I am going to enter the fray about the data protection events surrounding the EU Referendum and the delayed Parliamentary report into Russian interference; it is only now the full story can be told.
This story contains a few incredible chapters: (a) the breaches of the law with respect to the-use of personal data during the Referendum campaign; (b) non-cooperation by leading actors with Parliamentary Committees and investigations, (c) deliberate obstruction (at best) and lying (at worst) and (d) the reporting of important detail in easy-to-miss footnotes. Sometimes I think, you can’t make this stuff up.
In addition, I doubt very much one main conclusion of the Parliamentary Intelligence and Security Committee Report (the “ISC Report”). This was that no national security agency took responsibility to have a closer look at Russian interference in the EU Referendum and in the subsequent General Elections.
Warnings from the USA’s Presidential Election (2016)
First I want to consider the hacking of the Democratic National Committee (DNC), most likely by the Russians, and the publication by WikiLeaks of the products of that hacking. In GDPR terminology, either the hacking or the publication of personal data would be classified as a reportable data breach.
Additionally, if there is a UK-USA Trade deal (assuming no UK-EU deal) then Ministers have powers in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations to determine adequacy for the USA (via negative resolution procedures with no input from Parliament or the ICO) as part of the deal.
Will Ministers actually use these powers? Well if they are desperate for a trade deal with the USA they might.
So who in the USA are we dealing with? The chronology of relevant events that relate to the DNC data breach could be helpful:
- 22 July 2016: WikiLeaks commence a series of “slow leaks” of embarrassing emails and other information from the DNC that stop in mid-October just before November’s election. Six months later (January 2017), Julian Assange gave interviews where he stated the source of the WikiLeaks emails was not the Russian Government nor a state official.
- 28 July 2016: Republican Candidate Donald Trump publicly invites Russian to find 33,000 missing emails which he accused Hillary Clinton of deleting deliberately. Trump repeatedly draws attention to the DNC data breach during the campaign and encourages more data breaches (e.g. “ I love WikiLeaks”).
- 9 December 2016: a report from the three U.S. Intelligence Agencies (CIA, NSA, FBI) collectively conclude that Russia conducted the cyberattacks and other operations during the 2016 U.S. election. A declassified version of the report (6 January 2017) states that the Russia leadership developed a clear “preference for President-elect Trump”.
- 14 November 2017: it is widely reported in the press that there had been contact between the President’s son (Donald Trump Jnr) and WikiLeaks during the 2016 Presidential campaign. On 19 July 2020, extracts from the Mueller Report that had been previously redacted, shows Roger Stone (a confidential messenger used by the Trump campaign) and Julian Assange had also communicated several times during the 2016 campaign at the time of the release of the WikiLeaks information.
- 19 February 2020: Julian Assange’s legal team claim that President Donald Trump offered Julian Assange a pardon if he went on the record to say that Russia was not involved in a leak of DNC emails (see first bullet above); the claim is dismissed as a “hoax” by the White House.
- 13 July 2020: Roger Stone is pardoned by President Trump for crimes related to obstructing justice, witness tampering and making false statements under oath about his WikiLeaks communications.
I suspect that Privacy Shield was rejected in part because of executive power over the operation of national security legislation (e.g. to determine USA national security access to personal data) rests with the President who is capable of acting in a way described in the chronology.
Finally, note the USA Intelligence Community studied Russian Interference and reported that there were significant risks within 2 months of the Presidential Election result in 2016. So would you expect therefore that the UK’s intelligence community would also look at the EU Referendum result where the UK voted to leave EU (51.9% to 48.1%) also in 2016?
I think the answer is “yes”.
The role of the national security agencies
According to the ISC Report, the national security agencies did not explore the issue of Russian interference in the Referendum result, even though all the USA Intelligence Agencies did so with respect to the Presidential election. If the ISC Report is to believed, the UK national security agencies did not even compare notes about the nature, extent and form of the Russian interference that both countries may have experienced in 2016.
The ISC asked the obvious “what did you do to protect the referendum?” question and reported:
“In response to our request for written evidence at the outset of the Inquiry, MI5 initially provided just six lines of text”.
“The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security Agencies at the thought that they might have any role in relation to the UK’s democratic processes, and particularly one as contentious as the EU referendum” (Paragraph 40)
I do not find this explanation credible. This is because, according to the Security Service Act 1989, it is the express role of MI5 to protect the democratic process:
“The function of the Service shall be the protection of national security and, in particular, its protection against threats from espionage, terrorism and sabotage, from the activities of agents of foreign powers and from actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means (my emphasis of Section 1(2))
According to the Intelligence Services Act 1996, the powers of MI6 and GCHQ are available “in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom” (my emphasis again). As the Referendum was intended to be binding on the Government, it is clear that either outcome of the vote (Leave or Remain) would determine a very significant foreign policy for the Government.
