Information & Ethics Committee on May 10th, 2018

Good morning, and hello from Manchester.

Thank you, Chair and committee, for the invitation to appear before you today.

I'm the Information Commissioner of the United Kingdom. I regulate data protection and freedom of information as well as a host of other personal information-related legislation.

I'm pleased to have the opportunity to speak to you today about the work of my office in investigating the use of personal data for political campaigning purposes.

I've watched some of the earlier sessions of your inquiry with great interest, and based on that, I need to set out something clearly at the outset.

In the U.K. and across the EU, information about individuals' political opinions is considered a particularly sensitive category of personal data to which additional safeguards under data protection law are applied. What that means, therefore, is that political parties and campaigns are subject to a combination of data protection, direct marketing, and electoral law when engaging in processing of data for electoral purposes with oversight by my office and the electoral commission. This has always been the case since data protection legislation was first introduced more than two decades ago, and it's simply accepted as a cultural norm.

These rules are there to ensure free and fair elections, and they do not undermine democratic engagement in the U.K. Instead, political parties have to engage with voters in a manner consistent with that law. Recognizing the special place of political parties in a democratic society, they've been given special status under U.K. data protection law to allow parties to carry out their campaigning activity.

In my complaint-handling role, I consider complaints from individuals against political parties when they think that their data has been misused. The number of complaints has never been particularly high. Other than a spike at election time, political parties have not, in the main, been a sector generating a high proportion of complaints. My office has maintained an ongoing dialogue with parties, meeting with them regularly and issuing bespoke guidance on how they can comply with the law when they are campaigning.

However, the EU referendum in the U.K. in June 2016 was an unusual exercise by British norms. Instead of being fought by established political parties, the referendum was led by campaign groups that were, in some cases, fuzzily constituted coalitions of like-minded bodies. The U.K. law on data protection is written to take account of political parties, but in a country where few referendums take place, the law has less to say about non-party campaign groups. This is made, considering potential breaches of the law during the referendum campaign, more challenging for my office.

We were concerned about some of the campaigning practices that we heard about and the provenance of the personal data used by campaign groups to target individuals. That's why in May 2017, I announced a formal investigation into the use of data analytics for political purposes. The original goal of the investigation was to pull back the curtain on how personal information was used in modern political campaigns.

At its heart, data protection law requires organizations to process data fairly and transparently, but rapid social and technological developments in the use of big data means that there's limited knowledge of or transparency around data processing techniques, including analysis, algorithms, data matching, and profiling to micro-target consumers and voters.

I think these techniques are attractive to political parties in campaigns as it enables them to target individual voters with messages in keeping with their political interests and values, but this isn't a new game played by different rules. The law continues to apply whether campaigning is conducted offline or online.

My investigation now involves over 30 organizations, including political parties and campaigns, data companies, and social media platforms. Among those organizations is AggregateIQ, which was used by a number of U.K. campaign groups, a company that this committee has already heard from.

What we didn't expect at the outset of our investigation was to be looking at the what, when, how, why, who of a reported 87 million Facebook profiles alleged to have been mined by an academic and passed on to a U.K. political consultancy working on the U.S. 2016 election and other political campaigns, plus multiple other lines of inquiry that I can't talk about at this time. This naturally raised concerns both in the U.K. and abroad and officers of Facebook and Cambridge Analytica have been called to account in various national parliaments.

I'm sure you understand that I can't speak about the particulars of an active investigation. The investigation is progressing at pace. Enforcement activity is ongoing, so it wouldn't be appropriate for me to comment further.

What I can say, though, is a number of organizations have freely co-operated with our investigation. They've answered our questions and they've engaged with us. But others have attempted to undermine the inquiry by failing to provide comprehensive answers to our questions, refusing to co-operate altogether, or challenging the process. In these situations we've been forced to use our statutory powers to make formal demands for information.

Some of my lines of inquiry are more developed than others, but an update on the entire investigation will be provided in a report issued by my office in the coming weeks. Whilst my colleague, Commissioner Therrien, is conducting his own investigation into Facebook, there are areas of joint interest that cut across both of our investigations. As Commissioner Therrien noted, the ICO and the OPC have a co-operative relationship and we can share information if it's necessary for our investigative purposes in the public interest.

When I think about your committee's work, I can see two distinct lines of inquiry: first, the immediate concern of Facebook, AggregateIQ, and others and whether existing laws in Canada have been broken, and then a second longer-term line of inquiry, a wider consideration of public expectations of the use of their data in the political context and whether the law needs to be changed. This inquiry is rightly looking not just at data protection law but also at other areas, such as electoral law, to see how these issues can be addressed.

