ICO Threatens Max GDPR Fine to AggregateIQ
The United Kingdom Information Commissioner’s Office has given AggregateIQ thirty days to cease processing of certain personal data or it will be subject to a penalty up to the maximum 4% fine under the European Union (EU) General Data Protection Regulation (GDPR). If the maximum fine were issued based on its annual global turnover, it would be 17 million (approximately $22.4 million USD).
There has been a lot of speculation about how and when Data Protection Authorities would levy big fines against companies under GDPR, and privacy professionals have been closely watching for the first enforcement action penalty while finishing up their GDPR compliance efforts and beginning to think about the California Consumer Privacy Act. The Irish Data Protection Commissioner Helen Dixon previously suggested that a cease processing order issued by a DPA might be just as disruptive as a large fine for many organizations. The ICO enforcement notice appears to split the difference, requesting the company stop processing or be subject to a large GDPR fine.
For those not familiar with the company, AggregateIQ is a Canadian company accused of profiling voters with data from Facebook that was improperly acquired. In April, Facebook suspended AIQ from its platform after reports that they may have been affiliated with the parent company of Cambridge Analytica and received some of the data. AIQ denies the accusations on its website and is reportedly appealing the ICO decision.
Although the acquisition and much of the processing of this personal data happened before GDPR went into effect on May 25, ICO contends that AggregateIQ has continued to retain and process the personal data after GDPR’s effective date. It told AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
ICO called out AIQ for failing to provide notification of data processing to the EU citizens under Article 14, which requires notice when a controller obtains personal data that is not from the data subject.
It is also the first time that the territorial scope of GDPR Article 3 has been interpreted in an enforcement action. ICO contends that AIQ, although a Canadian company, is processing personal data related to data subjects in the European Union.
Two French companies have also received warnings from the French regulator CNIL for issues with their GDPR compliance. These companies pay app publishers for geolocation and other personal data. The publishers notified consumers of the data collection but did not obtain consent for the transfer of the information to third parties for advertising and marketing purposes. Both companies were given 90 days to come into compliance.