In other words, protecting the Referendum from Russian interference was the statutory role of ALL three national security agencies. That is what the USA intelligence community understood when it published its collective declassified report in January 2017.
I can see one national security agency making a mistake over its statutory role in a way described by the ISC Report. However, I cannot see ALL three national security agencies making the same mistake over their statutory role.
There is no evidence of….
Paragraph 44 of ISC Report states that:
“The written evidence provided to us appeared to suggest that HMG had not seen or sought evidence of successful interference in UK democratic processes or any activity that has had a material impact on an election, for example influencing results”.
At the bottom of page 16 of the Government’s response to the ISC Report, there is a standalone sentence that states:
“We have seen no evidence of successful interference in the EU Referendum”.
The use of the word “successful” (emphasised in the two quotes above) is curious; does it mean there is evidence of “unsuccessful interference” (i.e. examples of interference that was not successful whatever “successful” interference looks like). The ISC did not report on that issue.
On 11 July 2016, Mrs May won the Conservative Party leadership race with the slogan that unified the Party; readers might remember it (“Brexit means Brexit”). Its use meant that she became Prime Minister two days later and took ultimate responsibility for national security issues. Also as Home Secretary from 2010, Mrs May had developed close links with leading MI5 staff and its role.
One wonders whether a more likely scenario, to that proposed by the ISC, exists. Namely, that the national security agencies collectively decided that there would be a quieter life if they did little and served the Prime Minister’s view of Brexit in a hope that it would put the divisive Brexit debate to bed.
The alternative of doing nothing would be to do something (e.g. open an investigation into a close vote which, if the USA report is to be believed, could produce evidence of Russian influence) and create more controversy.
In other words, by keeping schtum the national security agencies collectively decided not to open a very large can of worms by choosing not to deliver on their statutory duties as described above.
Vote Leave: unlawful breach of DP and Electoral law
There were two main organisations processing personal data for a “leave the European Union” result in the Referendum; they were “Vote Leave” and “Leave.EU”. As will be seen both were fined for breaches of data protection and electoral law, and ignored subsequent Parliamentary inquiries.
Vote Leave was designated by the Electoral Commission as the official campaign in favour of leaving the European Union in the Referendum; its Campaign Director was Dominic Cummings (of Barnard Castle fame). Vote Leave was found to be in breach of Electoral spending laws by the Electoral Commission and fined £61,0000; for breaches of PECR, the ICO fined Vote Leave £40,000. These fines were not challenged.
Vote Leave used a Canadian organization (AIQ) to run 1,390 adverts on Facebook on behalf of the pages linked to the referendum campaign between February 2016 and 23 June 2016 inclusive. AIQ subsequently received and Enforcement Notice for breaches of the GDPR (e.g. Article 6 and Principles in Article 5).
Vote Leave even wanted to take Judicial Review to keep an Electoral Commission report into Vote Leave’s unlawful behaviour a secret. Permission to undertake Judicial Review was refused in the Court of Appeal (on 12 November 2019): Lord Justice Underhill commented that “there is an important public interest in public bodies with an investigatory function being as open as possible about inquiries which they have conducted”. (Reference: [2019] EWCA Civ 1938).
Leave.EU: unlawful breaches of DP and Electoral law
Leave.EU: was an organization wholly financed by Mr. Aaron Banks, who according to the ISC Report, became the biggest donor in British political history when he gave £8million to the Leave.EU campaign (Footnote 50).
Mr. Banks claimed the donations were lawful donations from his companies. However, the Observer reported (8 July 2018) that the Leave.EU campaign team met with Russian embassy officials as many as 11 times in the run-up to the EU referendum; the article inferred that various Russian business opportunities could have been offered as a quid pro quo (a Latin term often used by USA politicians).
On 1 February 2019, Leave.EU was fined £15,000 for sending almost 300,000 unsolicited emails on a single day (September 15, 2015) for which they did not have consent (these emails were from customers for Mr. Banks’ Insurance interests whose data was used to promote Leave.EU purposes) and £45,000 for sending 1,021,000 direct marketing emails without the required consent (these emails were from Leave.EU lists used to promote Mr. Banks’ Insurance interests). Mr. Banks insurance company was also fined £60,000.
Leave.EU was also fined £70,000 in May 2018, by the Electoral Commission for financial irregularities. Electoral Commission noted that in April 2017, it:
“… opened an investigation into Leave.EU. We asked Leave.EU, Mr Banks and Mr Wigmore for information about the matters under investigation, and invited Mr Banks and Mr Wigmore to interview. Mr Banks provided some high level responses but declined an interview. Mr Wigmore did not respond.”
