Landmark GDPR enforcement action taken against Canadian company

Posted on Friday November 2, 2018

The UK Information Commissioner’s Office (ICO), the UK’s data protection regulator, recently issued its first formal enforcement notice under the General Data Protection Regulation (GDPR).

The action has been considered a “GDPR milestone”. What was interesting about this action was that it was issued against a company located in Canada, rendering it the ICO’s first action taken against a non-UK entity. The GDPR is groundbreaking data protection law in that it has extra-territorial reach, meaning the law now applies to organisations outside of the EU who process personal data of individuals who are in the EU.

AggregatelQ Data Services Limited (AggregatelQ) is a Canadian data analytics company which uses data to target online advertisements at voters during public polls. AggregateIQ’s data processing related to online political messages sent by it on behalf of various UK political organisations to UK citizens during the Brexit referendum. Allegedly, the firm worked to profile and target voters during the campaign.

The firm was served with an enforcement notice which stated it must cease processing any personal data EU citizens for the purposes of data analytics, political campaigning or any other advertising purposes. The ICO found that the GDPR applied to the company because it processed personal data relating to the monitoring of the behaviour of data subjects within the EU.

The ICO found AggregatelQ failed to comply with the GDPR in a number of ways, including:

  • Processing personal data without a lawful basis for doing so.
  • Processing personal data in a way which was incompatible with the purposes for which the data were collected originally.
  • Processing personal data in a way that the data subjects were unaware of.

It is understood that AggregatelQ are appealing the notice.

It is interesting to see the ICO’s response to AggregatelQ, given that its powers to issue large fines have made headlines. The General Data Protection Regulations have adopted a tiered approach to penalties for breaches of the law and significantly increased fines for breaches. In the most serious cases fines can be made of up to the higher of 4% of annual worldwide turnover and EUR20 million. Additionally, this action demonstrates that the ICO has a close eye on the conduct of data analytics by firms.

Having worked widely with a number of clients globally on GDPR compliance, this matter stresses the importance for foreign companies to consider how the GDPR could apply to their data processing activities. We await further enforcement actions taken by the ICO under the GDPR, currently an untested area of the law. It also remains to be seen as to how the ICO will approach fines under the new data protection framework.

For advice on data protection compliance, contact