The ICO have taken SCL Elections Ltd (AKA Cambridge Analytica) to court, and won, over a failure to comply with an enforcement notice issued to the company back in May 2018 further to a complaint and investigation that took place towards the end of 2017.
Whilst Cambridge Analytica is probably best known for it’s part in the election and Facebook scandals of the last year or so, this specific case related to a subject access request from a US citizen who also resided in the US, Professor David Carroll. Professor Carroll had served SCL with a subject access request (under old data protection (i.e. DPA1998)) and SCLE had provided the data held with some explanation of its source and processing, but Professor Carroll complained to the ICO that he didn’t feel he’d been provided with all the data or a clear explanation as to where the data had come from or what it was going to be used for.
The ICO discussed this with SCLE, but SCLE refused to provide any further information, citing that Professor Carroll was neither a UK citizen nor resided in the UK and was therefore not entitled to a subject access request right under the Data Protection Act 1998. Despite the ICO explaining why it had jurisdiction and that SCLE did have to abide by UK law regardless of the nationality of the data subject, SCLE continued to fail to provide the additional information so the ICO issued an enforcement notice (in May 2018).
SCLE did not, within the timescales set in the enforcement notice, provide the additional information, so the ICO took them to court which has led to this court ruling in favour of the ICO (failure to comply with an enforcement notice is a criminal offence), resulting in a £15k fine for SCLE plus expenses.
So what can we learn from this ruling?
When we talk about GDPR or data protection “extra-territorial scope” we tend to think about the reach the GDPR has with regards to businesses operating outside the EU but targeting and processing personal data of EU citizens. The GDPR has a range of clauses and requirements about what happens in such circumstances.
What this case highlights is that when it comes to processing personal data in the UK, the nationality of the Data Subject is irrelevant when the organisation processing the data operates in the UK, meaning that the ICO have jurisdiction and UK data protection legislation applies.
Need help with subject access requests?
Whether you need help understanding what you need to do when you’re served with a subject access request, or whether you’re looking for someone to take care of them (and general compliance) for your organisation (i.e. you’re looking for a Data Protection Office (DPO)), a Digital Compliance Hub subscription can help your organisations. Get in touch if you’d like to find out more.