Canadian Analytics Firm Served with GDPR Enforcement Notice

The UK Information Commissioner’s Office (“the Commissioner”) recently served a formal Enforcement Notice (“the Notice”) under the European Union’s (“EU”) General Data Protection Regulation EU2016/679 (“GDPR”) against Canadian data analytics firm, AggregateIQ Data Services (AIQ).

The GDPR came into force on May 25, 2018, and failure to adequately protect individual’s personal data in compliance with the GDPR can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher.

As per the Notice, AIQ is a “data controller” and has been processing personal data on behalf of UK political organizations to target online ads at voters during public polls. Although the data was collected prior to the date on which the GDPR came into effect, AIQ is subject to the obligations under the GDPR because it continued to retain and process personal data that relates to monitoring data subjects’ behaviour taking place within the EU.

The Commissioner took the view that AIQ failed to comply with the GDPR because it processed personal data in a way that data subjects were not aware of, for purposes which they would not have expected, without a lawful basis for that processing, and the processing was incompatible with the purposes for which the data was originally collected. The Commissioner demanded that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” 

AIQ has exercised its right to appeal the Notice.

Summary By: Sumaiya Sharmeen