There has been a lot of speculation over which entity the European regulators would hit first with a General Data Protection Regulation (GDPR) enforcement action. Many assumed it would be a multinational company with a huge online presence. That way regulators could make an example of a deep-pocket, brand-name organization. The enforcement action would get lots of publicity. Other companies would review their own practices and could learn what not to do by drawing on what befell the targeted company.
But that’s not how things have played out in GDPR enforcement. The first GDPR action (actually issued in July but only disclosed to the public in September) seemed to come out of left field. It hasn’t generated much media attention, but it surely sent a message to companies dabbling in political persuasion of the unsavory kind.
In late September, the BBC reported that the UK’s Information Commissioner’s Office (ICO) had issued its first GDPR enforcement notice. By way of background, each EU member state is responsible for GDPR enforcement within its own borders, through its national supervisory authority. Thus, sovereign countries, as opposed to the EU as an organization, are responsible for oversight and enforcement. The notice was the first of its kind for the UK and for all of the EU member states. Who was the unlucky recipient? Not Facebook. Not Google. Not Instagram. The recipient was AggregateIQ Data Services Ltd. (AIQ), a Canada-based data analytics company with some 20 employees (fewer now). You probably haven’t heard of them.
But you probably have heard of their evil second cousin, Cambridge Analytica, the company at the heart of the Facebook data mining scandal for the 2016 US presidential elections. According to reports and testimony, AIQ was a subcontractor to Cambridge Analytica. More interestingly, a Cambridge Analytica whistleblower claims AIQ helped develop the algorithm that was used by Cambridge Analytica to target Facebook users in the 2016 US presidential election.
And you probably have heard of a thing called Brexit, i.e. the 2016 referendum asking UK citizens whether their country should leave the EU. AIQ did work for several groups supporting the Leave campaign in 2016, including Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote to Leave. Many credit the Canadian company with playing a crucial role in the referendum result, in which voters approved the British exit from the EU.
Getting At The Vote
AIQ has faced scrutiny from a number of regulators on both sides of the pond, in both Canada and the UK. The surprise results of the Brexit referendum (like the surprise win of President Trump) have made Cambridge Analytica and AIQ targets of government inquiry, especially for regulators keenly interested in understanding the apparent upset at the 2016 polls.
The ICO announced a formal investigation into the use of data analytics in political campaigning in May 2017, noting concern “that this has occurred without due legal or ethical consideration of the impacts to our democratic system.” The ICO has been investigating AIQ and the company’s use of data analytics for political purposes. Authorities want to know what AIQ’s role was in the Brexit campaign, especially since it was revealed that AIQ was paid roughly $4.6 million for its work for Vote Leave (a number representing almost 40 percent of Vote Leave’s budget).
The ICO started questioning AIQ at least as early as April 2018, before the GDPR’s effective date. Among the questions AIQ has faced (in that case from Canadian regulators) is whether the company violated the privacy laws of Canada and British Columbia. At the time, AIQ refused to answer the ICO’s inquiries, claiming the UK agency had no jurisdictional hook to use against a Canadian company.
The GDPR Grab
When the GDPR came into effect on May 25, 2018, it gave UK authorities the legal reach they needed. The GDPR reaches data controllers and data processors established anywhere in the world, so long as their processing relates to offering goods or services to, or monitoring the behavior of, people in the EU (extended to the wider European Economic Area), and the ICO found in that extraterritorial scope an angle to pursue action against AIQ. With this bit of detail, it may make more sense why the ICO was so quick to issue a GDPR enforcement notice to AIQ (again, even though the ICO announced the action in late September, it actually issued the notice in early July, just six weeks after the regulation took effect). The agency was actively investigating the company, alongside Cambridge Analytica, and wanted a legal basis for a deeper inquiry.
