The notice demonstrates the regulator’s willingness to exercise the extra-territorial scope of the new data protection regime. It also shows the UK regulator’s willingness to take action where it finds evidence of the misuse of personal data, rather than focusing on data breaches.
The enforcement notice was issued as part of the ICO’s investigation into the use of data analytics in political campaigns. In particular, the ICO looked into Aggregate IQ’s use of personal data belonging to UK citizens – the Canadian company had worked under contract for a number of political organisations during the EU referendum campaign in 2016.
Aggregate IQ is also being investigated in Canada by the federal Office of the Privacy Commissioner and the Office of the Information and Privacy Commissioner of British Columbia.
When contacted by the ICO in May 2018, Aggregate IQ confirmed it still held personal data on UK citizens. It was said to be stored on a code repository, although the data had been subject to unauthorised access by a third party.
The ICO concluded that Aggregate IQ failed to comply with Articles 5 and 6 of the GDPR, having processed data in a way that data subjects were not aware of, and for purposes that they would not have expected, and without a lawful basis.
It also found the processing of data was incompatible with the purpose the data was originally collected for, and that it failed to comply with Article 14 of the GDPR, which requires the data controller to provide data subjects with certain information.
When deciding whether to issue an enforcement notice, the Commissioner was required to consider whether Aggregate IQ’s failings had caused personal damage or distress. It concluded that damage and distress was likely, as the data subjects had been denied the opportunity to understand what data was used and were not able to exercise their various privacy rights.
Following the investigation, the ICO issued an enforcement notice in July requesting that Aggregate IQ erase “any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
The notice shows the regulator is willing to enforce the GDPR with little leeway in compliance. Interestingly, the ICO gave Aggregate IQ just 30 days to comply with the notice, a relatively short period to identify the data (that could also be held by third parties), and take the required action. The notice adds failure to comply could result in a penalty notice and a fine of up to EUR 20 million, or 4% of total worldwide turnover.
However, the ICO’s actions also suggest that the regulator is taking a pragmatic approach to enforcement. Aggregate IQ initially denied any wrongdoing and said it would challenge the enforcement notice. It appears that the ICO listened and clarified its notice, amending the notice to require the Canadian company to only delete UK personal data held on its servers as of May 2018. Aggregate IQ withdrew its appeal and agreed to delete the data as soon as Canadian regulators allowed it to do so.
Download Cyber Decoder
For more information, please contact Shannon Groeber, Senior Vice President, Cyber / Errors & Omissions Practice on 215.309.4495.