Brexit campaign group Leave.EU and a firm owned by its founder Arron Banks face fines totalling £135,000 over breaches of data laws.
A report from the information commissioner, Elizabeth Denham, confirmed that Leave.EU and Eldon – trading as GoSkippy – were being fined £60,000 each for “serious breaches” of the law which governs electronic marketing.
More than 1m emails were sent to Leave.EU subscribers over two separate periods which also included marketing for GoSkippy services, without their consent, said the report.
Leave.EU also faces a £15,000 fine for a separate “serious” breach after almost 300,000 emails were sent to Eldon customers containing a newsletter for the Brexit campaign group.
The report added: “We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU.”
A final decision is still to be reached on an alleged breach relating to the company’s overall handling of personal data.
In the report, Ms Denham said that her investigation into the use of data analytics in political campaigns had uncovered “a disturbing disregard for voters’ personal privacy”.
She wrote: “We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or in the US election campaigns.
“But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”
She called on the government to look at gaps in the law protecting data privacy to ensure the UK has “a regime fit for purpose in the digital age”. And she warned that voluntary moves by online companies would not be enough to solve the problem.
“Our investigation uncovered significant issues, negligence and contraventions of the law,” wrote Ms Denham. “Now we must find the solutions.
“What can we do to ensure that we preserve the integrity of elections and campaigns in future, in order to make sure that voters are truly in control of the outcome?
“Updated data protection law sets out legal requirements and it should be government and regulators upholding the law. Whilst voluntary initiatives by the social media platforms are welcome, a self-regulatory approach will not guarantee consistency, rigour or public confidence.”
The report said the Information Commissioner’s Office (ICO) had identified “serious breaches” of data protection principles by Cambridge Analytica (CA), the data firm which used personal information from Facebook users to help target political ads.
The ICO said it would have issued a “substantial fine” against CA had the company not gone into administration.
The ICO conducted an audit of the Cambridge University Psychometric Centre, where academic Aleksandr Kogan developed systems later used by CA for profiling individuals based on online activity.
It made recommendations to ensure that the university “makes improvements to its data protection and information security practices, particularly in the context of safeguarding data collected by academics for research”, the report said.
Giving evidence to the parliamentary inquiry into disinformation and fake news today, Ms Denham said she had “concerns about ongoing misuse of personal data” at Eldon Insurance and Leave.EU.
“We need to look at whether the processes are working to be able to separate the data from political campaigning and from insurance use,” she said.
“The sharing of information has gone both ways” at Mr Banks’ businesses, she added, and “the fines could be significantly higher if we find [ongoing] misdeeds”.
Deputy information commissioner James Dipple-Johnstone told MPs the ICO had “similar concerns” about the use of data for electronic marketing at Vote Leave, the official pro-Brexit campaign group led by Boris Johnson and Michael Gove.
“The investigation [into Vote Leave] is ongoing and we expect to be able to report in a matter of weeks,” he said.
Ms Denham said the scale of the investigation into the misuse of data by businesses and political organisations in recent years was “unprecedented”.
She said: “This investigation is unprecedented for our office. It’s unprecedented for any data protection authority worldwide in terms of the type of information we’re examining, the numbers of organisations, the numbers of individuals, the cost of the investigation and the expertise that’s required.
“But what’s at stake are the fundamentals of our democratic processes.”
She also encouraged MPs to look at revising laws around political campaigns in the digital age.
“People have to be able to trust the systems so it’s very important that we get to the bottom of it and that Parliament takes up some of the important recommendations that we’ve made at policy level that includes a statutory code of practice for political campaigning.
“The rules need to be sharpened, they need to be clear, they need to be fair across all organisations involved in political campaigning,” she said.