It looks like Cambridge Analytica, the firm behind, may be forced to tell a US citizen what data it held on him and how it was being used. And it took a UK regulator to make it happen.
The development could clear the way for millions of other Americans to demand info on their data too.
On Friday, a British privacy regulator ordered (PDF) the parent company of London-based Cambridge Analytica to hand over information to a US academic within 30 days or face criminal charges. The info would include copies of the data held on him, where it came from, whom it was being shared with and how it was being used.
The UK's Information Commissioner's Office was acting on a "subject access request," or SAR, submitted under Britain's Data Protection Act by David Carroll, an associate professor at New York's Parsons School of Design. An SAR lets people demand computer records and related info from companies holding, using or sharing personal data on them.
"The right to request personal data that an organisation holds about you is a cornerstone right in data protection law," UK Information Commissioner Elizabeth Denham said in a statement. "It is important that Professor Carroll, and other members of the public, understand what personal data Cambridge Analytica held and how they analysed it."
The Cambridge Analytica scandal had mainly to do with the US presidential election and data on millions of US Facebook users that was improperly shared. But Carroll took his legal battle overseas because in the states, Cambridge Analytica is merely a shell company, potentially making legal action there less effective, a representative for Carroll said in a statement. America's data-protection laws are less stringent than Britain's too, the representative added.
The ICO's support of Carroll's request suggests that millions of other US Facebookers whose data was shared without their knowledge may also be able to demand info from CA.
"The ICO's decision will provide us all with answers about what Cambridge Analytica did with people's data, how it was used and who it was given to," Ravi Naik, Carroll's UK solicitor, said in a statement. "We were always confident that he was in the right to request his data, and are very pleased that the ICO has confirmed his position."
Cambridge Analytica and its parent, SCL Elections Limited, specialized in data analysis and engaged in voter profiling. In mid-March, news emerged that the developer of a third-party Facebook app had gathered data on more than 80 million users of the social network and had broken Facebook's rules by handing the info to CA. The company later consulted with the Donald Trump presidential campaign during the 2016 US election.
The revelation raised concerns about Facebook's data policies and how data collection by tech firms could be taken advantage of for political and propaganda purposes. Among other things, the scandal took. It also led , but the ICO says that makes no difference in regard to handing over Carroll's data.
"We are aware of recent media reports concerning Cambridge Analytica's future," Denham said in a statement, "but whether or not the people behind the company decide to fold their operation, a continued refusal to engage with the ICO will potentially breach an Enforcement Notice and that then becomes a criminal matter."
SCL Elections Limited can appeal the ICO's order within 30 days.
The company didn't respond to a request for comment Saturday, nor did Cambridge Analytica.
: Everything you need to know about Facebook's data mining scandal.
: CNET looks at how intolerance is taking over the internet.