Francesca Jus-Burke Senior Associate
EU GDPR enforced against a Canadian data analytics company
The UK data protection regulator has issued its first enforcement notice against a non-EU company. Canadian AggregateIQ Data Services Ltd (AIQ), which is alleged to have ties to Cambridge Analytica, used the personal data of Facebook users to target pro-Brexit advertisements at prospective voters online during the Brexit referendum campaign.
Social media “micro-targeting” was carried out without the consent of Facebook users and as a result was determined by the UK Information Commissioner’s Office (ICO) to have breached Articles 5(1)(a)-(c) and 6 of the EU General Data Protection Regulation (GDPR) concerning data processing and Article 14 of the GDPR concerning notices to data subjects. Specifically, AIQ failed to be transparent about its use of personal data. It processed the personal information of UK individuals in a way that they were not aware of, for purposes they would not have expected and without a lawful basis for that processing. AIQ also failed to appoint an EU representative in breach of Article 27 of the GDPR.
In July 2018, the ICO used its powers under the UK Data Protection Act 2018 (DPA) to serve AIQ with an enforcement notice requiring it to delete all data of individuals in the UK from its servers within 30 days. Due to the seriousness of the breaches, compliance with the enforcement notice was nearly impossible. AIQ appealed the notice.
In October 2018, AIQ withdrew its appeal as a result of the ICO agreeing to narrow the scope of the enforcement notice. On 24 October 2018, the ICO published a revised enforcement notice which ordered AIQ to delete any UK personal data on its servers – determined by reference to the domain names of email addresses – that the company had told the ICO it held in May 2018, rather than the broader category of “any personal data of UK or EU citizens obtained from UK political organisations”.
The ICO needed to involve the local Canadian data protection regulator in the enforcement action due to AIQ’s location and failure to appoint an EU data protection officer. The company was required to delete the information within 30 days of the Office of the Information and Privacy Commissioner for British Columbia (OIPC) ending its investigation of the company, or OIPC agreeing that AIQ could comply with the UK order.
Article 3 of the GDPR applies to non-EU organisations who monitor the behaviour of individuals in the EU. The DPA replicates the territorial scope of the GDPR.
Failure to comply with the ICO’s enforcement notice could result in AIQ becoming liable for a fine of up to EUR 20 million or 4 per cent of their total annual worldwide turnover, whichever is higher.
Since AIQ has breached the requirement to have an EU representative, any court action following a fine imposed by the ICO would have to be served out of the jurisdiction. With a UK judgment entered, AIQ would be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for collection of the fine.
Whilst the Brexit referendum campaign took place prior to the GDPR coming into force, the notice against AIQ was issued under the GDPR because the alleged breaches were ongoing.
This case serves as a useful reminder that the GDPR will continue to regulate many non-EU organisations.
Related news & insights
News / Refund guarantees – avoiding drafting pitfalls
12-05-2022 / Energy & Infrastructure
Refund guarantees are often described as the cornerstones to shipbuilding projects and the buyer’s main security. Although they do not strictly form part of the shipbuilding contract, a shipbuilding project is unlikely to go ahead at all without one. It is therefore important to understand the different types of guarantee instruments, and the impact each has in practice on the guarantor’s obligations to pay and the buyer’s entitlement to recovery. A well-drafted guarantee provides certainty to the parties and strikes a balance between their respective entitlements and obligations.
News / You will be estopped if you cross the line
04-04-2022 / Energy & Infrastructure
Estoppel is a useful tool in litigation, which is usually used to bind one party to a statement or a promise that it has previously expressed causing another to accept or adopt it for the purpose of their legal relations. The Court’s recent ruling in Geoquip Marine Operations AG v (1) Tower Resources Cameroon SA (2) Tower Resources PLC addresses estoppel by convention and recognises the requirement for the common assumption created between the parties to be clear and unequivocal. In this article, we focus on the specifics of the Court decision.
News / Court of Appeal overturns second Unaoil bribery conviction
29-03-2022 / Energy & Infrastructure
On 24 March 2022, the Court of Appeal overturned the conviction of a second man, Paul Bond, prosecuted by the Serious Fraud Office (SFO) in relation to alleged wrongdoing by Unaoil.
News / The Court grapples with impact of Covid-19 on European rugby
08-03-2022 / Energy & Infrastructure
As we approach the second anniversary of Covid-19 being declared a pandemic by the World Health Organisation on 11 March 2020, a number of judgments are coming out of the English Courts which are providing useful guidance on how the English Courts are treating claims concerning Covid-19, especially in a force majeure context.
News / Climate change litigation: Courts decide the law, not political policies
02-03-2022 / Energy & Infrastructure
R (Finch) v Surrey County Council CA (Civ Div)  EWCA Civ 187 “The task of the court in a claim such as this is only to decide the issues of law. Those issues cannot extend into the realm of political judgment – which is the responsibility of the executive, not the courts …”
News / Climate litigation update: climate-washing comes ashore
28-02-2022 / Energy & Infrastructure
With companies racing to make sense of and take steps towards a net-zero future, an array of climate goals are being published at ever increasing speed; it remains to be seen how achievable many of these goals are without concrete plans in place. Accusations of ‘climate-washing’ are rife and statements have been legally challenged. Current investigations and actions show the direction of travel as pressure groups and public organisations seek to hold private sector companies to account.