A three-year investigation into the misuse of personal data for political campaigning has been concluded, the Information Commissioner has said.
The probe, centred around the activities of consulting firm Cambridge Analytica, led to big fines for Facebook and two pro-Brexit campaign groups, Vote Leave and Leave.EU.
Elizabeth Denham said the watchdog had completed its “main lines of inquiry”.
It had found “systemic vulnerabilities in our democratic systems”, she warned.
Cambridge Analytica was accused of amassing the data of millions of Facebook users without their consent and using it in political campaigns, including the 2016 US Presidential campaign and 2016 Brexit referendum.
The ICO seized materials from the now defunct firm’s headquarters during a high-profile search in 2018.
The investigation led to the firm’s collapse and its boss, Alexander Nix, being banned from being a director for seven years by the Insolvency Service.
The regulator fined Facebook a record £500,000 penalty for not doing enough to protect its users from their data being “harvested” for political purposes, a failing which it said caused a “serious risk of harm”.
Vote Leave, the main pro-Brexit campaign group whose supporters included Boris Johnson and Michael Gove, was fined £40,000 for sending out almost 200,000 unsolicited text messages in the run-up to the 2016 vote.
And Leave.EU, the Arron-Banks led group which also campaigned to exit the EU, paid a £15,000 fine for unlawful marketing in relation to emails sent to its subscribers and those of Eldon Insurance, another firm run by Mr Banks.
As part of its wider inquiry, parenting advice site Emma’s Diary was fined £140,000 after it was accused of illegally collecting data and selling it on for use by the Labour Party, which used it to profile new mothers.
In a letter to the Culture and Media Select Committee, Ms Denham said the investigation has provided “new understanding about the use of personal data in the modern political context and has transformed the way data protection authorities around the world regulate data use for political purposes”.
“Where there was evidence of breaches of the law, we have acted. And where we have found no evidence of illegalities, we have shared this openly.
“This further work confirms my earlier conclusion that there are systemic vulnerabilities in our democratic systems.”
The regulator said it had seen evidence that Cambridge Analytica and its parent company SCL Elections had been drawing up plans to relocate its data offshore to avoid regulatory scrutiny but was unable to do so before it ceased trading.
On the wider issue of the integrity of the 2016 referendum, the regulator said it had not identified any “significant breaches” of the privacy and electronic marketing regulations or data protection legislation by either Remain or Leave groups “which met the threshold for formal regulatory action”.
Ms Denham said while the question of alleged Russian interference in the 2016 vote was outside the remit of the inquiry, the regulator had not found “any additional evidence” of Russian involvement in its analysis of material contained in computer servers seized from Cambridge Analytica and SCL Elections.
The watchdog said its probe had led to an improvement in how political parties handle personal data.
It said an audit of parties’ compliance with the rules had been completed and would be published shortly and its guidance for parties on political campaigning would also be updated.