26 September 2018 #Data Protection
As recently reported in the media, the Information Commissioner’s Office (“ICO”) has issued its first Enforcement Notice under the Data Protection Act 2018 (“DPA 2018”) against AggregateIQ Data Services Ltd (“AIQ”), a Canadian data analytics company.
AIQ was associated with targeted advertising for the ‘Vote Leave’ campaign during the Brexit referendum. AIQ has been linked to Cambridge Analytica, which was at the centre of the Facebook data privacy scandal we reported on previously. AIQ have appealed against the notice.
While the data was initially gathered by AIQ before 25 May 2018 (the date the GDPR and DPA 2018 came into force), the ICO said it was concerned about the ‘continued retention and processing’ of data after that date, and confirmed that the GDPR applies to AIQ’s handling of that information.
AIQ have now been served with an Enforcement Notice to, within 30 days, ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.’
If AIQ fails to successfully appeal the ICO's notice or does not comply with it, it could face a large fine. It will be interesting to see what level of fine the ICO deems appropriate given its increased powers under the GDPR and DPA 2018.
This notice is significant for various reasons. It is the first time the ICO has used the new extraterritorial provisions of the GDPR against an organisation based outside the EU.
In addition, while a number of recent fines have made headlines (such as Facebook and Equifax both recently being fined the maximum £500,000 penalty under the previous Data Protection Act 1998 legislation), AIQ is the first organisation to receive an Enforcement Notice under the new provisions.
With the ICO having reported record numbers of self-reported breaches since the GDPR came into effect (self-reporting being mandatory in certain circumstances), we can expect more actions undertaken by the ICO under the GDPR and DPA 2018 to be published in due course.