AggregateIQ: first Canadian company to get notice for a GDPR violation

It didn’t take too long for GDPR make a major impact in Canada. AggregateIQ (AIQ), a Victoria-based Canadian digital advertising, web and software firm, is the first company in Canada to receive an enforcement notice under the new European Union General Protection (GDPR) regulations. The United Kingdom Information Commissioner’s Office (the ICO) issued its first extraterritorial enforcement notice under GDPR to AIQ.

The notice requires the company to, “cease processing any personal data of U.S. or E.U. citizens obtained from U.K. political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” This order relates to AIQ’s involvement in the Facebook and Cambridge Analytica scandal, in which Facebook’s user data was used by Cambridge Analytica to help influence the 2016 Brexit referendum. The ICO released its report, “Investigation into the use of data analytics in political campaigns,” in July 2018, stating that AIQ had access to UK voters’ personal data. AIQ denies any involvement with Cambridge Analytica.

In the enforcement letter sent to AIQ, the ICO found that the company failed to comply with Articles 5(1)(a)-(c), Article 6 and Article 14 of the GDPR, “because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” While GDPR cannot be retroactively applied, AIQ was found to have UK personal user data in its possession after GDPR came into effect in May.

If AIQ does not comply with the order, it could face fines up to 20 million Euros or up to four per cent of its worldwide revenue. Jeff Silvester, Co-founder and Chief Operating Officer for AIQ says, “We have appealed the notice and it is currently before the tribunal (First-Tier Tribunal Information Rights).”

GDPR came into effect in May 2018. The sweeping legislation goes beyond typical privacy laws and includes the right to be forgotten, data portability and the right for users to assess all their data at any time. The regulations also go beyond EU borders. Under GDPR, any organization collecting or using personal data of EU citizens is subject to the law, regardless of whether the organization has a physical office in the EU.

“[Data Protection Authorities] in Europe had been saying since before GDPR came into effect that they were planning on some enforcement actions against organizations that were outside the EU,” says Kris Klein, Partner at nNovation LLP, specializing in privacy and information security and co-author of The Law of Privacy in Canada. “This is an example of that. It is clear that those who oversee GDPR enforcement believe they have jurisdiction over organizations outside of the EU if they otherwise process personal data of EU residents. It’s not entirely different in Canada where we’ve had a small number of enforcement actions against organizations that don’t have a physical presence in Canada. It is just another example of how privacy laws have extra-territorial effect.”

In some ways, AIQ is the test case for GDPR enforcement outside of the EU. Because the legislation is only four months old, it’s unclear how much the company will be fined.

“I’m interested in is how enforcement will be applied,” says Imran Ahmad, partner and Cybersecurity Law Practice leader at Miller Thomson LLP. “This reminds me when CASL (Canadian Anti-Spam Legislation) came out. Some expected a gentle approach but the CRTC went after the most egregious offenders first. AIQ is an easy target. Will the ICO give them a significant fine to show that this legislation has teeth? If so, will AIQ close its doors and start a new business 3 to 4 years from now? Or, will the ICO give them a small fine as a signal that we don’t want to put companies out of business, we want compliance? I’m curious to see what happens.”

As AIQ waits for the tribunal’s ruling, Klein warns that Canadian organizations should take this case as a wake-up call.

“Just like organizations that operate outside of Canada but process the personal information of Canadian residents, I think it is important for all organizations, no matter where they are located, to understand the legal rules applicable to them based on whose personal information is being processed,” says Klein. “If you’re a Canadian organization that deals with the personal data of EU residents, you’d better pay attention because it is clear that efforts will be taken to enforce that law against you if you do not follow the rules appropriately.”