Cambridge Analytica’s parent company ended up in court this week for failing to adhere to an ICO enforcement notice.
That the ICO had to resort to criminal prosecution at all sheds valuable light on the broad contempt for data privacy that persists in large sections of the economy and the continuing enforcement challenges that the regulator faces.
The criminal prosecution concerned an American academic’s request for data that the firm held on him, the exercise of a statutory right known as a data subject access request.
Cambridge Analytica failed to satisfactorily meet that request and, when repeatedly challenged by the ICO over the course of lengthy correspondence, treated the regulator with continuing contempt, stating at different points in the correspondence that:
the complainant was no more entitled to make a subject access request “… than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”; and
subsequently, they did “… not expect to be further harassed with this sort of correspondence [from the ICO]”.
Cambridge Analytica entered into administration over the course of the investigation. That change of control underlines the egregious nature of Cambridge Analytica’s non-engagement with the ICO, demonstrating that not one, but two different sets of the most senior decision makers available decided that the ICO was a regulator not to be taken seriously.
Some may trumpet this criminal prosecution as evidence of the ICO’s teeth. On the contrary, it points to the historically weak position of the ICO and the uphill struggle that remains for the regulator to be taken seriously as an enforcer of the data protection rules.
Finally, it should be noted that this action took place under the data protection regime that preceded the GDPR. Nonetheless, these procedural issues raise difficult questions for the regulator, irrespective of the regime that it is required to enforce.