Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs.
The criminal prosecution may not sound surprising – after all, SCL had failed to comply with an enforcement notice. Clearly the ICO is taking a hard-line approach to enforcement. SCL, however, was in administration at the time of the enforcement notice and therefore a key point to note here is that a company is still required to ensure it complies with its data protection responsibilities, including any enforcement, even when it is in administration.
In January 2017, U.S. citizen Professor David Carroll made a subject access request to SCL. SCL responded disclosing some personal data, but Professor Carroll suspected that SCL had not disclosed everything. The response from SCL also contained inadequate information about where the data had been obtained and how it would be used. He complained to the ICO, who shared his concerns.
The ICO contacted SCL in September 2017 to ask for further information. SCL was not cooperative, incorrectly claiming that Professor Carroll had no legal right to access the data because he was not a UK citizen or based in the United Kingdom. In rejecting SCL’s claim that a U.S. citizen has no legal right to access the data, the ICO confirmed that “anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law.”
The ICO had been investigating the use of personal data for political campaigns, which included an investigation into the use of data by SCL, since March 2018. When SCL announced that it would be immediately shut down and liquidated on 2 May 2018, the ICO released a statement:
The ICO will continue its civil and criminal investigations and will seek to pursue individuals and directors, as appropriate and necessary even where companies may no longer be operating. We will also monitor closely any successor companies using our powers to audit and inspect, to ensure the public is safeguarded.
SCL’s administration commenced the day before the ICO issued its enforcement notice. The enforcement notice gave SCL 30 days to provide Professor Carroll with more information, namely:
- a description of the personal data being processed;
- the purpose for which the personal data are processed;
- whom the personal data may be disclosed to;
- copies of the personal data being processed; and
- the source of the personal data.
SCL failed to comply with the enforcement notice, constituting a criminal offence.
The successful criminal prosecution against SCL demonstrates that personal data rights and enforcement action can survive the administration of a company. Further, it demonstrates that enforcement action can be taken against a company that may no longer be operating.
Whether a company is in administration or not, the ICO wants the prosecution to act as a “warning” that there are “consequences for ignoring the law”.
The ICO has made the extra-territorial scope of UK data protection laws clear – that: “Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply.”