Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs.
The criminal prosecution may not sound surprising – after all, SCL had failed to comply with an enforcement notice. Clearly the ICO is taking a hard-line approach to enforcement. SCL, however, was in administration at the time of the enforcement notice and therefore a key point to note here is that a company is still required to ensure it complies with its data protection responsibilities, including any enforcement, even when it is in administration.
In January 2017, U.S. citizen Professor David Carroll made a subject access request to SCL. SCL responded disclosing some personal data, but Professor Carroll suspected that SCL had not disclosed everything. The response from SCL also contained inadequate information about where the data had been obtained and how it would be used. He complained to the ICO, who shared his concerns.
The ICO contacted SCL in September 2017 to ask for further information. SCL was not cooperative, incorrectly claiming that Professor Carroll had no legal right to access the data because he was not a UK citizen or based in the United Kingdom. In rejecting SCL’s claim that a U.S. citizen has no legal right to access the data, the ICO confirmed that “anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law.”