Has GDPR given the ICO balls or just a quick power trip
Here's hoping it's a set of shiny balls that last beyond Christmas and brexit.
A Canadian data analytics firm on the receiving end of the UK's first-ever violation notice of Europe's new data privacy laws is appealing the claims against it. The GDPR notice was sent by Blighty's Information Commissioner (ICO) against AggregateIQ, an organization linked to the Facebook-Cambridge Analytica scandal. The biz …
AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office: Compare https://opengovca.com/victoria-business/27499 with https://web.archive.org/web/20160317101833/https://sclelections.com/contact/
The phone number was also tweeted by Massingham: https://archive.fo/0R4Nf I'm amazed that the farcical nature of their denial isn't made clear by journalists.
AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office
That doesn't necessarily mean anything. Here in Cambridge (UK) many companies use the St John's Innovation Centre as their address. It's a business incubator. It could equally be a law firm's address used as a registered office - the father of an ex of mine was a Jersey lawyer and had around a hundred company brass plates by his office door.
According to the link smartse posted, AIQ's registered address is "320-1070 DOUGLAS ST VICTORIA BC V8W 2C4". That's actually number 1070 on Douglas Street (320 must be the office number), which is a generic looking office block.
"AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office..."
Don't know about elsewhere, but offices buildings in Delaware in the U.S. host hundreds or thousands of companies in registration addresses of convenience. In Delaware's case, being the second-smallest state in physical size, they apparently decided that business incorporations are the most remunerative cash crop per acre and offer companies tax incentives to register there -- often in a mail slot in a lawyer's or accountant's office. Could the building in question be one of those?
https://www.businessinsider.com/building-wilmington-delaware-largest-companies-ct-corporation-2017-4
This is going to be a very unpopular answer, but, first of all I'll do what no other commentard on this topic has ever done, and post chapter and verse of the actual law rather than say, spout bollocks about how EU law applies abroad, or that to do business in the EU you must adhere to the GDPR:-
Enforcement Outside EU: Chapter 5 of the GDPR relates to handling of data by non-member countries or organizations. The relevant text relating to enforcement of fines is from Article 50, titled "International cooperation for the protection of personal data":
(1) In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
So, to answer your question, they haven't a hope in hell.
Section 1a) says they will need to negotiate new agreements with other countries, so we can prosecute their citizens.
b) We'll offer to help other countries let us prosecute their citizens.
c) Ask nicely if we can prosecute their citizens,
and d) if all else fails, keep telling everyone involved what a great idea it would be if other countries would let us prosecute their citizens.
Article 27 requires any organisation not established in the Union that processes the personal data of subjects in the Union in order to monitor their behaviour, and particularly in respect of the special categories, to appoint a representative in the Union.
Performing data analytics in political campaigning falls into both these categories (monitoring and special category data). Consequently the ICO could in principle enforce the notice on the representative.
Should there not be a representative, that might in its own right constitute a breach of Article 27.
Not sure I agree.
--> https://gdpr-info.eu/issues/third-countries/
"...At the time that the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations),"
It suggests that the "Supervisory Authority" in Canada is obliged to assist to the extent that the existing (Canadian) laws that govern data protection require.
Article 45 may also apply:
https://gdpr-info.eu/art-45-gdpr/
"Transfers on the basis of an adequacy decision"
If so, then article 47 applies regarding "Binding corporate rules", which commit those entities to ensuring "Data Protection" principles that make them "their legally binding [..in..] nature, both internally and externally;"
Here - https://gdpr-info.eu/art-47-gdpr/
They can't as we here in Canada or the USA can TELL THEM TO GO POUND SAND !!!
GDPR LAWS DO NOT APPLY IN USA OR CANADA !!!!!! END OF STATEMENT -- PERIOD !!!!!
if you are a user of CANADIAN or USA located, owned and operated systems you follow US or Canada laws NOT ANYONE ELSES !!!!!
