
    What the UK's First GDPR Enforcement Notice Shows About the Risks Chinese Companies May Face

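    WWW.CQLSW.NET   2018-11-18   Source: DeHeng Law Offices (德恒律师事务所)   Author: Frank Fine
    Key point: AIQ's case concerns its use of UK citizens' personal data in breach of the GDPR and its provision of data analytics services to political organizations. According to UK media reports, the Brexit campaign group Vote Leave paid AIQ £2.7 million to target advertising at potential voters during the UK's Brexit referendum.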

    FIRST UK GDPR ENFORCEMENT ACTION IS AGAINST CANADIAN FIRM WITH APPARENTLY NO EU PRESENCE

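    Background

    On 24 October 2018, the UK data protection enforcement body, the Information Commissioner's Office (ICO), issued an enforcement notice against the Canadian data services company AggregateIQ (AIQ). This is the first enforcement notice issued by the ICO under the EU General Data Protection Regulation (GDPR). If AIQ is still not compliant after the 30-day remediation period, the company will face a fine of €20 million or 4% of global group turnover.

    AIQ's case concerns its use of UK citizens' personal data in breach of the GDPR and its provision of data analytics services to political organizations. According to UK media reports, the Brexit campaign group Vote Leave paid AIQ £2.7 million to target advertising at potential voters during the UK's Brexit referendum.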

    On 24 October 2018, the UK data protection enforcement body, the Information Commissioner’s Office (ICO), issued an Enforcement Notice against Canadian data services firm, AggregateIQ (AIQ).[1] This was the first Enforcement Notice issued by the ICO under the General Data Protection Regulation (GDPR).[2] The Notice specifies several breaches of the GDPR and gives AIQ 30 days to put itself into compliance or face a fine of €20 million or 4% of global group turnover, whichever is greater.

    AIQ’s breaches of the GDPR relate to its use of personal data of UK individuals in connection with its business of providing data services to political organizations. Specifically, AIQ used this data to target individuals with political advertising on social media.

    The specific GDPR breaches were as follows:

    1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing “personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Moreover, “the processing was incompatible with the purposes for which the data was originally collected.”

    2. AIQ also breached Article 14 in that it failed to provide “data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply.” Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.

    3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27 in that non-EU companies that process the personal data of EU residents must designate an EU representative, which is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of €10 million or 2% of a company’s global group turnover, whichever is higher.

    The GDPR provides detailed guidance to companies on how the collection of personal data may be legally justified and the steps that must be taken with regard to the privacy of the data and the disclosures and/or authorizations that must be made to, or obtained from, the individuals affected. This is a complex exercise that should normally require the assistance of outside legal counsel. AIQ was either ignorant of how GDPR may affect its business or, what is more likely in view of the wide publicity GDPR has generated around the world, totally indifferent to its GDPR legal obligations.

    The GDPR breaches by AIQ are so serious and wide ranging that it will be nearly impossible for it to fully comply with the Enforcement Notice within 30 days. It should be kept in mind that AIQ must carry out its compliance steps with regard to all UK individuals affected (i.e. with regard to all those in the UK whose data was collected). If AIQ’s measures are only piecemeal, the ICO will probably deem AIQ to be non-compliant.

    If AIQ fails to comply with its GDPR obligations within 30 days, and a fine is imposed, the fine may be enforced in a UK court. If AIQ fails to make a court appearance and a default judgment is entered, AIQ may well have to defend itself in an action to enforce a foreign judgment. Moreover, with a UK judgment entered, AIQ may be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for the collection of the fine.

    The situation for Chinese companies could not be clearer. Even those not established in the EU could face the sort of risks identified above. Those Chinese companies taking a “relaxed position” or preferring to “see how things develop” before they take GDPR compliance measures could find themselves unpleasantly surprised. Keep in mind that AIQ is a small consultancy, but its business depends on assembling a massive database of personal data.

    Now, imagine how much personal data a large Chinese manufacturer of consumer goods or electronic products, a Chinese airline or hotel chain, or a Chinese internet selling platform is able to collect from/on EU consumers, and how much time it would need to comply with the GDPR. A 30-day window would be laughable. And it should be considered that the GDPR did not require the ICO to provide a 30-day window—that was the ICO’s decision, or if you prefer, English hospitality.

    Notes

    [1] For a copy of this Notice, see https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf.

    [2] Most EU Member States have data protection agencies which are responsible for the enforcement of the GDPR.
