Who: Information Commissioner’s Office,

When: AggregateIQ Services Ltd

Where: UK

Law as stated at: 26 October 2018

What happened:

The ICO has issued eagerly reported news that it has served its first enforcement notice since the GDPR came into force on 25 May 2018. The notice was served on AggregateIQ Services Ltd, an online behavioural advertising service provider, which is based outside the EU in Canada. The notice is in connection with online political messages sent to UK citizens during the Brexit campaigns by Aggregate IQ.

The ICO held that Aggregate IQ was a data controller and had processed the data without a lawful basis under the GDPR. Furthermore, Aggregate IQ had processed data for a purpose that was incompatible with the purpose for which it was collected and therefore breached the purpose limitation principle.

The enforcement notice requires Aggregate IQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes“.

Why it matters:

The significance of this enforcement is threefold.

Firstly, this is the first ICO enforcement action since the GDPR came into force. Commentators and interested parties have been keen to gain insight into how the ICO will treat breaches of the GDPR and whether it is likely to impose large fines. This case shows that, on the whole, the ICO is likely to remain a pragmatic regulator, although this should not be taken as an indication that the ICO will not start issuing fines for breaches of the relevant legislation. In fact, the ICO can issue fines of up to EUR20 million or 4% of Aggregate IQ’s total annual turnover if it fails to comply with the terms of the enforcement notice.

Secondly, this action demonstrates the extra-territorial effect of the GDPR and that companies will be caught by its provisions if they monitor the behaviour of individuals within the EU, even if the company is based outside the EU.

Lastly this demonstrates the ICO’s increased scrutiny on the use of personal data in political campaigns and that the UK regulator is likely to take a dim view on any non-compliance in this area.