ICO issues first enforcement notice under GDPR

On 20 September 2018, it was reported that the Information Commissioner’s Office (ICO) had served an enforcement notice dated 6 July 2018 on AggregateIQ Services Ltd (AIQ) (a Canadian company located outside the EU) using its powers under section 149 of the Data Protection Act 2018 (DPA 2018).

The notice is the first of its kind issued under the General Data Protection Regulation ((EU) 2016/679) (GDPR) and the DPA 2018 and was issued as AIQ was still holding and processing the data of UK citizens after the GDPR and DPA 2018 came into force on 25 May 2018.

The processing was in connection with online political messages sent by AIQ on behalf of several UK political organisations to UK citizens during the Brexit referendum.

The notice requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes”.

The ICO held that AIQ had breached various GDPR requirements, including processing personal data without a lawful basis (Article 6, GDPR) and processing personal data for purposes incompatible with the purpose for which it was collected (Article 5(1)(b)).

The ICO stated that the territorial scope provisions of Article 3(2)(b) of the GDPR did apply to AIQ because its processing of personal data related to the monitoring of the behaviour of data subjects within the EU.

Failure to comply with an enforcement notice could lead to a fine of up to EUR20 million or 4% of an undertakings total annual worldwide turnover. AIQ is understood to be appealing against the notice.

The ICO’s actions in this matter illustrate the global reach of the GDPR and serve as a reminder that the conduct of data analytics remains in the focus of the ICO. Data protection practitioners will be awaiting the results of this appeal and, potentially, any further enforcement action by the ICO.

Practical Law (PLC) 28.9.18