I mentioned my report to be published in the coming weeks. I will be making findings as to whether individuals' rights were infringed, but I'll also be making policy recommendations on how the U.K. government and others could address the failings that I've uncovered, including greater transparency in political campaigning. While every jurisdiction is different, there may be some relevant lessons that could be read across into the Canadian context.

To put my cards on the table, and I say that against a backdrop of fully recognizing the public interest of political parties being able to communicate with voters, which is of course a cornerstone of democratic engagement, I believe that the use of individuals' data by political parties needs to be addressed in Canadian law. Canadians should be able to bring a complaint to an independent regulator.

The law that we have in the U.K. is built on sound foundations and principles and doesn't unnecessarily fetter the democratic process. In the U.K.'s data protection law, political parties have a legal justification for processing the personal data of individuals when carried out for electoral purposes.

My office is only part of the oversight picture in the U.K. The U.K.'s Electoral Commission is responsible for overseeing elections and political spending. Where there is crossover, my office can work with the Electoral Commission or decide which body should take the lead.

This is not to say that everything about the U.K.'s data protection regime is perfect. I said the system works for political parties, and it largely does. The Brexit referendum was a different beast, as I noted earlier. Non-traditional campaign groups either unfamiliar or unconcerned with data protection law may have crossed that line into unlawful activity, and I think the temporary nature of those groups has made pursuing them for the failures of data protection law more challenging.

The U.K. law already equips me with recourse to criminal sanction if a notice from my office goes unanswered. This means that even if a campaign group or an organization winds itself up, I can still have recourse to pursue individual former officers of that group. This might seem like a lot of powers for one body to hold, but as a regulator, I'm answerable to Parliament and I must be able to justify how I go about using my regulatory tools. I think the ICO has always been a proportionate and responsible regulator, and never more so than in the context of political campaigning where we are acutely aware of the inherent public interest in democratic engagement. This approach will continue under the GDPR and the new U.K. data protection bill when it's enacted.

The manipulation of voters via micro-targeting risks undermining our democratic model, and isn't that a major concern for all of us?

Thank you very much. I look forward to answering any questions you may have.

Good morning, Chair, and thank you very much to the committee for the invitation to appear this morning, particularly alongside—it's a great pleasure—my colleague Commissioner Denham from the U.K. In fact, only a few short weeks ago, I was in the U.K. assisting Commissioner Denham with the investigation to which she made reference.

It wasn't long after my return to British Columbia that I was conferring with Commissioner Therrien at the Office of the Privacy Commissioner of Canada agreeing to jointly conduct an investigation into Facebook and the B.C. company, AggregateIQ, a company with which this committee is very familiar. That investigation continues. Of course, I'm not at liberty to disclose much about it until our work is complete in that regard.

What I would like to do this morning is pick up on themes referenced by Commissioner Denham that relate to the broad aspects of your committee's mandate. I'm referring to seeking out legislative remedies that will help assure Canadians of the privacy of their data and the integrity of our democratic and electoral processes.

Beyond investigating companies like Facebook and Cambridge Analytica, which are critical inquiries to be sure, it is also important for Canada's political parties themselves to take some measures for restoring confidence in the democratic processes in our country. I would invite you, as my colleague Commissioner Therrien has, to subject yourselves to accountability measures regarding the way in which you collect and use the information of Canadian voters.

A question worth pondering, I think, is whether the Cambridge Analytica scandal would have happened were it not for the increasing demands on political parties to gather and analyze personal data in the hopes of understanding it and using it to persuade voters. Democracy requires the citizenry to have trust and confidence in the political process, and a significant element of that process concerns how political parties collect and use the personal information that belongs to Canadians.

Parliament and some provincial legislators have created offices that oversee the collection and use of personal information by private and public bodies. Curiously, that oversight, with few exceptions, does not apply to political parties. British Columbia is an exception. B.C.'s Personal Information Protection Act, or PIPA, applies to all organizations in B.C. It is substantially similar to PIPEDA and for that reason generally supplants PIPEDA's authority in my province.

Political parties in my province have been subject to PIPA since its enactment in 2004. In the 14 years that have since passed, I can assure you that democracy has continued to thrive unimpeded in British Columbia. We have not heard concerns or suggestions that laws protecting the personal information of voters restricts the ability of political parties or candidates to engage voters.

Political parties in B.C. can and do collect personal information about voters, but they do so under the same reasonable legal responsibilities and obligations that apply to other organizations.

Generally, this means political parties get information with the consent of voters accompanied by a clear explanation of how and for what purpose that information will be used. I used the words “generally” and “with consent” because there are legislative provisions that allow parties to collect information without consent, specifically to get the voters list and other voter data from Elections BC. These provisions, however, come with a condition that the party receiving the information must provide a satisfactory privacy policy to the Chief Electoral Officer.

