
It’s official: Brexit Vote Leave firm is served first GDPR notice

20th Sep 2018

A Canadian company hired by the Vote Leave campaign group to help influence the outcome of Brexit has become the first to be served a notice under Europe’s new GDPR data laws.

The firm, AggregateIQ (AIQ), used Facebook data to target adverts at pollsters in the build up to 2016’s EU referendum in the UK.

Whilst this falls well within the date threshold of GDPR’s 25th May 2018 deadline, the UK’s data regulator, the ICO, has confirmed that it would be applying GDPR legislation as AIQ had “continued retention and processing” of data after 25th May.

The firm is under fire for processing data "for purposes which they would not have expected", but has already appealed the ICO’s notice.

Significant moment

The news of the ICO’s intent is momentous for customer data practitioners. Since GDPR came into enforcement, many have awaited news of the first company to be hit with a fine relating to the legislation.

The announcement also highlights that the ICO is taking GDPR extremely seriously, with further significance placed on the fact that the first notice is for a company based outside the EU.  

The BBC states that Vote Leave paid AIQ nearly £2.7m for their targeted Facebook campaign, with the company being used by other parties including the Democratic Unionist Party and Veterans for Britain, both pro-leave organisations.

"It was just a matter of time before it would happen," Sandra Wachter, a data regulation expert at the University of Oxford's Internet Institute, told the BBC.

"The GDPR makes it very clear that if you process data within the EU obviously the laws are applicable but also if you transfer data out of the EU… or if you are targeting European markets then the GDPR is also applicable."

British Airways spared, for now

Just two weeks ago, British Airways revealed a major data breach, with the personal and financial records of nearly 400,000 customers being compromised.

At the time it was debated whether the airline would become the globe’s first GDPR casualty; however, it has cooperated with the ICO within its stipulated guidelines and awaits notice of any potential fine.

Writing for Forbes, cyber security expert Kate O'Flaherty stated she expected BA to be hit with a massive fine, once the ICO has finished its investigation into the data breach.

“Under GDPR, firms can be fined up to 4% of turnover: In BA’s case £500 million. If the airline’s parent group International Airlines Group (IAG) is held accountable instead, the number could be even higher.

“The fines are in addition to any compensation BA needs to pay to customers who might have suffered financial fraud as a result of the breach.

“But the costs do not end there: BA has been threatened with a £500 million class-action lawsuit in a UK court by law firm SPG Law. It alleges BA is liable to compensate for non-material damage under the Data Protection Act 2018, the UK’s implementation of GDPR.”

Both the British Airways and AIQ cases highlight that the ICO is serious in stating that action will be taken against misusers of customer data, and that businesses must not take their foot off the gas when it comes to their compliance with GDPR.
