An insurance firm owned by Arron Banks, as well as the Leave.EU campaign he founded, face fines totalling £135,000 from the UK's data watchdog.
Banks's Leave.EU Brexit campaign and his company Eldon Insurance (trading as Go Skippy) were each given notice of fines of £60,000 by the Information Commissioner's Office (ICO) for serious breaches of the Privacy and Electronic Communications Regulations 2003 (PECR), the law which governs electronic marketing.
Leave.EU was slapped with a further £15,000 fine for a "separate, serious breach of PECR regulation 22" after almost 300,000 emails containing a Leave.EU newsletter were sent to Eldon Insurance customers.
More than 1m emails were sent to Leave.EU subscribers over two separate periods which also included marketing for GoSkippy services, without their consent. This was a breach of PECR regulation 22.
Information commissioner Elizabeth Denham presented a detailed report about the ICO's investigation into the use of data analytics in political campaigns to parliament today, stating allegations that Eldon Insurance shared customer data obtained for insurance purposes with Leave.EU were still being investigated.
"We were concerned about invisible processing – the behind the scenes algorithms, analysis, data matching and profiling that involves people’s personal information," Denham said.
"Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning ecosystem — from data companies and data brokers to social media platforms, campaign groups and political parties."
Leave.EU co founder Arron Banks defended himself on Twitter:
Gosh we communicated with our supporters and offered them a 10% brexit discount after the vote ! So what ? https://t.co/OYIZaCOmh5— Arron Banks (@Arron_banks) November 6, 2018
The investigation looked into the activities of 30 organisations and interviewed 33 individuals.
The watchdog identified 71 witnesses of interest, and is in the process of working through analysis of 700 terabytes of data, the equivalent of 52bn pages.
"We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or the in US election campaigns," Denham said. "But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform."
Denham stressed that various strands of the investigation were still ongoing.
The ICO's report also confirmed it was looking into how the Remain side handled personal data during the 2016 referendum.
"We are still looking at how the Remain side of the referendum campaign handled personal data, including the electoral roll, and will be considering whether there are any breaches of data protection or electoral law requiring further action," it said.
It said it had probed the collection and sharing of personal data by Britain Stronger in Europe and a linked data broker. "We specifically looked at inadequate third party consents and the fair processing statements used to collect personal data," it said.
The report also revealed that the ICO is in the process of referring Facebook to the Irish Data Protection Commission, which will probe "other outstanding issues about Facebook’s targeting functions and techniques used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices" under the General Data Protection Regulation (GDPR).
In October, Facebook was fined the maximum ICO penalty of £500,000 for failing to protect user's personal information.
Leave.EU and Facebook were not immediately available for comment.