(Continued from the previous article: Challenging the GDPR Fine-Decision of Greek DPA on Employee data)
The second GDPR enforcement case that needs discussion is the UK ICO's Enforcement Notice against the Canadian firm AggregateIQ Data Services Ltd (AIQ). On 24 October 2018 the ICO, the UK data protection enforcement body, issued a notice specifying several breaches and warning of a possible fine under GDPR provisions.
The breaches alleged included:
- AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing “personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Moreover, “the processing was incompatible with the purposes for which the data was originally collected.”
- AIQ also breached Article 14 in that it failed to provide “data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply.” (Article 14 deals with the situation in which a company obtains personal data from one or more third parties rather than from the data subjects directly. Where Article 14 applies, the controller must communicate to the data subject, among other things, the categories of data collected, the purpose(s) of the processing and its legal basis.)
- Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27, under which non-EU companies that fall within the GDPR's territorial scope (Article 3(2): offering goods or services to, or monitoring the behaviour of, data subjects in the EU) must designate a representative in the EU. The obvious purpose of this requirement is to give regulators an easy means of asserting jurisdiction. Failure to comply with Article 27 alone can attract a fine of up to €10 million or 2% of the company's total worldwide annual turnover, whichever is higher.
The notice to the Canadian firm has also raised the question of extraterritorial jurisdiction under GDPR. The alleged breach came out of the investigation into the Cambridge Analytica affair, concerning the use of UK citizens' data for analysis without the knowledge of the data subjects.
The ICO's claim is that AIQ processed UK personal data without the consent of the data subjects concerned, and that (note the date) it continued to hold this personal data after the date on which GDPR came into force (25 May 2018).
The notice stated “The Commissioner takes the view that damage or distress is likely as a result of data subjects being denied the opportunity of properly understanding what personal data may be processed about them by the controller [which is AIQ], or being able to effectively exercise the various other rights in respect of that data afforded to a data subject.”
It is important to note that the “damage” relied on here is speculative: the notice speaks of damage or distress that is “likely”, not of harm that has actually been demonstrated.
AIQ has objected to the ICO's jurisdiction in the matter and has appealed; the matter now rests with the First-tier Tribunal (General Regulatory Chamber) of HM Courts & Tribunals Service.
More details will be known in due course, but the case already indicates how GDPR may be used to target data processing companies located outside the EU.
The global corporate sector needs to think seriously about how this exposure should be factored into its business strategies. (Refer to the article on securityweek.com for more information.)
Indian companies need to take appropriate precautions to safeguard their interests by ensuring that any liability arises only under their processing contract with the data controller and not directly. Note, however, that Article 28 of GDPR places certain obligations directly on processors, so the contract should at least spell out those responsibilities explicitly rather than assume the controller carries all of them.