Lessons from the ground-breaking first enforcement action under GDPR

11 Feb 2019 , 2:32pm

Sehaj Lamba of Mackrell Turner Garrett explains how the UK’s data protection regulator (the ICO) issued its first formal enforcement notice under the General Data Protection Regulation (GDPR) last year against Canadian company AggregateIQ, relating to voter targeting during the Brexit campaign.

Extra-territorial reach

The action has been considered a “GDPR milestone”. What was interesting about this action was that it was issued against a company located in Canada, making it the first action the Information Commissioner’s Office (ICO) has taken against a non-UK entity. The GDPR is a ground-breaking data protection law in that it has extra-territorial reach, meaning the law applies to organisations outside the EU that process personal data of individuals who are situated in the EU.

Targeting voters during the Brexit campaign

AggregateIQ Data Services Limited (AggregateIQ) is a Canadian data analytics company that uses data to target voters with specific online advertisements during public polls. AggregateIQ’s data processing related to online political messages sent by it on behalf of various UK political organisations to UK citizens during the Brexit referendum. Allegedly, the firm worked to profile and target voters during the campaign.

The firm was served with an enforcement notice that stated it must cease processing any personal data on EU citizens for the purposes of data analytics, political campaigning or any other advertising purposes. The ICO found that the GDPR applied to the company because it processed personal data relating to the monitoring of the behaviour of data subjects within the EU.

Failure to comply

The ICO found that AggregateIQ failed to comply with the GDPR in a number of ways, including:

  • Processing personal data without a lawful basis for doing so.
  • Processing personal data in a way that was incompatible with the purposes for which the data was collected originally.
  • Processing personal data in a way that the data subjects were unaware of.

The ICO’s powers under the GDPR

It is interesting to see the ICO’s response to AggregateIQ, given that its powers to issue large fines have made headlines. The GDPR has adopted a tiered approach to penalties for breaches of the law and significantly increased fines for breaches. In the most serious cases fines can be up to either 4% of annual worldwide turnover or EUR20 million, whichever is higher. Additionally, this action demonstrates that the ICO is keeping a close eye on the conduct of data analytics by firms.

Implications for businesses

This case stresses the importance for foreign companies to consider how the GDPR could apply to their data processing activities and the need to comply with the evolving regulatory regime. Companies should identify gaps in their compliance and implement the documentation, policies and procedures needed in order to comply with the rules around processing personal data of data subjects in the EU.

Undoubtedly there will be further enforcement actions taken by the ICO under the GDPR, which currently remains a largely untested area of the law. It also remains to be seen how the ICO will approach the issuing of fines under the new data protection framework.