The Information Commissioner’s Office (“ICO”) has flexed its muscles by successfully prosecuting a company related to Cambridge Analytica for failing to comply with an enforcement notice it had issued. The case provides a reminder that non-UK citizens and residents have equal rights against UK data controllers to those of people within the country.

Background

SCL Elections Ltd is the UK-based parent company of the SCL Group, whose members include the scandal-plagued Cambridge Analytica - the company that continues to make global headlines for its role (along with Facebook) in having harvested the personal data of millions of data subjects without their consent, for the purposes of influencing public political opinion.

In 2017, SCL Elections received a data subject access request (“DSAR”) from a US-based citizen and academic, Professor David Carroll, who was unhappy with the way his data was being used to target him with political advertising.

In response to the DSAR, SCL Elections provided two files of data relating to how it predicted the way that Professor Carroll might vote in US political elections. In particular, the personal data provided to Professor Carroll included:

  • his core data (name, address, date of birth and voter ID)
  • his election returns, which indicated which political party he was registered with
  • SCL Elections’ profiling models, used to predict his political views on issues such as gun control, healthcare, immigration and the environment.

The profiling models were given in a spreadsheet, but the decision-making process used to create the models was not provided.

The complaint

Professor Carroll complained that SCL Elections had failed to provide all of the personal data it had collected relating to him, and had not provided an adequate explanation.

The ICO accepted the complaint. It was clear from the profiling models that the profile SCL Elections had built for Professor Carroll could not have been generated without data beyond that which had been disclosed to him in response to the DSAR. SCL Elections had also failed to adequately explain to Professor Carroll where it had obtained the data from and how it intended to use that information.

In responding to a letter from the ICO, SCL Elections denied that it owed any obligations to Professor Carroll because he resided outside the UK. It brashly stated in its (now partially public) response that Professor Carroll was no more entitled to make a DSAR under the UK’s data protection laws “...than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”.

Enforcement notice and prosecution

The ICO issued an enforcement notice, one day after SCL Elections went into administration, directing it to provide Professor Carroll with:

  • copies of the personal data it processed relating to Professor Carroll and a description of that data
  • a description of the purposes for which that data was being processed
  • a description of the recipients to whom the data was disclosed
  • a description as to the source of that personal data.

When SCL Elections (in administration) failed to comply with the enforcement notice, the ICO prosecuted and successfully imposed a fine of £15,000 in criminal proceedings. (The administrators made a guilty plea on the day of the hearing.)

Following this widely publicised win for the ICO, the Information Commissioner Elizabeth Denham stated: "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law. Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply. Organisations that handle personal data must respect people's legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action."

Key takeaways

This matter was prosecuted under the UK’s former data protection laws, before the advent of the General Data Protection Regulation (“GDPR”).

Nonetheless, it demonstrates the ICO’s ferocity in taking court action against serious, high profile, or flagrant breaches of the law.

Data controllers need to consider seriously how they should respond to a DSAR so as to ensure that all of the data subject’s rights are being met. It is well established that the GDPR’s territorial scope can extend outside of the boundaries of the UK and Europe.

While it is no longer a criminal offence to fail to comply with an enforcement notice, the maximum penalty of €20 million or 4% of total annual worldwide turnover in the preceding financial year (whichever is higher) will most likely be a sufficient deterrent. Data controllers should prepare to see far greater fines being imposed for serious or large-scale GDPR breaches than under previous legislation. The €50 million fine recently imposed on Google by the French data authority might just be the tip of the “aggressive regulatory action” iceberg.

Finally, the story of SCL Elections illustrates how heated or “smart” interactions with the ICO might eventually become very public…