Even as Facebook is offering new features and making promises about greater privacy for its users in an attempt to wash off the stench of the Cambridge Analytica data-breach scandal, that scandal continues to haunt the company. On Sunday, the British Information Commissioner’s Office (ICO) ordered SCL Elections, Cambridge Analytica’s parent company, to provide an American citizen, David Carroll, all of the information it has on him.
As the Associated Press reported, this decision by the ICO confirms the right of Facebook users outside the U.K. to seek — and receive — data held on them by a U.K. firm.
While the order from Britain’s data privacy watchdog office names SCL (and by extension, Cambridge Analytica) and not Facebook, this is still bad news for the beleaguered social-media giant. Not only does this move by the British government set a precedent that will allow millions of Americans and others around the world to demand that Cambridge Analytica hand over the private data the company collected about them, it also pushes past the veil behind which Facebook has always hidden that data.
In the past, Facebook has been able to take cover behind its user agreement and craftily worded “privacy policy” (a misnomer if ever there was one) in keeping the data the company holds on users away from those users. In short, the data users can download from Facebook by clicking the “download all my data” button buried deeply in their account settings is far from all of the data the company holds on those users. But until now, the veil has held up and users could only speculate as to just how much the company knows about them. With Pandora’s box having been opened by the British ruling, that is changing.
By forcing Cambridge Analytica to release the data to Carroll, the ICO is essentially ordering the company to reveal everything it harvested from Facebook about Carroll. That information is a good indicator of what information Facebook gathers on its users.
The case began when Carroll, a media design professor at Parsons School of Design in New York City, filed under the U.K. Data Protection Act of 1998 for Cambridge Analytica to release to him all of the data the company collected on him. He filed that request in January 2017 — considerably before Cambridge Analytica was in the headlines in the wake of revelations that the company had mined the Facebook data of at least 87 million U.S. voters and used that data to manipulate the 2016 elections.
In response to his request, Carroll was sent a spreadsheet the company claimed contained “all of the personal data to which he was legally entitled.” Professor Carroll’s ICO complaint says he was “not satisfied” that claim was true and accurate, so he filed the complaint.
SCL (Cambridge Analytica’s parent company) still refused to comply, saying that since Carroll is not a U.K. citizen and is not based in the U.K., he had no rights under the Data Protection Act. ICO disagreed and informed SCL of that. In an online statement on the matter, Information Commissioner Elizabeth Denham said, “The company’s reply refused to address the ICO’s questions and incorrectly stated Prof Carroll had no legal entitlement to it because he wasn’t a UK citizen or based in this country,” reads the statement. “The ICO reiterated this was not legally correct in a letter to SCL the following month.”
The statement goes on to say that SCL/Cambridge Analytica has “consistently refused to co-operate” with their investigation and has “refused to answer” specific questions about the data the company has on Carroll.
The issue of privacy as it relates to data-mining is a key component of liberty. After all, if you have no control over who may collect your personal data and have no right to even know what has been collected, are you truly free? Commissioner Denham wrote in the statement,
The right to request personal data that an organisation holds about you is a cornerstone right in data protection law and it is important that Professor Carroll, and other members of the public, understand what personal data Cambridge Analytica held and how they analysed it.
Part of SCL/Cambridge Analytica’s initial response to the ICO was to deny “that the ICO had any jurisdiction or that Prof Carroll was legally entitled to his data,” according to the ICO statement. The statement adds that SCL/Cambridge Analytica stated that the company did “not expect to be further harassed with this sort of correspondence.”
SCL/Cambridge Analytica has filed for insolvency in the wake of the Facebook data-breach scandal. While that may protect the company from honoring its debts, it will not likely shield it — or its principals — from the likelihood of criminal charges if they fail to obey the ICO order to furnish Carroll’s data withing 30 days. The ICO statement says:
We are aware of recent media reports concerning Cambridge Analytica’s future but whether or not the people behind the company decide to fold their operation, a continued refusal to engage with the ICO will potentially breach an Enforcement Notice and that then becomes a criminal matter.
The implications of this case are far-reaching on both sides of the pond. Professor Carroll’s U.K. lawyer, Ravi Naik, may have put it best, saying, “The ICO’s decision will provide us all with answers about what Cambridge Analytica did with people’s data, how it was used and who it was given to.”
As this writer asserted above, it will also pull back the veil, showing Facebook users much more of what the social-media company knows about them. And that will likely be big news, too.
