I think it's been a frustrating process dealing with Facebook. When we started our inquiry, we asked them for evidence of Russian interference in the referendum, and they refused to look. They said that unless we could find evidence that there had been, they wouldn't look to check for themselves. The frustration we've had is that if the Facebook ad-checking team allowed ads to be bought using foreign currency from a foreign country in elections in breach of election law—in America certainly, and to a very small extent that happened in the U.K. as well—why weren't they looking there too?
As you rightly say, there was no disclosure to the Information Commissioner in the U.K. of a data breach involving potentially up to a million U.K. citizens. If it hadn't been for the Guardian article, I don't think Facebook would have asked any questions themselves about this. All they did then was write to the people concerned and ask them to delete the data. They didn't notify the users who had been affected. Chris Wylie said that even when they were made aware of this, he wasn't contacted by Facebook for six to nine months asking if he'd still got the data and whether he should delete it. When they became aware of the fact that Cambridge Analytica was working on Ted Cruz's campaign and the Trump campaign, and yet they'd potentially have access to this dataset they shouldn't have had, there seems to have been no checking or double-checking to see whether or not they'd actually destroyed the data.
You see a pattern of behaviour that I think looks like a company seeking to turn a blind eye rather than get to the bottom of it.