Cambridge Analytica: would GDPR make a difference?
In recent times, there have been a host of data protection breaches involving large organisations. The allegations facing Cambridge Analytica and Facebook could feel like nothing more than the next in a long line but, in a world where social media has become an intrinsic part of society, the alleged misuse of data of over 50 million Facebook users is a worry to everyone.
The Information Commissioner is an independent official whose role is to uphold information rights and ensure that data protection laws are complied with. The Information Commissioner's Office (ICO) is able to investigate whether data protection laws have been breached, either by acting on complaints or by conducting proactive investigations of its own volition. The ICO has a number of powers available to it to obtain information and assess whether data is being properly and lawfully used or held.
The Data Protection Act 1998 sets out the law which governs how data must be handled with the intention of protecting the public. But the law is changing in the next few months in the hope of making data protection obligations even more robust and increasing the deterrent by allowing much larger fines to those who cause data breaches.
In May 2018, the General Data Protection Regulation (GDPR) comes into force. It is being incorporated into UK law by the Data Protection Bill, which is on course to receive royal assent within the same timeframe (it's currently at the Committee Stage in the House of Commons). GDPR extends the scope of what is considered to be personal data, for example to include IP addresses and other forms of digital data which can be associated with an individual.
In the event of a breach, the maximum fine has been substantially increased from the current £500,000 to £18 million or 4% of global turnover.
So the data protection laws are getting more teeth, and large organisations like Facebook and Cambridge Analytica need to pay attention in the same way that any smaller business handling personal data will have to.
There are weaknesses in the current legal structure which it was hoped would be strengthened by the incoming legislation. For example, the ICO is able to take various forms of regulatory action against an organisation, including the issuing of what is known as an Information Notice, which requires the recipient to supply the ICO with information for the purpose of assessing whether data protection laws have been complied with. However, the weakness in taking this action is that, although failure to comply with an Information Notice is in itself a criminal offence punishable by a fine in the Magistrates’ Court, the recipient of such a Notice cannot be compelled to disclose the material requested.
Turning to the current case of Cambridge Analytica, it is not known what previous steps the ICO has taken in an attempt to get information from either that organisation or Facebook, but press reports suggest that the Information Commissioner is considering applying for warrants to obtain the information because of a previous lack of co-operation. It is not public knowledge whether or not Information Notices have been issued and ignored. (It is assumed that they have not; otherwise criminal action could be taken against the organisation irrespective of whether the ICO then chooses to apply for a warrant.)
It is therefore not possible to comment on the facts of this case or on whether Information Notices have previously been issued but, for the purposes of this article, we look at the hypothetical scenario of an investigation by the ICO in which such Notices were issued and ignored, as an illustration of the differences between the current law and that soon to be introduced by GDPR and the Data Protection Bill.
The first thing to take into account is that GDPR is not retrospective. If a data breach occurs before May 2018, then the larger fines imposed by GDPR are not applicable. However, the failure to comply with any Information Notice issued in this period could see the organisation receiving a separate fine irrespective of any subsequent sanction imposed as a result of the data breach itself.
Where the investigation into any breach occurs on or after 25 May 2018, the GDPR and the Data Protection Bill (as currently drafted) will remove the criminal sanction for failing to comply with an Information Notice and replace it with a monetary fine imposed directly by the ICO. The Information Commissioner has written to parliament at the committee stage to express concerns about this change on the grounds that it is "likely to be less of a deterrent, as data controllers with deep pockets might be inclined to pay the fine, rather than disclose the information being requested."
If no further amendments are made to the incoming legislation, the effect of Information Notices may be eroded, which will mean that the more intrusive, time-consuming and costly method of applying to the court for warrants will be required more frequently.
Irrespective of what eventually plays out with the Cambridge Analytica/Facebook investigation, the fact remains that data protection is again at the forefront of public concern and the laws are changing to reflect this.