Trial by Fire - GDPR's First Extra-Judicial Claim

AggregateIQ is facing the very first enforcement notice from the European Union’s Information Commissioner's Office (ICO). AggregateIQ is a Canadian data analytics firm with connections to the Facebook-Cambridge Analytica scandal. This first GDPR violation notice was sent on July 6, but it did not become public knowledge until September. The case is interesting because it is the first GDPR enforcement notice with the possibility of being escalated into a fine and the first GDPR international violation notice. The maximum fine, based on annual revenue, is a steep £17M.

AggregateIQ is a Canadian data analytics firm and one of the companies connected to the Facebook data-sharing scandal. Chris Wylie, the Cambridge Analytica whistleblower, alleges that AggregateIQ used algorithms from Facebook data held by Cambridge Analytica to build software to target Republican voters in the 2016 US election. Cambridge Analytica is the company that used Amazon Turk to survey and gain access to Facebook users' profile data and that of their friends. AggregateIQ denies that it was ever in any type of contract with Cambridge Analytica. The firm also worked on behalf of the pro-Brexit groups Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote, profiling and targeting people with advertisements.

Who Does GDPR Affect?

The GDPR violation notice was sent by the EU’s ICO Commissioner. The notice cites several GDPR compliance breaches, including processing without a lawful basis and failing to provide transparency information to the individuals to whom the data referred. The ICO fined Facebook £500,000 for its role in the Cambridge Analytica data privacy scandal.

What is GDPR?

GDPR, the European Union’s General Data Protection Regulation, went into effect on 2018 May 25.
The new regulation is designed to protect the privacy of EU citizens and give them the ability to control who has their personal data and for how long. Companies must have legal justification for collecting and using data. For example, if a person signs up for an email list, then it is legal for the collecting company to hold and use the data for the purpose of sending the emails. It is not, however, legal for the collecting company to use or sell anyone’s email address to advertisers or others without the person’s consent. It must be clear to the person what their email is being used for and by whom. In addition, the person must have the ability to revoke their consent at any time. They also retain the “right to be forgotten” by a firm whenever they choose.

What is GDPR?

Although AggregateIQ collected the data before GDPR went into effect, the data was held after the regulation was enacted. The ICO Commissioner’s office stated in its notice that AggregateIQ violated GDPR because it “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis of that processing.” GDPR applies to AggregateIQ because the company processes personal data concerning user behavior within the EU. GDPR defines what the terms data processor and data collector mean.

Who is AggregateIQ?

AggregateIQ is a small Canadian data firm that uses personal data to target online ads at potential voters. The firm works for various organizations looking to turn out voters or sway their opinions. The company was given 30 days to rectify the situation by bringing its data collection practices in line with GDPR standards. The GDPR fine, which is or four per cent of the company’s annual global turnover, could be up to £17 million. The outcome of this fine will depend on the cooperation of the Canadian government.