The General Data Protection Regulation (the “GDPR”) applies to European entities as well as non-European entities, as provided in Article 3 of the GDPR. However, it has been questioned whether and to what extent the relevant European authorities will seek to enforce the GDPR on non-European entities, due to issues of the validity and enforceability of the GDPR in non-European jurisdictions.
Recently, the UK Information Commissioner’s Office (“ICO”) decided to take action, in the form of an enforcement notice issued on July 6, 2018, against a non-European entity following an alleged breach of the GDPR. In this matter, a Canadian corporation by the name of AggregateIQ Data Services Limited (“AggregateIQ”) processed personal data in connection with political campaigns, and the ICO decided to review the manner in which it did so. It is worth mentioning that AggregateIQ did not fully cooperate with the ICO during this process, and claimed that it was not subject to the jurisdiction of the ICO.
The ICO argued that the processing of personal data by AggregateIQ contravened the GDPR, as the data subjects were not aware of the manner in which their personal data was processed and would not have expected the purposes for which it was processed. In addition, the ICO claimed the processing was without a lawful basis, was incompatible with the purposes for which the data was originally collected, and did not provide the data subjects with the information required under the GDPR. Accordingly, the Information Commissioner required AggregateIQ, within 30 days, to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purpose of data analytics, political campaigning or any other advertising purposes.”
Following an appeal filed by AggregateIQ against the enforcement notice (which suggests that AggregateIQ acknowledged, to a certain extent at the very least, the jurisdiction of the ICO), the ICO narrowed the enforcement notice, in exchange for AggregateIQ withdrawing the appeal. According to the narrowed enforcement notice, which was issued on October 24, 2018, AggregateIQ shall, subject to a notification to be issued to it by the Office of the Information and Privacy Commissioner of British Columbia, Canada, erase any personal data of individuals in the UK.
This matter proves that a business entity’s lack of an established presence in the EU will not prevent the relevant privacy authorities from taking action, where required, against the entity if it breaches the GDPR. Therefore, any business subject to the GDPR should be aware of the regulation’s provisions and take the required steps to ensure compliance.