The little regulator at center of Facebook's big data fight

Register now

(Bloomberg) -- A little-known U.K. regulator is taking Silicon Valley head-on, finding itself at the heart of a scandal that has shaken governments and caused Facebook Inc.’s shares to plummet.

The Information Commissioner’s Office may get a warrant as early as Wednesday to search Cambridge Analytica -- the British firm at the center of a dispute over the misuse of Facebook Inc. users’ data -- after the company failed to respond to an access request.

Now the data-protection watchdog is facing down the company linked to ex-U.S. presidential adviser Stephen K. Bannon and major Republican donor Robert Mercer as public outrage over the use of internet data is growing. U.K. Information Commissioner Elizabeth Denham will be under pressure to act, but has limited means to do so, with the current fine capped at 500,000 pounds ($700,000). Still, she can use her bully pulpit to order improvements to data protection, and prosecute companies that fail to meet the standards. U.K. politicians want to give the ICO more authority.

“Historically, the ICO hasn’t had a lot of power,” Vanessa Barnett, a solicitor at Keystone Law in London, said in an interview. “It’s a matter for Elizabeth Denham now, so we’ll wait and see her next move with anticipation.”

Denham oversees the several hundred employees of the ICO from its headquarters in Wilmslow -- a leafy commuter town outside the old mill city of Manchester in the north of England.

The watchdog is taking the lead of the European probe into what went wrong with Cambridge Analytica, which was accused by London’s Observer newspaper of taking data of more than 50 million Facebook users as part of a plan to develop ways to predict voter behavior. The agency can prosecute those who commit criminal offenses under the U.K.’s Data Protection Act.

Denham said Monday that the Cambridge Analytica breach started a “a complex and far-reaching investigation for my office.” Two days earlier, she said the agency will help the public become “fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy.”

Denham, who took the ICO’s reins in 2016, has become one of Europe’s more outspoken privacy regulators and is not new to taking on U.S. tech giants.

Just last week, her office squeezed a promise out of Facebook’s messaging service WhatsApp that it wouldn’t share any personal data with its parent until some privacy concerns are addressed. The decision concluded the U.K. part of a series of investigations by regulators in Europe. The ICO was also one of the first to investigate Uber after hackers stole the personal data of 57 million customers and drivers in 2016.

Still, most privacy regulators, including Denham, have limited power under EU privacy rules. Several national agencies don’t have any fining powers, while others, such as the French regulator, can levy penalties under 150,000 euros ($184,000).

This will radically change May 25, when a law -- the General Data Protection Regulation -- takes effect across the 28-nation bloc that will allow fines of as much as 20 million euros or 4 percent of annual sales for the most serious violations.

“The ICO will have quite a lot of clout when it comes in,” said James Castro-Edwards, head of data protection at Wedlake Bell. The Cambridge Analytica breach “shows exactly” why we need the new EU rules, he said.

The GDPR will also strengthen the ICO’s ability to carry out a compulsory audit if it suspects a company is breaking data rules.

“Right now I do not have the ability to do a compulsory audit, and that audit is a very powerful tool,” Denham told members of Parliament investigating fake news in March.

Bloomberg News