Jon Baines, Data Protection Advisor, comments on an interesting variation of a GDPR Enforcement Notice issued by the ICO
In September we drew attention to the first formal enforcement action taken by the Information Commissioner's Office (ICO) under the General Data Protection Regulation (GDPR) – an Enforcement Notice served on Canadian company AggregateIQ Data Services (AIQ). At the time, we observed that "the terms of the Notice are very wide, and arguably imprecise" and that this might have made the Notice vulnerable to an appeal (an appeal had already been lodged by AIQ). It is of some interest, therefore, that the ICO has now served (under section 153(1) of the Data Protection Act 2018) a variation to the original Notice. Whilst the original merely required AIQ to 'cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes', the variation requires them to:
'Erase any personal data of individuals in the UK, determined by reference to the domain name of the email addresses processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner by Borden Ladner Gervais LLP in letters of 10 and 31 May 2018'
Notably, AIQ must do this only once it has been notified by the Office of the Information and Privacy Commissioner of British Columbia that AIQ is no longer the subject of any investigation by that Office (or has been informed by that Office that it is content for AIQ to comply with the ICO's Notice).
Whether this variation was served as a result of representations by AIQ is not yet known, but Global Data Review reports that the appeal has been withdrawn as a result.