First GDPR enforcement action is against a Canadian data controller

The Information Commissioner’s Office’s (the “ICO”) has issued its first enforcement notice under the General Data Protection Regulation (“GDPR”), against the Canadian organisation, AggregateIQ Services Ltd (“AIQ”), a political consultancy and technology company.

Context for enforcement

The ICO’s enforcement action can be seen in the context of its ongoing formal investigation into the use of data analytics in political campaigning. The ICO comments in its notice to AIQ that it is concerned the use of data analytics in political campaigning has occurred “without due legal or ethical consideration of the impacts to our democratic system”.

The enforcement action against AIQ is based on AIQ’s processing of personal data of UK individuals on behalf of UK political organisations, in particular Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave. The ICO states that as part of AIQ’s contract with these political organisations, AIQ received personal data including names and email addresses of UK individuals. This personal data was then used to target individuals with political advertising messages on social media.

Action taken by the ICO

The ICO served a first enforcement notice on AIQ on 6 July 2018, which related to EU as well as UK individuals. This was followed by a second enforcement notice served on 24 October 2018, which narrowed the scope to UK individuals only.

As set out in its enforcement notice, the ICO considers that AIQ failed to comply with the GDPR as follows:

  • AIQ failed to comply with article 5(1)(a)-(c) and article 6 GDPR by processing “personal data in a way data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing”. In addition, the “processing was incompatible with the purposes for which the data was originally collected.”
  • AIQ failed to comply with articles 14(1) and (2), as it did not provide data subjects with the required information regarding the processing of their data, in circumstances where the data was not obtained from those data subjects.

In its notice of 24 October 2018, the ICO requires AIQ to erase all the personal data it holds for individuals in the UK. This order becomes effective once the Information and Privacy Commissioner of British Columbia (“OIPC”) drops its own investigation into AIQ or confirms it is content for AIQ to comply with the ICO’s order. AIQ will then have 30 days to comply with the order.

If AIQ fails to comply with the ICO’s notice, it may be subject to a fine of up to 20 million euros or 4% of AIQ’s total annual worldwide turnover, whichever is the higher.

Comment

The ICO’s action against AIQ is interesting for the following reasons:

  • It highlights the ICO’s appetite for enforcement in relation to the use of personal data in political campaigning. Organisations active in this area would be well advised to review their compliance with the GDPR.
  • As this action is the first example of enforcement under the GDPR, it provides some insight into how the ICO may treat non-compliance under the GDPR. Notably, the ICO chose to issue an enforcement notice in the first instance and reserved its right to impose a fine. This suggests that the ICO is likely to take a pragmatic approach; however, it would not be safe to assume that the ICO will not exercise its right to impose fines for breaches of the GDPR going forward.
  • It is also notable that AIQ is a Canadian organisation without a presence in the EU. This enforcement action serves as a reminder that the scope of the GDPR can in certain circumstances extend to companies based outside the EU. In this case, even though AIQ is not ‘established’ in the EU, it was caught within the scope of the GDPR because its business activities involve the monitoring of individuals based in the EU.

In light of the above, to the extent that GDPR compliance has not already been addressed, organisations based outside the EU may wish to take steps to analyse their processing of personal data in the context of the territorial scope of the GDPR and ensure they are in compliance with its provisions. Absent compliance, organisations should be aware that the ICO may come knocking.