Cambridge Analytica - ICO Struggles to Impose the Rule of Law

Cambridge Analytica’s parent company ended up in court this week for failing to adhere to an ICO enforcement notice.

  • Type: Insights
  • Date: 11/01/2019
  • Author: Ed Goold
  • Tags: ICO, Investigation, Enforcement, Data Privacy

That the ICO had to resort to criminal prosecution at all sheds valuable light on the broad contempt for data privacy that persists in large sections of the economy and the continuing enforcement challenges that the regulator faces.


The criminal prosecution concerned an American academic’s request for data that the firm held on him - the exercise of a statutory right known as a data subject access request.

Cambridge Analytica failed to satisfactorily meet that request and, when repeatedly challenged by the ICO over the course of lengthy correspondence, treated the regulator with continuing contempt, stating at different points in the correspondence that:

  • the complainant was no more entitled to make a subject access request “… than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”; and

  • subsequently they did “…not expect to be further harassed with this sort of correspondence [from the ICO]”.


Cambridge Analytica entered into administration over the course of the investigation. That change of control underlines the egregious nature of Cambridge Analytica’s non-engagement with the ICO, demonstrating that not one, but two different sets of the most senior decision makers available decided that the ICO was a regulator not to be taken seriously.

Some may trumpet this criminal prosecution as evidence of the ICO’s teeth. On the contrary, it points to the historically weak position of the ICO and the uphill struggle that remains for the regulator to be taken seriously as an enforcer of the data protection rules.

Finally, it should be noted that this action took place under the data protection regime that preceded the GDPR. Nonetheless, these procedural issues raise difficult questions for the regulator, irrespective of the regime that it is required to enforce.
