News / Cambridge Analytica fined £15,000 for ignoring ICO’s enforcement notice
Cambridge Analytica fined £15,000 for ignoring ICO’s enforcement notice
10 January 2019 |
A UK court has fined Cambridge Analytica £15,000 as well as a further £6,000 in costs for not responding to an enforcement notice issued by the Information Commissioner's Office in May last year.
In early 2018, Professor David Carroll, a US-based academic, made a subject access request to Cambridge Analytica, asking the firm to provide him details on where his personal information had been obtained from or how it would be used.
Even though SCL Elections Ltd, also known as Cambridge Analytica, gave him some details on 27 March, he claimed that the information was not exhaustive and that the firm did not give him an adequate explanation. Subsequently, he approached the Information Commissioner's Office for assistance with his subject access request and the latter then directed SCL Elections Ltd to provide Professor Carroll with details of how much personal information they had collected on him.
Cambridge Analytica refused to cooperate with the ICO
In response, SCL Elections Ltd claimed that Professor Carroll had no legal entitlement to such details as he was not a UK citizen and that the Information Commissioner's Office did not have the required jurisdiction to direct the firm. The firm went on to tell the ICO that it did not expect to be further harassed "with this sort of correspondence".
Following the company's refusal to share further details with Professor Carroll, the Information Commissioner's Office issued an enforcement notice to the company on 7th May, directing SCL Elections Ltd to provide Professor Carroll with details of his personal data processed by Cambridge Analytica, a description of the purposes for which that data are being processed, a description of the recipients or classes of recipients to whom the data are or may be disclosed, and details of the source of such personal data.
It added that failure to comply with the notice will be considered a criminal offence and in violation of the Sixth Data Protection Principle under Section 7 of the DPA which requires data controllers to comply with requests made by individuals about the status of their personal data.
"The company has consistently refused to co-operate with our investigation into this case and has refused to answer our specific enquiries in relation to the complainant’s personal data – what they had, where they got it from and on what legal basis they held it," said Information Commissioner Elizabeth Denham.
"The right to request personal data that an organisation holds about you is a cornerstone right in data protection law and it is important that Professor Carroll, and other members of the public, understand what personal data Cambridge Analytica held and how they analysed it.
"We are aware of recent media reports concerning Cambridge Analytica’s future but whether or not the people behind the company decide to fold their operation, a continued refusal to engage with the ICO will potentially breach an Enforcement Notice and that then becomes a criminal matter," she added.
SCL Elections faces court's ire
Despite the Information Commissioner's strong statement, SCL Elections Ltd is yet to comply with the enforcement notice and hasn't shared any details with Professor Carroll till date. Taking cognizance of the company's actions, the Hendon Magistrates' Court on Wednesday issued a fine of £15,000 to SCL Elections Ltd for failing to comply with an enforcement notice issued by the ICO, and also asked the company to pay £6,000 in additional costs.
"This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law. Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply. Organisations that handle personal data must respect people's legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action," said Elizabeth Denham in response to the court's judgment.
In July last year, the Information Commissioner's Office also fined Facebook an exemplary £500,000 under the 1998 Data Protection Act for failing to prevent data analytics firms (Cambridge Analytica) from harvesting personal details of millions of users.
Aside from fining Facebook, the ICO also issued warning letters to 11 political parties in order to compel them to agree to audits of their data protection practices, issued an Enforcement Notice to SCL Elections Ltd to deal properly with a subject access request, issued an an Enforcement Notice to Aggregate IQ to stop processing retained data belonging to UK citizens, and announced an audit of the Cambridge University Psychometric Centre.
Latest posts by Jay Jay (see all)
- U.S. Justice Dept investigating theft of trade secrets by Huawei - 17th January 2019
- Collection #1 data breach: 773m emails & 21m unique passwords exposed - 17th January 2019
- Majority of companies cannot detect IoT device breaches, survey reveals - 15th January 2019
- GDPR compliance, phishing emails top concerns for SMEs in 2019 - 15th January 2019
- Widely-used PremiSys access control system features four zero-day vulnerabilities - 14th January 2019