Earlier this year, while conducting investigations into the harvesting of personal information of millions of UK citizens by data analytics firms without obtaining their consent, the Information Commissioner's Office (ICO) issued an Enforcement Notice to data analytics firm AggregateIQ to stop processing retained data belonging to UK citizens.
In July, the ICO issued an enforcement notice to AggregateIQ in which it voiced its concern over the harvesting and use of personal data of UK citizens for political campaigning "without due legal or ethical consideration of the impacts to our democratic system".
AggregateIQ processed citizens' data for Vote Leave campaign
The ICO stated that AggregateIQ processed data of UK citizens on behalf of political organisations such as Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote to Leave and that it used personal data obtained from these political organisations to target individuals with political advertising messages on social media.
According to the BBC, AggregateIQ "was paid nearly £2.7m ($3.6m) by Vote Leave to target ads at prospective voters during the Brexit referendum campaign". It also received funding from Northern Ireland's Democratic Unionist Party and Veterans for Britain, receiving £3.5m in total.
Because of such conduct, the ICO ruled that AggregateIQ had failed to comply with the relevant provisions of GDPR, as it processed personal data of UK citizens in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.
Even though the Vote Leave campaign took place prior to the referendum in 2016, the ICO found that the new Data Protection Act 2018 could be applied to AggregateIQ, since the firm confirmed that it still held personal information of UK citizens after the new DPA came into force, and such data is stored in a cold repository and has been subject to unauthorised access by a third party.
Through the Enforcement Notice, the ICO directed AggregateIQ to "cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes" within 30 days, failing which the firm could be served with a penalty of up to 20 million Euros or 4% of its annual worldwide turnover, whichever is higher.
ICO stands firm against illegal data processing
Back in July, the ICO also fined Facebook £500,000 under the 1998 Data Protection Act for failing to prevent data analytics firms such as Cambridge Analytica from harvesting personal details of millions of users.
"The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others," the watchdog said.
Aside from fining Facebook, the ICO also issued warning letters to 11 political parties in order to compel them to agree to audits of their data protection practices, issued an Enforcement Notice to SCL Elections Ltd to deal properly with a subject access request, issued an Enforcement Notice to AggregateIQ to stop processing retained data belonging to UK citizens, and announced an audit of the Cambridge University Psychometric Centre.