With GDPR complaints rising, UK regulator quietly issued notice of violation
- GDPR complaints have risen sharply in Europe since the regulation went into effect. France's relevant administrative body has received almost 3,700 complaints to date, a 64% increase year-over-year, and received notice of more than 600 data breaches affecting 15 million people, according to TechCrunch. The United Kingdom's Information Commissioners's Office and Ireland's Data Protection Commission have also logged significantly more privacy complaints since May 25.
- The UK ICO sent the GDPR enforcement notice to Canadian firm AggregateIQ (AIQ) in early July. The ICO notified the data controller that it was violating provisions in the European regulation relating to lawful, fair and transparent processing of personal data; limited and relevant data processing; and some disclosure requirements to data subjects.
- The ICO alleged that AIQ worked with political organizations and used personal data of UK citizens to target advertising for political causes including Brexit campaigns and elections; following GDPR's enforcement date, AIQ continued to hold on to and use that data. AIQ was linked to Cambridge Analytica, the firm behind one of Facebook's recent data privacy scandals, by a whistleblower who described it as "our Canadian office," the BBC reports. On its website, AIQ says it is not affiliated with Cambridge Analytica and is "in full compliance with all legal and regulatory requirements."
Penalties may take a while to be handed down, and the process is likely to be lengthened by legal and court challenges to charges. The burden is on regulators to demonstrate "chronic and acute problems" with GDPR compliance and build a strong record against the company.
When GDPR went into effect, there was rampant speculation about enforcement. With high-profile breaches and data scandals fresh in memory, many suspected that the regulatory body might try to make an example of large data processors and controllers.
But after a few weeks, talk of the European regulation steadily subsided. Dealing with an influx of complaints and shortages in resources and manpower, enforcers have not sent out a wave of notices to companies that are not compliant — of which there remain plenty, whether by a lack of commitment or the difficulties of compliance.
AIQ was given 30 days to cease unlawful processing of personal data it received from political organizations for advertising, campaigning or analytics uses. If the company failed to comply, it risks fines of up to 4% of its global annual revenue.
The 4% fines are to be levied on upper level infractions, while lower level infractions will receive 2% fines, equivalent to $24 million and $12 million, respectively. But regulators' intent is not necessarily to heavily fine companies, and severity of fines depends on a number of factors, including the type of infringement, mitigation, company history, if a breach was the result of intent or neglect, cooperation with authorities and notification.
In the U.S., questions about GDPR and data residency have been on the rise, according to Vanessa Pegueros, VP and CISO of DocuSign, speaking at a Forrester event in D.C. on Tuesday. Yet many technology buyers still don't have or don't know of a data privacy and security regulation budget in their companies, especially in SMBs.
The European regulation ignited efforts for state data privacy and security legislation, such as the California Consumer Privacy Act of 2018, as well as discussions of a federal version of GDPR in the White House.
Follow Alex Hickey on Twitter