Give Me Liberty, Or Give Me Data Protection? A Troubling Implication Of The American Voter UK Data Protection Case

from the frying-pan-to-fire dept

Wed, May 9th 2018 3:34am — Cathy Gellis

The Guardian had an article this past weekend about what looks like a potentially successful attempt by an American to use UK data protection law to force Cambridge Analytica to divulge what information it had collected about US voters like him. Whether the UK Information Commissioner’s Office (ICO) is truly entitled to compel Cambridge Analytica to do anything, much less on behalf of an American, is an open question. But for purposes here, let's assume that UK data protection law works this way, that it was intended to work this way, and that it's good policy for it to work this way.

The problem is, it's one thing for the ICO to force Cambridge Analytica to share with the American voter himself what personal data it had about him. But it's another thing entirely for the ICO to force Cambridge Analytica to share the personal data it has about American voters with it. Yet it looks from the article like that's what ICO may have threatened to force Cambridge Analytica to do.

The troubling passage:

The covering letter from the ICO says that if Cambridge Analytica has difficulties complying, it should hand over passwords for the servers seized during its raid on the company’s office – something that raises questions also about what it has managed to retrieve from the servers so far.

Insert record scratch noise here. The framing of the article, and a lot of reaction to it, is that ICO is the white knight here, seeking to vindicate the privacy rights of Americans whose data has been scooped by Cambridge Analytica. Maybe so, but to the extent it proposes to do this by itself scooping up Americans' data (and hopefully future reporting can be more explicit on whether this is what is truly proposed; the Guardian article did not link to the cover letter, nor does the ICO's press announcement) such a move is extremely concerning.

Because regardless of how problematic it is for a private entity like Cambridge Analytica to have access to lots of data about American voters, for all those same reasons it is even more problematic for a government to. And while it would be bad enough if it were the American government demanding it, it's even worse if it's a foreign government that now has access to all this data about American voters.

It's not a question of how much we trust that foreign government. We might see the problem more easily if it were, say, Russian regulators demanding Cambridge Analytica give it all the data it has, but the fact that it is our UK ally demanding it makes no difference. Irrespective of how well-intentioned or trust-worthy one considers the UK government of today, or its data protection authority, we still fought a war or two to keep it out of American democracy. In fact, so unhappy were we about things the UK government had done to help itself to information about American lives that we even came up with a couple of constitutional amendments to ensure the practice would not be continued.

Thus no matter how we feel about Cambridge Analytica having acquired our data without our permission, it would be a strange thing to encourage governments to return to those old ways and get to acquire our data without our permission too. Especially not governments so politically unaccountable to those whose data they would now collect.

Because while voters like Professor Carroll might not care, the apparently indiscriminate way the ICO has acquired data by copying entire servers would seem to capture the data of many more American voters than just him. Which, to put into the language of EU privacy regulators, would constitute a sort of data acquisition that not all of us affected had consented to.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data protection, foreign governments, ico, information commissioner's office, uk, voter info
Companies: cambridge analytica

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 9 May 2018 @ 4:25am

if things were reversed, the USA would expect to be able to do whatever it wanted, get whatever information it wanted, from wherever it wanted, on anyone it wanted, regardless of where they lived or whatever nationality they were and order whosoever it wanted to comply!! why should the UK be any different??
[ link to this | view in chronology ]
- Anonymous Coward, 9 May 2018 @ 6:33am
  
  Re:
  and then lie about having demanded same
  [ link to this | view in chronology ]
- Anonymous Coward, 9 May 2018 @ 7:08am
  
  Re:
  You forget that the US and the UK trade so very much intelligence. Five Eyes. Any of that information on voters that the US doesn't have legal access to? "Hey, UK, how about a little quid pro there..."
  [ link to this | view in chronology ]
Anonymous Coward, 9 May 2018 @ 5:14am

Seems to me that if they don't want to be subject to European law, they shouldn't keep servers there
[ link to this | view in chronology ]
Simon, 9 May 2018 @ 5:23am

Legality
As the ICO is an independent organisation and not a part of government technically speaking the UK Government does not have access to the data.

Furthermore under the GDPR the "Public Task", and any derogations under "the prevention, investigation, detection or prosecution of criminal offences;" would justify accessing and processing this data.

from

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Y ou may be unhappy that the data is in UK hands and I sympathize with that view but the processing of it is in accordance with the GDPR and prior legislation. After all, in the UK, UK law is paramount.
[ link to this | view in chronology ]
- Anonymous Coward, 9 May 2018 @ 6:34am
  
  Re: Legality
  "in the UK, UK law is paramount."
  
  for the little people - as always
  [ link to this | view in chronology ]
DannyB (profile), 9 May 2018 @ 6:01am

Give Me Liberty
Give me Liberty or give me something of lesser or equal value. Or a coupon for it.
[ link to this | view in chronology ]
Richard (profile), 9 May 2018 @ 6:17am

You beileive?
We might see the problem more easily if it were, say, Russian regulators demanding Cambridge Analytica give it all the data it has,

You believe the Russian government doesn't already have this data???
[ link to this | view in chronology ]
Richard (profile), 9 May 2018 @ 6:24am

Problematic?
Because regardless of how problematic it is for a private entity like Cambridge Analytica to have access to lots of data about American voters, for all those same reasons it is even more problematic for a government to.

I'd say it is more problematic if a private entity has this data. At least governments are generally under some kind of legal framework that requires "fairness" in some sense.

The whole point of the ICO/data protection act/GDPR is to prevent the collection of this data without consent.

So if UK law had been complied with by Cambridge Analytics then this data wouldn't exist in the first place.

Of course, by having this data they have committed an offence and the data itself is now evidence.

In short it is necessary for the legal system to get this data in order to enforce the laws that are supposed to protect privacy.

