The UK Information Commissioner’s Office’s Landmark Letter


By Sascha Matuszak
Reporter, SCCE|HCCA

On Friday, May 4, the UK Information Commissioner’s Office (ICO) sent a letter to SCL Elections Limited, Cambridge Analytica’s parent company, demanding the release of information regarding a US voter, David Carroll. Legal experts consider the ICO’s actions—demanding the information and advising Cambridge Analytica that it would be a criminal offense to refuse to comply—to be a watershed moment in the debate regarding how governments can regulate data that is controlled, processed, and transferred across national borders.

“It’s this fascinating situation because when it became apparent that Cambridge Analytica had processed Americans’ data in Britain, it suddenly opened up this window of opportunity,” said Ravi Naik, a human rights lawyer with Irvine Thanvi Natas, the British solicitor who is leading the case, as quoted in The Observer. “In the US, Americans have almost no rights over their data whatsoever, but the data protection framework is set up in such a way that it doesn’t matter where people are: it matters where the data is processed.”

The ICO decision opens up the possibility that as many as 270 million Americans can make similar subject access requests for information on how Cambridge Analytica obtained their data, what the company did with their data, and who else had access to or helped process that data. Not only that, but because the UK will be subject to the GDPR come May 25th (and is already preparing through new legislation, such as the Data Protection Bill and other measures), any person, regardless of citizenship, can theoretically submit a similar subject access request for his/her own data to a company that controls, processes, or transfers data within the UK or EU. It also opens up companies, such as Cambridge Analytica, to class action lawsuits from the millions of people whose personal data are stored on the companies’ encrypted servers.

When in Rome …

Companies that collect, store, or process data in the EU and UK can face the same problems if they fail to adequately protect personal data or cooperate with requests for data management information. That is one reason why Facebook and LinkedIn recently switched the responsibility for managing personal data of non-EU subjects to the US, where data protection laws are much less consumer-friendly. Running from one country to the next seeking “data havens,” as if they were Caribbean offshore bank accounts, is one way companies can seek to remain compliant: companies across all industries, be it manufacturing, mining, or, now, data management, leverage regulatory gaps in order to avoid onerous regulatory demands and fees. Data is as much a supply chain issue as any other, more “traditional” commodity.

The real question then becomes, how wide-reaching are the effects of the data management scandal that uncovered how vulnerable personal data truly is? Data protection frameworks across the globe are looking to the GDPR and the revised UK laws for guidance and inspiration. South Africa, Japan, Korea, Russia, China, and many others all have robust data protection regulations that are constantly adapting to new conditions presented by technological advances, private sector behavior, and public sector push-back. Europe and the UK are, at this moment in time, setting the standard for how governments will regulate companies that fail to comply with new data protection frameworks. It behooves every company dealing with personal data to perform risk assessments and internal audits, find the gaps in protection, discover exactly which regulations apply, and establish the administrative and monitoring mechanisms to ensure compliance going forward.

In the letter it sent to SCL Elections Limited, the ICO states that the financial penalty for refusing to comply with the order to turn over information is “unlimited.” That should be enough to get your compliance team and IT team sitting at the same table ASAP.