Since the EU’s General Data Protection Regulation (GDPR) went into effect, we have been anxiously awaiting enforcement activities that would indicate regulator priorities. The waiting is over. It was recently reported that the UK Information Commissioner’s Office (ICO) issued an Enforcement Notice to AggregateIQ Data Services (AIQ) on July 6, 2018. Although the Enforcement Notice was issued in July, it only recently came to light.

AIQ is a Canadian analytics firm that was involved with political advertising during the Brexit vote in the UK. The ICO alleges that AIQ received personal data including names and email addresses of people in the UK from political organizations, including Vote Leave and others. AIQ used this personal data to target individuals with political advertising on social media without their knowledge or consent. AIQ also confirmed in writing to the ICO that a third party had unauthorized access to that personal data, which AIQ kept in a code repository. AIQ gathered this information before GDPR went into effect on May 25, 2018, but the ICO stated ongoing concerns that AIQ continued to possess and process personal data after that date.

The ICO concluded that AIQ failed to comply with GDPR Article 5, which requires that personal data be processed lawfully, fairly and in a transparent manner; for legitimate purposes; and on a limited basis necessary for that purpose. The ICO also alleges that AIQ did not have a lawful basis for processing the personal data under Article 6 and did not comply with Article 14, which specifies what information a controller must provide to a data subject when the controller did not receive the personal data directly from them. The ICO determined that “damage or distress” to data subjects is likely as a result. There are some details to be filled in, but this does give some sense of the alleged unlawful activities.

The ICO directed AIQ to cease processing personal data of UK or EU citizens obtained from these political organizations for data analytics, political campaigning, or advertising. AIQ has appealed. The ICO’s enforcement could result in a large fine for AIQ. The Enforcement Notice lists the maximum GDPR penalties of 20 million euros or 4% of annual worldwide revenue, but at this point it is unclear how much the actual fine will be.

More broadly, the ICO indicated concern with “the application of techniques hitherto reserved for commercial behavioural advertising being applied to political campaigning, during recent elections and the EU referendum campaign in 2016.” The ICO noted that it is focusing on the unlawful use of personal data in political campaigning generally, so similar Enforcement Notices may follow. The Enforcement Notice is available here.

We will continue to monitor GDPR enforcement developments for our clients and interested parties, which will shed light on how companies should adjust or prioritize their actions to comply with GDPR.