UK levels first GDPR fine against Canadian analytics firm linked to Brexit campaign Watch Now

The United Kingdom has issued the first GDPR notice in relation to the Facebook data scandal which saw the data of up to 87 million users harvested and processed without their consent.

While the UK's Information Commissioner's Office (ICO) has recently imposed the maximum fine of £500,000 under the terms of the Data Protection Act 1998 on Facebook for the social media giant's role in the scandal, a Canadian company may not be so lucky in avoiding scrutiny under new data protection laws.

The EU's General Data Protection Regulation (GDPR) came into force this year, on May 25.

Under the terms of the legislation, companies operating in the region must report data breaches to regulators within 72 hours. Failures to adequately protect information can result in fines of up to €20 million or four percent of annual global turnover, whichever is higher.

The ICO has not issued any GDPR-related fines yet, despite recieving 500 calls a week reporting data breaches since the new rules came into effect in the EU.

This does not mean, however, that notices and investigations are not underway.

In fact, the first GDPR-related notice was issued back in July but was only noticed last week by legal firm Mishcon De Reya.

Served by the ICO, the notice has been levied against AggregateIQ Data Services (AIQ). However, there is no mention of the enforcement action on the ICO's website; rather, the document was tagged on to the commission's investigation (.PDF) "into the use of data analytics in political campaigns."

AIQ has been tied to the Facebook-Cambridge Analytica scandal as a provider of software and tools for the management of data destined for use in voter targeting.

The company has also been connected to the Vote Leave campaign in the United Kingdom.

While the company is based outside the EU, the ICO has ascertained that it is still subject to GDPR "as AIQ's processing of personal data is said to relate to monitoring of data subjects' behavior taking place within the European Union," as noted by Mishcon De Reya.

According to the ICO, AIQ was provided with the personal data of UK citizens including names and email addresses. In March, security researchers revealed that the Canadian firm had left a code repository open to the public online, exposing not only microtargeting tools but also political data.

CNET: 6 ways to delete yourself from the internet | The best password managers of 2018 | The Best VPN services for 2018

AIQ told the UK watchdog in May that the company still holds EU citizen data. However, as the data has been stored and processed for political purposes and without the consent of users, the ICO says:

"The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing."

See also: GDPR's silver lining: Data-driven AI and innovation in the enterprise

Under the terms of the notice (.PDF), the ICO has demanded that AIQ "cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes." The company had 30 days to comply.

TechRepublic: 5 data protection policies your employees must know in the post-GDPR era

If AIQ ultimately fails to comply with the enforcement notice to the ICO's satisfaction, the Canadian company may find itself subject to the new fines imposed by GDPR -- assuming the EU's GDPR reach successfully extends beyond its own borders.

However, the legislation does give AIQ -- and any other company which finds itself the recipient of an enforcement notice -- the right to appeal. It is understood that AIQ is exercising that right.

Previous and related coverage