Cambridge Analytica demonstrably non-compliant with data protection law
Over the past couple months, PersonalData.IO has helped at least a dozen individuals exercise their right of access to data processed by Cambridge Analytica, with great difficulty. We even wrote a guide about it, to help others do such requests. We are pleased to say that we can put anyone who has experienced similar difficulties in touch with pro bono legal help (reach out to us below, or at contact@PersonalData.IO). But first, a little recap…
According to the UK Data Protection Act 1998 implementing EU Data Protection Directive 95/46/EC, any individual whose data is processed in the UK has the right to access it (Article 7), regardless of nationality. The UK Information Commissioner has formulated a code of practice, providing guidelines for compliance when individuals seek to exercise that right.
Dec 3rd 2016 onwards: Swiss and German individuals start filing Subject Access Requests on PersonalData.IO (not public). Cambridge Analytica objects to their use of a third-party site (private reports), in violation of UK ICO Code of Practice for Subject Access Requests.
Dec 15th 2016: I finally get a response through social media that Cambridge Analytica needs name, address and birthday to assess my request, and that if they hold data there might be a small charge to get access to it. I am also told to re-address my request to firstname.lastname@example.org (presumably because all the PersonalData.IO requests were landing in the wrong mailbox). Later, through private channel, I am again told to re-address that to email@example.com (typo correction).
Eventually, I myself received a response to my request: they didn’t have any data about me. Given that I am based in Switzerland, this was not surprising. Beyond my own case, my goal was actually to help US and UK individuals in the process, which turned harder and harder.
Around Feb 14th 2017: No American has received a response yet. Some of those “pioneers” send emails to firstname.lastname@example.org, recounting their difficulties and explicitly mentioning the personal liability of officers in the corporate bodies holding the data (“General provisions relating to offences” articles in the Data Protection Act 1988).
Feb 16th 2017: I ask for clarifications on the payment procedure.
Feb 20th 2017: Without response, but wishing to speed this up, PersonalData.IO pays the fee for 8 people to further “grease the cogs”.
Feb 24th 2017: Cambridge Analytica finally acknowledges the Feb 16th and Feb 20th emails, and confirms reception of the payment. They promise: “We will process relevant requests shortly and keep you informed on further developments”.
Mar 2rd 2017: There is still not response at this time, a full 73 calendar days after the first requests by US citizens. The mandatory deadline according to UK Data Protection Law and the associated guidance is 40 calendar days. This is a clear violation of the law. Even if it is argued by Cambridge Analytica that the delay only runs once they had all the necessary material (which would be the moment people filled the form they put up on January 10th), they still have not respected the deadline of 40 days. The could try to argue that it is the moment where people paid that actually matters, but that moment was pushed so far back through their sheer negligence only.
The question is now: why? Why is Cambridge Analytica clearly not complying with data protection law and simply stalling this process for so long? For a while I blamed incompetence (their CEO seems to certainly have no clue of what he is talking about when discussing data protection issues, particularly around so-called special categories of data). With the recent developments, I am starting to suspect something more nefarious.
If you also tried to access your data, and are experiencing similar problems, please reach out to us (see below). We will happily put you in touch with pro-bono legal help.
Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have contributed a lot of the research behind the VICE article The Data That Turned the World Upside Down and the Guardian article Robert Mercer: the Big Data billionaire waging war on mainstream media, and written several additional pieces on Cambridge Analytica that you will find here in exclusivity!