UK political consultancy firm, Cambridge Analytica (CA), acquired Facebook user data initially gathered for academic research and used it to influence political campaigns. As shown by papers released by a former CA employee, Chris Wylie (the Papers), CA used the data to campaign for Donald Trump in at least 11 US States during the 2016 US election. They have also been linked to over 200 elections worldwide and their activity has caught the attention of the United Kingdom’s Information Commissioner’s Office (ICO), who is investigating CA for breaking data protection laws.

Background

In 2015, a psychologist Dr Aleksandr Kogan, created a Facebook app through his company Global Science Research Ltd (GS), called “thisisyourdigitallife”. 270,000 people downloaded the app and were asked to complete a personality test and give their consent to GS to access their profile information, including what content they had ‘liked’. In addition to this information, GS also harvested the profile information of a users’ friends.

The total number of profiles said to have been captured by the app is around 87 million; all of which were licensed to Cambridge Analytica in an agreement dated 4 June 2014 (the Papers, page 71). According to Wylie, CA analysed the relationships between personality traits and political preferences to inform the campaign strategies of Donald Trump and the Brexit referendum’s Vote Leave group. ICO is investigating the latter of these allegations.

Analysis

ICO’s powers of investigation and enforcement come from the Data Protection Act 1998 (the Act). The Act distinguishes between data controllers and processors; the former having a higher burden of responsibility. CA would be classified as the data controller, as they exercise professional judgement and significant decision-making over how the data is processed. This is despite clause 9.3 of the licensing agreement which attempts to relinquish CA of their regulatory burden by recognising GS as the sole data controller.

CA’s burden of responsibility is further raised by the fact that their activity comes under the Act’s definition of marketing which, according to ICO guidance, includes the actions of political organisations in the promotion of aims and ideals. Political campaigning is defined by ICO as “activity in support of, or against, a political party, a referendum campaigner or a candidate.” This could be taken from one of CA’s brochures.

The Act raises the bar further by distinguishing between data which is simply personal and that which is sensitive and personal. There is a higher burden of protection placed on sensitive personal data which relates to a data subject’s race, politics, religion, health, and sexuality. Not only do Facebook profiles invariably contain these indicators but GS were contractually obliged to handover users’ names; gender; date of birth; addresses; GS ‘Big Five’ personality survey scores; GS Republican Party support score; GS political involvement score; and political volatility score.

Cambridge Analytica are therefore a data controller engaging in political campaigning with sensitive personal data; a triad of attributes that imposes the highest of data protection standards. In enforcing these standards, the ICO will investigate whether CA’s processing of the Facebook user data breached any of the eight Data Protection Principles.

The first principle is perhaps the most important of all: that personal data must be processed fairly and lawfully. At its core is the requirement that the data subject consents to the processing. As it is sensitive personal data, this consent must be expressly given, implicit consent is insufficient. This is precisely what is at issue with CA’s acquisition of the data.

As for the friends of those users who downloaded the app, no consent was given whatsoever for their data to be harvested, passed on to another party and used in political campaigning. While the app’s users may have consented to having their data used for academic purposes, the first principle requires that they must not be misled as to the purpose of the processing and any further processing.

As the data was initially obtained under the pretext of academic research before it was licensed to CA for political campaigning, the first principle appears breached. Indeed, the ICO’s guidance explicitly states that “marketing organisations must not ask market research firms they employ to give them the research data for future sales or marketing purposes unless the individuals contacted agree to this.”

The issue of conflicting purposes is also relevant for the second principle. This principle holds that personal data must be obtained for lawful purposes and processed for the same or compatible purposes. The ICO are unlikely to find that CA’s political campaigning during the Brexit referendum is the same or a compatible purpose to Dr Kogan’s academic research or even to their own stated purpose which was “to further enhance or augment [CA’s] political modelling of the [US] population” (clause 6.1 of the licensing agreement).

Conclusions

ICO have been investigating the use of data analytics for political purposes since early 2017, but it was Wylie’s public revelations that precipitated the dramatic court battle over the warrant and its subsequent execution against Cambridge Analytica. Despite rumour, the drama and delay was not due to any conspiracy, nor was Elizabeth Denham’s announcement, as the Information Commissioner, a clumsy tip off.

The ICO have to give CA at least seven days’ notice and allow them to fight the application in court. Indeed, both parties had been negotiating the terms of an onsite inspection since early February. If the ICO continue with their investigation, they may fine CA up to £500,000.