First formal enforcement notice issued under General Data Protection Regulation (GDPR) in Europe

Frith Tweedie, Digital Law Leader at EY Law New Zealand, discusses what firms can learn from Europe’s first enforcement notice under the GDPR, which the UK Information Commissioner’s Office issued against a Canadian data analytics firm.

Frith Tweedie

A Canadian data analytics firm has received the first formal enforcement notice under Europe’s General Data Protection Regulation (GDPR) from the UK Information Commissioner’s Office (ICO).

While the brevity of the notice may raise more questions than it answers, it is a useful indicator of potential GDPR enforcement focus areas – and that European regulators are prepared to pursue entities anywhere in the world for breaches of the GDPR.

Our research indicates this enforcement notice is not only the first UK order under the GDPR, but also the first in Europe. So it’s somewhat surprising that it only recently come to light, given the notice was issued on 6 July 2018. Included as an easily-missed link at the end of the ICO’s report on its investigation “into the use of data analytics in political campaigns”, there is no mention of it on the ICO enforcement webpage. The fact it was a GDPR notice was only spotted last week by a UK law firm and the media has been surprisingly quiet. Has the GDPR hype cycle moved on?

What does the enforcement notice say?

The ICO has ordered AggregateIQ Data Services Limited (AIQ) – a Canadian data analytics firm alleged to have close links to Cambridge Analytica – to cease processing UK and EU personal data obtained from pro-Brexit political organisations within 30 days of the notice. According to the BBC, AIQ was paid nearly £3.5m by several pro-Brexit organisations to target prospective voters with political ads on social media during the Brexit referendum campaign.

Failure to comply with the notice could result in a penalty notice requiring payment by AIQ of up to €20 million or 4% of total annual worldwide turnover, whichever is higher. AIQ denies any wrongdoing and has appealed.

AIQ was given the names and email addresses of UK individuals under contracts with its political clients. Despite collecting the personal data before the GDPR came into force on 25 May 2018, the ICO states that AIQ’s confirmation that the “personal data regarding UK individuals was still held by them” meant that the GDPR applies.

The notice states that AIQ failed to comply with the GDPR by processing personal data in a way that data subjects were not aware of, for purposes they would not have expected and without a lawful basis. The processing was incompatible with the purposes for which it was originally collected and AIQ also failed to provide data subjects with relevant information about its use of the personal data, typically done using a privacy notice or policy.

Interestingly, the ICOdescribes AIQ as a “data controller” but then subsequently refers to it as processing personal data “on behalf of UK political organisations” – language usually used to describe a “data processor”, including in the definition in Article 4. Unhelpfully, the notice does not explain why AIQ is considered to be a data controller.

TOP 5 TAKEAWAYS FOR NON-EUROPEAN ORGANISATIONS

1. GDPR regulators are serious about pursuing non-European entities

Serving the enforcement notice on a non-European entity demonstrates both the GDPR’s extra-territorial reach and that European regulators are not afraid to exercise their powers outside Europe.

While the facts of this case are fairly extreme – not many New Zealand or Australian organisations are likely to be involved in political campaigns with the potential to influence the democratic outcomes of other countries – the notice should serve as something of a wake-up call to organisations around the world that process European personal data. Are you prepared to risk €20 million plus fines and significant reputation damage by choosing to believe geographical distance negates any real likelihood of being penalised for GDPR non-compliance?

2. Online “monitoring” could trigger your GDPR exposure

In the absence of an EU establishment, the ICO’s basis for applying the GDPR to AIQ was its “monitoring of behaviour” of EU individuals (Article 3(2)(b)). You will be “monitoring” the behaviour of EU individuals if you track them online (e.g. using cookies), including profiling individuals to analyse or predict “personal preferences, behaviours and attitudes” (Recital 24). This covers a wide range of online marketing and personalisation activity.

The enforcement notice does not discuss why AIQ’s activities were considered to be monitoring, the more opaque “third limb” of Article 3’s Territorial Scope provision. But it shows you cannot overlook this trigger for the application of the GDPR, particularly in the borderless world of the internet.

3. You must determine your lawful basis for processing

The processing of personal data is only lawful under the GDPR if one of six grounds applies, including consent and performance of a contract (Article 6). Unhelpfully, the enforcement notice does not detail why none of those grounds applied to AIQ. Compliance with Article 6 requires analysis of your different types of data, a determination of the applicable lawful basis for processing of each, documentation of those decisions to meet your accountability obligations and transparent communication of your lawful grounds to individuals.

4. Transparency is key

Individuals have the right to be informed about the collection and use of their personal data. Most organisations do this with their privacy policy/notice. But where the personal data is obtained from third parties, you must provide individuals with the relevant information within at least a month of collection, subject to certain exceptions (Article 14).

This can be challenging in practice. Have you considered and addressed how to communicate the requisite privacy information to individuals whose data you are using but with whom you don’t have a direct relationship?

5. Fines are not the only risk

There is a growing view that “cease processing orders” could be one of the most powerful tools in EU regulators’ toolkit. Ordering an organisation to stop processing personal data could have a debilitating impact on its ability to conduct business. How would your business fare if you were forced to stop using all personal data of your European customers and/or employees?

Potentially even more damaging than fines or other regulatory orders is the brand and reputational harm associated with GDPR non-compliance. The heightened global privacy debate and the ever-increasing awareness of individuals’ privacy rights makes this a real, tangible risk despite potential questions as to the ability to actually enforce GDPR orders outside Europe.

WHAT SHOULD YOU BE DOING TO MANAGE YOUR GDPR RISK?

1. Assess whether the GDPR really applies. Do you have a presence in Europe? If not, do your European activities trigger the GDPR, including online monitoring? Conversely, a risk-based analysis determining the GDPR does not in fact apply (or does not apply to certain parts of your business) could save substantial compliance costs.

2. Undertake a GDPR gap analysis to help you prioritise and take a risk-based approach to achieving compliance.

3. Understand the extent of your online monitoring. Online advertising and targeting can involve multiple partners in a complex web of relationships. You need to understand the extent to which you are “monitoring the behaviour” of EU data subjects and conduct a Privacy Impact Assessment to determine the extent of your risk.

4. Establish your lawful bases for processing personal data. Particularly if you are relying on “legitimate interests”, requiring a balancing of your interests against those of data subjects.

5. Build processes to ensure transparency. Agree with third parties collecting personal data on your behalf who will be responsible for communicating the necessary information to individuals and who will conduct privacy policy reviews, updates and approvals.

It remains to be seen what the ultimate outcome of this first enforcement notice issued under the GDPR will be. We can only hope the final decision resulting from AIQ’s appeal will clarify some of its vagaries.

Frith Tweedie has more than 16 years’ experience advising on privacy, technology, IP, online/e-commerce, consumer protection and entertainment law issues. She has extensive experience advising on privacy issues arising in a digital context, including the privacy implications of data analytics, data sharing, cloud storage and data monetisation initiatives.

Prior to joining EY Law to lead the Digital Law team, she was responsible for establishing a large privacy programme at a major telecommunications company in response to the European General Data Protection Regulation (“GDPR”). Frith also worked closely with a major bank’s digital teams on numerous data-driven initiatives requiring extensive privacy input. In her current role, Frith works closely with EY management consultants advising on and implementing a range of technology and digital solutions. Contact Frith at frith.tweedie@nz.ey.com

You can also connect with EY New Zealand via Facebook, Twitter, and LinkedIn