It was reported in the Guardian last month that Cambridge Analytica’s parent company, SCL, held provisional List X status, until 2013. According to the government’s own website this means it was a company “operating in the UK who are working on UK government contracts which require them to hold classified information. This information is at ‘Secret’ or above or international partners information classified ‘Confidential’ or above, and is held their own premises at a specific site”. See more about List X here. The MOD reportedly paid the company nearly £200,000, £40,000 of which was for “external training”.

It has also been widely reported that Cambridge Analytica harvested 50 million Facebook profiles, data it used for financial gain. Its use of such data is now under investigation by the Information Commissioner’s Office (ICO). On 21 March 2018, the ICO (eventually) obtained a warrant to search the company’s offices. To do so, the court needed to be satisfied, amongst other things, that there was reasonable suspicion an offence under s 55 of the Data Protection Act 1998 had been committed (unlawful obtaining of personal data).The judgment in respect of the warrant can be found here.

A statement by Christopher Wylie, a former senior employee of SCL and Cambridge Analytica, supported the application for the warrant. This statement referred to the data as “unlikely to be held in a single file or table and that multiple tables or databases with varying file names would be likely to contain elements or fragments of its data or its derivatives” (emphasis added).

This blog explores the legal implications that would arise if, as a List X company, SCL or Cambridge Analytica, one or more of these databases were provided to the MOD or other government departments for exploitation.

What we know now but didn’t when SCL were providing whatever services they provided to the MOD is that databases containing “sets of personal information about a large number of individuals” were and are routinely used by the intelligence services. Perhaps somewhat counter-intuitively, these sets of personal information relate to persons, “the majority of whom [are] not…of any interest to [the intelligence services]”. These are now known statutorily as “bulk personal datasets”. The quotes above are from the Security Service’s own website but it only avowed their existence on 12 March 2015 and only did so as a result of a case brought by Privacy International before the Investigatory Powers Tribunal. Details here.

There was a justifiable sense of unease about the use of the use of such data. In response, the government commissioned the former independent reviewer of terrorism legislation, David Anderson QC to carry out a review. Anderson’s “A Question of Trust” was the blueprint for what became the Investigatory Powers Act. His review identified the importance bulk personal datasets played in meeting threats to the United Kingdom and that there was a strong operational case for their use but cautioned that their legitimacy would only be sustainable if there existed “a strong oversight body” that operated “on a properly informed basis”.

The bulk personal dataset was made formally and expressly a creature of statute in Part 7 of the Investigatory Powers Act 2016 (the 2016 Act). Prior to this, the nebulous s 94 of the Telecommunications Act 1984 was shoehorned into intelligence law as the basis for acquisition, retention and use of bulk personal datasets.

Under Part 7, only the intelligence services can apply for a warrant for their use and where issued, it requires judicial approval (see the earlier blog here as to the approach the Investigatory Powers Commissioner will take to approval decisions). There are a series of conditions that must be met before a warrant can be issued, including a necessity test based on meeting the threshold of the interests of national security and the economic wellbeing of the United Kingdom so far as this relates to national security. Surprisingly perhaps, it can also be used for the purpose of prevention and detection of serious crime. Since the intelligence agencies only support law enforcement in this connection, it can reasonably be inferred that such data as is acquired, retained and accessed, at some stage finds its way into the possession of the police.

Accessing material that was unlawfully obtained would unquestionably put the 2016 Act on a collision course with data protection laws. Under the Data Protection Bill the existing framework under the Data Protection Act 1998 will, according to the Home Office’s website, be “updated” and brought “in line with international standards”. It remains the case that processing must be “lawful, fair and transparent” – even in national security cases. This says little, although implies much, about the lawfulness of the acquisition of intelligence.

There is no express requirement that a personal bulk dataset must be legally obtained but huge issues arise if the SCL material was used or may still be being used in this way. Certainly the MOD could not use the dataset under the new legal framework, nor could any other public authority that was not one of the intelligence services. If it was or is data being used by MI5, MI6 or GCHQ, then it is an issue of quality of law: is it foreseeable, having regard to the position pre-the 2016 Act and after its enactment, that harvested Facebook profiles could form part of a bulk personal dataset capable of exploitation by the intelligence services? The answer to that may need to await further revelations from those making the disclosures and legal challenge. It is, after all, unlikely that if some government departments are hoarding the very data – the lawfulness of which is being investigated by another government entity – they are, based on current reporting at least, unlikely to come clean about it.

Being “properly informed”, the onerous qualification Anderson identified in recognising the legitimacy of bulk powers requires the government to be up front with its oversight mechanism. If the MOD or other government departments, including the intelligence services, used SCL datasets – and if they did, it was plainly pre-the 2016 Act – then this should be self-reported to the Investigatory Powers Commissioner’s Office. That data should be purged from the subsequent databases it may later have formed part of. It should not be, as it has in the past, incumbent on civil liberties groups to force such matters out of the government during the course of expensive litigation.


Dates for the Investigatory Powers Act 2016 Training Days have been released: 15 May (London) and 17 May (Leeds). Details of the programme can be found here. Places are strictly limited and bookings have already been received from Merseyside, South Wales, Northamptonshire and West Yorkshire Police, the Independent Office for Police Conduct, Kent County Council and others. Use the contact page on this site to reserve your place. 

© Simon McKay (2018). As a general rule, I have no problem with third parties using my material but please ask for my permission before using or copying the material contained in this blog. If you do use it, attribute it to me with a link to the original content where possible. This is opinion, not legal advice.