannot actually demonstrate that in any way.” I was wondering if there was a sophisticated way now of being able to identify whether any of this dodgy activity actually works, because there is quite a lot of evidence, I would suggest as somebody who has witnessed it first hand, that it doesn’t really make much difference and most voters see through it.
Elizabeth Denham: The real question is how do we fix the environment and the regulation around electoral interference and political advertising so that when these tools get more sophisticated—and they will and we do need rules around them—we can be sure that they are going to work. Do we have evidence that they had an impact, that people decided they were going to vote a certain way, not vote a certain way, not turn out to the polls? No, we do not have that evidence. But we do know that, if anything, digital campaigning methodology is going to continue. There is going to be more electoral spend on digital campaigns in the future and the tools will get more sophisticated. So let’s make them transparent. Let’s have strong regulation around this so people can trust they are not being manipulated in terms of their vote.
Q57 Chair: Two final questions from me, before we close the public session, linked to the Committee’s other inquiry at the moment on addictive and immersive technology. I noticed that you raised last week concerns about whether the data rights of younger users of social media should be different from those of adults and in particular whether the data around likes in under-18s should be collected. We raised with Snap whether the streak function should be something you can turn off if you don’t want to share data in that way. Can you tell the Committee a little about your thinking on this and how you would propose to take those recommendations forward?
Elizabeth Denham: Government and Parliament had foresight that there needed to be some standards and rules in place for kids online. Our age-appropriate design code—unfortunately named so we’re calling it the children’s code—was a requirement for us that falls out of the GDPR and the Data Protection Act 2018. We were required to write this code and we are now consulting on it. It actually gives life to the legal requirements that kids are special online. For the first time, children, in law, need to be treated differently from adults, because the internet was designed for adults. Well, guess what? Twenty per cent. of internet users in the UK are children. Our code assists with protecting kids online because it treats them as children. Any websites, connected toys, games and apps that are focused on children need to be delivered in a way that they can understand: high privacy settings, geolocation turned off. When it comes to streaks and likes and nudging kids in a certain direction, I can’t see how those are ever going to be in a child’s best interests because they keep their eyeballs online or they nudge them to give out more of their personal information. We think that our age-appropriate design code is very much about protecting kids online and adds to and gives life to some of the online harms that are in the White Paper.
Q58 Chair: Absolutely. When would you hope to see the code go live?
Elizabeth Denham: Our consultation ends at the end of May, and we are hoping that we will be able to have it laid before Parliament in the summer, and to be enforcing against the code by the end of the year.
Q59 Chair: Very good. We have taken evidence from a number of games companies as well. One of the things that has come out of that is that games companies themselves collect quite a lot of data about gameplay to aid the design of the games. Is that something that the ICO has looked at in the past?
James Dipple-Johnstone: It’s not something that we have looked at in the past. We have a number of investigations under way looking at apps particularly targeted at children, at what kind of children’s data is being gathered and what use it is being put to, and at the degree to which personal data forms part of that as opposed to just general user experience data that is being gathered in terms of the gameplay or the app-play itself. We will be able to report back on those investigations later this year.
Q60 Ian C. Lucas: Picking up on that point, presumably a lot of these companies are US-based or from overseas, and so on. Do you think that it is important that we have the ability to speak to the people who are running these businesses in order to make sure that they are complying with issues relating to data protection?
Elizabeth Denham: Absolutely, and we have the extraterritorial reach and the ability to compel and require a response from companies that are delivering services in the UK, no matter where they are headquartered. It is also really important, in our experience in regulating big tech, that we have contact with headquarters. That really has proven to be a critical ingredient in getting the answers that we need from Facebook, Google and others.
Chair: Thank you very much. That concludes the public evidence session. The Committee will now go into a private meeting with the Information Commissioner. I ask the people in the Gallery to make their way out of the room. Thank you.