The European Union and its privacy protection laws may seem far away.
But are they really?
Earlier this year, the first case of General Data Protection Regulation (GDPR) enforcement hit North America. And some are wondering if more could be coming.
The GDPR, which only became official in May, is now testing how far it can really reach. This fall, the UK’s Information Commissioner’s Office (ICO) launched legal action against AggregateIQ, a small Canadian company that has no presence overseas. The ICO alleges that the company was involved in data processing for supporters of the 2016 Brexit campaign and was tangled in the Cambridge Analytica scandal as well. GDPR rules were broken as a result of this involvement, the ICO says.
What GDPR rules may have been ignored? Some of the provisions the ICO is focusing on include:
- Not processing data lawfully, fairly, or transparently.
- Not making clear the purposes of collection.
- Not limiting data collection to only what is necessary.
The ICO is not simply ordering the company to pay fines, but to completely end its processing of data on any UK or EU citizens. If it does not comply, it could be subject to millions in fines.
This case is mission critical for the ICO, a test of the GDPR’s scope and power. Will the law be strong enough to control companies not even on its shores?
And there’s another twist in this story — Brexit. AggregateIQ has said it will appeal this legal action, but that appeal will take time. And as the case moves slowly through the legal system, Britain moves through its own Brexit process. It’s not immediately clear how the GDPR will emerge from Brexit.
But another question remains: are US-based companies next? Experts advise them to watch this case closely. It’s believed AggregateIQ will likely challenge the case not only on its merits but also on its jurisdiction.