“We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries,” Egan wrote, adding that the company will respond to the ICO soon.

The Commissioner’s office has also set its sights on Cambridge Analytica and its parent company, SCL Elections, which are undergoing insolvency proceedings in the UK and bankruptcy proceedings in the US. In May, the ICO ordered SCL Elections to hand over all the data it had collected on an American academic named David Carroll. In January of 2017, Carroll requested his data from Cambridge Analytica under the UK data protection law. The response he received included predictions about his political beliefs but few details about the data powering those predictions. In March of this year, a day before the Cambridge Analytica story made front-page headlines around the world, Carroll filed a legal claim against the company. Months later, the ICO followed with its enforcement action, but SCL Elections never complied. Now the ICO says it is “taking steps with a view to bringing a criminal prosecution against SCL Elections."

Carroll's lawyer, Ravi Naik, says the decision is "expected." "The enforcement notice was clear on its terms and we expected nothing less considering SCL's failure to comply," he wrote. "The report also vindicates David's case, confirming that his action has been pivotal to their findings. We continue to push for disclosure and are confident that we will get answers to questions the world wants resolved."

Naik says he is currently exploring claims against Facebook "on behalf of a class of individuals."

'New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.' Information Commissioner Elizabeth Denham

While the investigation may have kicked off with an inquiry into Cambridge Analytica, its scope has grown as the investigators try to map out the circuitous route data sometimes takes as it moves between the academic, political, and commercial spaces. One key area of inquiry for the ICO is Cambridge University’s Psychometrics Centre, where the methodology that undergirds Cambridge Analytica’s approach to data targeting originated. As the director of the Centre recently told WIRED, researchers there had been collecting Facebook data for academic purposes, using personality profiling apps. That work fueled research that showed how much sensitive information could be gleaned by Facebook likes. Facebook supported the research---that is, until 2015, when news stories revealed that another Cambridge professor named Aleksandr Kogan was using a personality app to collect Facebook data, and then sold the data to Cambridge Analytica.

Facebook has since suspended all of the apps associated with the Centre, pending an investigation of its operations. Now, the ICO says it will conduct an audit of the department and investigate whether Cambridge University has “sufficient systems and processes in place” to ensure academic data is properly protected.

Meanwhile, the ICO continues to investigate the use of data in the UK’s vote to leave the European Union, a decision that is now causing disarray in the upper echelons of British government. In particular, the ICO is investigating a former SCL employee’s claims that the Leave.EU campaign received data from a company called Eldon Insurance and used Eldon’s call center staff to make calls on behalf of Leave.EU.

The ICO is also taking action against a Canadian firm called AggregateIQ, which worked with senator Ted Cruz’s presidential campaign as well as the UK’s Vote Leave campaign. The ICO says it’s found that AggregateIQ has access to British citizen data that it “should not continue to hold.” It’s now investigating whether Vote Leave transferred voter data outside the country, and ordering AggregateIQ to cease processing that data.

What makes the ICO’s investigation more thorough than similar investigations in the United States is that it focuses not just on Cambridge Analytica but on the broader data marketplace. It plans on auditing credit reference companies in the UK and intends to take action against one data broker in particular called Emma’s Diary. It’s also issuing letters to political parties throughout the country, warning of the risks of working with data brokers who may not have received proper consent. Finally, the ICO has developed a list of 10 recommendations for the British government, including the creation of a code of practice under the Data Protection Act that dictates how data can be used in political campaigns.

“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system,” Denham said in a statement.

The fact that the UK already offers its citizens some core data protections gives the ICO's investigation teeth. In the United States, no such protections exist.

1 Update: 10:03 AM EST 07/11/2018 This story has been updated to clarify the timeline of the ICO investigation.

More Great WIRED Stories