Test Case Probes Jurisdictional Reach of GDPR

GDPR Enforcement Case Will Show How Courts View the Extension of GDPR Beyond the Borders of the European Union

Given the potential size of GDPR fines, it has always been likely that there would be GDPR appeals. While business needs to know how the regulators will enforce the regulation, the regulators need to know how the courts will react to appeals. It has always been likely that the regulators would test the water quietly before embarking on any major action against a major company.

It should be no surprise that this has already happened. The UK's Information Commissioner's Office (ICO) quietly delivered a GDPR enforcement notice on the Canadian firm AggregateIQ Data Services Ltd (AIQ) back on July 6, 2018. The ICO did not publish the notice on its 'enforcement action' page as it usually does (including, for example, details of the £500,000 fine it imposed on Equifax, dated September 20, 2018).

Instead, the AIQ notice was published as an addendum to a report entitled 'Investigation into the use of data analytics in political campaigns'. Here it remained unnoticed until found and highlighted by law firm Mishcon de Reya LLP last week. 

Equally unnoticed is that AIQ has unsurprisingly appealed the notice. Since appeals are not handled by the ICO, there is no mention of it on the ICO website. Appeals against ICO notices are handled by the General Regulatory Chamber (GRC) of HM Courts & Tribunals Service. This site lists that an AggregateIQ Data Services Ltd ("AIQ") appeal against an unreferenced ICO decision notice was received on 30 July 2018 -- which brings it perilously close to the allowed 28-day appeal period.

No further details are given, and no hearing date is listed. SecurityWeek has requested a copy of the appeal (reference EA/2018/0153), which may or may not be allowable under the Freedom of Information Act. SecurityWeek has not yet received a response from GRC. However, it is likely to be many months before the result of the appeal becomes known.

In effect, this is a test case to see how the courts view the extension of European regulations (in this instance, specifically the UK implementation of GDPR) beyond the borders of the European Union. AIQ is a Canadian firm, and Canada is a softer target than the United States. Nevertheless, the case is likely to provide important information to European regulators before they take on any of the big U.S. tech companies. Smaller U.S. firms should still monitor the outcome to gauge their own exposure to GDPR.

The ICO launched its investigation into the use of data analytics in political campaigns in May 2017, following press reports that Cambridge Analytica (CA) worked for the Leave.EU campaign during the Brexit referendum. During its investigation, Christopher Wylie (a former employee of Cambridge Analytica and the original whistleblower) provided information that led the ICO to investigate AIQ and its work with Vote Leave, BeLeave, Veterans for Britain and the Democratic and Unionist Party's Vote to Leave campaign. "We have identified information during our investigation that confirmed a relationship between Aggregate IQ (AIQ) and CA / SCL," states the investigation report (PDF). SCL is the parent company of CA.

The report further states, "We have established that AIQ had access to UK voter personal data provided from the Vote Leave campaign. We are currently working to establish where they accessed that personal data, and whether they still hold personal data made available to them by Vote Leave. We are engaging with our regulatory colleagues in Canada, including the federal Office of the Privacy Commissioner and the Office of the Information and Privacy Commissioner, British Columbia."

However, it also adds that on March 5, 2018, "AIQ stated that they were 'not subject to the jurisdiction of the ICO' and ended with a statement that they considered their involvement in the ICO's investigation as 'closed'." Noticeably, Facebook has also disputed the ICO's jurisdiction over it, but has nevertheless cooperated with the ICO. Jurisdictional reach is clearly the first major GDPR issue that will need to be settled by the courts.

The ICO did not accept AIQ's rejection. It issued a formal enforcement notice on July 6, 2018. The two key paragraphs (6 and 7) of the notice state, "As part of AIQ's contract with these political organizations, AIQ have been provided with personal data including names and email addresses of UK individuals. This personal data was then used to target individuals with political advertising messages on social media. In correspondence with the Commissioner dated May 31, 2018, AIQ confirmed that personal data regarding UK individuals was still held by them. This data is stored on a code repository and has previously been subject to unauthorised access by a third party."

The claim is that AIQ processed UK personal data in a manner that did not include the consent of the data subjects concerned, and that (notice the date) it continued to hold this personal data after the date at which GDPR came into force (May 25, 2018). "The Commissioner takes the view that damage or distress is likely as a result of data subjects being denied the opportunity of properly understanding what personal data may be processed about them by the controller [which is AIQ], or being able to effectively exercise the various other rights in respect of that data afforded to a data subject."

The enforcement notice (PDF) demands that "AIQ shall within 30 days of the date of this notice: Cease processing any personal data of UK or EU citizens obtained from UK personal organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes." The notice itself warns that failure to comply could lead to the ICO serving a penalty notice "requiring payment of an amount up to 20 million Euros, or 4% of an undertaking's total annual worldwide turnover whichever is the higher."

This is the enforcement notice that has been appealed by AIQ. On its website, AIQ has a brief note: "AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity. All work AggregateIQ does for each client is kept separate from every other client. AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica."

Without seeing the appeal document itself, it is impossible to know on what grounds AIQ is rejecting the ICO's notice. It seems most likely that this will at least include the rejection of the ICO's jurisdiction. It will take many months before the Tribunal makes its ruling on the appeal and jurisdiction -- but it is a case that all non-EU companies processing EU personal data will need to follow closely.

Related: Canadian Firm Linked to Cambridge Analytica Exposed Source Code 

Related: Cambridge Analytica: Firm at the Heart of Facebook Scandal 

Related: Would Facebook and Cambridge Analytica be in Breach of GDPR? 

Related: Facebook as an Election Weapon, From Obama to Trump 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.