UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm
31.10.2019 securityweek
BigBrothers

On 6 July 2018, the UK's data protection regulator (ICO) issued the first GDPR-related enforcement notice. It was delivered on Canadian firm Aggregate IQ. The notice comments, "The Commissioner has observed with concern the application of techniques hitherto reserved for commercial behavioural advertising being applied to political campaigning, during recent elections and the EU referendum campaign in 2016."

That enforcement notice requires that AIQ should within 30 days "Cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes."

AIQ appealed the notice. In that appeal, AIQ states "the data continues to be held by AggregateIQ for the simple reason that it remains subject to a preservation order made by Canadian officials."

In reality there is no conflict between preserving the data for the Canadian officials and ceasing to process it for the stated purposes. Nevertheless, it seems to have alerted the ICO to the need to account for separate simultaneous legal requirements in different jurisdictions. The ICO has now issued a new enforcement notice (PDF) that "varies and replaces the Notice served on AIQ dated 6 July 2018. The Notice clarifies the steps to be taken by AIQ..."

The requirements of the new notice (two short paragraphs replacing one short paragraph) are effectively the only difference between the two notices.

"AIQ appealed the issue of the Notice on a number of grounds, one of which was the apparent lack of precision as to what AIQ would have to do to comply and also the fact that AIQ was subject to a requirement of the Office of Information and Privacy Commissioner [OIPC] of British Columbia not to destroy data," explains David Flint, senior partner at MacRoberts LLP.

The new requirements include oblique reference to the investigation by the ICO's Canadian counterpart (OIPC) and the Canadian preservation order already on AIQ. The terms must now be acted upon within 30 days of the OIPC "notifying (AIQ) that it is no longer the subject of any investigation by the OIPC, or that the OIPC is content for it to comply with this Notice."

The action required is also slightly different. "Erase any personal data of individuals in the UK, determined by reference to the domain name of the email addresses processed by AIQ, retained on its servers as notified to the Information Commissioner..."

But, comments Flint, "Given that the October Notice states in paragraph 2 that it "clarifies the steps to be taken by AIQ", some lack of clarity remains. What is to happen to the personal data of non-UK data subjects mentioned in the July Notice? What about UK data subjects who have e-mail addresses other than ".co.uk" -- such as outlook.com? Does the "clarification" go beyond the original Notice which had a purpose restriction on the use of the data -- the October Notice seems to be all encompassing."

In short, he adds, "the October Notice may provide some "clarification" but really raises as many questions as it answers."