Cambridge Analytica demonstrably non-compliant with data protection law

Paul-Olivier Dehaye
Mar 3, 2017 · 5 min read

Over the past couple months, PersonalData.IO has helped at least a dozen individuals exercise their right of access to data processed by Cambridge Analytica, with great difficulty. We even wrote a guide about it, to help others do such requests. We are pleased to say that we can put anyone who has experienced similar difficulties in touch with pro bono legal help (reach out to us below, or at contact@PersonalData.IO). But first, a little recap…


According to the UK Data Protection Act 1998 implementing EU Data Protection Directive 95/46/EC, any individual whose data is processed in the UK has the right to access it (Article 7), regardless of nationality. The UK Information Commissioner has formulated a code of practice, providing guidelines for compliance when individuals seek to exercise that right.

Diary

Dec 3rd 2016 onwards: Swiss and German individuals start filing Subject Access Requests on PersonalData.IO (not public). Cambridge Analytica objects to their use of a third-party site (private reports), in violation of UK ICO Code of Practice for Subject Access Requests.

Dec 15th 2016: I finally get a response through social media that Cambridge Analytica needs name, address and birthday to assess my request, and that if they hold data there might be a small charge to get access to it. I am also told to re-address my request to datarequests@cambridgeanalytica.org (presumably because all the PersonalData.IO requests were landing in the wrong mailbox). Later, through a private channel, I am again told to re-address that to data.requests@cambridgeanalytica.org (typo correction).


Dec 20th 2016: Based on a screenshot of this exchange, I manage to convince some Americans to start trying to ask for their Cambridge Analytica data as well, through PersonalData.IO. Note, and this is very remarkable, that it was very difficult to convince people to do this: there was great fear at the time, and little understanding of the issue and interest. I am grateful to those who were willing to take that risk. The same day, Cambridge Analytica updated their privacy policy. The change seems tiny, but looks like it is specifically aimed at curbing UK-based data protection rights of Americans.


Eventually, I myself received a response to my request: they didn’t have any data about me. Given that I am based in Switzerland, this was not surprising. Beyond my own case, my goal was actually to help US and UK individuals in the process, which became harder and harder.

Jan 10th 2017: Cambridge Analytica responds to some requests addressed through PersonalData.IO, and asks individuals to actually submit their request through a form hosted on their website instead. That same day, several individuals whom I had helped for a long time actually resubmit the same information through the form. It becomes harder to organize as Cambridge Analytica has managed to force the request process off PersonalData.IO, where it would be possible to directly provide advice and raise awareness. Cambridge Analytica changes the privacy policy again.

Around Feb 14th 2017: No American has received a response yet. Some of those “pioneers” send emails to alex.tayler@sclgroup.cc, recounting their difficulties and explicitly mentioning the personal liability of officers in the corporate bodies holding the data (“General provisions relating to offences” articles in the Data Protection Act 1988).

Feb 15th or 16th 2017: Cambridge Analytica comes forward with new instructions, which PersonalData.IO shares widely, because they are not updated on their privacy policy. These instructions seem to have been addressed only to Americans, and request payment. This is indicative of Cambridge Analytica actually holding data. They also require sending proof of ID and two proofs of residence. This confuses lots of people, as they are not necessarily residing in the state where they vote (those living abroad, for instance). Finally, they also change the relevant email address to data.compliance@sclgroup.cc.

Feb 16th 2017: I ask for clarifications on the payment procedure.

Feb 20th 2017: Without response, but wishing to speed this up, PersonalData.IO pays the fee for 8 people to further “grease the cogs”.

Feb 24th 2017: Cambridge Analytica finally acknowledges the Feb 16th and Feb 20th emails, and confirms reception of the payment. They promise: “We will process relevant requests shortly and keep you informed on further developments”.

Mar 2rd 2017: There is still no response at this time, a full 73 calendar days after the first requests by US citizens. The mandatory deadline according to UK Data Protection Law and the associated guidance is 40 calendar days. This is a clear violation of the law. Even if it is argued by Cambridge Analytica that the delay only runs once they had all the necessary material (which would be the moment people filled the form they put up on January 10th), they still have not respected the deadline of 40 days. They could try to argue that it is the moment where people paid that actually matters, but that moment was pushed so far back through their sheer negligence only.

Why?

Next?

Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have contributed a lot of the research behind the VICE article The Data That Turned the World Upside Down and the Guardian article Robert Mercer: the Big Data billionaire waging war on mainstream media, and written several additional pieces on Cambridge Analytica that you will find here in exclusivity!

Paul-Olivier Dehaye

Written by

Mathematician. Co-founder of PersonalData.IO. Free society by bridging ideas. #bigdata and its #ethics, citizen science

PersonalData.IO

Big Data and Society, Privacy, Data Protection Rights http://www.PersonalData.IO
