ICO goes extra-territorial

The ICO has issued its first enforcement notice against an organisation which seems to have no presence in the EU.  The company, AggregateIQ Data Services Ltd, is based in Canada, and the enforcement notice seems to be a spin out of the Cambridge Analytica case.

The extra-territorial reach of the GDPR is as yet untested, but is likely to have a significant impact for GDPR enforcement in the coming years.  The enforcement notice, which is being appealed, claims that AggregateIQ Data Services Ltd is holding personal data relating to individuals in the UK, that there is no lawful basis for holding the data, that the data subjects have not received privacy notices in relation to the data being held, and that the personal data is not being lawfully processed.