First GDPR Enforcement is Followed by First GDPR Appeal

In what has been billed as the world's first GDPR action, the UK regulator -- the Information Commissioner's Office (ICO) -- quietly issued an enforcement notice against Canadian firm AggregateIQ Data Services Ltd (AIQ). It is a low-key affair. Although the enforcement notice was issued on 6 July 2018, the notice was not and has not been placed on the ICO's enforcement action page.

Instead, the notice was attached as an appendix to an investigation report by the ICO. There it largely remained unnoticed until found by law firm Mishcon de Reya LLP in September. SecurityWeek asked the ICO, "Is there any reason for the only occurrence (that I can find) of the notice appearing as an addendum to a longer report?" All other questions were answered, but SecurityWeek did not receive a direct answer to this direct question.

However, we were told that AIQ had appealed the notice. Appeals go to the First-tier Tribunal of the General Regulatory Chamber (GRC). They are not normally made public in the UK. SecurityWeek approached the GRC and asked for a copy -- and has now received a copy, slightly redacted, of AIQ's appeal against the GDPR enforcement notice.

Our first article discussed the reasoning behind the ICO's enforcement notice. Now we can look at AIQ's arguments against it. This is an important issue. While lawmakers make laws, it is the judiciary that interprets them. Neither the lawmakers nor the regulators know how the letter of the law will play out until the law has been tested in front of the judiciary. Equally, the subjects of the laws -- in this case businesses that use the personal data of EU citizens around the world -- cannot fully understand their exposure to the law until it has faced the scrutiny of the judiciary.

The first specified ground for the appeal is that the ICO has no jurisdiction over AIQ "in this matter". This implies that the reason for appeal is not based on geography, but on the application of the law. SecurityWeek talked to a UK-based lawyer to understand the basis for the AIQ appeal.

AIQ claims, "There is no evidence whatsoever of any 'processing' of the data held for the purposes of 'monitoring' after the in-force date of the GDPR and DPA in 2018..." This may become the pivotal section of the appeal. Was, in GDPR terms, AIQ a data controller and/or a data processor? 

"If AIQ is a Data Controller," comments David Flint, Senior Partner at MacRoberts LLP, "there would be an overriding issue of how it had a lawful basis for processing and meeting the [GDPR] Article 5 Principles. If it were a Processor, the question would be the compliance with Article 5 of those who gathered the information and whether they knew that AIQ would be processing the data."

Flint believes that AIQ's term 'monitoring' relates to 'profiling' within the legislation. Recital (24) of GDPR says "profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes", where there is any evaluation of response or otherwise to the activity. The ICO enforcement notice, comments Flint, "suggests that this is what was being done and why the data was being processed."

He adds that "'processing' also includes holding the data, so the fact that the data was still 'held' on 31 May would, in my opinion, bring the activities of AIQ squarely within the scope of the GDPR/DPA2018." This is an important point for all companies that may store and forget they have EU data. They don't have to do anything with that data. Merely storing it makes them a data processor under GDPR.

Noticeably, Equifax said that it had 'forgotten' about the storage of EU citizen data in the U.S. This forgotten data resulted in a £500,000 fine from the ICO after the breach.

Data subject 'consent' is likely to be a key issue within GDPR. The ICO finds that the data subjects did not consent for AIQ to use their data. AIQ responds that the ICO has provided no proof that it lacked the consent of the subjects, and it believes that they had provided the information voluntarily to AIQ's clients with at least 'implied consent'. If the tribunal finds in favor of the ICO, it will reinforce the idea that organizations will need to obtain and be able to demonstrate actual and explicit consent from every EU citizen.

AIQ also argues that 'natural justice' should mitigate in its favor. "The position taken by the ICO in the Enforcement Notice and the Order," it claims, "is contrary to the principles of fairness and natural justice (which also may be referred to as the duty on the ICO to act fairly), and breaches AggregateIQ's right to a fair hearing."

Flint has little sympathy here. "I think the arguments of 'natural justice' fall away where there is a specific statutory provision prohibiting the behavior in question," he told SecurityWeek. "The only argument might be one based on ECHR but that would mean that the GDPR was invalid as being in breach." This in itself is an interesting comment. If the appeal were to the European Court of Human Rights, it would largely come down to whether businesses' rights take precedence over citizens' rights -- which seems unlikely. But if they did, then GDPR would be invalidated as in breach of the European Constitution (just as the original Safe Harbor agreement between the EU and the U.S. was invalidated).

In fairness to AIQ, this is the one section of the appeal that has been largely redacted by the Tribunal. Elsewhere in the appeal, AIQ accuses the ICO of "taking a position which is contrary to previous positions taken by the ICO, resulting in substantial unfairness and the denial of natural justice to AggregateIQ." We will not know until the hearing whether there is any link between the redacted section and AIQ's comment on 'previous positions', nor whether the Tribunal will consider this to be important.

The AIQ Appeal is number EA/2018/0153 with the Tribunal. It was received on 30 July 2018. At the time of writing this, there is no further information on the Tribunal's appeals table.

The result of the appeal is likely to be important. Much of it seems to be unconvincing -- but it doesn't matter what the lawmakers, the regulators, businesses, lawyers or the media think. In the end, it all comes down to how the judiciary interprets the law and the incident. It would be natural for the regulators to put their toe in the water before potentially going after big companies like Google or Facebook. This may partly explain the low publicity so far afforded to this first case.

"Lots to think about," comments Flint; "and an interesting case to follow particularly given that other cases are starting to line up! Wonder what the Tribunal (and I suspect in due course the Courts) will make of it." The final result may well provide clues to how GDPR is likely to play out over the next few years.

There is, however, one further point worth noting. The ICO enforcement notice requires certain action by AIQ. There is no imposed monetary penalty. This leaves one issue undiscussed. If an EU regulator were to impose a financial penalty on an extra-territorial entity, how -- or even whether -- could that penalty be enforced?

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.