The UK’s Information Commissioner’s Office (ICO) has presented its report to Parliament into the invisible processing and misuse of personal data for political purposes—and it’s not pulling any punches.

Ongoing investigation: An enquiry launched in May 2017 by the ICO has already inspected 30 organizations, carried out 33 interviews with individuals, and analyzed 52 billion pages worth of data. Its 113-page report was published today.

Wrist slapped: The ICO has fined Brexit campaign group Leave.EU and an insurance company owned by Leave.EU’s main funder, Arron Banks, £135,000 ($176,000) for breaching UK data laws. More than a million e-mails sent to Leave.EU subscribers included marketing for Eldon Insurance, a company owned by Banks. The ICO is also investigating claims that Eldon Insurance shared customer data with Leave.EU for insurance purposes.

Disturbing disregard: The UK information commissioner, Elizabeth Denham, said: “We found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups, and political parties.”

Facebook on the naughty step: The firm has already been hit with a paltry £500,000 fine—the highest possible at the time—for its involvement in the Cambridge Analytica scandal. Speaking to UK politicians today, Denham agreed that Mark Zuckerberg should be made to give evidence. “I think it would be very helpful to have Mr. Zuckerberg appear,” she said.

What’s next?: Denham is seeking views on a code of practice for the use of data in campaigns and elections. The code should have legal force, like the UK Data Protection Act 2018, and should simplify the rules and give assurances about the use of personal data in politics, she said.