• Skip to content
  • Skip to footer
  • About
    • Board of Directors
    • Advisory Board
    • Fellowship Awards
    • Privacy Commitment
  • Get Involved
    • Join the PACC
      • Member Benefits
      • Why Join the PACC
      • Member Contact Update
    • Speak Out
    • Volunteer
    • Support the PACC
      • Donor Bill of Rights
  • Certification
    • Apply for Certification
    • Recertification
    • Why Pursue Certification?
    • Certificate or Certification?
    • Accreditation
  • Events
    • What Previous Attendees Say
    • Past Attendees
    • Volunteer
    • Sponsors
    • 10 Tips for Congress Speakers
    • Media Kit
    • Sunshine Summits
    • Data Privacy Day
  • Resources
    • Code of Ethics
    • Standards and Guidelines
    • Resource Links
      • Submission Guidelines
    • Commissioners
    • Careers
    • The Winston Report
    • Training & Education
    • Speaking Invitations & Media Requests
  • News
  • Blog
    • Guest Post Guidelines
  • Contact
    • Stay Informed & Avoid Spam
    • Partner
  • Login

The Privacy and Access Council of Canada

Canada's voice for privacy and access

Search

First GDPR Enforcement Action Taken Against a Data Controller Located Outside the EU

15/Jan/2019 by

The first enforcement action under the General Data Protection Regulation 2016/679 (“GDPR”) has been taken against a data controller outside the European Union. The UK’s Data Protection Authority (“ICO”) served an enforcement notice on a Canadian political consultancy and technology company without any physical presence in the EU. The notice is based on the company’s processing of UK and EU citizens’ personal data for Brexit campaigns. These circumstances demonstrate the potential for enforcement under the GDPR against companies outside of the EU.

The ICO served the first enforcement notice to AggregateIQ Data Services Ltd (‘AIQ’) in Canada on 6 July 2018 (“First Notice”). The First Notice was served based on Article 3(2)(b) of the GDPR. The article suggests that the GDPR applies to organizations outside of the EU when they process personal data which relates to monitoring behavior of individuals who are in the EU. In the First Notice, the ICO required AIQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.

Four months after the First Notice, the ICO amended it in a notice dated 24 October 2018 (“Second Notice”). The Second Notice removed the reference to Article 3(2)(b) and limited the scope to individuals in the UK. The ICO gave AIQ 30 days to comply with the Second Notice, or it would potentially face a fine which is the higher out of either €20 million or 4% of AIQ’s global turnover.

AIQ appealed the First Notice but withdrew the appeal with the narrowed scope of the Second Notice.

Please see this link for full text of the First Notice and this link for full text of the Second Notice.

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.

Filed Under: Uncategorized

Reader Interactions

Footer

Recent Posts

  • Privacy: Future Tense
  • First GDPR Enforcement Action Taken Against a Data Controller Located Outside the EU
  • Doobie or Not Doobie: Privacy in a Digital World
  • PACC Participates in National Digital & Data Consultations

© 2019 · Privacy and Access Council of Canada · Maintained by SLIcore Design.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok