On 24 October 2018, the UK data protection enforcement body, the Information Commissioner's Office (ICO), issued an Enforcement Notice against Canadian data services firm AggregateIQ (AIQ).[1] This was the first Enforcement Notice issued by the ICO under the General Data Protection Regulation (GDPR).[2] The Notice specifies several breaches of the GDPR and gives AIQ 30 days to put itself into compliance or face a fine of €20 million or 4% of global group turnover, whichever is greater.
AIQ's breaches of the GDPR relate to its use of personal data of UK individuals in connection with its business of providing data services to political organizations. Specifically, AIQ used this data to target individuals with political advertising on social media.
The specific GDPR breaches were as follows:
1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing "personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing." Moreover, "the processing was incompatible with the purposes for which the data was originally collected."
2. AIQ also breached Article 14 in that it failed to provide "data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply." Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.
3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27, which requires non-EU companies that process the personal data of EU residents to designate an EU representative; this requirement is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of €10 million or 2% of a company's global group turnover, whichever is higher.
The GDPR provides detailed guidance to companies on how the collection of personal data may be legally justified and the steps that must be taken with regard to the privacy of the data and the disclosures and/or authorizations that must be made to, or obtained from, the individuals affected. This is a complex exercise that should normally require the assistance of outside legal counsel. AIQ was either ignorant of how GDPR may affect its business or, what is more likely in view of the wide publicity GDPR has generated around the world, totally indifferent to its GDPR legal obligations.
The GDPR breaches by AIQ are so serious and wide ranging that it will be nearly impossible for it to fully comply with the Enforcement Notice within 30 days. It should be kept in mind that AIQ must carry out its compliance steps with regard to all UK individuals affected (i.e. with regard to all those in the UK whose data was collected). If AIQ's measures are only piecemeal, the ICO will probably deem AIQ to be non-compliant.
If AIQ fails to comply with its GDPR obligations within 30 days, and a fine is imposed, the fine may be enforced in a UK court. If AIQ fails to make a court appearance and a default judgment is entered, AIQ may well have to defend itself in an action to enforce a foreign judgment. Moreover, with a UK judgment entered, AIQ may be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for the collection of the fine.
The situation for Chinese companies could not be clearer. Even those not established in the EU could face the sort of risks identified above. Those Chinese companies taking a "relaxed position" or preferring to "see how things develop" before they take GDPR compliance measures could find themselves unpleasantly surprised. Keep in mind that AIQ is a small consultancy, but its business depends on assembling a massive database of personal data.
Now, imagine how much personal data a large Chinese manufacturer of consumer goods or electronic products, a Chinese airline or hotel chain, or a Chinese internet selling platform is able to collect from/on EU consumers, and how much time it would need to comply with the GDPR. A 30-day window would be laughable. And it should be considered that the GDPR did not require the ICO to provide a 30-day window—that was the ICO's decision, or if you prefer, English hospitality.
[1] For a copy of this Notice, see https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf.
[2] Most EU Member States have data protection agencies which are responsible for the enforcement of the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.