Back in July the ICO issued its first formal notice under GDPR. It’s a sign that the commissioner means business when it comes to enforcing the new, stricter data protection regime. The ICO’s action in the case – AggregateIQ – is significant for two reasons:

  • It relates to a company based outside the EU
  • The breach concerns data that was processed prior to GDPR

At Big Data Law we think the case illustrates the need for our clients in London and elsewhere to review their data management processes – wherever they are based and whenever they collected the data of individuals they currently hold.


We are all aware of the Cambridge Analytica/Facebook controversy around the use of personal data in political campaigns. The ICO is continuing a large scale investigation into the subject. In the course of its work, the regulator examined the way AggregateIQ processed personal data for UK political groups, including Vote Leave. Vote Leave and others provided AggregateIQ with the personal details of UK individuals. This information was then used by AggregateIQ to target the individuals with political advertising on social media.

At the time of the investigation AggregateIQ was still holding the data. The ICO found that the data had been processed in a way that:

  • The individuals were unaware of
  • Individuals would not have expected
  • Had no lawful basis
  • Was incompatible with the way the data was originally collected


As far as we are aware, the notice is the first time the ICO has tried to use its enforcement powers outside the UK. AggregateIQ is a Canadian company. The ICO argues that the data relates to EU citizens and therefore comes within the scope of GDPR. The decision raises the relatively untested area of the extra-territorial effect of GDPR.

The AggregateIQ enforcement notice is also important because the data in question was gathered before the introduction of GDPR on May 25 2018. As a result AggregateIQ may well have believed it was immune fro any GDPR intervention. Not so. The ICO found that the Canadian company continued to retain and process the information after the new regulations were in place. In the ICO’s view this meant the company should be subject to the full force of GDPR.


The terms of the enforcement notice are wide. They oblige Aggregate IQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations for the purposes of data analytics or political campaigning. Failure to comply could result in a fine of 20 million euros or 4% of AggregateIQ’s annual turnover.

Reports suggest the Canadian company has appealed the notice. It will be interesting to see if they are successful or not. And whether the ICO’s clear indication of its intention to bare its teeth when it comes to enforcement of GDPR will be sanctioned on appeal.

Big Data Law provides bespoke advice on GDPR related matters. You don’t have to be a large organisation to be subject to GDPR. For small and medium-sized businesses handling personal data correctly now makes sound commercial sense. For further advice please call us on +44(0)203 670 5540 or contact us online.

Shubha Nath