GDPR Enforcement Update
In the months since the General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, data protection authorities (“DPAs”) have received thousands of complaints from European Union (“EU”) residents. The European Data Protection Board, an independent data protection authority based in the EU, reported that more than 42,000 GDPR complaints have been filed throughout the EU. Given the large number of GDPR complaints, EU residents and entire industries have been waiting for the first GDPR enforcement actions. Now, as the GDPR nears its six-month milestone, there have been some significant developments regarding enforcement.
On October 24, 2018, the Information Commissioner’s Office (“ICO”), the United Kingdom (“UK”) Supervisory Authority, issued an Enforcement Notice (“Notice”) to AggregateIQ Data Services Ltd. (“AIQ”), requiring AIQ to erase all the personal data held by AIQ related to residents of the UK. AIQ is a Canada-based data analytics company that was a subcontractor of the analytics firm Cambridge Analytica. The Notice cited AIQ’s use of commercial behavioral advertising techniques and data analytics for political campaigning as the impetus for the ICO’s initial investigation and the subsequent Notice. In 2016, AIQ received names, email addresses, and other personal information of UK residents (“Personal Data”) from several political organizations, and used such Personal Data to target individuals with political advertising messages through social media sites. On May 31, 2018, AIQ confirmed to the ICO that it had retained the Personal Data from 2016, and that the Personal Data had been accessed by an unauthorized third party.
The ICO determined that AIQ failed to comply with Articles 5 (data processing) and 6 (lawful purposes) of the GDPR because: (1) data subjects were not aware of the extent and purpose of AIQ’s processing of Personal Data, and (2) AIQ’s lawful purpose for processing Personal Data was inconsistent with the purposes for which the Personal Data was originally collected. Additionally, AIQ failed to comply with Article 14 because it did not provide data subjects with the information required to be provided when a data controller processes personal data that was not obtained from the data subject. Under the Notice’s enforcement terms, AIQ was required to erase all of the Personal Data within thirty (30) days of receiving the Notice. If AIQ fails to comply with the Notice, the ICO could impose a severe monetary penalty of either 20 million Euros or 4 percent of AIQ’s total annual worldwide turnover, whichever is higher.
Ultimately, AIQ decided to appeal the ICO’s Notice to the First-tier Tribunal of the General Regulatory Chamber, where it is awaiting a hearing date. While we are likely months away from any final outcome in a GDPR enforcement action, the AIQ Notice indicates that DPAs are actively investigating GDPR complaints, that the potential penalties for non-compliance are significant, and that data controllers and data processors should ensure that any processing of personal data is done pursuant to a lawful basis and consistent with the purpose for which it was collected.