First extra-territorial enforcement action puts global organisations on notice 

Understandably (given the breadth of the new regime and the huge potential fines introduced for non-compliance), the lead up to 25 May 2018 and the months that followed saw many companies frantically preparing for the arrival of the EU’s General Data Protection Regulation (GDPR) and subsequently rushing to put in place robust compliance regimes. By contrast, the European data protection authorities (DPAs) responsible for enforcement of the new regime have so far been relatively muted.  

The DPAs have certainly been inundated with complaints in these early days, such as those lodged by notorious privacy activist Max Schrems against Google and Facebook minutes after go-live of the GDPR. However, it was not until 6 July 2018 that the UK’s Information Commissioner’s Office (ICO) issued its first official enforcement notice under the GDPR.  The enforcement action is particularly notable as it has been issued against a Canadian company with seemingly no presence in the EU, and therefore may offer some insight into the vexed questions being asked about the extent of the GDPR’s extra-territorial reach.

The Facts:

As part of their broader investigation into the use of data analytics in political campaigns (and in particular, the 2016 Brexit referendum), the ICO served an enforcement notice against Canadian data analytics business, AggregateIQ Data Services Ltd (AIQ), for a purported failure to comply with Articles 5, 6 and 14 of the GDPR. Despite the date of the Brexit referendum, the enforcement notice was able to be brought under the GDPR on the basis that the infringements were (and are) “ongoing” (i.e. post-25 May 2018). The ICO alleges that personal information of UK individuals was processed by AIQ in a manner, and for purposes, that relevant individuals were not aware of and would not have ‘legitimately’ expected. As such the processing has been deemed without lawful basis, with damage and distress contended to be the likely result. Under the terms of the notice, AIQ was given 30 days to cease the processing of any personal information of UK and EU citizens obtained from political organisations, or otherwise received and used for the purposes of advertising, data analytics or political campaigning. Failure to comply with this notice could attract financial penalties of up to €20 million or 4% of AIQ’s global annual turnover, whichever is the higher. 
AIQ has indicated that they will appeal the notice. Given how little regulatory guidance there currently is around the extra-territorial reach of the GDPR and the interpretation of certain key related terms, the outcome of the appeal could be an invaluable guide for organisations around the world as to how European regulators and courts might seek to apply the extra-territorial scope going forward. 

There is currently little understanding about how the statutory tests for extra-territorial applicability of the GDPR, detailed in Article 3, may be applied in practice, given the breadth of the language used in those provisions and the lack of regulatory clarification to date.  Whilst the ICO’s view in this case is that AIQ clearly satisfies those tests - in particular, Article 3(2)(b), which bites on organisations not based in the EU but which process personal data of EU persons in connection with monitoring their behaviour - AIQ’s view is that it is not subject to the ICO’s jurisdiction. Industry commentators strongly suspect that questions around the application of those tests will form part of AIQ’s appeal. For the rest of us, that could be good news in providing some much needed clarification. 

Another territorial quandary might arise from the fact that the ICO has been forced to issue the enforcement notice to AIQ itself, and not to its appointed EU representative. Article 27  of the GDPR requires organisations based outside of the EU, but which are subject to the GDPR, to appoint a representative in the EU (to facilitate enforcement of the GDPR by EU-based regulators). AIQ’s failure to do so puts it in breach of that provision, assuming it is subject to the GDPR.  However, ironically, as neither the GDPR nor the relevant UK legislation contemplates enforcement against wholly foreign respondents (not to mention the practical difficulties associated with cross-border enforcement), AIQ’s breach might end up being the issue that most assists it to evade the potentially long-arm of the GDPR. In any event, this will be an interesting test case for the practical ability of DPAs to enforce the GDPR’s broad extra-territorial reach. 

You can find the full text of the ICO’s notice here.

For more background on the GDPR, including an overview of the key changes introduced by the regulation and whether it will apply to Australian organisations, please see our “GDPR: The Final Countdown” Article. 

For a comparison of the key requirements in the Australian Privacy Act and the GDPR, together with a 10-step plan to achieving cross-border privacy compliance, please see our “GDPR: Ready or Not, Here it Comes” Article.

Look out for our upcoming “GDPR: 6 Months On” Article, in which we will reflect on our learnings over the past half year, including how we have seen Australian organisations manage their compliance obligations, what we are currently seeing in terms of enforcement, and what we expect to see in the coming months and years.

Authored by Melissa Fai, Nikhil Shah and Bryce Craig.