On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect. The regulation was touted as a major shake-up of data protection law across Europe, and many organisations and headlines predicted fines worth millions being handed out on an almost daily basis. The truth is that the Information Commissioner’s Office (ICO), which is responsible for enforcing the GDPR (Data Protection Act) in the UK, has yet to fine anyone under the regulation. Now, however, the ICO has issued its first enforcement notice under the regulation, which will likely result in the first major fine.
Canadian firm AggregateIQ Data Services Ltd (AIQ) was served with the enforcement notice, dated July 6th 2018, and has a period in which it can appeal the notice and work with the ICO to establish the outcome. The firm is best known for the work it did in the run-up to the EU referendum, in which the UK voted to leave the European Union. The organisation was also linked to Cambridge Analytica and the Facebook scandal, in which people in the USA were targeted by political campaigns during the 2016 US election that saw President Trump elected.
How did Vote Leave and AIQ fail to comply with the GDPR?
The enforcement notice from the ICO sets out the areas of the regulation that have not been complied with and that will be investigated. Three articles are cited: Article 5, Article 6 and Article 14. A breach of any one of these could see the organisation fined the maximum penalty of €20 million or 4% of global revenue.
Article 5 of the GDPR sets out the principles relating to the processing of personal data. There are six main points under Article 5 which set out the ground rules for how data should be processed. The enforcement notice that AggregateIQ received cites the following:
Article 5 (1)(a), (b) and (c)
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
Article 6 of the GDPR sets out the lawfulness of processing under the regulation and is one of the most important articles for any organisation processing data. Full definitions of what processing means under the regulation are set out in Article 4. The enforcement notice states that AggregateIQ and Vote Leave must have a lawful basis for processing data. There are six lawful bases for processing data under the regulation:
- Consent by the data subject
- Performance of a contract with the data subject, or steps taken at the request of the data subject
- For compliance with legal obligations
- To protect the vital interests of the data subject
- In the public interest or in the exercise of official authority vested in the controller
- Legitimate interest pursued by the controller
Article 14 specifies the information that must be provided to a data subject where their details have not been obtained directly from them. This information should include, where applicable, the identity of the data controller, the contact details of the data protection officer charged with the safety of the data, and the purposes of the processing. The enforcement notice states that the ICO does not believe any of this information was shared with data subjects.
“The commissioner is satisfied that the controller has failed to comply with Articles 5 (1)(a)-(c) and Article 6 of the GDPR. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. Furthermore, the processing was incompatible with the purposes for which the data was originally collected.”
Under the terms of the enforcement notice AIQ had 30 days to ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.’
Why is this GDPR enforcement notice significant?
This enforcement notice to AggregateIQ from the Information Commissioner’s Office is significant for a number of reasons. Importantly, it is the first enforcement notice to be publicised since the GDPR came into effect, despite a number of large fines having been handed to organisations since May 25th.
Cambridge Analytica was handed a £500,000 fine for its role in the Facebook scandal. The incident, however, took place under the previous Data Protection Act, so £500,000 was the maximum penalty that could be levied.
As this is the first case to be enforced, it is likely that the outcome and the probable fine will set a precedent for cases going forward. Because the maximum penalty is so much higher than before, this case will set a benchmark for fines. In addition, AggregateIQ is an organisation based in Canada, reinforcing the fact that the GDPR applies to organisations anywhere in the world that process the personal data of EU citizens, and that supervisory authorities are not afraid to hand out fines internationally.
Now that the first notice has been served, it will be worth watching how quickly another is publicised, and to whom.
Working with compliant vendors and processors
One of the key tenets of the GDPR was to strengthen protection for data subjects and to bring data protection law up to date with the technological advances of the past two decades. Under the updated law, both data controllers and data processors are responsible for complying and for ensuring that data is processed lawfully and securely. This makes it vital for controllers to work with vendors and suppliers who can be trusted and who can demonstrate their compliance.
As a vendor committed to complying with the GDPR, Redstor has taken extensive measures to ensure that internal policies and processes uphold the regulation and that all staff are aware of their responsibilities and rights under the GDPR.