Cambridge Analytica sister firm pleads guilty, fined £21k for failing to obey UK information commish
Data regulator notches up another successful prosecution
SCL Elections Ltd, stablemate of scandal-hit Cambridge Analytica, has been fined a total of £21,000 after pleading guilty to not complying with an Information Commissioner's Office enforcement notice.
In a sentencing hearing before Hendon Magistrates' Court in north London this morning, barrister Sam Stockwell, on behalf of SCLE, entered a guilty plea to one count of failing to comply with an Information Commissioner's Notice, contrary to sections 47(1) and 60(2) of the Data Protection Act 1998.
"This case is a discrete part of a broader matter," prosecuting barrister Ben Summers, on behalf of the ICO, told the court. "It begins in January 2017 when Professor David Carroll, who is a United States citizen and resident, made a subject access request to Cambridge Analytica UK Ltd."
SCLE filed a "basis of plea" document with the court this morning, stating: "The company failed to engage with the enforcement notice."
Professor Carroll demanded to know what data Cambridge Analytica held on him and where it had obtained the data from. Cambridge Analytica emailed him back to say, in Summers' words, "that for the purposes of complying with a subject access request to Cambridge Analytica, SCLE, the defendant in these proceedings, was the agent of Cambridge Analytica. In short terms, the two are both parts of a broader group, the SCL companies group."
Although SCLE revealed some of the data that Professor Carroll was entitled to, it did not reveal everything he was entitled to. He was particularly interested in what Summers described in court as "modelled data", which, it was explained, "represented predictions that we, the company, have made about you, Professor Carroll, as an individual".
Summers told the judge that SCLE had eventually refused Professor Carroll's request because he was not a British citizen or a resident of the UK, quoting from an email the firm sent to the ICO: "He had no right to make a subject access request any more than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan."
An enforcement notice was eventually issued against SCLE on 4 May 2018 – one day after High Court-appointed administrators took over the company. Such a notice tells a data processor to hand over the data it is obliged by law to disclose, or face criminal prosecution. Following months of "discussions", SCLE pleaded guilty this morning.
District Judge Grant, sitting alone, heard pleas in mitigation from Stockwell, who urged the court not to punish SCLE too harshly because the effect of any fine (the only punishment available for failing to comply with an enforcement notice) would fall "on the company's creditors". He also drew attention to the fact that the information Professor Carroll wanted was among 700TB on servers seized by the ICO, comparing it to a needle in a haystack.
"The answer to the questions about one person, Professor Carroll, sat within that haystack, sat within 700TB of data," said Stockwell. "Which the ICO held at that point. We say that the failure [of compliance with the enforcement notice] was to address that meaning. It was obvious to the ICO and that's why it was explicitly dealt with in the letter of 4th May. In order to deal with the needle, you would need to have access to the haystack."
SCLE's administrators have been trying to regain access to the data on CA's servers, in part because they do not know what the company's financial situation was; Stockwell had to ask the court to adjourn briefly in order for the administrators' lawyers to look up Companies House records revealing SCLE's financial situation. It was suggested before the judge that one way they could have gained access to the servers was for SCLE's administrators to give the ICO the passwords to the seized servers.
Handing down sentence at midday, District Judge Grant said: "No notice of appeal was lodged against the enforcement notice and no efforts have been made by the administrators to actively recover the information held in the computer servers in the possession of the information commissioner."
The judge continued: "The actions of the company amounted to a wilful disregard of the enforcement notice which was served last year. I take into account and I am, of course, bound to take into account the company's plea of guilty through the administrators, albeit a plea of guilty entered on the day of the hearing."
SCL Elections Ltd was ordered to pay a fine of £15,000, a contribution to prosecution costs of £6,000 and a victim surcharge of £170. The ICO spent £6,573.75 prosecuting the firm.
Stockwell, on SCLE's behalf, asked for 30 days to pay the fine. ®