The first ever violation notice of Europe's new data privacy laws has been issued – and has landed on a Canadian data analytics firm that campaigned for Brexit.
The GDPR notice was sent by the UK's Information Commissioner (ICO) against AggregateIQ, an organization linked to the Facebook-Cambridge Analytica scandal. The biz faces a possible €20m ($23.5m) fine. The company has appealed the claims against it.
The notice is the first in the new data privacy environment where companies are legally obligated to limit the personal data they gather on people, be open about how they use that data, and allow people to demand that their information is deleted.
Amazingly, given its status as the first GDPR notice, it was sent in July but was only noticed late last week by eagle-eyed law firm Mishcon De Reya. For some reason, the notice wasn't posted on the ICO's enforcement page, and in fact there is no mention of it anywhere on the ICO website. The notice itself [PDF] was hyperlinked in an annex at the end of an "investigation update" into the "use of data analytics in political campaigns."
The title of the report [PDF] refers to the Cambridge Analytica scandal, in which the shady data company gathered information on millions of people by using a feature on social media giant Facebook that let a company suck in information on the friends of people who downloaded a particular app – in this case, a "survey."
That information was then used in a series of controversial political campaigns including the vote to remove the UK from the European Union (Brexit) and the election of Donald Trump as US president.
The ICO notice accuses AggregateIQ of violating Articles 5, 6 and 14 of the GDPR rules because it "processed personal data in a way that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing." It is alleged that AggregateIQ is linked to Cambridge Analytica in that information flowed from CA to AIQ, although AggregateIQ denies any connection.
That processing was "incompatible with the purposes by which the data was originally collected." And it did not let people know it had received their data from a third party. The notice orders the company to stop processing the personal data it holds for "any advertising purpose."
Those violations mean that the ICO is allowed to impose the higher GDPR fine level of up to €20m or four per cent of a company's annual turnover, whichever is higher.
AggregateIQ is thought to have "micro-targeted" possible voters through social media channels using data gathered by pro-Brexit campaigns. It spent $2m on Brexit-related advertisements on Facebook alone.
Interestingly, the company may have thought it was in the clear because it gathered all the data in question before the May 31 start-date of the GDPR legislation. But it was still holding the data when the law came into effect, making it liable, the ICO has said.
AggregateIQ has refused to discuss the violation notice beyond noting that it is appealing the decision. A statement on its website, first posted back in March, reads:
While the notice is the first to be sent as part of the GDPR regime, it will certainly not be the last. Data protection regulators across Europe have received numerous complaints from consumers covering just about every social media company including Google, Facebook, Instagram and WhatsApp. Investigations into each are thought to be ongoing. ®