The UK has seen its first data protection enforcement action under the new regime of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).
The Enforcement Notice issued by the UK’s Information Commissioner’s Office (“ICO”), was given against a Canadian company called AggregateIQ Data Services Ltd (“AIQ”) on 6 July 2018. The notice was published with little fanfare and was included as an annex to the ICO’s report, “Investigation into the use of data analytics in political campaigns”, published on 11 July 2018. A further Enforcement Notice was issued against SCL Elections Ltd for failure to comply with a Subject Access Request.
The background to this ICO investigation was the circumstances around the lead up to the UK’s referendum on its continued membership of the European Union on 23 June 2016. In May 2017, the ICO announced a formal investigation into the use of data analytics in political campaigning during the referendum and contacted AIQ regarding its processing of personal data on behalf of certain UK political organisations.
The ICO’s investigation found that personal data supplied to AIQ as part of its work during the referendum was used to target individuals through political advertising messages on social media. AIQ was found to have contravened Articles 5 and 6 of the GDPR, by processing personal data in a way that “the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing”. The processing was also deemed not compatible with the purposes for which it was collected.
The terms of the Enforcement Notice were relatively concise, if not precise: that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”.
No fine has been levied, but the text of the Enforcement Notice highlights that, if AIQ does not comply with the steps specified by the ICO, the Commissioner may serve a penalty notice on AIQ under s.155(1)(b) of the DPA requiring payment of an amount of up to the higher of EUR 20 million or 4% of worldwide turnover.
On 30 July, AIQ appealed the Enforcement Notice to the First-tier Tribunal (Information Rights), as is its right under s.162(1)(c) DPA. AIQ appealed the Enforcement Notice arguing several grounds, including that the ICO is unlawfully attempting to retroactively apply its new powers, and that the ICO lacks jurisdiction over AIQ, a Canadian company. It is understood that the company continues to hold the data covered by the Enforcement Notice, as it is subject to a Canadian preservation order.
This decision does not lead to the dramatic headlines anticipated by the popular pre-GDPR commentary. No million pound fines were levied; in fact, no fine at all has been levied to date. Nonetheless, it marks an important moment in post-GDPR enforcement as the first action taken by the UK regulator under the DPA. It has an extraterritorial aspect, with AIQ being a Canadian dataanalytics company. It may also be the first action taken against an analytics company in the political sphere, something which has garnered a lot of press attention and will continue to be a topic of interest to prosecutors and regulators worldwide for some time.