An enforcement notice filed by the Information Commissioner’s Office (ICO) against AggregateIQ Data Services Ltd has been revealed following a tip off from a data protection specialist.
The enforcement notice – a legal document under the General Data Protection Regulation (GDPR) which requires the notified organisation to comply with an ICO order – was served on 6 July but was not listed in the "Action we have taken" section of the ICO’s website.
Instead it was buried in the annex to a report on investigations into political groups.
The enforcement notice was discovered by data protection expert Tim Turner, according to Jon Baines, data protection advisor at lawyers Mishcon de Reya.
Baines wrote in a blog published today that even though the notice had been sent in July, "one could be forgiven… for overlooking the Notice. It is not, for some reason, listed on the Commissioner’s ‘Enforcement Action’ page (which is stated to include ‘the latest… enforcement notices’). Rather, it was attached as an annex to the Commissioner’s report into its ‘Investigations into the use of data analytics in political campaigns’."
Baines said on his blog: "Those who have been waiting, since 25 May this year, for the first formal enforcement action issued under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), might just have missed – as I did – that it actually surfaced in July, but with such little fanfare that it went largely unnoticed."
The notice is also unusual, he said, for being served on a company outside the UK. AIQ is Canadian but the commissioner said that the use of data to monitor subjects in the EU meant GDPR applied.
He said it appears that AIQ will exercise its right of appeal against the enforcement notice under section 162(1)(c) of the Data Protection Act 2018. Any appeal would be heard by the First-tier Tribunal.
The ICO told SC Magazine UK that it publicised the notice in a press release entitled "Findings, recommendations and actions from ICO investigation into data analytics in political campaigns" published on 10 July. It consisted of a bullet point in a list of six items under the heading that started "Other regulatory action…" about halfway down a lengthy press release.
* This article has been updated to include a comment from the ICO.