£15K Fine For Ignoring Data Access Requests

SCL Elections, the parent company of the now defunct Cambridge Analytica which was famously involved in the Facebook profile harvesting scandal, has been fined £15,000 for failing to respond to a data access request from a US citizen, and for ignoring an enforcement notice by the UK’s Information Commissioner’s Office (ICO).

Data Protection Act

The fine was made for a breach of the Data Protection Act which was in force for all at the time of the data request, which was originally made back in 2017.  GDPR, which came into force on 25th May 2018 (to replace the Data Protection Directive) covers the data protection rights of EU citizens.

The person who made the data request in this case, however, was US citizen Professor David Carroll, and SCL Elections wrongly believed that because he was not a UK citizen, he had no more right to request access to data “than a member of the Taliban sitting in a cave in Afghanistan”.

What Happened?

Professor David Carroll, who was based in New York in May 2017 at the time of his original data request under UK Data Protection Act, asked SCL Elections’ Cambridge Analytica branch in the UK to provide all the data it had gathered on him. Under that law, SCL Elections should have responded within 40 days with a copy of the data, the source of the data, and stating if the organisation had given / intended to give the data to others.

Professor Carroll, a Democrat, was reported to have been interested from an academic perspective in the practice of political ad targeting in elections and believed that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent Basic Information On A Spreadsheet

Some weeks after Professor Carroll’s subject access request in early 2017, SCL Elections sent him a spreadsheet of basic information that it held about him.

However, that information contained accurate predictions of Professor Carroll’s views on some issues and had scored Carroll a nine 9 out of 10 on what it called a “traditional social and moral values importance rank”.

Wanted To Know How

This prompted Professor Carroll to submit a second request to SCL Elections, this time to find out what that ranking meant and what it was based on, and where the data about him came from. This second request was ignored by SCL.

The CEO of Cambridge Analytica at the time, Alexander Nix, told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix (mistakenly) said that there was no legislation in the US that allowed individuals to make such a request.

ICO Involved

The ICO then became involved with the UK’s Information Commissioner, Elizabeth Denham, sending a letter to SCL Elections (Cambridge Analytica) asking where the data on Professor Carroll came from, and what had been done with it.  A section 40 enforcement notice was also issued in May 2018 to SCL Elections, thereby making it a criminal matter if they failed to comply by responding to the request and by providing the full records as requested by Carroll. No records were forthcoming, which resulted in the recent prosecution, the first against Cambridge Analytica.

During the case at Hendon Magistrates Court, it was revealed that SCL Elections had a turnover of £25.1m and profits of £2.3m in 2016.  The judge fined SCL Elections £15,000 for failing to comply with the section 40 enforcement notice from the ICO and ordered the company (whose affairs are being handled by administrators, Crowe UK) to pay a contribution of £6,000 to the ICO’s legal costs, and a victim surcharge of £170.

Some Mitigating Circumstances

Although Counsel for SCL Elections’ administrators acknowledged that SCL elections had failed to respond to the section 40 enforcement notice, they did highlight some mitigating circumstances, such as the company’s computer servers being seized by the ICO following a raid on the SCL Elections premises in March 2018.

What Does This Mean For Your Business?

This case shows that ignorance of data protection law is not a defence and that businesses and organisations need to protect their customers, stakeholders, and themselves by making sure that they fully understand and comply with data protection laws. This is particularly relevant in the UK since the introduction of GDPR.

As pointed out by Information Commissioner Elizabeth Denham in this case, companies and organisations that handle personal data need to respect people’s legal privacy rights and to understand that wherever a person lives in the world, if their data is being processed by a UK company, UK data protection laws apply. This case has also highlighted the fact that where there is no compliance with the law, and where ICO enforcement notices are ignored, action will be taken that could be very costly to the subject of that action.