Transatlantic Firestorm: The First Formal Action Under GDPR

A Canadian company has been hit with what appears to be the first formal enforcement action under the GDPR. 

The UK Information Commissioner’s Office sent an enforcement notice to AggregateIQ Data Services Ltd. (AIQ), a Canadian data processor, charging that the firm provided UK political organizations with personal data such as names and email addresses for use in campaigns, including the Brexit referendum in 2016. 

It adds that “this data is stored on a code repository and has previously been subject to unauthorized access by a third party.”

The notice was sent in July, “but with such little fanfare that it went largely unnoticed,” Jon Baines writes on the site for the law firm Mishcon de Reya in a statement that has been widely publicized this week.

In response to a query, AggregateIQ’s COO Jeff Silvester says: “We have appealed the notice, but as it is before the Tribunal, it would be inappropriate for me to comment further.”



This is not the firm’s first brush with controversy. Earlier this year, it was accused of involvement with Cambridge Analytica, and drawing on that firm’s databases during the Brexit campaign, according to media reports.

Whistleblower Christopher Wylie testified before Parliament that “there is now tangible proof in the public domain that (AggregateIQ) actually built Ripon, the software that utilized the algorithms from the Facebook data,” according to National Post. 

AggregateIQ has put a disclaimer on its home page, avowing that it is 100% Canadian owned and “has never been and is not a part of Cambridge Analytica or SCL.”

It adds that it has “never managed, nor have we ever had access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.”

The ICO enforcement notice does not mention any connection with Cambridge Analytica or Facebook, and it is not clear if these allegations have any bearing on the enforcement notice.

However, the ICO alleges that AIQ has “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, without a lawful basis for that processing,” in violation of the GDPR.

The alleged offenses took place before the GDPR took effect, but the firm continued retaining and processing the data after that date, so the GDPR applies, the ICO contends in the enforcement notice.

The enforcement notice points out that non-compliance with enforcement notices can lead to penalties of up to 20 million Euros, or 4% of a firm’s worldwide annual revenue.

This proves that you don’t have to be hooked up with Cambridge Analytica to be subject to staggering fines.

BBC reports that AIQ was paid nearly £2.7 million (the equivalent of U.S. $3.6 million) by the group Vote Leave during the Brexit campaign. The firm was also used by pro-Brexit youth group BeLeave.

In a related development, Vote Leave has been fined £61,000 for allegedly exceeding its spending limit by funneling money through BeLeave, the BBC writes.

AggregateIQ’s website continues: “AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity.”

Here’s the takeaway: Beware when providing services to UK organizations. Victoria-based AIQ reportedly has about a dozen employees. Companies that small could be put out of business by the kind of penalties specified in GDPR.

