Finally, we begin to see some enforcement of the Regulation we all worked so hard to be ready for by May. The ICO has sent an enforcement notice to – of all people – a Canadian data firm linked to the Brexit vote micro-targeting scandal. The regulator contends that AggregateIQ obtained and processed data without the knowledge of data subjects and without appropriate justification. More importantly, the firm continued to hold this data, and allow access to at least one unauthorised party, after the May 25th introduction of the GDPR.
Crucially, this allows the ICO to work under the new regime, rather than the old one. As a consequence, they’ve sent the first enforcement notice citing failure to comply with Articles 5, 6 and 14 – remember Article 14? – and threatening a fine of up to €20m or 4% of global turnover if AggregateIQ fails to comply. The notice itself requires the firm to cease processing data on EU citizens. Full stop. This is the Article 58 paragraph 2 “nuclear option” I blogged about last year.
AggregateIQ has a right of appeal. Let’s see what they do, and what happens next. In my small world, these are exciting times.