Lessons from the first GDPR Enforcement Notice

Since the European Union’s General Data Protection Regulation (“GDPR”) went into effect in May of this year, and for months prior to “GDPR Day”, the number one question has been how will the various data protection authorities enforce the GDPR? Will the EU use this new regulation as a hammer? Will there really be fines that equate to 20 million Euros or 4% of an offender’s global revenue? And while those of us who follow the GDPR have “enjoyed” the “magic 8 ball” approach to predicting what would happen, the wait is now over.

All signs point to the GDPR being taken seriously: Giovanni Buttarelli, the European Union’s Data Protection Supervisor, in his Opinion published by The Washington Post, unequivocally stated that “[t]he public will see the first results before the end of the year. Regulators will use the full range of their enforcement powers to address abuses, including issuing fines.” In short, Mr. Buttarelli is calling for enforcement and the member states will likely not disappoint.

As for the first official GDPR action, we did not have to wait long: less than two months after the GDPR went into effect, the ICO issued the first GDPR Enforcement Notice against Aggregate IQ Data Services Ltd (“AIQ”). AIQ is a digital advertising, web and software development company based in Canada that focuses on political advertising (a hot topic these days). The ICO Notice expressed concern with AIQ’s use of personal data to create targeted messaging on behalf of various UK political organizations. Specifically, the ICO Notice claims that AIQ violated Articles 5, 6, and 14 of the GDPR because AIQ “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” ❡ 12.

The ICO gave AIQ 30 days to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” Annex 1. If AIQ failed to take this corrective action, the ICO confirmed its authority to issue penalties of 20 million Euros, or 4% of AIQ’s total annual worldwide turnover, whichever is higher. ❡ 15.

AIQ ultimately exercised its right to appeal the Enforcement Notice, under ❡ 16 and section 162(1)(c) of the UK’s Data Protection Act 2018 (DPA). But, as we await the ultimate outcome of that appeal from this particular Enforcement Notice, there are some key takeaways to consider.

First, it is interesting that the first GDPR Enforcement Notice was issued not against an EU company, but against a non-EU company. Many US-based companies are taking a wait-and-see approach, believing that the GDPR will not impact them or that enforcement against a non-EU company would be difficult. By issuing this first notice against a Canadian company, the EU appears to be signaling that it intends to enforce the Article 3 extraterritorial reach of the GDPR. Granted, AIQ has significant interactions within the UK and therefore clearly falls within the confines of the GDPR, but the fact that a non-EU company is the first up for a GDPR Enforcement Notice seems significant.

Second, the ICO Notice gave AIQ only 30 days to cease its violation of the GDPR. We cannot underscore enough the significance of this truncated timeframe. Data is like a spiderweb throughout an organization: finding all of its tendrils can take weeks, if not months, at best. If a company has not, at a minimum, started to create some semblance of GDPR compliance (or an analogous data management program), ceasing the use of specific data within 30 days would be impossible. Additionally, this requirement would move downstream, to any and all vendors and third parties who are “processing” that data. Pushing this requirement downstream would depend on previously agreed-to terms as well as practical limitations. While companies are loath to start the process of data mapping or data categorization, citing cost and limited resources, waiting until a company receives an EU Notice is not practical, and potentially costly in light of the significant fines under the GDPR.

Third, the EU intends to fully enforce the GDPR, and it is not waiting to give companies any extra time to finalize their compliance. The ICO issued this Notice in July, less than two months after the GDPR went into effect. And it clearly outlined that it intends to exercise its authority to issue sanctions to the fullest extent of the GDPR, if necessary. The fines (if any) that are ultimately issued will be telling: is a good-faith attempt to comply sufficient to negate the need for fines? What will be considered “reasonable” under the GDPR? (OK, so reading the GDPR tea leaves is not over.)

While AIQ is the unfortunate recipient of this first Enforcement Notice, it will likely be joined by additional companies as the EU data protection authorities continue to flex their enforcement muscles and put the GDPR into practice. But, for companies watching, this is a signal to take the GDPR seriously. At a minimum, start a dialogue on how your company is impacted and the first steps to take to mitigate the risk of fines. And remember, in the GDPR and any privacy requirements, luck favors the prepared.