PIPA also gives citizens the legal right to request and correct the personal information that political parties collect from them and to register a complaint if necessary. These complaints are adjudicated by my office. A citizen's right to exert control over their personal information is a fundamental principle of privacy law. It is a principle strengthened by the EU's general data protection regulation, which Commissioner Denham just made reference to, and which comes into effect in Europe in just a few days.

You may be interested to know that my office is now undertaking a broad investigation of how the elected parties in our legislature collect and use voters' personal information. Those parties, I would note, have fully co-operated with our office's investigation. I expect that the investigation will result in recommendations and guidance that will help parties improve their privacy practices.

Of course, I know that recent proposed amendments to the Canada Elections Act will require political parties to adopt a policy to protect personal information and to provide it to the Chief Electoral Officer. These proposals are only a minimal step forward. They attempt to address the principle of transparency, but that is only one element of a proper data protection regime.

The proposed amendments do not require parties to respond to a voter's request for the information the party holds about them, nor does it allow a voter the right to ask a party to correct inaccurate information about them. Perhaps most important, there is no provision for an impartial third party to hear and determine a voter complaint. These basic legal standards have been a part of British Columbia law for years and are the norm in many western democracies. There should be nothing for political parties to fear in any of these legal obligations. In fact, implementation will do nothing but enhance the confidence of citizens in their democratic institutions.

With that, Mr. Chair, we are happy to take any questions you may have.

The answer is yes, we are well engaged with AggregateIQ at this point. Beyond that, I don't want to say much. We are far from complete in our questioning of AggregateIQ.

I think perhaps I will just leave it at that.

In regard to the comments on the warrant, I agree with you that the current provisions in our law don't allow us to move quickly with a warrant. We need to be able to respond to digital crimes and data crimes. The government has just tabled amendments that are going to give us new powers to be able to react more quickly and not have to give long notice periods to organizations. That said, we have been able to seize and secure a great deal of data from Cambridge Analytica, and we have executed two more warrants in this investigation, so we do have a great deal of information. If there are links between one company and another, and if their intellectual property and their data are being used by a new company, then we are able to investigate and continue our investigation. If a company is entering into insolvency, as in this case, then we are in touch with the administrators and we're able to proceed with enforcement action, both criminal and civil.

We have recently received a letter from AIQ that opens the door to better co-operation than we have had. I don't know if that was a result of the testimony and the discussions with your committee; it remains to be seen. Actions will speak louder than words. If we don't receive co-operation, then as I said to my parliamentary committee in the U.K., I will seek other legal steps and actions.

I would rather not respond to that in the public domain, but I will say that we're also exploring options in co-operating with our Canadian colleagues in this investigation.

If I could start, I would say that the Canadian Privacy Commissioner's powers have fallen behind the rest of the world, so having order-making power, having the ability to levy administrative penalties, civil monetary penalties, and certainly the ability to seize material and to act quickly, I think are really important when we're dealing with global data companies and fast-paced investigations.

Even the powers that I have under the current U.K. Data Protection Act were not sufficient in this case. Government has moved really quickly and tabled amendments, which were passed last night, to provide us with even more powers of no notice inspections, streamlined warrants, the ability to make emergency orders, and also criminal sanctions for destruction of records and information.

That's important in the broader context with digital companies and being able to move quickly in the public interest.

Our office is on record as supporting Parliament providing greater powers to the Office of the Privacy Commissioner of Canada.

It's really from the perspective of citizens that I think we need to think about this. Given the matters that you're investigating, Canadians want to have some sense that somebody with some regulatory power has their backs. That can't happen unless the regulator has the appropriate authority to ensure that these kinds of things are properly remedied if there is a concern with or a transgression of the law.

Under U.K. law, and in fact under data protection law across the EU, there has to be a specified purpose for the collection and the use of data. If, for example, somebody was answering a quiz and thinking that they were sharing that information for one purpose, such as academic research, and that data was then used for a different purpose, such as political campaigning or profiling an individual as to their categories and their political leanings, then that would be a contravention of U.K. law. That is precisely what we're investigating.

When somebody releases personal information in an application or on a social media site, there needs to be some notification and clear purposes as to what that information is going to be used for. If there isn't, there is a contravention of law.

At the beginning of my remarks, I said that when it comes to establishing political opinions or political persuasion, that's a special category of personal information that requires explicit consent to use, and that again is a question that's central to our investigation in the U.K.

As you decide to share a certain amount of information with your friends that doesn't make it a free-for-all for the world. It is understandable, I think, for an individual using Facebook who expresses an interest in red cars might get an advertisement about red cars. What would certainly be beyond the expectation of an individual is that they would be psychologically profiled and identified as a candidate for a particular ad because they were open or neurotic or whatever the classification is. I think that goes well beyond what the expectation of an average citizen would be, and that does fall afoul of privacy law.