The United Kingdom's Information Commissioner's Office (ICO) has issued the first formal enforcement notice under the European Union's General Data Protection Regulation (GDPR). The enforcement notice has been issued against AggregateIQ Data Services Limited (AggregateIQ), a data analytics provider based in Canada. This is the first action taken by the ICO outside of the United Kingdom.
In summary, the GDPR applies to companies and individuals outside of the European Union if they:
- Have a presence in the European Union (e.g. an office or a branch)
- Process the personal data of individuals within the European Union in connection with the offering of goods or services
- Monitor the behaviour of individuals within the European Union.
As part of an ongoing investigation into the use of data analytics in political campaigns, the ICO has found that AggregateIQ used personal data provided to it by a number of political organisations to target online advertisements to voters in the United Kingdom. The advertisements related to the United Kingdom's referendum on membership of the European Union and were largely created on behalf of Vote Leave.
The ICO concluded that AggregateIQ breached the GDPR by using personal data in a way that data subjects were not aware of, for purposes they would not have expected and without a lawful basis for that processing. In addition, the processing was incompatible with the purpose for which it was originally collected and the relevant data subjects were not informed of the necessary details of that processing.
If AggregateIQ fails to comply with the enforcement notice, the ICO may serve a penalty requiring payment of up to 20m Euros, or of 4% of an undertaking's total annual worldwide turnover, whichever is higher. As the first extraterritorial enforcement notice issued under the GDPR, much attention will be paid to the level of the fine sought by the ICO.
AggregateIQ is currently appealing the ICO's findings.
Extraterritorial impact in New Zealand
AggregateIQ's enforcement notice is an important reminder for New Zealand companies that they may be subject to the terms of the GDPR (even where they are not established in the European Union). However, as AggregateIQ's processing of voter personal data was particularly politically sensitive, it remains unclear how the GDPR's extraterritorial provisions will be applied and enforced in respect of more mundane data processing. For the time being, we consider that in most cases a pragmatic and proportionate approach should be taken to the application of the GDPR until further clarity and guidance are available.