The other GDPR shoe has dropped… with the European data protection law being enforced against a Canadian company.
Since the sweeping law went into effect on May 25, 2018, the digital world has been waiting for enforcement actions to help bring the law into focus. Recently, one case arose in the United Kingdom. Violation of the law may result in massive fines of up to €20 million (about US $24 million) or 4% of annual global turnover.
The UK’s data privacy authority (“DPA”) is the Information Commissioner’s Office (“ICO”). ICO has brought an enforcement action against AggregateIQ Data Services Ltd. (“AggregateIQ”) for violating the General Data Protection Regulation (better known as “GDPR”). AggregateIQ is a data analytics company based in Canada. It was retained by several political groups to improve campaigning during the Brexit 2016 EU referendum, through use of names and email addresses of individuals residing in the UK.
ICO determined that AggregateIQ is a Data Controller as defined in the GDPR, based on how it was collecting and using the data. ICO claimed that AggregateIQ violated the principles of data processing under Article 5(1)(a)-(c), which are transparency, limited purpose, and data minimization. These principles reflect the EU Commission’s overall goal of having individuals (bloodlessly called “Data Subjects”) become fully informed of the who, what, when, where and why of the processing of their data; have more control over how the data spreads; and limit how much of the personal data exists in cyberspace.
The violation of the transparency principle stems from AggregateIQ, as a Data Controller, failing to notify people about the use of their information, as required under Article 14 of the GDPR. ICO alleged that AggregateIQ lacked a lawful basis for processing personal data under GDPR Article 6, which could have been satisfied with the consent of the Data Subjects. Massive fines are to be levied absent compliance with the order issued by the ICO.
ICO has also notified the Washington Post that the Post is in violation of GDPR because website readers must pay for a subscription if they don’t want to accept cookies. Cookies are small pieces of code used to track viewers, often to serve ads. However, no enforcement action has been brought to date against the Post.
What should we take away from this? First, even a small amount of personal data or cookie collection can lead to a GDPR violation. Second, the “extraterritorial” nature of the GDPR is real, and national authorities such as ICO can and will reach across borders and even continents. Finally, ICO did not distinguish between information that most people disclose freely, such as names and email addresses, compared with identification numbers or other data that is typically guarded quite closely.
Before this, entities across the world were hypothesizing how and when enforcement actions would be brought and fines assessed. Some believed there would be no enforcement actions brought against smaller overseas companies, so they were “safe” from prosecution – call this the “distance myth.” Still others believed that there might be a non-compliance threshold below which it wouldn’t be practical for a DPA to bring enforcement, possibly based on the type and quality of data collected (e.g., name, DOB, SSN, email, street address, bank account as opposed to just an email address) – call this the “threshold myth.” ICO has now dispelled both the distance myth and the threshold myth in a single action.
However, questions remain. For example, was AggregateIQ really just ICO’s first opportunity to bring an enforcement action, or did ICO use this case to send a message to entities all over the world that it can and will prosecute even for cases where a relatively small amount of personal data was collected and used? Or was this done to send a message specifically to those involved in trying to influence elections and referendums, as Cambridge Analytica was? This may indeed be about elections, as that use of the data was specifically called out in the enforcement notice, and is in contrast to the warning sent to the Washington Post.
Stay tuned for more on this developing story.