The ICO has issued has issued its first enforcement action under the GDPR. Unusually, the ICO did not report this case on the “enforcement action” page of its website and therefore this notice has been overlooked by many, despite being issued in July. Instead it was attached to the Commissioner’s Report “Investigation into the use of data analytics in political campaigns.” Despite being missed by many, this case is particularly notable as not only is it the first enforcement notice to be issued under GDPR, but it is also the first cease processing order to be taken by the ICO against a company based outside of the UK.
The enforcement action was taken against a Canadian company, AggregateIQ (AIQ). However, since this case concerned AIQ’s monitoring of individuals’ behaviour taking place within the EU, its actions came within the territorial scope of GDPR.
What actions were the ICO concerned with?
The ICO entered into a formal investigation, after it became aware of AIQ’s processing activities in relation to political campaigning. AIQ processed data on behalf of political bodies including Vote Leave and as such had access to the details of UK individuals, such as names and email addresses. AIQ used behavioural advertising techniques so that political adverts could be directed at specific individuals via social media.
Further, at the end of May, AIQ admitted that it still retained data subjects’ personal data and that it had previously been accessed unlawfully by a third party.
What provisions of the GDPR did AIQ breach?
The ICO stated that three articles of GDPR had been breached by AIQ – articles 5, 6 and 14.
Article 5 was held to have been breached by AIQ because the data was processed in a manner which the individuals could not have been aware of and they could not have anticipated the purposes for which the data was processed – i.e. the data was not being processed by AIQ in a manner inconsistent with AIQ’s initial purpose for processing.
Article 6 requires that there be a lawful basis for processing data. However, AIQ had not identified and could not be said to have had a lawful basis for the processing it was carrying out.
Article 14 provides that where the data has not been obtained from the individual, the data controller must provide the individual with certain information, such as the identity and contact details of the controller. This article was breached because the ICO was not aware of any of this information being provided to the affected individuals by AIQ.
The ICO issued an enforcement notice, stipulating that AIQ must “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
Therefore, AIQ had to stop processing data immediately and could not process data until the ICO is satisfied that there is no longer a danger posed by AIQ’s activities to data subjects. Some critics have commented that the enforcement notice issued by the ICO is particularly wide and contains vague language, such as “or otherwise” and “any other advertising purposes”. Therefore it is not particularly clear exactly what processing AIQ is prohibited from undertaking.
What happens now?
AIQ have appealed against the issuing of the enforcement notice and we await further information in due course. It will be interesting to see whether the First Tier Tribunal uphold the ICO’s decision, or whether they are critical of the wide wording used by the ICO in the enforcement notice.