Out-Law News 2 min. read

Business fined after data subject access request failings

A business that failed to respond fully to a data subject access request and later ignored an enforcement notice served on it for doing so has been fined £15,000 for breaching UK data protection laws.

SCL Elections, better known as the business behind the now defunct data analytics company Cambridge Analytica, was prosecuted at Hendon Magistrates' Court in London on Wednesday.

SCL Elections pleaded guilty, via its administrators, to breaching section 47(1) of the Data Protection Act (DPA) 1998 in a prosecution brought by the Information Commissioner's Office (ICO). Under that section of the Act, a person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.

The ICO issued its enforcement notice (12-page / 51KB PDF) against SCL Elections in May last year after a US academic, professor David Carroll, had complained to the watchdog that the company had not provided him "with all of the personal data [it] held about him … nor an adequate explanation of where the data had been obtained from or how it would be used".

In correspondence sent to the ICO, SCL Elections claimed professor Carroll "was not entitled to make a subject access request or make a request for assessment to the commissioner under the DPA" because he was not a UK citizen or based in the UK.

After further correspondence between the ICO and SCL Elections which did not spur the company to release further information to professor Carroll, the ICO concluded that SCL Elections had "not fully complied with [the academic's] subject access request", that it had acted in breach of the DPA, and imposed the enforcement notice. However, SCL Elections did not comply with the notice, leading the watchdog to prosecute.

Elizabeth Denham, UK information commissioner, said: "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law. Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."

"Organisations that handle personal data must respect people's legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action," she said.

There is a right to appeal an enforcement notice to the First-tier (information rights) Tribunal, which it appears SCL Elections chose not to pursue in this case.

Data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com, said: "If an organisation disagrees with an ICO notice they should not ignore it – if they have grounds to challenge it or disagree with the ICO’s reasons in the notice, then the appropriate and responsible course of action is an appeal."

In October last year, the ICO fined Facebook £500,000 after the watchdog found that the company was responsible for serious breaches of UK data protection laws and that the failings meant some of the personal data in question had been shared with Cambridge Analytica. Facebook has appealed against the fine.

The DPA 1998 was the relevant legislation in force at the time of professor Carroll made his subject access request. The Act has since been replaced in the UK by the General Data Protection Regulation (GDPR) and a new Data Protection Act 2018 that supplements the GDPR provisions.

Like the DPA 1998, the new Data Protection Act provides people with a right to a copy of the personal data organisations hold on them. This includes employees requesting data held by employers. Those subject access requests must generally be complied with within one month.

Supplemental information also has to be disclosed by organisations alongside the personal data they provide in response to the requests. That includes information about the categories of personal data they hold about the requester, what the purposes of, and legal basis for, their processing is, who they have shared the data with and where they have sourced the personal data they hold from.

Under the new UK data protection regime, fines of up to €20 million, or 4% of a business' annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.