First Notice Filed Under GDPR against Canadian Analytics Firm

The UK Information Commissioner’s Office (ICO) has issued an Enforcement Notice against a Canadian data analytics firm, AggregateIQ (AIQ), that allegedly produced targeted advertisements for pro-Brexit campaigns. This action is the first Enforcement Notice issued under the GDPR.

According to the Notice, the ICO announced a formal investigation into the use of data analytics in political campaigns in May 2017 and was subsequently in contact with AIQ regarding AIQ's processing of personal data on behalf of political campaigns. AIQ confirmed that it still held personal data of UK data subjects and that the data was stored on a code repository that had previously been subject to unauthorized access by a third party.

The complaint alleges that AIQ has violated GDPR’s Articles 5, 6 and 14. Specifically, the Notice asserts that AIQ violated Articles 5 and 6 because it processed personal data in a manner that was incompatible with the purposes for which it was collected and without a lawful basis. The complaint further alleges that AIQ did not provide the appropriate notice to data subjects as required by Article 14; that is, it did not tell the potential voters that it had received data about them from a third party.

Although the data was collected before the effective date of the GDPR, May 25, 2018, the Notice alleges that AIQ was still holding the data after the GDPR’s effective date.

If AIQ does not comply with the Notice or does not appeal within 28 calendar days, then the ICO may serve a Penalty Notice. AIQ faces penalties that could be as high as €20 million or 4% of the company’s annual turnover, whichever is greater.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...