You are complaining about the very thing that is supposed to prevent the problem in the first case.

How stupid is that??
[ link to this | view in chronology ]
- Anonymous Coward, 9 May 2018 @ 6:36am
  
  Re: Problematic?
  "At least governments are generally under some kind of legal framework that requires "fairness" in some sense."
  
  Fairness - LOL
  [ link to this | view in chronology ]
  - Richard (profile), 9 May 2018 @ 7:22am
    
    Re: Re: Problematic?
    Well at least a pretence of fairness - which is more than what is required from private organisations.
    [ link to this | view in chronology ]
Anonymous Coward, 9 May 2018 @ 7:06am

Wait .......
You want the Peasants to have Rights ?
[ link to this | view in chronology ]
Dingledore the Previously Impervious, 9 May 2018 @ 7:36am

But the order doesn't say anything like that
It clearly say that the data must be provided to the complainant.

In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of her powers under section 40 of the DPA, she requires that the data controller shall within 30 days of the data of this notice take the following steps:

Provide the complainant with:

(i) a description of the personal data processed by the data controller about the complainant;

(ii) a description of the purposes for which that data are being processed;

(iii) a description of the recipients or classes ofrecipients to whom the data are or may be disclosed;

(iv)copies of the information constituting personal data about the complainant in an intelligible form in accordance with the requirements of section 7 of the DPA and the Sixth Data Protection Principle, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA provided for in or by virtue of Part IV of the DPA which may apply;

and (v) a description as to the source of that personal data.

I haven't seen the cover letter, but that's not the order. It sounds as if the ICO is saying "this can be done", but nothing more at this point because CA aren't (yet) being prosecuted. Even if they were being prosecuted and the servers were confiscated as evidence, the Government would not have access to the data.

This seems to be another article on TD that confuses the UK state with the UK government. They're entirely different things. If the Government wanted access, they'd use the intelligence services - who probably already have the data anyway.
[ link to this | view in chronology ]
Anonymous Coward, 9 May 2018 @ 8:01am

Cambridge Analytica...told the ICO that Carroll was no more entitled to make a so-called “subject access request” under the UK Data Protection Act “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”.

Wow. Whatever PR firm they hired for damage control was obviously a bad choice.

(And: if the Taliban asks for their data, give it to them. "Just give us your address and we'll mail a disc.")

Whether the UK Information Commissioner’s Office (ICO) is truly entitled to compel Cambridge Analytica to do anything, much less on behalf of an American, is an open question.

Can you say more about this? It seems pretty straightforward to me that they can; what's questionable here? (Them requesting the data for themselves is weird, but the ICO saying CA has to follow the law seems uncontroversial.)
[ link to this | view in chronology ]
- Dingledore the Previously Impervious, 9 May 2018 @ 8:48am
  
  Re:
  > Whether the UK Information Commissioner’s Office (ICO) is truly entitled to compel Cambridge Analytica to do anything, much less on behalf of an American, is an open question.
  
  It's not an open question. The laws are for the UK organizations that are holding people's data. The location of the person requesting their data from that organization is not relevant.
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward (profile), 9 May 2018 @ 9:13am
    
    Re: Re:
    
    "The location of the person requesting their data from that organization is not relevant."
    
    It may not be relevant to you or me, but it is likely relevant to those who wish to profit in some way from the information. That group might include several governments, who in their various points of view, want to use such information in very different ways.
    
    If they are going to release the information to anyone, they should send it to the person about which it was collected, and only them. Then it should be destroyed. After that, verifying that is was sent only to the person(s) abused and its destruction would be an almost impossible task.
    [ link to this | view in chronology ]
    - Anonymous Coward, 9 May 2018 @ 10:04am
      
      Re: Re: Re:
      
      Then it should be destroyed. After that, verifying that is was sent only to the person(s) abused and its destruction would be an almost impossible task.
      
      That's where this whole thing started, of course. CA told Facebook in 2015 that they had deleted all this data.
      [ link to this | view in chronology ]
    - Anonymous Coward, 9 May 2018 @ 2:15pm
      
      Re: Re: Re:
      The ICO is an independent organization tasked with overseeing GDPR compliance. So if anyone in the world requests PII from a UK company, they are the ones who broker the release of that data. As such, they have authority to compel access into any org in the UK. Remember that in the UK, unlike the US, corporations aren't people, and don't have rights as strong as they do in the US: in the UK, corporations are created as a limited entity by the government, and as such, the government dictates what the corporation can and can not do. In exchange, the people running the corporation get a layer of protection.
      
      So this really does seem like how things are supposed to work.
      
      Always assume that any data you store in some country is accessible by that country's government, or some subset of it, because that's how governments tend to work.
      [ link to this | view in chronology ]
      - Dingledore the Previously Impervious, 10 May 2018 @ 2:14am
        
        Re: Re: Re: Re:
        GDPR doesn't just cover the UK - that was the DPA. GDPR is EU wide.
        
        >Always assume that any data you store in some country is accessible by that country's government, or some subset of it, because that's how governments tend to work.
        
        Absolutely, but they wouldn't use GDPR laws or ICO to get it. It's also why the UK gov tries to not store any such data outside the UK.
        [ link to this | view in chronology ]
    - Dingledore the Previously Impervious, 10 May 2018 @ 2:10am
      
      Re: Re: Re:
      >If they are going to release the information to anyone, they should send it to the person about which it was collected, and only them.
      
      Which is what the order said, and what I said.
      
      >That group might include several governments
      If those governments are partners in an organization in the UK, then it might, yes. But the horse would have bolted by then since they'd have the data. But they'd still be required to follow the DPA/GDPR laws, and that's not the point of this article.
      [ link to this | view in chronology ]