Cambridge Analytica demonstrably non-compliant with data protection law

Over the past couple months, PersonalData.IO has helped at least a dozen individuals exercise their right of access to data processed by Cambridge Analytica, with great difficulty. We even wrote a guide about it, to help others do such requests. We are pleased to say that we can put anyone who has experienced similar difficulties in touch with pro bono legal help (reach out to us below, or at contact@PersonalData.IO). But first, a little recap…

According to the UK Data Protection Act 1998 implementing EU Data Protection Directive 95/46/EC, any individual whose data is processed in the UK has the right to access it (Article 7), regardless of nationality. The UK Information Commissioner has formulated a code of practice, providing guidelines for compliance when individuals seek to exercise that right.

Diary

Dec 3rd 2016: I myself ask for my data from Cambridge Analytica, through social media and shortly after through PersonalData.IO in emails addressed to alex.tayler@sclgroup.cc (because this address is listed on their privacy policy dated April 20th 2016) and to london@cambridgeanalytica.org (because this is an address that “establishes” Cambridge Analytica in the UK).

Dec 3rd 2016 onwards: Swiss and German individuals start filing Subject Access Requests on PersonalData.IO (not public). Cambridge Analytica objects to their use of a third-party site (private reports), in violation of UK ICO Code of Practice for Subject Access Requests.

Dec 15th 2016: I finally get a response through social media that Cambridge Analytica needs name, address and birthday to assess my request, and that if they hold data there might be a small charge to get access to it. I am also told to re-address my request to datarequests@cambridgeanalytica.org (presumably because all the PersonalData.IO requests were landing in the wrong mailbox). Later, through private channel, I am again told to re-address that to data.requests@cambridgeanalytica.org (typo correction).

Dec 20th 2016: Based on a screenshot of this exchange, I manage to convince some Americans to start tying to ask for their Cambridge Analytica data as well, through PersonalData.IO. Note, and this is very remarkable, that it was very difficult to convince people to do this: there was great fear at the time, and little understanding of the issue and interest. I am grateful to those who were willing to take that risk. The same day, Cambridge Analytica updated their privacy policy. The change seems tiny, but looks like it is specifically aimed at curbing UK-based data protection rights of Americans.

Eventually, I myself received a response to my request: they didn’t have any data about me. Given that I am based in Switzerland, this was not surprising. Beyond my own case, my goal was actually to help US and UK individuals in the process, which turned harder and harder.

Jan 10th 2017: Cambridge Analytica responds to some requests addressed through PersonalData.IO, and asks individuals to actually submit their request through a form hosted on their website instead. That same day, several individuals whom I had helped for a long time actually resubmit the same information through the form. It becomes harder to organize as Cambridge Analytica has managed to force the request process off PersonalData.IO, where it would be possible to directly provide advice and raise awareness. Cambridge Analytica changes the privacy policy again.

Around Feb 14th 2017: No American has received a response yet. Some of those “pioneers” send emails to alex.tayler@sclgroup.cc, recounting their difficulties and explicitly mentioning the personal liability of officers in the corporate bodies holding the data (“General provisions relating to offences” articles in the Data Protection Act 1988).

Feb 15th or 16th 2017: Cambridge Analytica comes forward with new instructions, which PersonalData.IO shares widely, because they are not updated on their privacy policy. Theses instructions seem to have been addressed only to Americans, and request payment. This is indicative of Cambridge Analytica actually holding data. They also require sending proof of ID and two proofs of residence. This confuse lots of people, as they are not necessarily residing in the state where they vote (those living abroad, for instance). Finally, they also change the relevant email address to data.compliance@sclgroup.cc.

Feb 16th 2017: I ask for clarifications on the payment procedure.

Feb 20th 2017: Without response, but wishing to speed this up, PersonalData.IO pays the fee for 8 people to further “grease the cogs”.

Feb 24th 2017: Cambridge Analytica finally acknowledges the Feb 16th and Feb 20th emails, and confirms reception of the payment. They promise: “We will process relevant requests shortly and keep you informed on further developments”.

Mar 2rd 2017: There is still not response at this time, a full 73 calendar days after the first requests by US citizens. The mandatory deadline according to UK Data Protection Law and the associated guidance is 40 calendar days. This is a clear violation of the law. Even if it is argued by Cambridge Analytica that the delay only runs once they had all the necessary material (which would be the moment people filled the form they put up on January 10th), they still have not respected the deadline of 40 days. The could try to argue that it is the moment where people paid that actually matters, but that moment was pushed so far back through their sheer negligence only.

Why?

The question is now: why? Why is Cambridge Analytica clearly not complying with data protection law and simply stalling this process for so long? For a while I blamed incompetence (their CEO seems to certainly have no clue of what he is talking about when discussing data protection issues, particularly around so-called special categories of data). With the recent developments, I am starting to suspect something more nefarious.

Next?

If you also tried to access your data, and are experiencing similar problems, please reach out to us (see below). We will happily put you in touch with pro-bono legal help.

Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have contributed a lot of the research behind the VICE article The Data That Turned the World Upside Down and the Guardian article Robert Mercer: the Big Data billionaire waging war on mainstream media, and written several additional pieces on Cambridge Analytica that you will find here in exclusivity!