A case in point(lessness)

The Information Commissioner did a bit of business in Hendon Magistrates’ Court recently, as SCL Elections was fined £15000 for breaching an enforcement notice. Long ago, Professor David Carroll made a subject access request to Cambridge Analytica. As Cambridge Analytica was based in the US where SARs do not apply, they passed it to SCL Elections, a related company established in the UK, to process his request. Having received a response, Carroll claimed it was inadequate and complained to the ICO. After some correspondence, SCL and Cambridge Analytica went into administration. The ICO then served SCL with an enforcement notice over Carroll’s SAR, and SCL failed to comply with or appeal it.

On the face of it, it’s a win – fines in the Mags for breaches of ICO notices are usually in the low thousands, and after more than a year of a multi-million-pound investigation into data analytics, this seems a rare example of something actually happening. Following the humiliation of the first GDPR enforcement notice against AIQ, which had to be withdrawn and replaced, and the Facebook £500,000 penalty which was immediately appealed, you could argue that it’s a solid result for Team Wilmslow.

But the ICO reaction is weird – their website misleadingly claims that SCL was ‘also known as Cambridge Analytica’. SCL was a shareholder in Cambridge Analytica but the two companies are separate and based in different countries. Moreover, the ICO press release states “In pleading guilty, the company has accepted it should have responded fully to Professor Carroll’s subject access request and the ICO’s notice in the first place” but this is not what reality suggests. SCL’s guilty plea was helpfully tweeted out by Denham’s hagiographer Carole Cadwalladr, and it clearly says that they were pleading guilty to failing to answer the notice, not to any ‘misuse of data’.

Denham seems stuck in the past. This prosecution is, she says, ‘the first against Cambridge Analytica’ and her comment implies it won’t be the last, despite the fact that both SCL and Cambridge Analytica are being wound up. Since May 2018, the ICO’s needle on GDPR has barely twitched beyond that abortive AIQ notice, but the noise on analytics has been deafening. Whatever Cambridge Analytica did back in 2016, a massive change like GDPR requires a Commissioner completely focussed on implementing it. Stories about delays and poor decisions at the ICO are rife in the Data Protection community at the moment; the ICO can’t even keep its website up and running, and yet Denham seems dedicated to fighting old battles like a Japanese soldier lost in the Pacific who doesn’t know WW2 is over.

I can’t see what the SCL case has achieved. Carroll has trumpeted the criminal nature of the prosecution, claiming it proves that CA was a ‘criminal enterprise’, but the case is a relic. Under GDPR / DPA 2018, ignoring an enforcement notice is no longer a criminal offence and so there will never be another case like this. SCL might have pleaded guilty, but the substantive question of whether they gave Carroll all the data he was entitled to remains unresolved. They didn’t admit that they hadn’t, and the court cannot order them to deliver any outstanding data even if the judge thought that they should. The punishment for ignoring an enforcement notice can only ever be a financial one – a fine on conviction under the old rules, a penalty from the ICO under the new. The ICO must have known this going in.

The idea, of course, is a data controller will comply with an enforcement notice rather than face the possible punishment, but when the ICO served the notice on SCL, they were already in administration, so they were unlikely to respond in the normal way. Indeed, as the administrators confirmed, the prosecution was only possible because they gave ICO permission to take it forward. In a bizarre twist, the administrators’ guilty plea also revealed that data relating to Carroll isn’t in their possession – it is stored on the servers seized by the ICO on the celebrated Night of the Blue Jackets. So we’re in the bewildering position of the ICO starting enforcement on a defunct company, aware that the enforcement in question cannot result in any personal data being disclosed, and in the full knowledge that any relevant information is actually in their possession. It’s DP enforcement designed by MC Escher. You have to wonder why ICO didn’t just give Carroll his data themselves.

Underneath the surface froth, there are some interesting issues. SCL’s approach to the ICO (as set out in the enforcement notice) is an exemplar in how not to deal with a regulator. In my former life as a Data Protection Officer, I was guilty of a ‘make them blink first’ approach to ICO case officers, but I never did anything as stupid as to make comparisons to the Taliban in my correspondence, or to demand that the ICO stop harassing my employer. More importantly, SCL committed a glaring tactical mistake by switching their approach mid-race. Initially, they answered Carroll’s request, but then u-turned into a claim that his request was invalid because he was a US citizen (hence the remark that he was no more entitled to make a request than a member of the Taliban). In my opinion, had they stuck to their guns and argued that there was no more data, the case would have been less appealing as an enforcement issue. In deciding to change tack, the onus is on them to convince the ICO of the change, rather than getting all holier-than-thou.

