The UK data watchdog, the Information Commissioner’s Office (ICO), has ordered the consulting firm Cambridge Analytica to hand over all the personal information it has on US citizen Professor David Carroll, or face prosecution.
Demand Made in May 2017
The consulting firm, which is reported to have ceased operations and filed for bankruptcy in the wake of the recent scandal involving its access to and use of Facebook users’ details, is facing the Enforcement Notice and possible legal action (if it doesn’t comply) because it has not fully met a demand made by Professor Carroll early last year.
Who Is Professor David Carroll?
David Carroll is a professor at the New School's Parsons School of Design. Although Professor Carroll is based in New York and is not a UK citizen, he used a subject access request (part of British data protection law) to ask Cambridge Analytica's branch in the UK to provide all the data it had gathered on him. With this type of request, organisations need to respond within 40 days with a copy of the data, the source of the data, and whether the organisation will be giving the data to others.
It has been reported that Professor Carroll, a Democrat, was interested, from an academic perspective, in the practice of political ad targeting in elections. Professor Carroll alleges that he was also concerned that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.
Sent A Spreadsheet
Some weeks after Professor Carroll filed the subject access request in early 2017, Cambridge Analytica sent him a spreadsheet of information it had about him.
It has been reported that Cambridge Analytica had accurately predicted his views on some issues, and had scored Carroll 9 out of 10 on what it called a "traditional social and moral values importance rank."
What’s The Problem?
Even though Carroll was given a spreadsheet with some information, he wanted to know what that ranking meant, what it was based on, and where the data about him came from. Cambridge Analytica CEO Alexander Nix told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, with all the data it holds on them, or tell them where the data came from. Nix said that there was no legislation in the US that allowed individuals to make such a request.
The UK’s Information Commissioner, Elizabeth Denham, sent a letter to Cambridge Analytica asking where the data on Professor Carroll came from, and what had been done with it. Elizabeth Denham is also reported to have said that, whether or not the people behind Cambridge Analytica decide to fold their operation, a continued refusal to engage with the ICO will still potentially breach an Enforcement Notice, and it will then become a criminal matter.
What Does This Mean For Your Business?
Many people have been shocked and angered by the recent scandal involving Facebook and its sharing of Facebook user data with Cambridge Analytica. The action by Professor Carroll could not only shed light on how millions of American voters were targeted online in the run-up to the 2016 election, but it could also lead to a wider understanding of what data is stored about us and how it is used by companies and organisations.
The right to request personal data that an organisation holds about us is a cornerstone right in data protection law, and this right will be brought into even sharper focus by the introduction of GDPR this month. GDPR will also give EU citizens the ‘right to be forgotten’, and has already put pressure on UK companies to put their data house in order, and prepare to comply or face stiff penalties.
This story also shows that American citizens can request information from companies that process their data in the UK.