On July 6, 2018, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), served what looks like the first enforcement notice regarding the processing of UK individuals’ personal data by a nonresident organization.
The notice was directed to Aggregate IQ (AIQ), a digital advertising, web and software development company based in Canada. According to the ICO, AIQ received personal data (including names and email addresses) from political organizations and used them to target individuals with political advertising on social media. The data was held by AIQ and was subject to unauthorized access by third parties.
The ICO stated that AIQ failed to comply with Articles 5(1)(a)-(c) and 6 of the GDPR, since the advertising company “processed personal data in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. Furthermore the processing was incompatible with the purpose for which the data was originally collected.”
The ICO gave AIQ 30 days to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purpose of data analytics, political campaigning or any other advertising purposes.”
The ICO warned AIQ that failure to comply with the enforcement notice could result in a penalty of an “amount up to 20 million Euros, or 4% of an undertaking’s total annual worldwide turnover whichever is the higher.”
The enforcement notice can be found in the “Action we have taken” section of the ICO’s website, but no further information is available on the DPA’s website. A spokesman for the company told the BBC that “We appealed the enforcement notice to the first level tribunal”, which is the legal mechanism set forth by the UK Data Protection legislation for challenging the ICO’s notices.
More information on the ICO’s investigation into the use of data analytics for political purposes and the microtargeting of political adverts during the EU Referendum can be found at https://ico.org.uk…
For more information on this and for advice on GDPR implementation, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.