Partly as a result of this non-cooperation, the Electoral Commission then passed the question of Leave.EU’s unexplained multi-million pound donation to the National Crime Agency (NCA) because it suspected a crime under electoral law.
The NCA concluded its investigation (24 September 2019) and reported that no prosecution would occur as “The NCA has not received any evidence to suggest that Mr Banks and his companies received funding from any third party to fund the loans, or that he acted as an agent on behalf of a third party”. (Note by CP: if there were to be a quid pro quo understanding, as inferred by the Observer, there is unlikely to be any documented evidence of a loan or a financial transaction).
That was the end of the criminal investigation. However paragraph 55 of the ISC Report notes that “…the NCA lacks the resources required in terms of financial investigators, technical experts and legal expertise – this must be rectified”.
In summary, questions about the competence of the NCA investigation remain as well as more obvious issues (e.g. did the NCA consult the national security agencies?).
Should the public know the answers? The Government’s answer is “No”.
Vote Leave: non-cooperation with “Fake News” Inquiry
The Parliamentary DCMS Select Committee attempted to understand the role of Social Media by Vote Leave and Leave.EU. It produced two Reports into “Disinformation and Fake News”; a Final Report and Interim Report. Both reports are well worth reading, but I want to focus on the lack of co-operation by Vote Leave and Leave.EU.
Vote Leave ignored the Committee completely. The DCMS Committee, in Footnote 13 stated that:
“Dominic Cummings also refused to give oral evidence to the DCMS Committee. The Committee published its Third Special Report of Session 2017–18, “Failure of a witness to answer an Order of the Committee: conduct of Mr Dominic Cummings, on 5 June 2018”.
“The Report informed the House of Mr Cummings’ failure to report to the Committee. The Committee sought an Order of the House requiring Mr Cummings to agree a date for his appearance before the Committee. The House issued the Order, with which Mr Cummings did not comply. The Matter was referred to the Committee of Privileges on 28 June 2018.”
Committee of Privileges Report (published 27 March 2019) stated that:
“We recommend that the House should admonish Mr Cummings for his contempt. We recommend that, following recent practice the admonishment should take the form of a resolution of the House. This resolution, if agreed to, should be communicated to Mr Cummings by the Clerk of the House”.
A motion approving the Privileges Report took place on 2 April 2019; I presume the “who has been a naught boy then” admonishment was delivered to Mr. Cummings.
Leave.EU: non-cooperation with “Fake News” Inquiry
Leave EU was also immersed in a “Fake News” controversy. For example, in April 2019, Channel 4 News found that an anti-immigration viral video produced by Leave.EU during the campaign was faked, and that the campaign appeared to have staged photos of immigrants attacking women in the United Kingdom.
Leave.EU unlike Vote Leave at least turned up to give evidence. However, this progress was somewhat diminished by the Final Report’s conclusions at paragraph 147:
As set out in our Interim Report, Arron Banks and Andy Wigmore showed complete disregard and disdain for the parliamentary process when they appeared before us in June 2018. It is now evident that they gave misleading evidence to us, too, about the working relationship between Eldon Insurance and Leave.EU. They are individuals, clearly, who have less than a passing regard for the truth. (my emphasis)
Concluding comments
I have three comments.
The Government has announced that it will implement an imprints regime for digital election material; this will ensure greater transparency and make it clearer to the electorate who has produced and promoted online political materials in future elections. However, that does not deal with the events of 2016 and the above story of delay, unlawful processing, non-cooperation and obfuscation.
Given Mr. Cummings’ position in Government as the Prime Minister’s right hand man, the disdain and non-accountability exhibited by Mr. Cummings towards data protection law sits very uneasily with his ability to influence any future policy towards the processing of personal data by Government (e.g. data sharing).
For what it’s worth, my own view can be expressed by Shakespeare’s famous line from Hamlet: “Something is rotten in the state of Denmark”.
Upcoming Data Protection Courses (in Autumn)
Obviously COVID19 has put a spanner in the training works, but the following courses are scheduled for the Autumn now lockdown is unlocked (fingers crossed).
All courses lead to the relevant BCS qualification:
- Data Protection Practitioner: London, Starts Sept 22 (6 days)
- Data Protection Foundation: London, Oct 13-15 (3 days)
- Data Protection Practitioner: Edinburgh, Starts Nov 23 (5 days)
Full details on www.amberhawk.com of by emailing [email protected]
References
You should be able to Google all the main references by dates and keywords: (e.g. NCA, Leave.EU); (Stone, pardon) or (Cummings; Barnard Castle). If you have difficulties, contact me by the emailing [email protected]
Comments
You can follow this conversation by subscribing to the comment feed for this post.