Cambridge Analytica has finally responded (past deadline, after some threatening emails) to requests by individuals all over Europe and the United States for a copy of their data. I give here some advice on how to go further, and offer a template for responding at the bottom.
Cambridge Analytica’s response included specific instructions on payment and required identity proofs (copy/pastable version, if you need the bank account numbers):
First, a couple comments about this:
- The data compliance obligation is passed on to the “parent” company, SCL Group. This is very significant, as SCL Group is a company registered in the UK, while Cambridge Analytica is officially registered in the US. EU data protection laws are stronger, and this will greatly facilitate proving their applicability to US citizens in this particular case.
- This being said, SCL Group does not specify which regulation they will use (“applicable laws and regulations”), and this should be clarified with them.
Secondly, you have a lot more rights than just accessing your data.
I suggest that those who wish to do so send this template to email@example.com, alongside a photo ID and two proofs of identity, in addition to the 10 GBP fee.
I cannot foresee any direct negative consequence to doing so, except losing 10 GBP. Be warned, however, that I am not a lawyer. (Note: this request was updated April 2nd 2017, in light of the first responses: two longish paragraphs were added towards the end, explicitly setting bounds on trade secret and third party privacy exemptions).
Dear Data Compliance Team at SCL Group,
Under the purview of the EU Data Protection Directive 95/46/EC and the Data Protection Act 1998, I wish to:
1. know whether your company or any of its processors hold any of my personal data (this includes Cambridge Analytica and other companies in the SCL Group);
2. know the legal basis of such processing, for each of those companies holding my data (if you rely on consent, please be specific on when I might have given consent and how);
3. know how you classify this data into the different categories recognized by applicable data protection regimes;
4. know for what purposes you process this data;
5. know the legal bases of potential transfers of such personal data to the United States, for each vendor;
6. for each vendor, obtain my own identifiers within that vendor’s systems;
7. for each data point, obtain full information as to its source;
8. get an explanation on the “logic of the processing” of my personal data;
9. get a list of recipients of my personal data;
10. obtain a copy of all my personal data.
I remind you that the deadline to respond to this request is 40 calendar days. I trust that in light of the seriousness of the issue, you will faithfully respect this deadline.
I remind you that no exemption exists in the UK Data Protection Act for the right of access with respect to trade secrets (see doi.org/10.1093/idpl/ipv030 Trade Secrets v Personal Data: a possible solution for balancing rights, page 6, bottom 1st column). This exception only applies to the “logic of the processing” disclosure, and even then has to be interpreted in the narrowest sense. As a consequence, you would still need to disclose intermediate stored data computed as part of the profiling, as well as give a sense of the “logic of the processing”, without explicitly disclosing the algorithms used.
In addition, I remind you that any limitation on the access right in the UK Data Protection Act regarding the privacy of others (i.e. Article 7.4) is expressly limited to the protection of individuals and therefore does not apply to the protection of the identity of other companies or legal persons that your company would have contracted with, either as a source or recipient of my personal data. Corporate privacy rights have never been recognised in UK law (or US law, for that matter). Therefore, if you have the information I ask for in points 6, 7 and 9, you have to disclose it. I understand that some communications with those third parties might include personal information of other individuals (names of officers at those companies for instance). In this case, Article 7.5 of the DPA provides a very clear basis: only very limited information should be excised (names and other identifying information of those individuals), but all the rest of the data, i.e. all my personal data, should be given to me.
To conclude, I particularly wish to draw your attention to the “General provisions relating to offences” articles in the Data Protection Act 1998, as they pertain to the liability of bodies corporate, but also to the personal liability of any officer of such a body.
<FIRST NAME, LAST NAME as on the voter rolls>
<ADDRESS as on the voter rolls>
<DATE OF BIRTH>
Apparently, even with the process streamlined this far (which really wasn’t easy), Cambridge Analytica is still failing to meet its legal obligations. If you need legal assistance, a pro-bono lawyer has stepped up. Please contact us directly for more information.
Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have contributed a lot of the research behind the VICE article The Data That Turned the World Upside Down, and written on my own about Cambridge Analytica’s microtargeting of low information voters and the (dis)information mercenaries now controlling Trump’s databases.