Read the official statement from the ICO here.
In 2017 the ICO launched a formal investigation into the growing misuse of personal data in the context of political campaigns, after which, in 2018, the ICO fined Facebook the sum of GBP 500,000 for “suspected failings related to compliance with the UK data protection principles covering lawful processing of data and data security.” Facebook then appealed the decision before the First Tier Tribunal, whose decision the ICO then appealed. As announced on 30 October 2019, the two parties have reached an agreement, with Facebook paying the fine but not admitting liability.
James Dipple-Johnstone, ICO Deputy Commissioner, stated, “The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice and agreement to pay the fine. The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy. We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”
The ongoing ICO investigation into the misuse of personal data in political campaigns, launched in May 2017, looks at what the Authority defined as “invisible processing”, e.g. profiling, analysis, data matching, algorithms and analysis of the personal information of individuals, insofar as such techniques affect the democratic process. The ICO noted that with respect to this issue, “the case for a high standard of transparency is very strong.” The investigation covered 30 organizations, including Facebook, and interestingly goes beyond the mere scope of enforcement: it also aims to improve transparency for citizens with respect to how their data are processed and to allow them to vote in a fair and uninfluenced manner.
Recital 39 GDPR states that, “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.” Transparency is intrinsically linked to fairness, and organizations, regardless of their scope or size, should always try to be transparent about how and why they use certain personal data in order to ensure that fundamental rights are protected.