By Sascha Matuszak
On Friday, May 4, the UK Information Commissioner’s Office (ICO) sent a letter to SCL Elections Limited, Cambridge Analytica’s parent company, demanding the release of information regarding a US voter, David Carroll. Legal experts consider the ICO’s actions—demanding the information and advising Cambridge Analytica that it would be a criminal offense to refuse to comply—to be a watershed moment in the debate regarding how governments can regulate data that is controlled, processed, and transferred across national borders.
“It’s this fascinating situation because when it became apparent that Cambridge Analytica had processed Americans’ data in Britain, it suddenly opened up this window of opportunity,” said Ravi Naik, a human rights lawyer with Irvine Thanvi Natas, the British solicitor who is leading the case, as quoted in The Observer. “In the US, Americans have almost no rights over their data whatsoever, but the data protection framework is set up in such a way that it doesn’t matter where people are: it matters where the data is processed.”
The IOC decision opens up the possibility that as many as 270 million Americans can make similar subject access requests for information on how Cambridge Analytica obtained their data, what the company did with their data, and who else had access to or helped process that data. Not only that, but because the UK will be subject to the GDPR come May 25th (and is already preparing through new legislation, such as the Data Protection Bill and other measures), any person, regardless of citizenship, can theoretically submit a similar subject access request for his/her own data to a company that controls, processes, or transfers data within the UK or EU. It also opens up companies, such as Cambridge Analytica, to class action lawsuits from the millions of people whose personal data are stored on the companys’ encrypted servers. [Read more…]