One factor that those looking to register a business in the UK must bear in mind is the EU’s recently introduced strict data protection law, the General Data Protection Regulation (GDPR). Such individuals may therefore take an interest in the news that the UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first GDPR enforcement notice.

What has attracted particular attention about this enforcement notice, however, is the fact that it has been issued against a company that does not appear to have any EU presence – the Canadian-based analytics business, AggregateIQ Data Services Ltd.

Indeed, it is also the first action that the ICO has ever taken against an entity outside the UK. The notice is understood to be under appeal, and the outcome of the case will be an intriguing indicator of the extent of the GDPR’s enforceability outside the EU.

What breaches did the ICO find?

The ICO found a number of ways in which AggregateIQ had contravened the terms of the GDPR. The company was found to have processed personal information, including UK individuals’ names and addresses, in a manner that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for such processing.

The ICO has also said that this processing was incompatible with the purposes for which the information was originally collected. It added that damage or distress was likely because data subjects were denied the opportunity to properly understand what personal data about them the controller may process, or to effectively exercise the various other rights of a data subject in respect of this information.

What could the consequences be for AggregateIQ?

The terms of the notice require AggregateIQ to cease processing any EU citizens’ personal data for data analytics, political campaigning or any other advertising purposes within 30 days of the date of the notice. If AggregateIQ does not comply, the ICO will be entitled to issue a monetary penalty notice fining the company as much as €20 million or 4% of its annual worldwide turnover – whichever is higher.

How much extra-territorial scope does the GDPR have?

Article 3 of the GDPR sets out that the EU data protection legislation applies to organisations outside the EU when they process personal data that, among other things, relate to monitoring the behaviour of individuals within the EU (Article 3(2)(b)). The ICO’s notice makes clear that it regards AggregateIQ as directly subject to the GDPR as a consequence of Article 3(2)(b).

What are the next steps for this case?

Data regulation and enforcement in relation to cross-border conduct is still in its infancy. This means that until now, enforcement has always been local. However, the outcome of the AggregateIQ case could greatly shape the future development of the framework for cooperation between EU member states and their international counterparts with regard to multi-jurisdictional data misuse.

Are you the owner of an overseas company, and do you wish to register a business in the UK? If so, we can provide the relevant services and expertise as part of our wider business formulation and dissolution services. We can also provide the other business support that will help to keep your firm on the right side of the GDPR and other relevant legislation.

November 2018