Equally interesting is Carroll’s claim that he should be treated as a creditor of the business, which he outlined to the FTProf Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor — just like the financial creditors,” he says. “There are outstanding obligations to me.”

I think this argument is nonsense, but the idea that data subjects own their data is a popular myth (revived with enthusiasm by the introduction of the GDPR). The problem / advantage with personal data is that it can be easily and quickly replicated; I can take a copy of your data without your permission, but unlike a conventional theft, you still have it. You can get access to the data I hold about you under a SAR or portability, but once again, I give you a copy and keep my version. Only in limited circumstances can you request that I delete it, and there are many exceptions.

Admittedly, GDPR gives the subject more control over their data than before, but it doesn’t give them ownership. It’s misleading to suggest that a data controller doesn’t really own personal data when there are so many circumstances where they can obtain, disclose, retain or destroy it without the permission of the subject, and when the opportunities for the subject to object are so limited. I don’t think Carroll understands this, but it would be interesting to see his ‘creditor’ notion tested.

Teasing this out might have been a justification for the ICO to enforce on SCL, except for the obvious fact that these issues would never be raised by doing so. If SCL hadn’t pleaded guilty, the question for the court would be whether SCL breached the notice and nothing else. Because SCL made no attempt to comply with or appeal the notice, they never had much to argue about. The enforcement notice was remarkably misguided considering ICO actually holds the data, but it is a tribute to SCL’s ineptitude that they didn’t choose to highlight this by appealing.

According to Carroll, the fight goes on with other cases, so his beef with SCL / Cambridge Analytica might one day result in something interesting, but there’s nothing here. I don’t believe that the ICO has any business enforcing Data Protection on behalf of Americans when they’re so lackadaisical about doing so on behalf of people in the UK, and so this case is an almost offensive waste of resources. But even if you disagree, all they’ve achieved here is given the corpse of SCL a good kicking, with a result that doesn’t tell us anything about the future or very much about the past.

 

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Facebook posts can mean prison

When I lived in Wigan, the most common response to seeing a copy of the local weekly, the Wigan Observer, was to turn to the page that showed who had been up in front of the magistrates. Like most people, what I wanted to know was whether anyone I had been to school with had broken into a shed or got drunk and hit a policeman with a fire extinguisher. In recent days, the Manchester Evening News, normally a paper with a rich and varied coverage, has been transformed by marathon court sittings into a multi-page version of the same thing. It’s an endless succession of self-destructive anecdotes – the guy identified by his Batman jumper, the chef who stole a camera ‘because he did not have one’, and the squaddie who tried to sell a £2000 Les Paul guitar that he claimed he had bought during the riots.
Today, I assume the MEN will go for the comparatively huge sentences for two chaps in Cheshire who tried (and thankfully, failed) to use Facebook to incite riots in Northwich and Warrington: http://tinyurl.com/3utotsu. However, the story is an object lesson in how so many people do not understand social media or electronic communications.
I’m paranoid. As far as possible, I never write anything in an email that I wouldn’t want to have broadcast. I had an email exchange recently where a friend sent increasingly rude and abusive jokes about a third party we both know, and all of my responses were basically “                    “ . I didn’t want my opinions on record, especially as the tone of an email is incredibly hard to judge.
On the other hand, Facebook, instant messaging and email allow some parts of society to extinguish the concept of an unexpressed thought. The Daily Mail is a rich seam of stories about people saying ridiculous and damaging things on Facebook and similar sites – the teacher who criticised her pupils http://tinyurl.com/3c65fkx or the girl sacked after describing her new job as ‘boring’ http://tinyurl.com/d4h9c5. The Mail still hasn’t thought of different way of illustrating these stories than asking the subject to pose in front of a computer, as if it’s impossible to understand the situation otherwise. In both of these cases, people’s careers are damaged; in others, (a quick Google search will show you many), people also get sacked, or damage their reputations or ruin their family lives.
Fast forward to today, and we see these two young men going to prison (and the Mail has another one here: http://tinyurl.com/4xpowny. Meanwhile, the DisabledGo News blog reports Facebook comments allegedly made by employees of Atos, the firm delivering the work programme, describing disabled clients as ‘parasitic wankers’ and ‘down and outs’: http://tinyurl.com/3bpvb66. This could have consequences both for their careers, and for the company’s contracts.
I’m far from the first to say this, but much as social media has connected the world in new and interesting ways, it has also opened the door for a lot of people to cause themselves huge damage. No matter who you are, the lesson has to be learned: THINK BEFORE YOU TYPE. Who might read what I have said? How might it be misinterpreted? Can I trust the recipients not to forward it on to everyone they know? Facebook encourages lots of friends, while an email is the ultimate form of portable, airborne information.