The Information Commissioner’s Office (ICO) has served an enforcement notice on AggregateIQ Services Ltd (AIQ) (a Canadian company located outside the EU) using its powers under the Data Protection Act 2018 (DPA 2018). The notice is the first of its kind issued under the General Data Protection Regulation (GDPR) and the DPA 2018.
The notice was issued as AIQ was still holding and processing the data of UK citizens after the GDPR and DPA 2018 came into force on 25th May 2018. The processing was in connection with online political messages sent by AIQ on behalf of several UK political organisations to UK citizens during the Brexit referendum.
The notice requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes”. The ICO held that AIQ had breached various GDPR requirements, including processing personal data without a lawful basis and processing personal data for purposes incompatible with the purpose for which it was collected.
The ICO stated that the territorial scope provisions of the GDPR did apply to AIQ because of its processing of personal data related to the monitoring of the behaviour of data subjects within the EU.
Failure to comply with an enforcement notice could lead to a fine of up to EUR20 million or 4% of total annual worldwide turnover. AIQ is understood to be appealing against the notice.
This first enforcement notice is particularly interesting because it is addressed to a company outside the EU and demonstrates the global reach of the GDPR.
If you would like to discuss any aspect of data protection then please contact Matt Worsnop by email at firstname.lastname@example.org or by phone on 0116 281 6235.