Canadian Company Receives First GDPR Enforcement Decision

Despite all the hype around the May 2018 coming into force of the EU General Data Protection Regulation (GDPR), with its detailed provisions, strict enforcement regime and the threat of daunting penalties, many of us missed the first formal enforcement action under the GDPR that was released by the UK Data Protection Commissioner this past summer. The decision in question invoked the extra-territorial scope provisions in Article 3(2)(b) and was served as an Enforcement Notice on AggregateIQ Data Services Ltd (“AIQ”) requiring it to: ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes’.

AIQ is a Canadian company that uses data to target online advertisements at voters, and its clients include UK political organizations. These organizations provide personal data to AIQ for the purposes of targeting individuals with political advertising messages on social media. As outlined by the UK Commissioner, AIQ’s processing of personal data relates to monitoring of data subjects’ behaviour taking place within the European Union, and thus, the GDPR applies.

The Notice, served under section 149 of the UK Data Protection Act, was attached as an annex to the UK Commissioner’s report entitled “Investigation into the use of data analytics in political campaigns”, dated July 11, 2018.

AIQ was found to be in breach of Articles 5(a) – 5(c) and Article 6 of the GDPR for processing personal data in a way that data subjects were not aware of, for a purpose they would not have expected, and without a lawful basis for processing. In addition, AIQ failed to provide the transparency information required under Article 14 of the GDPR.

Unfortunately, the terms of the Notice are rather vague and no depth or clarity is offered. Does “cease processing” mean AIQ must erase all the data? (Mere storage is, of course, in and of itself “processing” by the GDPR definitions.) However, the specifics of the order will likely be clarified, quite possibly in some detail, before the matter comes to a close, because AIQ have exercised their right to appeal the decision to the First-tier Tribunal, under section 162(1)(c) of the DPA. PRIVATECH will keep you posted on the appeal.

Regardless of where your organization operates, if EU resident data is being processed, it is critical to understand how the GDPR affects your business. For assistance with your GDPR compliance initiatives, contact PRIVATECH.