After much anticipation, the first enforcement action has been taken under the GDPR on a company outside the EU. Hayley Miller and Harry Kirkwood examine what’s happened and encourage companies to consider whether the GDPR applies to them, and if it does, commence compliance steps.
The first enforcement notice under the GDPR was issued in July of this year and was recently varied by the UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’). AggregateIQ Data Services Ltd (‘AIQ’), a political consultancy and technology business located in Canada (with no physical presence in the EU), is the company in the crosshairs of the ICO. The notice arose out of the ICO’s investigation into the use of data analytics in political campaigns for the Brexit referendum. This is significant not only because it is the first enforcement action under the GDPR, but also because it demonstrates the potential for enforcement under the GDPR against companies outside of the EU.
Interestingly, the first notice, served on AIQ on 6 July 2018, went largely under the radar. That’s not a surprise considering the notice was not listed on the ICO’s enforcement website. Instead, a link to the notice was buried at the end of an ICO report titled “Investigations into the use of data analytics in political campaigns”.
In that notice, the ICO required AIQ to 'cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes'.
According to that notice, the ICO considered AIQ to be subject to the GDPR by virtue of Article 3(2)(b), which provides that the GDPR applies to organisations outside of the EU when they process personal data in connection with monitoring the behaviour of individuals who are in the EU. The notice did not discuss why AIQ was considered to have been ‘monitoring behaviour’, which unfortunately leaves us with no further guidance around the application of Article 3 (other than the initial guidance in Recital 24 of the GDPR).
Since then, in a notice dated 24 October, the ICO varied and replaced its earlier notice, removing the reference to Article 3(2)(b) (the reason for which is unclear) and clarifying that AIQ needed only to ‘Erase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner by Borden Ladner Gervais LLP in letters of 10 and 31 May 2018.’
Interestingly, AIQ is only required to erase that data within 30 days of being notified by the Office of the Information and Privacy Commissioner of British Columbia (‘OIPC’) that it is no longer the subject of any investigation by the OIPC (or of being informed by the OIPC that it is content for AIQ to comply with the ICO's notice).
A failure to comply with this notice could leave AIQ liable to a substantial fine of up to €20 million or 4% of its global annual turnover (whichever is higher).
AIQ had exercised its right to appeal the first notice, but has since withdrawn the appeal in light of the narrowed scope of the second notice. The withdrawn appeal has taken away what would have been the first real indicator of the practical challenges that might exist in relation to extraterritorial enforcement. What is clear is that operating in a far-away corner of the globe does not necessarily mean you will escape the watchful eye of the GDPR regime.
If you are one of the many New Zealand businesses and organisations affected by these data regulations and you haven’t already done so, you will need to review, adapt and implement new data compliance and privacy policies.
We can help you with your compliance process. Kensington Swan has created a number of resources for reference in your journey to understanding GDPR and compliance with it:
Our thanks to Harry Kirkwood, Solicitor in our Corporate and Commercial team for preparation of this newsflash.