An enforcement notice filed by the Information Commissioner's Office ("ICO") against AggregateIQ Data Services Ltd ("AIQ"), a Canadian data analytics firm, has been revealed by a data protection specialist. This is the first formal enforcement action under the General Data Protection Regulation ("GDPR") and the UK Data Protection Act 2018.

Although the enforcement action was not published on the ICO's website, it was mentioned in the ICO's report, "Investigation into the use of data analytics in political campaigns". The report associates AIQ with the Facebook-Cambridge Analytica scandal as a provider of software and tools for the management of data, which were intended for use in voter targeting and processing personal data on behalf of UK political organisations, such as "Vote Leave" and "BeLeave".

According to the enforcement notice, AIQ is subject to the GDPR even though it is not established in the EU, because its processing activities relate to the monitoring of data subjects' behaviour that took place within the EU. In this regard, the ICO found that AIQ had violated Article 5(a)-(c) and Article 6 of the GDPR, since it processed personal data unbeknown to the data subjects, for undeclared purposes and without a lawful basis for such processing. In addition, the ICO stated that AIQ had failed to provide the transparency information required under Article 14 of the GDPR.

The enforcement notice stated that the Commissioner considered whether the breach has caused (or is likely to cause) any personal damage or distress to a person, and found that this is likely to occur because data subjects are denied the opportunity to understand which personal data is being processed and for what purpose, and are not effectively in a position to exercise their rights as data subjects.

Accordingly, the Commissioner required AIQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purpose of data analytics, political campaigns or other advertising purposes. If AIQ fails to comply with these terms within 30 days, it will be fined up to €20 million, or 4% of an undertaking's total annual worldwide turnover, whichever is the higher.
