UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm

On 6 July 2018, the UK’s data protection regulator (ICO) issued the first GDPR-related enforcement notice. It was served on Canadian firm AggregateIQ (AIQ). The notice comments, “The Commissioner has observed with concern the application of techniques hitherto reserved for commercial behavioural advertising being applied to political campaigning, during recent elections and the EU referendum campaign in 2016.”

That enforcement notice requires that AIQ should within 30 days “Cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

AIQ appealed the notice. In that appeal, AIQ states “the data continues to be held by AggregateIQ for the simple reason that it remains subject to a preservation order made by Canadian officials.”

In reality there is no conflict between preserving the data for the Canadian officials and ceasing to process it for the stated purposes. Nevertheless, it seems to have alerted the ICO to the need to account for separate simultaneous legal requirements in different jurisdictions. The ICO has now issued a new enforcement notice (PDF) that “varies and replaces the Notice served on AIQ dated 6 July 2018. The Notice clarifies the steps to be taken by AIQ…”

The requirements of the new notice (two short paragraphs replacing one short paragraph) are effectively the only difference between the two notices. 

“AIQ appealed the issue of the Notice on a number of grounds, one of which was the apparent lack of precision as to what AIQ would have to do to comply and also the fact that AIQ was subject to a requirement of the Office of Information and Privacy Commissioner [OIPC] of British Columbia not to destroy data,” explains David Flint, senior partner at MacRoberts LLP.

The new requirements include oblique reference to the investigation by the ICO’s Canadian counterpart (OIPC) and the Canadian preservation order already on AIQ. The terms must now be acted upon within 30 days of the OIPC “notifying (AIQ) that it is no longer the subject of any investigation by the OIPC, or that the OIPC is content for it to comply with this Notice.”

The action required is also slightly different. “Erase any personal data of individuals in the UK, determined by reference to the domain name of the email addresses processed by AIQ, retained on its servers as notified to the Information Commissioner…”

But, comments Flint, “Given that the October Notice states in paragraph 2 that it “clarifies the steps to be taken by AIQ”, some lack of clarity remains. What is to happen to the personal data of non-UK data subjects mentioned in the July Notice? What about UK data subjects who have e-mail addresses other than “” — such as Does the “clarification” go beyond the original Notice which had a purpose restriction on the use of the data — the October Notice seems to be all encompassing.”

In short, he adds, “the October Notice may provide some “clarification” but really raises as many questions as it answers.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
