2018-11-08

The question of whether European data protection authorities will, in fact, seek to enforce the General Data Protection Regulation (GDPR) on non-European entities has been answered. The UK Information Commissioner’s Office (ICO) issued an enforcement notice (Notice) against a Canadian corporation with no EU operations, AggregateIQ Data Services Limited (AIQ).

Canadian Company had Ties to Cambridge Analytica

The Notice, issued on July 6, 2018, alleged that AIQ contracted with multiple UK political organizations to provide AIQ with personal data of UK individuals, including names and email addresses, which AIQ then used to target individuals with political advertisements on social media. The Notice, which was attached as an appendix to an ICO investigation report and was not placed on the ICO’s enforcement action page, initially received little attention.

Although the Notice only identified connections between AIQ and pro-Brexit groups, an ICO report issued on November 6, 2018 also identified connections between AIQ and Cambridge Analytica, the company infamous for harvesting the personal data of 87 million Facebook users. The report noted concerns that there “was a permeability between [AIQ and Cambridge Analytica] above and beyond what would normally be expected to be seen.” However, the report ultimately concluded that AIQ only worked with Cambridge Analytica’s parent company by building a political Customer Relationship Management tool for its use during the 2014 U.S. midterm elections and providing political ad services via Facebook.

Notice Ordered AIQ to Cease Processing EU Personal Data

The Notice alleged that AIQ was holding the personal data of UK individuals and storing the data on a code repository previously accessed by an unauthorized third party. The ICO found that AIQ violated the GDPR because it “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Additionally, the processing was incompatible with the purposes for which the data was originally collected, and AIQ did not provide the data subjects with the information required by Articles 14(1) and (2) of the GDPR, such as the categories of personal data collected and the time period the data would be stored. The Notice ordered AIQ, within 30 days, to cease processing any personal data of UK or EU citizens obtained from political organizations for the purposes of data analytics, political campaigning, or advertising.

AIQ Initially Argued It was Not Subject to the ICO’s Jurisdiction

Notably, AIQ initially did not cooperate with the ICO’s investigation and argued it was not subject to the ICO’s jurisdiction. AIQ also argued that it continued to hold the personal data of UK individuals because it was subject to a preservation order by Canadian officials – a reference to a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC-BC) into Facebook and AIQ’s data protection compliance. AIQ appealed the ICO’s enforcement notice, requesting more specificity as to its obligations under the Notice’s requirements.

ICO’s Response

In response, the ICO reissued the Notice on October 24, 2018, with instructions for AIQ to “erase any personal data of individuals in the UK, determined by reference to the domain name of the email addresses processed by AIQ” and retained by AIQ on its servers within a set time frame. If AIQ fails to comply, it faces a fine of up to 20 million euros or 4% of its total annual worldwide turnover.

Takeaways

The ICO’s actions demonstrate that EU data protection authorities will take action against non-European entities failing to comply with their GDPR obligations. We anticipate that, moving forward, data protection authorities will use not only their fining powers, but also their other corrective powers, such as the power to ban or limit data processing or to suspend data flows to countries outside of the EU.

Fey LLC will continue to monitor GDPR enforcement developments for our clients and interested parties.

Hannah Zimmerman

Hannah Zimmerman is an associate attorney with Fey LLC.

Laura Fey

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.