FIRST UK GDPR ENFORCEMENT ACTION IS AGAINST CANADIAN FIRM WITH APPARENTLY NO EU PRESENCE
Background
On 24 October 2018, the UK data protection enforcement body, the Information Commissioner's Office (ICO), issued an Enforcement Notice against the Canadian data services company AggregateIQ (AIQ). This was the first Enforcement Notice issued by the ICO under the EU General Data Protection Regulation (GDPR). If AIQ is still not in compliance after the 30-day remediation period, the company will face a fine of €20 million or 4% of the group's global turnover.
AIQ is alleged to have used the personal data of UK citizens in breach of the GDPR while providing data analytics services to political groups. According to UK media reports, the Brexit campaign group Vote Leave paid AIQ £2.7 million to target potential voters with advertising during the UK's EU membership referendum.
On 24 October 2018, the UK data protection enforcement body, the Information Commissioner’s Office (ICO), issued an Enforcement Notice against Canadian data services firm, AggregateIQ (AIQ).[1] This was the first Enforcement Notice issued by the ICO under the General Data Protection Regulation (GDPR).[2] The Notice specifies several breaches of the GDPR and gives AIQ 30 days to put itself into compliance or face a fine of €20 million or 4% of global group turnover, whichever is greater.
AIQ’s breaches of the GDPR relate to its use of personal data of UK individuals in connection with its business of providing data services to political organizations. Specifically, AIQ used this data to target individuals with political advertising on social media.
The specific GDPR breaches were as follows:
1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing “personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Moreover, “the processing was incompatible with the purposes for which the data was originally collected.”
2. AIQ also breached Article 14 in that it failed to provide “data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply.” Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.
3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27 in that non-EU companies that process the personal data of EU residents must designate an EU representative, which is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of €10 million or 2% of a company’s global group turnover, whichever is higher.
The GDPR provides detailed guidance to companies on how the collection of personal data may be legally justified and the steps that must be taken with regard to the privacy of the data and the disclosures and/or authorizations that must be made to, or obtained from, the individuals affected. This is a complex exercise that should normally require the assistance of outside legal counsel. AIQ was either ignorant of how GDPR may affect its business or, what is more likely in view of the wide publicity GDPR has generated around the world, totally indifferent to its GDPR legal obligations.
The GDPR breaches by AIQ are so serious and wide ranging that it will be nearly impossible for it to fully comply with the Enforcement Notice within 30 days. It should be kept in mind that AIQ must carry out its compliance steps with regard to all UK individuals affected (i.e. with regard to all those in the UK whose data was collected). If AIQ’s measures are only piecemeal, the ICO will probably deem AIQ to be non-compliant.
If AIQ fails to comply with its GDPR obligations within 30 days, and a fine is imposed, the fine may be enforced in a UK court. If AIQ fails to make a court appearance and a default judgment is entered, AIQ may well have to defend itself in an action to enforce a foreign judgment. Moreover, with a UK judgment entered, AIQ may be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for the collection of the fine.
The situation for Chinese companies could not be clearer. Even those not established in the EU could face the sort of risks identified above. Those Chinese companies taking a “relaxed position” or preferring to “see how things develop” before they take GDPR compliance measures could find themselves unpleasantly surprised. Keep in mind that AIQ is a small consultancy, but its business depends on assembling a massive database of personal data.
Now, imagine how much personal data a large Chinese manufacturer of consumer goods or electronic products, a Chinese airline or hotel chain, or a Chinese internet selling platform is able to collect from/on EU consumers, and how much time it would need to comply with the GDPR. A 30-day window would be laughable. And it should be considered that the GDPR did not require the ICO to provide a 30-day window—that was the ICO’s decision, or if you prefer, English hospitality.
Notes
[1] For a copy of this Notice, see https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf.
[2] Most EU Member States have data protection agencies which are responsible for the enforcement of the GDPR.