Cambridge Analytica’s parent pleads guilty to breaking UK data law

Cambridge Analytica’s parent company, SCL Elections, has been fined £15,000 in a UK court after pleading guilty to failing to comply with an enforcement notice issued by the national data protection watchdog, the Guardian reports.

While the fine itself is a small and rather symbolic one, given the disgraced political analytics firm went into administration last year, the implications of the prosecution are more sizeable.

Last year the Information Commissioner’s Office ordered SCL to hand over all the data it holds on U.S. academic, professor David Carroll, within 30 days. After the company failed to do so it was taken to court by the ICO.

Prior to Cambridge Analytica gaining infamy for massively misusing Facebook user data, the company, which was used by the Trump campaign, claimed to have up to 7,000 data points on the entire U.S. electorate — circa 240M people.

So Carroll’s attempt to understand exactly what data the company had on him, and how the information was processed to create a voter profile of him, has much wider relevance.

Under EU law, citizens can file a Subject Access Request (SAR) to obtain personal data held on them. So Carroll, a U.S. citizen, decided to bring a test case by requesting his data even though he is not a UK citizen — having learnt Cambridge Analytica had processed his personal data in the U.K.

He lodged his original SAR in January 2017 after becoming suspicious about the company’s claim to have built profiles of every U.S. voter.

Cambridge Analytica responded to the SAR in March 2017 but only sent partial data. So Carroll complained to the ICO which backed his request — issuing an enforcement notice on SCL Elections in May 2018, days after the (now) scandal-hit company announced it was shutting down.

The company pulled the plug on its business in the wake of the Facebook data misuse scandal, when it emerged SCL had paid an academic with developer access to Facebook’s platform to harvest data on millions of users without proper consents in a bid to create psychological profiles of U.S. voters for election campaign purposes.

The story snowballed into a global scandal for Facebook and triggered a major (and still ongoing) investigation by the ICO into how online data is used for political campaigning.

It also led the ICO to hit Facebook with a £500,000 fine last year (the maximum possible under the relevant UK data protection law), although the company is appealing.

The SCL prosecution is an important one, cementing the fact that anyone who requests their personal information from a U.K.-based company or organisation is legally entitled to have that request answered, in full, under national data protection law — regardless of whether they’re a British citizen or not.

Commenting in a statement, information commissioner Elizabeth Denham said: “This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law. Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply.

“Organisations that handle personal data must respect people’s legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action.”

The Daily Beast reports that at today’s hearing, at Hendon magistrates court, the court was told that the administrators of Cambridge Analytica and its related companies had now provided relevant passwords to the ICO. Cambridge Analytica had previously failed to supply these passwords.

This means the regulator should be able to gain access to more of the data it seized when it raided the company’s London offices in March last year. So it’s at least possible Carroll’s SAR might eventually be fulfilled that way, i.e. by the regulator sifting through the circa 700TB of data it seized.

However Carroll told TechCrunch he’s hoping for a faster route to get to the truth of exactly what the company did with his data, telling us there’s still “a March court event that could yield our end goal: Disclosure”.

The March 18 hearing will address concerns about insolvency and joint administrators, according to Carroll.

“Why would they rather plead guilty to a criminal offense instead of complying with disclosure required by UK DPA ‘98. What are they hiding? Why has it come to this?” he added.

“Testing the Subject Access Request in this way is an important exercise. Do regulators and companies really know how to fully execute a Subject Access Request? How about when it escalates to a matter of international importance?”