Transatlantic enforcement action for breach of the GDPR

The data protection supervisory authority for the United Kingdom, the Information Commissioner's Office (ICO),has issued its first enforcement notice under the General Data Protection Regulation. The Enforcement Notice of the 24th October 2018 is directed to AggregrateIQ (AIQ), a Canadian data analytics firm which notably played a significant part in the UK's "Brexit" referendum on its membership of the European Union, using its data analytics capabilities to target voters with advertisements on behalf of clients such as Vote Leave, the official campaign for leaving the European Union.

As part of the widening scandal surrounding the use of campaign finances during the Brexit campaign and the revelations about Cambridge Analytica's harvesting of data, it emerged that AIQ, based in Vancouver, had been processing the personal data of UK individuals, including their names and e-mail addresses. It was using this data to target these individuals with political advertisements on social media in the run-up to the 2016 referendum. The ICO has determined that AIQ failed to comply with Articles 5 (1)(a) – (c) and Article 6 of the GDPR, as it "processed data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for the processing."

By virtue of the Enforcement Notice, AIQ is required to erase any personal data of individuals in the UK within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying AIQ that it is no longer the subject of an investigation by the OIPC or that it is content for AIQ to comply with the notice. If AIQ does not comply, it could face a fine of up to 20 million Euros or 4 % of the company's total annual worldwide turnover for the previous financial year, whichever is higher. AIQ is understood to be appealing against the Enforcement Notice to the First Tier Tribunal.

Not only is this the first enforcement action to be taken under the new EU General Data Protection Regulation,applicable since May 2018, but it is also immediately directed against a company based in Canada. This demonstrates the extraterritorial scope of the GDPR where the personal data of people within the EU is processed from outside of the EU and sends a warning to Canadian and American companies that transatlantic enforcement of the Regulation is possible. Those companies across the pond which process the personal data of people within the EU, but have yet to become GDPR compliant should do so as a matter of priority or risk being the subject of similar enforcement actions by EU-based data protection supervisory authorities.

The contribution was created with the collaboration of Sam Cross. If you have any questions on this topic, do not hesitate to contact Dr Axel von Walter.