Trial by Fire – GDPR’s First Extra-Judicial Claim
AggregateIQ is facing the very first enforcement notice from the European Union’s Information Commissioner’s Office (ICO). AggregateIQ is a Canadian data analytics firm with connections to the Facebook-Cambridge Analytica scandal. This first GDPR violation notice was sent on July 6, but it did not become public knowledge until September. The case is interesting because it is the first GDPR enforcement notice with the possibility of being escalated into a fine and the first GDPR international violation notice. The maximum fine, based on annual revenue is a steep £17M.
AggregateIQ, is a Canadian data analytics firm and one of the companies connected to the Facebook data-sharing scandal. Chris Wylie, the Cambridge Analytica whistleblower, alleges that AggregateIQ used algorithms from Facebook data held by Cambridge Analytica to build software to target Republican voters in the 2016 US election. Cambridge Analytica is the company that used Amazon Turk to survey and gain access to Facebook users’ profile data and that of their friends. AggregateIQ denies that they were ever in any type of contract with Cambridge Analytica. They also worked on behalf of pro-Brexit groups Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote profiling and targeting people with advertisements.
The GDPR violation notice was sent by the EU’s ICO Commissioner. The notice cites several GDPR compliance breaches, including processing without a lawful basis and failing to provide transparency information to the individuals whom the data referred to.
The ICO fined Facebook £500,000 for its role in the Cambridge Analytica data privacy scandal.
What is GDPR?
GDPR, the European Union’s General Data Protection Regulation, went into effect on 2018 May 25. The new regulation is designed to protect the privacy of EU citizens and give them the ability to control who has their personal data and for how long. Companies must have legal justification for collection and using data. For example, if a person signs up for an email list, then it is legal for the collecting company to hold and use the data for the purpose of sending the emails. It is not, however, legal for the collecting company to use or sell anyone’s email address to advertisers or others without the person’s consent. It must be clear to the person what their email is being used for and by whom. In addition, the person must have the ability to revoke their consent at any time. They also retain the “right to be forgotten” by a firm whenever they choose.
Although AggregateIQ collected the data before GDPR went into effect, the data was held after the regulation was enacted.
The ICO Commissioner’s office stated in its notice that AggregateIQ violated GDPR because it “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis of that processing.” GDPR applies to AggregateIQ because the company processes personal data concerning user behavior within the EU. GDPR defines what the terms data processor and data collector mean.
Who is AggregateIQ?
AggregateIQ is a small Canadian data firm that uses personal data to target online ads at potential voters. The firm works for various organization looking to turnout voters or sway their opinions.
The company was given 30-days to rectify the situation by bringing its data collection practices in line with GDPR standards. The GDPR fine, which is or four per cent of the company’s annual global turnover, could be up to £17 million. The outcome of this fine will depend on the cooperation of the Canadian government.