GDPR breach leads to transatlantic enforcement action and more to come

When GDPR first came into force firms around the world stated that ‘time would tell’ in terms of enforcement and how it would work in practice.

Starting in October 2018 the message has been clear - the ICO intends to come down hard on those breaching the GDPR.

The first enforcement notice issued was directed to AggregateIQ, a Canadian data analytics firm.  AggregateIQ used its data analytics capabilities to target voters in the 2016 Brexit referendum with advertisements on behalf of clients such as Vote Leave, the official campaign for leaving the European Union.

It emerged that AggregateIQ, based in Vancouver, after the advent of the GDPR, had been processing the personal data of UK individuals and using this data to target individuals with political social media advertising. The ICO has determined that there was a failure to comply with Articles 5 (1)(a) – (c) and Article 6 of the GDPR, as it "processed data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for the processing."

Not only is AggregateIQ required to erase any personal data of individuals in the UK, they could be a subject to a fine of up to 20 million Euros or 4 % of the company's total annual worldwide turnover for the previous financial year, whichever is higher. AggregateIQ is understood to be appealing against the Enforcement Notice to the First Tier Tribunal.

This is the first major, international enforcement action taken by the ICO but we can be sure it’s not the last. This has resulted in significant press interest - not least because of the circumstances of the failure - and the ICO will surely be under pressure to enforce GDPR more widely, to support international action such as this and prevent further appeals.

Another example of GDPR enforcement worthy of mention is the record fine sustained by Google (€55m (£44m)) by French supervising authority, CNIL, when it was  found to have breached GDPR rules by failing to have a lawful basis for processing its customers’ data in relation to personalised adverts. Two group complaints were filed by privacy groups against Google.

When it investigated, CNIL found that Google had violated GDPR obligations in relation to transparency and information, as well as the requirement to have a legal basis for any advertising personalisation. CNIL found that users were not told enough about how Google collected data for personalised advertising, were not able to fully understand the extent of Google’s processing operations and that the pre-ticked option (when people create a Google account) did not present the ‘unambiguous’ affirmative permission required.

And it doesn’t stop there… Austria’s data protection regulator (NOYB1) is investigating complaints against eight more tech firms – including Google, Amazon, Apple, Netflix and Spotify – on behalf of users who stream music, films and other entertainment. The complaints allege non-compliance with the user’s right to access their data and various “structural violations” of the law.

We feel sure the number of organisations facing this will only increase - particularly once the UK leaves the EU. For now, it’s important to review compliance procedures and international contracts in particular, to prepare as best you can.