You may have missed it but the first-ever GDPR enforcement notice was served by the Information Commissioner’s Office (the UK data watchdog) against the Canadian data analytics company, AIQ, in July. You will not find it on the ICO’s “Actions we have taken” section of their website. Instead it was listed in a report into the use of personal data in political campaigns.
The ICO gave the Vote Leave-associated data company 30 days to comply with data regulations or face a fine of up to £17 million.
The ICO said that AIQ’s continued retention of UK citizens’ data is likely to have caused “damage or distress” to those affected and the company is in breach of Articles 5 and 6 of GDPR, particularly as processing the data was contrary to the privacy expectations of those affected.
The firm has appealed against the notice.
The Information Commissioner’s Office (“ICO”) issued the first GDPR Enforcement Notice in July this year, less than two months after the General Data Protection Regulation (“GDPR”) came into force.
This investigation is part of a wider review by the ICO into the use of data in political campaigns – triggered by the Cambridge Analytica/Facebook scandal. The ICO released the interim results of the investigation at the same time as the Enforcement notice, and published recommendations resulting from the investigation in a partner report, “Democracy Disrupted?”.
The company concerned was Canadian company AggregateIQ Services Ltd (“AIQ”).
As a Canadian company, AIQ is obviously located outside of the EEA. However, the GDPR applies to the processing of the personal data of data subjects located in the EEA even where the processor is not established in the EU, if the processor uses the data to offer goods or services to those data subjects or to monitor their behaviour.
In this case, AIQ had collected UK citizens’ data, including names and email addresses, before the GDPR came into force on 25 May 2018. It was paid £2.7m by Vote Leave during the EU Referendum to target political messages and adverts on social media based on the data. It also worked for BeLeave, Veterans for Britain and the DUP Vote to Leave.
The collection and use of the data during the 2016 referendum was not contrary to the regulations then in force. However, the ICO has found that AIQ is now contravening the GDPR because it continues to hold the data: merely storing data qualifies as processing under the GDPR. The ICO therefore found that, because AIQ is processing personal data after 25 May 2018, it is in breach of several provisions of the GDPR, including:
i) Article 5(1)(a)-(c) GDPR: ‘processing the personal data in a way the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing’. The processing was also incompatible with the purposes for which the data was originally collected.
ii) Article 6 GDPR: AIQ had no lawful ground for processing the personal data; and
iii) Article 14 GDPR: AIQ had not provided information to the data subjects about the processing of their data. This is necessary because AIQ did not obtain that data from those data subjects first-hand.
The Enforcement Notice also states that data subjects are likely to suffer ‘damage or distress’ as a result of being denied an explanation of what and how their personal data is being used, and being unable to exercise their other rights in respect of that data, such as a subject access request.
Under the Data Protection Act 2018 (“DPA”) (which implements the EU’s GDPR), the ICO has power to issue an Enforcement Notice requiring a data processor or controller to cease the processing within 30 days. If AIQ fails to appeal or fails to comply with the notice, the penalty is a fine of up to €20m or 4% of AIQ’s total annual worldwide turnover in the preceding financial year, whichever is the higher.
The Notice requires AIQ to ‘cease processing any personal data on UK or EU citizens obtained from UK political organisations or otherwise for the purpose of data analytics, political campaigning or any other advertising purposes’ within 30 days from the date of the notice.
This is a draconian sanction effectively telling AIQ to stop and delete the data.
AIQ is currently appealing the notice under the DPA, so it remains to be seen whether it will be fined. As well as this fine, AIQ may also face compensation claims from individuals for distress. Although the individual claims would not be large, the number of potential claimants is huge.
Data controllers can avoid this type of situation by adopting one of the key tenets of the GDPR: transparency. Top of the league table for complaints to the ICO is a failure to notify data subjects exactly what is being done with their data, which causes them to be surprised when they find out and, in this case, according to the ICO, to suffer distress and damage.