A case in point(lessness)

The Information Commissioner did a bit of business in Hendon Magistrates’ Court recently, as SCL Elections was fined £15000 for breaching an enforcement notice. Long ago, Professor David Carroll made a subject access request to Cambridge Analytica. As Cambridge Analytica was based in the US where SARs do not apply, they passed it to SCL Elections, a related company established in the UK, to process his request. Having received a response, Carroll claimed it was inadequate and complained to the ICO. After some correspondence, SCL and Cambridge Analytica went into administration. The ICO then served SCL with an enforcement notice over Carroll’s SAR, and SCL failed to comply with or appeal it.

On the face of it, it’s a win – fines in the Mags for breaches of ICO notices are usually in the low thousands, and after more than a year of a multi-million-pound investigation into data analytics, this seems a rare example of something actually happening. Following the humiliation of the first GDPR enforcement notice against AIQ, which had to be withdrawn and replaced, and the Facebook £500,000 penalty which was immediately appealed, you could argue that it’s a solid result for Team Wilmslow.

But the ICO reaction is weird – their website misleadingly claims that SCL was ‘also known as Cambridge Analytica’. SCL was a shareholder in Cambridge Analytica but the two companies are separate and based in different countries. Moreover, the ICO press release states “In pleading guilty, the company has accepted it should have responded fully to Professor Carroll’s subject access request and the ICO’s notice in the first place” but this is not what reality suggests. SCL’s guilty plea was helpfully tweeted out by Denham’s hagiographer Carole Cadwalladr, and it clearly says that they were pleading guilty to failing to answer the notice, not to any ‘misuse of data’.

Denham seems stuck in the past. This prosecution is, she says, ‘the first against Cambridge Analytica’ and her comment implies it won’t be the last, despite the fact that both SCL and Cambridge Analytica are being wound up. Since May 2018, the ICO’s needle on GDPR has barely twitched beyond that abortive AIQ notice, but the noise on analytics has been deafening. Whatever Cambridge Analytica did back in 2016, a massive change like GDPR requires a Commissioner completely focussed on implementing it. Stories about delays and poor decisions at the ICO are rife in the Data Protection community at the moment; the ICO can’t even keep its website up and running, and yet Denham seems dedicated to fighting old battles like a Japanese soldier lost in the Pacific who doesn’t know WW2 is over.

I can’t see what the SCL case has achieved. Carroll has trumpeted the criminal nature of the prosecution, claiming it proves that CA was a ‘criminal enterprise’, but the case is a relic. Under GDPR / DPA 2018, ignoring an enforcement notice is no longer a criminal offence and so there will never be another case like this. SCL might have pleaded guilty, but the substantive question of whether they gave Carroll all the data he was entitled to remains unresolved. They didn’t admit that they hadn’t, and the court cannot order them to deliver any outstanding data even if the judge thought that they should. The punishment for ignoring an enforcement notice can only ever be a financial one – a fine on conviction under the old rules, a penalty from the ICO under the new. The ICO must have known this going in.

The idea, of course, is that a data controller will comply with an enforcement notice rather than face the possible punishment, but when the ICO served the notice on SCL, they were already in administration, so they were unlikely to respond in the normal way. Indeed, as the administrators confirmed, the prosecution was only possible because they gave ICO permission to take it forward. In a bizarre twist, the administrators’ guilty plea also revealed that data relating to Carroll isn’t in their possession – it is stored on the servers seized by the ICO on the celebrated Night of the Blue Jackets. So we’re in the bewildering position of the ICO starting enforcement on a defunct company, aware that the enforcement in question cannot result in any personal data being disclosed, and in the full knowledge that any relevant information is actually in their possession. It’s DP enforcement designed by MC Escher. You have to wonder why ICO didn’t just give Carroll his data themselves.

Underneath the surface froth, there are some interesting issues. SCL’s approach to the ICO (as set out in the enforcement notice) is an exemplar in how not to deal with a regulator. In my former life as a Data Protection Officer, I was guilty of a ‘make them blink first’ approach to ICO case officers, but I never did anything as stupid as to make comparisons to the Taliban in my correspondence, or to demand that the ICO stop harassing my employer. More importantly, SCL committed a glaring tactical mistake by switching their approach mid-race. Initially, they answered Carroll’s request, but then u-turned into a claim that his request was invalid because he was a US citizen (hence the remark that he was no more entitled to make a request than a member of the Taliban). In my opinion, had they stuck to their guns and argued that there was no more data, the case would have been less appealing as an enforcement issue. In deciding to change tack, the onus is on them to convince the ICO of the change, rather than getting all holier-than-thou.

Equally interesting is Carroll’s claim that he should be treated as a creditor of the business, which he outlined to the FT:

Prof Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor — just like the financial creditors,” he says. “There are outstanding obligations to me.”

I think this argument is nonsense, but the idea that data subjects own their data is a popular myth (revived with enthusiasm by the introduction of the GDPR). The problem / advantage with personal data is that it can be easily and quickly replicated; I can take a copy of your data without your permission, but unlike a conventional theft, you still have it. You can get access to the data I hold about you under a SAR or portability, but once again, I give you a copy and keep my version. Only in limited circumstances can you request that I delete it, and there are many exceptions.

Admittedly, GDPR gives the subject more control over their data than before, but it doesn’t give them ownership. It’s misleading to suggest that a data controller doesn’t really own personal data when there are so many circumstances where they can obtain, disclose, retain or destroy it without the permission of the subject, and when the opportunities for the subject to object are so limited. I don’t think Carroll understands this, but it would be interesting to see his ‘creditor’ notion tested.

