ICO -v- SCL Elections case highlights data protection applies to non-EU citizens too

The ICO have taken SCL Elections Ltd (AKA Cambridge Analytica) to court, and won, over a failure to comply with an enforcement notice issued to the company back in May 2018 further to a complaint and investigation that took place towards the end of 2017.

Whilst Cambridge Analytica is probably best known for its part in the election and Facebook scandals of the last year or so, this specific case related to a subject access request from Professor David Carroll, a US citizen who also resided in the US. Professor Carroll had served SCL with a subject access request (under the old data protection legislation, i.e. the DPA 1998), and SCLE had provided the data held with some explanation of its source and processing. However, Professor Carroll complained to the ICO that he didn’t feel he’d been provided with all the data, or with a clear explanation as to where the data had come from or what it was going to be used for.

The ICO discussed this with SCLE, but SCLE refused to provide any further information, citing that Professor Carroll was neither a UK citizen nor resided in the UK and was therefore not entitled to a subject access request right under the Data Protection Act 1998. Despite the ICO explaining why it had jurisdiction and that SCLE did have to abide by UK law regardless of the nationality of the data subject, SCLE continued to fail to provide the additional information, so the ICO issued an enforcement notice (in May 2018).

SCLE did not provide the additional information within the timescales set in the enforcement notice, so the ICO took them to court. The court ruled in favour of the ICO (failure to comply with an enforcement notice is a criminal offence), resulting in a £15k fine for SCLE plus expenses.

So what can we learn from this ruling?

When we talk about GDPR or data protection “extra-territorial scope” we tend to think about the reach the GDPR has with regard to businesses operating outside the EU but targeting and processing personal data of EU citizens. The GDPR has a range of clauses and requirements about what happens in such circumstances.

What this case highlights is that when it comes to processing personal data in the UK, the nationality of the Data Subject is irrelevant when the organisation processing the data operates in the UK, meaning that the ICO have jurisdiction and UK data protection legislation applies.

Need help with subject access requests?

Whether you need help understanding what you need to do when you’re served with a subject access request, or whether you’re looking for someone to take care of them (and general compliance) for your organisation (i.e. you’re looking for a Data Protection Officer (DPO)), a Digital Compliance Hub subscription can help your organisation. Get in touch if you’d like to find out more.
