UK’s data protection watchdog plans to slap a fine of 500,000 pounds ($662,501) on Facebook over the Cambridge Analytica data leak scandal. This is the highest permitted fine under Britain’s data protection law.

In its investigation, the Information Commissioner’s Office (ICO) found that Facebook broke British law by failing to safeguard people’s information, and by not revealing how people’s data was harvested by others.

Along with Cambridge Analytica, Facebook has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of an estimated 87 million Facebook users across the world.

In its latest progress report, the regulator also said it intended to take criminal action against Cambridge Analytica’s defunct parent company SCL Elections, the BBC reported on Wednesday.

The regulator also said Aggregate IQ — which worked with the Vote Leave campaign — must stop processing UK citizens’ data. It has also written to UK’s 11 main political parties compelling them to have their data protection practices audited.

This, the Information Commissioner’s Office explained, was in part because it was concerned they could have bought lifestyle information about members of the public from data brokers, who might have not obtained the necessary consent.

In particular, ICO raised concern about one data broker: Emma’s Diary. The firm offers medical advice to pregnant women and gift packs after babies are born.

ICO said it was concerned about how transparent the firm had been about its political activities. The Labour Party had confirmed using the firm, but did not provide other details at this point beyond saying it intended to take some form of regulatory action.

The service’s owner Lifecycle Marketing could not be reached for comment. But it has told the Guardian that it does not agree with the ICO’s findings.

The ICO’s action comes 16 months after it began the ongoing probe into political campaigns’ use of personal data during the Brexit referendum campaign.

Over the period, it emerged that Facebook had failed to ensure that Cambridge Analytica had deleted personal data harvested about millions of its members in breach of the platform’s rules.

Before its collapse, Cambridge Analytica insisted it had indeed wiped the data after Facebook’s erasure request in December 2015.

But ICO said it had seen evidence that copies of the data had been shared with others.

“This potentially brings into question the accuracy of the deletion certificates provided to Facebook,” it said.