The first enforcement action under the General Data Protection Regulation 2016/679 (“GDPR”) has been taken against a data controller outside the European Union. The UK’s Data Protection Authority (“ICO”) served an enforcement notice on a Canadian political consultancy and technology company without any physical presence in the EU. The notice is based on the company’s processing of UK and EU citizens’ personal data for Brexit campaigns. These circumstances demonstrate the potential for enforcement under the GDPR against companies outside of the EU.
The ICO served the first enforcement notice to AggregateIQ Data Services Ltd (‘AIQ’) in Canada on 6 July 2018 (“First Notice”). The First Notice was served based on Article 3(2)(b) of the GDPR. The article suggests that the GDPR applies to organizations outside of the EU when they process personal data which relates to monitoring behavior of individuals who are in the EU. In the First Notice, the ICO required AIQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.
Four months after the First Notice, the ICO amended it in a notice dated 24 October 2018 (“Second Notice”). The Second Notice removed the reference to Article 3(2)(b) and limited the scope to individuals in the UK. The ICO gave AIQ 30 days to comply with the Second Notice, or it would potentially face a fine which is the higher out of either €20 million or 4% of AIQ’s global turnover.
AIQ appealed the First Notice but withdrew the appeal with the narrowed scope of the Second Notice.