First Formal Enforcement Action under GDPR

The ICO has issued has issued its first enforcement action under the GDPR. Unusually, the ICO did not report this case on the “enforcement action” page of its website and therefore this notice has been overlooked by many, despite being issued in July.  Instead it was attached to the Commissioner’s Report “Investigation into the use of data analytics in political campaigns.”  Despite being missed by many, this case is particularly notable as not only is it the first enforcement notice to be issued under GDPR, but it is also the first cease processing order to be taken by the ICO against a company based outside of the UK.


The enforcement action was taken against a Canadian company, AggregateIQ (AIQ). However, since this case concerned AIQ’s monitoring of individuals’ behaviour taking place within the EU, its actions came within the territorial scope of GDPR.

What actions were the ICO concerned with?

The ICO entered into a formal investigation, after it became aware of AIQ’s processing activities in relation to political campaigning.  AIQ processed data on behalf of political bodies including Vote Leave and as such had access to the details of UK individuals, such as names and email addresses. AIQ used behavioural advertising techniques so that political adverts could be directed at specific individuals via social media.

Further, at the end of May, AIQ admitted that it still retained data subjects’ personal data and that it had previously been accessed unlawfully by a third party.

What provisions of the GDPR did AIQ breach?

The ICO stated that three articles of GDPR had been breached by AIQ – articles 5, 6 and 14.

Article 5 was held to have been breached by AIQ because the data was processed in a manner which the individuals could not have been aware of and they could not have anticipated the purposes for which the data was processed – i.e. the data was not being processed by AIQ in a manner inconsistent with AIQ’s initial purpose for processing.

Article 6 requires that there be a lawful basis for processing data.  However, AIQ had not identified and could not be said to have had a lawful basis for the processing it was carrying out.

Article 14 provides that where the data has not been obtained from the individual, the data controller must provide the individual with certain information, such as the identity and contact details of the controller.  This article was breached because the ICO was not aware of any of this information being provided to the affected individuals by AIQ.

Action taken

The ICO issued an enforcement notice, stipulating that AIQ must “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

Therefore, AIQ had to stop processing data immediately and could not process data until the ICO is satisfied that there is no longer a danger posed by AIQ’s activities to data subjects.  Some critics have commented that the enforcement notice issued by the ICO is particularly wide and contains vague language, such as “or otherwise” and “any other advertising purposes”.  Therefore it is not particularly clear exactly what processing AIQ is prohibited from undertaking.

What happens now?

AIQ have appealed against the issuing of the enforcement notice and we await further information in due course.  It will be interesting to see whether the First Tier Tribunal uphold the ICO’s decision, or whether they are critical of the wide wording used by the ICO in the enforcement notice.

This article was co-written by Charlotte Fleming. 

Technology, Media & Telecoms

With very few areas not impacted by technology, media and telecoms, we remain focused on ensuring we stay ahead of the curve in advising clients of the ever-increasing body of law, regulation and policy affecting the sector.

Latest updates from @MacRoberts

  • Our award-winning Family Law team can help you and your partner through difficult situations by providing support w… 23 hours ago
  • To celebrate the Olympic Games in Tokyo, we're delighted to launch our latest sporting challenge in support of our… 23/07/2021
  • MacRoberts is recruiting! We are currently looking for a Real Estate Planning Solicitor to join the MacRoberts tea… 23/07/2021
  • The countdown is on! With just 100 days to go, we’re looking forward to #COP26 in Glasgow! ♻️ As a firm accredite… 22/07/2021
  • Has lockdown led you to consider a move to the countryside? From discussing a possible purchase to obtaining the… 22/07/2021
  • Have you seen our latest vacancies? 💼 We currently have opportunities in various departments across the firm. Fin… 21/07/2021
  • Acas has published new guidance for employers with helpful information on #flexibleworking & #hybridworking. With t… 20/07/2021
  • Busting the myth that a career in law is only for the privileged few: @marikaflawyer is speaking at this morning’s… 19/07/2021
  • MacRoberts is recruiting! We are currently looking for a Support Services Assistant to join our team in Edinburgh.… 16/07/2021
  • MacRoberts is pleased to have been part of the team advising @HV_Systems in its £5m capital boost from Beehive Equi… 15/07/2021
  • MacRoberts is recruiting! We are currently looking for a NQ Solicitor to join our Conveyancing & Private Client te… 14/07/2021
  • For the last of our IGTV mini-series, we hear from Katie MacLeod. She will be giving an insight into what it’s like… 14/07/2021
  • RT @marikaflawyer: Exciting opportunity for Associate in our award winning Family Law team #familylaw #LegalCareer 14/07/2021
  • MacRoberts is recruiting! We are currently looking for an Associate to join our Family Law team in Edinburgh or Gl… 14/07/2021
  • Last week, the UK Government took the decision to relax the rules on the length of time lorry drivers can work as a… 13/07/2021