Teasing this out might have been a justification for the ICO to enforce on SCL, except for the obvious fact that these issues would never be raised by doing so. If SCL hadn’t pleaded guilty, the question for the court would be whether SCL breached the notice and nothing else. Because SCL made no attempt to comply with or appeal the notice, they never had much to argue about. The enforcement notice was remarkably misguided considering ICO actually holds the data, but it is a tribute to SCL’s ineptitude that they didn’t choose to highlight this by appealing.

According to Carroll, the fight goes on with other cases, so his beef with SCL / Cambridge Analytica might one day result in something interesting, but there’s nothing here. I don’t believe that the ICO has any business enforcing Data Protection on behalf of Americans when they’re so lackadaisical about doing so on behalf of people in the UK, and so this case is an almost offensive waste of resources. But even if you disagree, all they’ve achieved here is to give the corpse of SCL a good kicking, with a result that doesn’t tell us anything about the future or very much about the past.


Stop the press

Whatever the rights and wrongs of the Leveson proposals for press regulation, the Independent Press Standards Organisation is currently the preferred regulator for most newspapers. Even if you think that IPSO shouldn’t be the regulator for press standards and something more rigorous should be, there is no question that for most of the press, IPSO is the preferred choice. This means that an adverse IPSO decision is something to take seriously.

In January 2015, the Lancashire Evening Post published a story about the use of images of children on a Russian file sharing website, which the paper described as a “Russian pervert website” and a “paedophile website”. Because readers would be unable to understand the story without being reminded what children look like, the paper reproduced images of some of the children. The images were small and pixellated, but they were real children whose images had appeared on the site, and the parents were unaware that the paper was publishing them.

One of the children was recognised by family friends, who contacted the mother to alert her (she had originally posted the images on Facebook). She complained to the paper and received an apology. The paper’s plan to use the images in a follow-up article was abandoned. Unsatisfied, she complained to IPSO, who upheld her complaint that the newspaper had breached her child’s privacy. There is an argument to be had about how much protection anyone can expect once they have posted images of their children onto the internet. I have moments where I sympathise wholly with the average Facebook user, who has been softened up by big internet companies to share every waking moment with the web, and moments where I think that if you don’t want your kids’ pictures to end up on RussianPaedos.com, you should keep them offline. But the Lancashire Evening Post is not a dodgy file sharing hub, it is a newspaper whose license to use personal data and intrude into privacy is based on the public interest. They can’t simply shout ‘public domain’ and then run and hide like a certain charity I could mention.

There is, of course, a journalist’s exemption in the Data Protection Act which is second only to the national security one in terms of its scope. Section 32 removes the requirement to comply with any of the data protection principles if data is being used for journalistic purposes, as long as the data controller (here, the Lancashire Evening Post) reasonably believes that publication is in the public interest, and complying with the relevant principle is ‘incompatible’ with the public interest in publication.

The exemption isn’t absolute – if it is possible to publish and comply without the two coming into conflict, then the newspaper should do so. Nevertheless, it’s not hard to see why journalists routinely publish information without (for example) informing subjects, without allowing them a right of subject access, or meeting a data protection condition. The exemption is designed to prioritise freedom of expression over privacy, like it or not. However, in this case, I don’t think the exemption could possibly apply.

Most importantly, the Lancashire Evening Post’s failed defence against the mother’s complaint is that the image was not identifiable: “It strongly denied that the child was identifiable from the photographs”. Given that this story starts with the mother’s friends recognising the child from the published image, this is clearly nonsense. If it wants to use a pixellated image of a real child, the onus is on the paper to ensure that the child cannot be identified, and in this they clearly failed.

In this case, S32 doesn’t apply. The Post’s argument isn’t that it was in the public interest to publish the image of an identifiable child. I think that argument is impossible to make, because the public interest would surely count against the identification of a child in these circumstances unless the parents consented (and even then, the interests of the child would be more important than the views of the parent). However, the newspaper’s case is that the image wasn’t identifiable, and they have been found to be wrong, firstly by what happened in the real world, and secondly by the independent press regulator.

It won’t happen, and I doubt my call for journalists to be punished for something will generate much support, but this case presents an opportunity for the Information Commissioner to take some action – even if the mother does not complain, there is nothing to stop the ICO from getting involved. The Wilmslow business model is based on a production line of undertakings and (occasionally) civil monetary penalties against public sector bodies who have reported themselves for losing data or sending it to the wrong place. This convinces everybody (most notably, the ICO itself), that this is where the problem lies. That’s not to say that the public sector doesn’t have a problem, it’s just that every sector has the same or a bigger problem and the ICO doesn’t do much about all the others. When newspapers publish inconvenient and embarrassing information about people, data protection isn’t supposed to get in the way. But when newspapers unnecessarily screw up, they should face the same scrutiny as councils and health bodies. The ICO does not have a proud track record of taking on the press when they act unlawfully. The Lancashire Evening Post doesn’t pretend that identification of this child was necessary or relevant, so there is no reason at all why they should not be investigated. This would have two benefits – firstly, it would remind all those who publish data that the public interest in freedom of information does not excuse sloppy data handling, and secondly, it would show that the Commissioner has more imagination than simply chasing another misdialled fax number in the hope of a press release.