Mishcon de Reya page structure
Site header
Main menu
Main content section
First UK enforcement action under GDPR and the new Data Protection Act

First UK enforcement action under GDPR and the new Data Protection Act

Posted on 19 September 2018 by Jon Baines

Those who have been waiting, since 25 May this year, for the first formal enforcement action issued under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), might just have missed - as I did - that it actually surfaced in July, but with such little fanfare that it went largely unnoticed. Data protection expert Tim Turner drew my attention to it.

The action in question was an Enforcement Notice of the Information Commissioner, served under section 149 of DPA18, on AggregateIQ Data Services Ltd ("AIQ") requiring it to

'cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes'     

One could be forgiven, however, for overlooking the Notice. It is not, for some reason, listed on the Commissioner's "Enforcement action" page (which is stated to include "the latest…enforcement notices"). Rather, it was attached as an annex to the Commissioner's report into its "Investigation into the use of data analytics in political campaigns".

Firstly, and most unusually, the Notice is served on an entity established outside the UK: AIQ are a Canadian company, but the Commissioner has determined that - as AIQ's processing of personal data is said to relate to monitoring of data subjects' behaviour taking place within the European Union - they are subject to GDPR, under its territorial scope provisions at Article 3(2)(b). This is – of course – the first time the UK Commissioner has attempted to take enforcement action of this kind outside the jurisdiction.

Secondly, the terms of the Notice are very wide, and arguably imprecise. What, one might ask, do "or otherwise" and "data analytics" and "any other advertising purposes" mean? What does "cease processing" mean? Does it require AIQ to erase all the data? (Mere storage is, of course, in itself "processing").

Finally, it seems quite likely that those first and second points will be ventilated, quite possibly in some detail, before the matter comes to a close, because it is understood that AIQ have exercised their right of appeal to the First-tier Tribunal, under section 162(1)(c) of DPA18.

It appears that, even if the Commissioner's first enforcement action under the new regime made little noise, there may be plenty of time and opportunity for it to gather headlines. Especially if what seems to have been a bold attempt (albeit in rather vague terms) to extend her enforcement powers beyond EU borders gets overturned.

Related links

BBC
Media Post

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

I'm looking for advice

Something else