EU GDPR enforced against a Canadian data analytics company

News / / EU GDPR enforced against a Canadian data analytics company

The UK data protection regulator has issued its first enforcement notice against a non-EU company. Canadian AggregateIQ Data Services Ltd (AIQ), which is alleged to have ties to Cambridge Analytica, used the personal data of Facebook users to target pro-Brexit advertisements at prospective voters online during the Brexit referendum campaign.

The breaches

Social media “micro-targeting” was carried out without the consent of Facebook users and as a result was determined by the UK Information Commissioner’s Office (ICO) to have breached Articles 5(1)(a)-(c) and 6 of the EU General Data Protection Regulation (GDPR) concerning data processing and Article 14 of the GDPR concerning notices to data subjects. Specifically, AIQ failed to be transparent about its use of personal data. It processed the personal information of UK individuals in a way that they were not aware of, for purposes they would not have expected and without a lawful basis for that processing. AIQ also failed to appoint an EU representative in breach of Article 27 of the GDPR.

In July 2018, the ICO used its powers under the UK Data Protection Act 2018 (DPA) to serve AIQ with an enforcement notice requiring it to delete all data of individuals in the UK from its servers within 30 days. Due to the seriousness of the breaches, compliance with the enforcement notice was nearly impossible. AIQ appealed the notice.

In October 2018, AIQ withdrew its appeal as a result of the ICO agreeing to narrow the scope of the enforcement notice. On 24 October 2018, the ICO published a revised enforcement notice which ordered AIQ to delete any UK personal data on its servers – determined by reference to the domain names of email addresses – that the company had told the ICO it held in May 2018, rather than the broader category of “any personal data of UK or EU citizens obtained from UK political organisations”.

The ICO needed to involve the local Canadian data protection regulator in the enforcement action due to AIQ’s location and failure to appoint an EU data protection officer. The company was required to delete the information within 30 days of the Office of the Information and Privacy Commissioner for British Columbia (OIPC) ending its investigation of the company, or OIPC agreeing that AIQ could comply with the UK order.

Extra-territorial reach

Article 3 of the GDPR applies to non-EU organisations who monitor the behaviour of individuals in the EU. The DPA replicates the territorial scope of the GDPR.

Failure to comply with the ICO’s enforcement notice could result in AIQ becoming liable for a fine of up to EUR 20 million or 4 per cent of their total annual worldwide turnover, whichever is higher.

Since AIQ has breached the requirement to have an EU representative, any court action following a fine imposed by the ICO would have to be served out of the jurisdiction. With a UK judgment entered, AIQ would be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for collection of the fine.


Whilst the Brexit referendum campaign took place prior to the GDPR coming into force, the notice against AIQ was issued under the GDPR because the alleged breaches were ongoing.

This case serves as a useful reminder that the GDPR will continue to regulate many non-EU organisations. 

Francesca Jus-Burke

Francesca Jus-Burke Senior Associate

Related sectors:

Related services:

Related news & insights

Insights / Climate Change Litigation Continueth – The Scottish Case: Greenpeace v. BEIS and the OGA (and BP too)

15-10-2021 / Energy & Infrastructure

The Scottish Court of Session has declared that dealing with the global environmental impact of the consumption of oil is a political matter for the UK Government, not a legal issue for the UK Courts in considering the validity of approval to drill new oil wells in a single field.

Climate Change Litigation Continueth – The Scottish Case: Greenpeace v. BEIS and the OGA (and BP too)

News / AfCFTA and Energy & Infrastructure

11-10-2021 / Energy & Infrastructure, Maritime

This article is the third in a series of articles looking at the impact of the African Continental Free Trade Area (the “AfCFTA”) on various practice areas and industry sectors that our clients operate in. This article focuses on Energy and Infrastructure and addresses some of the key questions our clients have asked us.

AfCFTA and Energy & Infrastructure

Insights / Supreme Court clarifies lawful act of duress

21-09-2021 / Energy & Infrastructure

In Times Travel (UK) Ltd v Pakistan International Airlines Corporation (Rev 2) [2019] EWCA Civ 828, the Supreme Court confirmed the existence of the doctrine of ‘lawful act duress’ under English law and its limited scope in commercial transactions.

Supreme Court clarifies lawful act of duress

News / Shell agrees pay out to Nigerian community to settle long-running oil spill dispute

17-08-2021 / Energy & Infrastructure

In 1991, the Ejama-Ebubu people began a legal campaign to hold Shell Nigeria (“Shell”) accountable for an oil spill that occurred in 1970. Shell accepted that these oil spills had occurred, but argued that these were caused by “third parties” during the Biafran war, for which Shell should not be held liable. Almost 20 years later, in 2010, a Nigerian Federal court ordered Shell to pay 17 billion naira to the Ejama-Ebubu community. Shell has unsuccessfully attempted to challenge this ruling over several years and, in November 2020, the Nigerian Supreme Court ruled that Shell could no longer appeal the decision.

Shell agrees pay out to Nigerian community to settle long-running oil spill dispute

News / The Bribery Act: ten years on

19-07-2021 / Energy & Infrastructure

The Bribery Act: ten years on

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500