But did the ICO properly apply the GDPR against AIQ? Or did it misuse the regulation as a legal (or political) tool to accomplish ends other than privacy enforcement? At first blush, many would say that the ICO used the GDPR for its intended purpose: to enforce its privacy regulation against an entity it concluded had improperly mined and misused the personal information of people living in the European Economic Area.
But reviewing the ICO’s enforcement notice to AIQ raises questions about the merits of its action and its use of the GDPR. In brief, the ICO’s allegations are worded carefully to sidestep a problem: AIQ may not have processed UK individuals’ personal data at all after the GDPR took effect on May 25, 2018. If so, the ICO may be trying to apply the GDPR retroactively through a “workaround.”
Questions About The ICO’s Enforcement Action To AIQ
In its enforcement notice to AIQ, the ICO notes that:
- [At some point in the past but before the May 25 GDPR effective date] AIQ was provided the personal data, including names and email addresses, of UK individuals;
- As of May 31, 2018 (i.e. less than a week after GDPR took effect), AIQ still “held” personal data regarding UK individuals.
Nothing in the notice clearly indicates that AIQ obtained or processed data of UK individuals after the effective date of the GDPR. The notice faults AIQ for still holding data that the company obtained prior to May 25, even if AIQ did nothing with that data after the GDPR took effect. (Under the GDPR, “processing” is defined broadly enough to include storage, which is presumably why mere retention is framed as a violation; the notice, however, does not spell that theory out.)
The ICO’s enforcement notice to AIQ alleges that AIQ is a data controller (as opposed to a data processor). While both controllers and processors have obligations under the GDPR, processors’ obligations are fewer and are also tied to the direction of the controller. The ICO uses the data controller status of AIQ to argue that AIQ improperly held data after May 25. However, later in the notice, the ICO discusses the “processing of personal data by AIQ on behalf of UK political organisations, in particular, Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave.” ICO further states that “[a]s part of AIQ’s contract with these political organisations, AIQ have been provided with personal data including names and email addresses of UK individuals.”
Is AIQ a controller or a processor? One might posit that AIQ is labeled a controller in the enforcement notice precisely because it has not been processing data on anyone’s instructions since the GDPR took effect. Perhaps the best the ICO could do was call out the company for still holding the data… as a controller.
The timing issue and the “controller vs. processor” issue in the ICO’s notice seem clearer in the heart of the ICO’s substantive allegations. The enforcement notice states that:
The Commissioner is satisfied that the controller has failed to comply with … the GDPR. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. Furthermore the processing was incompatible with the purposes for which the data was originally collected.
Interestingly, the notice does not state that AIQ processed data after May 25, 2018. It only alleges, as noted above, that AIQ apparently still held data after that date.
In Sum, Then Some
The holes in the ICO’s notice to AIQ do not make the first publicized GDPR enforcement action a strong one. And they call into question whether the GDPR may be misused in selective enforcement for purposes outside the privacy sphere. Surprisingly, there has not been a lot of analysis or critique of the action. Perhaps people are generally happy the GDPR was used as a mechanism to take on an unpopular outfit. Perhaps people are not sure what they should expect from regulators as GDPR enforcement gets underway. But it will be interesting to see how the AIQ matter plays out, because the action will test the GDPR’s jurisdictional reach to countries outside Europe. AIQ’s ties to the UK appear limited to the data the company was provided. AIQ doesn’t appear to have a physical presence in the UK or an ongoing business with others in the UK.
At this point, the enforcement notice requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning, or any other advertising purposes.” If AIQ fails to comply, it may be hit with a steep penalty (GDPR fines may reach up to 20 million euros or 4 percent of total annual worldwide turnover, whichever is higher).
Of course, the point may be moot if AIQ simply cuts any ties to UK or EU personal data processing, or if the company just folds, which looks like a possibility given this action and the related bad publicity for the company. Our general takeaway on the ICO’s enforcement action against AIQ: if you dabble in an unpopular business that involves personal data, don’t be surprised if an EU regulator knocks on your door with a GDPR investigation or enforcement action.