A Canadian data analytics firm on the receiving end of the UK's first-ever violation notice of Europe's new data privacy laws is appealing the claims against it.

The GDPR notice was sent by Blighty's Information Commissioner (ICO) against AggregateIQ, an organization linked to the Facebook-Cambridge Analytica scandal. The biz faces a possible €20m ($23.5m) fine.

The company denies any wrongdoing, and is challenging the notice.

The GDPR notification was the first in the new data privacy environment where companies are legally obligated to limit the personal data they gather on people, be open about how they use that data, and allow people to demand that their information is deleted.

It was sent in July, amid the ICO's probes into Facebook data harvesting, although the notice wasn't posted on the ICO's enforcement page, and in fact there is no mention of it anywhere on the ICO website. The notice itself [PDF] was hyperlinked in an annex at the end of a "investigation update" into the "use of data analytics in political campaigns." The fact it was a GDPR notice was only just spotted last week.

The ICO report [PDF] title refers to the Cambridge Analytica scandal where the shady data company gathered information on millions of people by using a feature on social media giant Facebook where a company could suck in information on the friends of people who downloaded a particular app – in this case, a "survey."

Violations

That information was then used in a series of controversial political campaigns including the vote to remove the UK from the European Union (Brexit) and the election of Donald Trump as US president.

The ICO notice accuses AggregateIQ of violating Articles 5, 6 and 14 of the GDPR rules because it "processed personal data in a way that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing." It is alleged that AggregateIQ is linked to Cambridge Analytica in that information flowed from CA to AIQ, although AggregateIQ denies any connection.

Europe's GDPR, Whois shakeup was supposed to trigger spam tsunami – so, er, where is it? READ MORE

That processing was "incompatible with the purposes by which the data was originally collected." And it did not let people know it had received their data from a third party. The notice orders the company to stop processing the personal data it holds for "any advertising purpose."

Those violations means that the ICO is allowed to impose the higher GDPR fine level of up to €20m or four per cent of a company's annual turnover, whichever is higher.

AggregateIQ is thought to have "micro-targeted" possible voters through social media channel using data gathered by pro-Brexit campaigns. It spent $2m on Brexit-related advertisements on Facebook alone.

Interesting, the company may have thought it was in the clear because it gathered all the data under question before the May 25 start-date of the GDPR legislation. But it was still holding the data when the law came into effect, making it liable, the ICO has said.

Appeal

AggregateIQ has refused to discuss the violation notice beyond noting that it is appealing the decision. A statement on its website, first posted back in March, reads:

AggregateIQ has never been and is not a part of Cambridge Analytica or [CA parent] SCL… AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity… AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.

While the notice is the first to be sent as part of the GDPR regime, it will certainly not be the last. Data protection regulators across Europe have received numerous complaints from consumers covering just about every social media company including Google, Facebook, Instagram and WhatsApp. Investigations into each are thought to be ongoing. ®