First Enforcement Action under GDPR

By Mallory Henninger

The Information Commissioner’s Office (the “ICO”) in the UK has issued the first enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) against a non-EU based company.  The enforcement notice was directed to AggregateIQ Data Services Ltd. (“AIQ”), a Canadian data analytics firm that has been linked to the Facebook-Cambridge Analytica scandal.  The ICO notice asserts that AIQ violated Articles 5, 6 and 14 of the GDPR rules because it "processed personal data in a way that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing.”  The notice further asserts that AIQ’s processing was “incompatible with the purposes for which the data was originally collected.”  The ICO notice requires that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

While AIQ is exercising its right to appeal and is challenging the ICO’s jurisdiction in issuing the notice, this serves as an important reminder of the reach of the GDPR beyond the borders of the EU.  The GDPR applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Thus, US companies that are monitoring and/or transferring the data of EU citizens need to be aware of what GDPR compliance entails.  

Many US companies are still struggling with GDPR compliance.  A recent TrustArc report indicated that only 12% of surveyed US companies were GDPR compliant one month after the GDPR implementation deadline. US companies are facing additional pressure from the EU as data breaches occur.  Facebook, for example, has recently come under scrutiny following a data breach that put 50 million users at risk.  Though Facebook reported the breach to the Irish Data Protection Commission in accordance with GDPR obligations, the Irish DPC is accusing Facebook of providing incomplete information regarding the nature of the breach and risk to users.       

The lesson to be learned is that GDPR compliance is not optional, and will be an ongoing and prevalent issue for US companies.  All companies that believe they fall under the reach of GDPR should assess their compliance.  The ICO has developed an excellent Guide to the GDPR, as well a self-assessment toolkit.  We recommend dedicating some time to reviewing these resources and seeking legal counsel to determine the best GDPR compliance strategy for your business.

Rebecca Bortolotti