Quick guide to asking Cambridge Analytica for your data
Cambridge Analytica has finally responded (past deadline, after some threatening emails) to requests by individuals all over Europe and the United States for a copy of their data. I give here some advice on how to go further, and offer a template for responding at the bottom.
Cambridge Analytica’s response included specific instructions on payment and required identity proofs (copy/pastable version, if you need the bank account numbers):
First, a couple comments about this first:
- The data compliance obligation is passed on to the “parent” company, SCL Group. This is very significant, as SCL Group is a company registered in the UK, while Cambridge Analytica is officially registered in the US. EU data protection laws are stronger, and this will greatly facilitate proving their applicability to US citizens in this particular case.
- This being said, SCL Group does not specify which regulation they will use (“applicable laws and regulations”), and this should be clarified with them.
Secondly, you have a lot more rights than just accessing your data.
I suggest to those who wish to send this template to firstname.lastname@example.org, alongside a photo ID and two proofs of identity, and in addition to the 10 GBP fee.
I cannot foresee any direct negative consequence to doing so, except losing 10 GBP. Be warned, however, that I am not a lawyer.
Dear Data Compliance Team at SCL Group,
Under the purview of EU Data Protection Directive 95/46/EC and Data Protection Act 1998, I wish to:
- know whether your company or any of its processors hold any of my personal data (this includes Cambridge Analytica and other companies in the SCL Group);
- know the legal basis of such processing, for each of those companies holding my data (if you rely on consent, please be specific on when I might have given consent and how);
- know how you classify this data into the different categories recognized by applicable data protection regimes;
- know for what purposes you process this data;
- know the legal bases of potential transfers of such personal data to the United States, for each vendor;
- for each vendor, obtain my own identifiers within that vendor’s systems;
- for each data point, obtain full information as to its source;
- get an explanation on the “logic of the processing” of my personal data;
- get a list of recipients of my personal data;
- obtain a copy of all my personal data.
It has now been a long time since I initially asked for my data. I trust that you will do your best to respond promptly to my request. Given undue delays incurred so far, a response time below a week seems reasonable.
I particularly wish to attract your attention to the “General provisions relating to offences” articles in the Data Protection Act 1988, as they pertain to liabilities by body corporates, but also the personal liability of any officer in such body.
<FIRST NAME, LAST NAME as on the voter rolls>
<ADDRESS as on the voter rolls>
<DATE OF BIRTH>
<AFAIK, I HAVE PAID FOR ALL THOSE FOR WHOM I PROMISED I WOULD PAY THE FEE. DON’T FORGET TO INDICATE THAT I PAID. I WILL ON MY SIDE INDICATE THAT I PAID FOR YOU.>
Apparently, even with the process streamlined this far (which really wasn’t easy), Cambridge Analytica is still failing to meet its legal obligations. If you need legal assistance, a pro-bono lawyer has stepped up. Please contact us directly for more information.
Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have contributed a lot of the research behind the VICE article The Data That Turned the World Upside Down, and written on my own about Cambridge Analytica’s microtargeting of low information voters and the (dis)information mercenaries now controlling Trump’s databases.