The Information Commissioner's Office (ICO) has issued its first enforcement notice under the GDPR. Unsurprisingly it is addressed to AggregateIQ Data Services Limited, a Canadian company, in connection with the Cambridge Analytica and Facebook affair. The notice is interesting in a couple of respects:
- It sets out the ICO's concerns about how the company was processing personal data, and those concerns could apply to any organisation. The company was processing personal information, including names and email addresses, in a way the data subjects were not aware of, for purposes they would not have expected, and without a lawful basis for that processing. The processing was incompatible with the purposes for which the data was originally collected, and the ICO took the view that the data subjects, having been denied the opportunity to understand what personal data about them was being processed, and how and why, were likely to suffer damage and distress.
- This is the first time an enforcement notice has been sent to an entity outside the UK, and the company disputes that it is subject to the ICO's jurisdiction at all. The territorial scope of the GDPR is set out in Article 3, which provides that the GDPR applies to organisations outside the EU when they process personal data that, among other things, relates to monitoring the behaviour of individuals who are in the EU. An organisation outside the EU that is caught in this way is supposed to appoint a representative within the EU, and the company appears not to have done so.
As this case pans out it is clearly going to shape the way the framework for addressing multi-jurisdictional misuse of data develops in future.
It is also a reminder to take care about 'mission creep': to use data only for the purposes for which somebody originally provided it to us, and only for the purposes we told them about in our Privacy Notice.