GDPR international test case has worldwide significance

Published 01 October 2018

The world is watching the first European Union General Data Protection Regulation (GDPR) action against a non-EU company – a test case with global implications. The business in question is AggregateIQ, a small Canadian company specialising in social media advertising, which is accused of using data from United Kingdom and European citizens for politically related advertising.

AggregateIQ was engaged by supporters of Vote Leave, the 2016 Brexit referendum campaign that persuaded UK voters to poll in favour of leaving the European Union. It is alleged to be linked to Cambridge Analytica, the organisation accused of using Facebook data to promote Donald Trump’s 2016 presidential campaign. 

At present the United Kingdom GDPR authority, the Information Commissioner’s Office (ICO), has simply ordered AggregateIQ to desist from processing the personal data of UK or EU citizens, obtained by any means, for the purposes of data analytics, political campaigning or any advertising.

AggregateIQ has indicated it will appeal against this enforcement order, which carries infringement penalties of up to €20 million, or 4% of its worldwide revenue, whichever is greater.

“If the case against AggregateIQ is successful, clients who don’t have operations in the EU but do have connections to the data of EU citizens will be exposed to prosecution under the strict GDPR legislation, greatly increasing their responsibilities and risks,” warns Gallagher cyber specialist, Product Manager Travis Gauci.

“In response to this exposure Gallagher has been working with clients with international operations to navigate the increasingly complex exposures associated with privacy and cyber security.”

The ICO maintains that AggregateIQ was provided with UK citizens’ personal data as part of its work on the Brexit campaign; data which was then used to target these individuals with political advertising through their preferred social media platforms.

The exposures involved

United States law firm Saul Ewing Arnstein & Lehr has published a legal analysis of the basis of the case.

The ICO claims AggregateIQ violated 5 GDPR provisions.

  1. That personal data be processed ‘lawfully, fairly and in a transparent manner’.
  2. That it be collected for specified, explicit and legitimate purposes.
  3. That the information collected should be limited to the purpose for which it is processed.
  4. The data controller involved must designate the lawful basis for data processing before proceeding.
  5. The data processor has a duty to provide notice of its activities to the subjects of the data collection.

The ICO maintains that AggregateIQ violated these provisions by

  • processing data in a way the subjects were not aware of
  • using the data for purposes they would not have anticipated
  • processing the data without lawful basis
  • using the data in a way incompatible with the purpose for which it was originally collected.

The case will test the actual scope of the GDPR in practice and has significant implications for countries outside of the EU.

“This example brings into focus the responsibility for ALL businesses to understand what data they hold, what is being done with it and what legal requirements they are subject to,” Gauci says.

“The financial and reputational consequences of ignoring this can be catastrophic for many businesses, which is why cyber insurance is increasingly being seen as a mandatory purchase as part of a risk management and insurance program.”

How Gallagher can help

If you are concerned about how the GDPR could potentially impact your business, or have any other questions around your cyber risk and insurance, contact our specialist team of cyber insurance brokers, who will be able to help you understand the legislation further.

Download your free guide to developing a data breach response plan here.
