The ICO has sought a warrant to obtain evidence from Cambridge Analytica as part of its investigation into Facebook and related parties for improper use of data; more stringent enforcement powers for the ICO, and potentially group litigation, may well follow.
The Information Commissioner yesterday confirmed that she was seeking an urgent warrant to access the servers of Cambridge Analytica, the political consultancy implicated in the misuse of data from, allegedly, 50m Facebook profiles and influenced, some claim, the outcome of the US presidential election. The data was harvested from Facebook through a personality test called thisisyourlife (the App) that captured the personal information of both the test taker and their circle of Facebook friends, ostensibly for academic purposes. This data was then passed onto Cambridge Analytica, in breach of Facebook’s Terms of Service. The Information Commissioner’s Office’s (ICO) intervention is a timely reminder to data controllers of the risks of providing data to third parties and may be a prelude to an increasingly assertive approach from the ICO following the implementation of the GDPR.
Facebook has said that it knew about the improper use of the data in 2015. It seems, however, that it was satisfied with assurances from the developers of the App and from Cambridge Analytica that the data had been deleted (it is now investigating whether in fact this was the case). However, as well as from the ICO, Facebook is facing pressure from a number of other regulators around the world, including questions as to whether it should have informed them, and potentially Facebook users, about the privacy breach when it happened. These regulators include not only those charged with the supervision of data, but financial regulators and law enforcement agencies. UK law enforcement agencies and, notably, the Serious Fraud Office have, in the past, been vociferous in their contempt for companies conducting their own internal investigations which often have the effect of “trampling over the crime scene”. The ICO’s quick action in requesting that Facebook cease its search of Cambridge Analytica’s premises suggests that it shares the same view. Data controllers looking forward to the GDPR would be wise to pay heed - internal investigations of potential data breaches for reporting purposes may be tracked or swiftly cut short by the ICO.
In light of the election interference at the heart of these allegations, this is perhaps the most high profile and certainly the most politically significant data investigation by the ICO yet. The Information Commissioner has had difficulty getting appropriate engagement from the organisations involved - in particular, Cambridge Analytica, which had failed to respond to her demand, for records and data (made 07 March 2018). She has requested stronger enforcement powers from Parliament, including the power to compel testimony from individuals and impose criminal penalties for failure to comply with a compulsory audit. There is cross party support for the strengthening of the ICO’s powers in the Data Protection Bill, currently being examined by a Public Bill Committee of the House of Commons and scheduled to come into force at some point prior to March 2019. If the ICO obtains the resources to match any new powers, it will pose a considerable law enforcement threat to any organisation controlling or processing data.
An increasingly assertive, and powerful, ICO should not be the only concern to data controllers going forward. We expect to see an increasing number of collective (or quasi-class) actions being brought by data subjects affected by the unlawful processing of their data (following the Court of Appeal decision in Vidal-Hall v Google, pecuniary damage is not necessary for an action to be brought). Whilst it remains harder to bring such actions in the UK than in the USA, where opt-out class actions abound, the risk to companies is increasing. Another spectre is that of claims, already apparently looming for Facebook, by disgruntled shareholders following the collapse in the company’s share price. Our microsite, looking at class actions and collective redress in a range of jurisdictions, is here.