The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 US presidential election, something the ICO is otherwise investigating. In this case, the ICO accused AggregateIQ of failing to follow GDPR by using personal information without a legal basis under GDPR, and using it in ways that people would not have expected when they provided it. Although the data was gathered before GDPR went into effect on May 25, 2018, the ICO stated that GDPR applies due to AggregateIQ’s continued retention and processing of the information about UK residents after that date.

The ICO found that enforcement action was justified because AggregateIQ’s improper use was likely to cause “damage or distress” to the affected people. The ICO’s notice instructs AggregateIQ to cease all use of UK or EU citizens’ personal data for analytics and advertising, political or otherwise. Failure to comply could result in a fine of up to four percent of the company’s annual revenue, or 20 million euros, whichever is greater. AggregateIQ has appealed the notice to the UK’s First-tier Tribunal for Information Rights.

Putting it Into Practice: This case is a reminder that regulators are gearing up to enforce GDPR. Of note here are both that the entity was Canadian, and that the information was collected prior to GDPR coming into effect.