On September 25, the UK Information Commissioner’s Office (ICO) issued an enforcement action against a Canadian data analytics firm. The enforcement action alleges violations by the firm of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA). This represents the first GDPR-related enforcement action by the ICO.
Per the enforcement action, the ICO asserts that the firm used the personal data of individuals in the EU for political campaigning, data analytics, and other advertising purposes. The firm allegedly used this personal information to target voters with online advertisements related to the Brexit referendum. Although the firm has no establishment in the EU, it allegedly processed the data of individuals residing in the EU, which brings it within the territorial scope of the GDPR (Article 3(2)) and, on the ICO's view, in breach of the GDPR and the DPA.
The alleged actions breach Article 5(1)(a), (b) and (c) of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimisation) as well as Article 6 (lawful basis for processing). Together these provisions prohibit processing personal data in ways individuals have not been told about, or for purposes they would not expect, without a valid legal basis. The alleged actions likewise breach the transparency requirements of GDPR Article 14, which sets out the information that must be provided to individuals when their personal data was not obtained from them directly.
As stated in the enforcement action, the ICO is demanding that the Canadian firm “immediately cease processing personal data of EU or UK citizens for data analytic, political campaigning and advertising purposes.” It further states that failure to comply may incur a penalty of up to 20 million Euros or 4% of total worldwide annual turnover, whichever is higher. The cited firm is appealing the ICO’s decision.
The enforceability of the GDPR against firms without a European presence has been a topic of considerable debate. Firms should monitor the ICO’s enforcement actions against the Canadian firm, as the outcome may be a significant bellwether for enforcement against firms that have no physical presence in the EU but nevertheless process the personal data of EU residents.
How ACA Can Help
ACA Aponix’s team of compliance professionals has developed a series of resources to help firms navigate the complexities of GDPR. These include:
- GDPR is Live – How to Ensure Ongoing Compliance (blog post)
- GDPR for Investment Managers FAQs (download)
- GDPR Implications for U.S. Private Equity Fund Managers (ACA Alert)
In addition, ACA Aponix offers several solutions for assessing your organization’s compliance with GDPR requirements. These include:
For More Information
If you have questions, please contact your regular ACA Aponix consultant or email us at firstname.lastname@example.org.