• Skip to main content
  • Skip to footer
  • About
    • Board of Directors
    • Advisory Board
    • Code of Ethics
    • Privacy Commitment
    • Fellowship Awards
    • Media
  • Get Involved
    • Membership
      • Advancing the Profession
      • Member Benefits
      • Why Join the PACC
      • Member Contact Update
    • Speak Out
    • Volunteer
    • Donate
      • Donor Bill of Rights
  • Certification
    • Apply for Certification
    • Recertification
    • Why Pursue Certification?
    • Certificate or Certification?
    • Accreditation
  • Resources
    • Strategic Privacy and Access Resource Center
      • Parents & Teachers
      • Standards
      • SPARC Contribution Guidelines
    • International Data Flows
    • Commissioners
    • Careers
    • Publications
    • Training & Education
  • Data Privacy Day
  • News & Views
    • Guest Post Guidelines
  • Contact
    • Speaking Invitations & Media Requests
    • Stay Informed & Avoid Spam
    • Partner
  • Login

The Privacy and Access Council of Canada

The voice for privacy and access

First GDPR Enforcement Action Taken Against a Data Controller Located Outside the EU

15/Jan/2019

The first enforcement action under the General Data Protection Regulation 2016/679 (“GDPR”) has been taken against a data controller outside the European Union. The UK’s Data Protection Authority (“ICO”) served an enforcement notice on a Canadian political consultancy and technology company without any physical presence in the EU. The notice is based on the company’s processing of UK and EU citizens’ personal data for Brexit campaigns. These circumstances demonstrate the potential for enforcement under the GDPR against companies outside of the EU.

The ICO served the first enforcement notice to AggregateIQ Data Services Ltd (‘AIQ’) in Canada on 6 July 2018 (“First Notice”). The First Notice was served based on Article 3(2)(b) of the GDPR. The article suggests that the GDPR applies to organizations outside of the EU when they process personal data which relates to monitoring behavior of individuals who are in the EU. In the First Notice, the ICO required AIQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.

Four months after the First Notice, the ICO amended it in a notice dated 24 October 2018 (“Second Notice”). The Second Notice removed the reference to Article 3(2)(b) and limited the scope to individuals in the UK. The ICO gave AIQ 30 days to comply with the Second Notice, or it would potentially face a fine which is the higher out of either €20 million or 4% of AIQ’s global turnover.

AIQ appealed the First Notice but withdrew the appeal with the narrowed scope of the Second Notice.

Please see this link for full text of the First Notice and this link for full text of the Second Notice.

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.

Filed Under: Uncategorized

Footer

PACC is the voice for privacy and access.

PACC is Independent  •  Non-profit  •  Non-partisan  •  Non-government

PACC is dedicated to the development and promotion of the access-to-information, information privacy, and data governance profession across the private, non-profit and public sectors.

PACC is the certifying body for access and privacy professionals, and engages in outreach efforts to advance awareness about access, privacy, and data protection.

Recent Posts

  • Guidelines 01/2021 on Examples regarding Data Breach Notification
  • Facial Recognition Cameras Here to Stay as Country’s Court System Entrenches Video Surveillance
  • IPC consultation on five-year strategic priorities under way
  • Info watchdog raps Privy Council Office for terminating access requests from public
  • A year to forget that’s worth remembering

© 2021 · Privacy and Access Council of Canada · Maintained by SLIcore Design.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.OkNoPrivacy policy