The start of the New Year comes with an expected aggregation in GDPR related matters more precisely an enforcement action by the UK’s data protection authority – the ICO.
The ICO’s first enforcement notice was taken against a Canadian political consultancy and technology company (AggregateIQ Data Services Ltd (‘AIQ’)) without a physical presence in the EU. The problem apparently arose from the company’s processing of UK and EU citizens’ personal data for Brexit campaigns, which sets a precedent for actions taken against non-EU based companies. AIQ’s UK political clients provided the organisation with personal data for the purposes of targeted online advertisements at voters.
AIQ received its First Noticefrom the ICO on 6 July 2018 on the grounds of Article 3(2)(b) of the GDPR. This Article concerns the territorial scope of the GDPR and its application for organisations outside of the EU when they process personal data which relates to monitoring behaviour of individuals who are in the EU. In this First Notice, the ICO required AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
Four months later, the ICO amended its First Notice with a Second Notice dated 24 October 2018. This time the reference to Article 3(2)(b) had been removed and the scope was limited to individuals based in the UK. AIQ was given 30 days to comply with the Second Notice or face a fine which is the higher out of either €20 million or 4% of their global turnover.
AIQ appealed the First Notice but withdrew the appeal with the narrowed scope of the Second Notice.