Cambridge Analytica owner fined £15k for ignoring data access request

The company falsely believed that US citizens were blocked from requesting copies of data under UK laws

Cambridge Analytica's parent company SCL Elections has been fined 15,000 by the Information Commissioner's Office for failing to a data access request from a US citizen.

The company was said to have been in breach of the Data Protection Act after it ignored an enforcement notice issued by the authority, which it has since pleaded guilty to, according to the Guardian.

US citizen David Carroll first requested copies of data held on him from the company back in 2017, however, SCL Elections provided him with only basic information, including predictions of his political stance and other personal data. When he requested further information, including any data that was used to create the predictions, SCL ignored this request.

Carroll submitted a complaint to the ICO, which then agreed with his case and demanded the company comply with the request in May 2018. However, the company challenged that order, maintaining that because Carroll was not a UK citizen he had no more right to request access to data "than a member of the Taliban sitting in a cave in Afghanistan".

Advertisement - Article continues below
Advertisement - Article continues below

However, it appears SCL fundamentally misunderstood the law as, because it is a UK-based company, SCL is legally obligated to operate under the terms of the then Data Protection Act (now GDPR), and as such those protections apply to all data it holds.

As well as fining the organisation, the ICO also said SCL Elections must respond to the request and provide the full records as requested by Carroll.

SCL Elections went into administration following Cambridge Analytica's Facebook scandal in May last year, a day before the enforcement notice was issued, however as the request was made prior to that, the company must still honour its obligations.

"This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law," said Information Commissioner Elizabeth Denham. "Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."

"Organisations that handle personal data must respect people's legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action."

  • General Data Protection Regulation (GDPR)
Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020