Only if the equipment and/or the company personnel are located or operate out of the EU or Britain does GDPR law apply. ONLY THEN !!!! Any US judge (or Canadian one!) would DENY any extradition request and/or application of a fine in that jurisdiction!
GDPR laws apply to companies that trade in Europe, so the answer is that the guilty (as defined by law) companies (and any companies that their executives have an interest in given that they are accountable) lose their license to trade in Europe.
There are many, many ways to cause a company pain if you can't collect a fine.
Please excuse the no capitals except where required, I was brought up not to shout.
GDPR LAWS DO NOT APPLY IN USA OR CANADA !!!!!! END OF STATEMENT -- PERIOD !!!!!
Interesting. I'm in the UK and in recent weeks I've tried visiting a few Canadian websites only to be met with a message with words to the effect of "We have detected which country you are in and are blocking access for you as we cannot guarantee that our website is compliant with GDPR"
I'm fairly sure TVA Nouvelle was one of the websites in question. Can't remember the other offhand.
@YAAC - The EU would need to have a treaty signed with Canada to allow them to ask for extradition to the EU for the violations, or they sue the EU subsidiary if one exists. However winning against the EU subsidiary may get an unenforceable judgment as the money would have to come from the Canadian parent and that would require the Canadian courts to meddle in the case. The same problem with the US: the EU will spend a ton of time and money arguing in the federal courts just to get the parent to pay up with dicey chances. But the devil is in the details of the various treaties as to how difficult getting money out of a non-EU parent would be.
Not really, It's all about being able to do business in Europe. Witness various US web services becoming unavailable in Europe when the GDPR deadline was reached earlier this year.
Companies that are fined could in theory use the "we're registered to trade from the US/Canada/Mars so we're not subject to EU laws" defence if fined. Which may well work, as long as they no longer want to be able to do business in Europe, or at least the part of Europe that is protected by the EU.
Serious question but how are the ICO going to enforce the GDPR against a Canadian company?
Assuming Canada wants to trade with the Eu in future - quite easily.
Oh? The ICO is going to take the whole of Canada to task over the action of one company? Really? And when the Canadian PM tells the Canadian High Commissioner in London to have a polite (they're Canadians, they're always polite, even when they're telling you to rotate on a cactus) word with the MayBot, about what Canada will or will not buy from Britain if the ICO takes any action at all against the whole country for the actions of a single company, what do you really think the MayBot will do? Back the ICO, or ruin the relationship with one of the pillars of the Commonwealth? Things will get awfully lonely after Brexit...
"Oh? The ICO is going to take the whole of Canada to task over the action of one company? Really? "
You seem to be under the impression that Canadian courts would somehow be inclined to protect this company. They won't be. They have no reason to be. Canadian courts don't defend scumbags just because they are Canadian.
If there is a UK court that signs off on it, and it can't make this company pay, then they send it to a court in Canada, and that court will make them pay.
how are the ICO going to enforce the GDPR against a Canadian company?
The only way that they could do anything would be if the company, from any jurisdiction outside the EU, had assets inside the EU. If the company, any company, does not have assets inside the EU there is absolutely nothing they can do unless and until the company, any company, either has assets inside the EU or does business with some entity inside the EU.
In this case the company is Canadian and does not seem to have assets inside the EU and is not currently doing business with any entity within the EU. The ICO has zero leverage. They cannot compel the Canadian courts to do anything, which means that they cannot enforce the fine, or, indeed, anything whatsoever. Our Canadian heroes could, if they so wished, stand on a ship outside of the territorial waters of any EU country and make remarks about farting in the ICO's general direction and about how the parents of the ICO rep were funny-smelling rodents, and there would be nothing that the ICO could do about it.
I suspect that I see the reason why the ICO failed to mention this (non)action.
Anonymous Coward said: "Serious question but how are the ICO going to enforce the GDPR against a Canadian company?"
I imagine it would involve the ICO going to a UK court asking that the judgement be enforced, followed by the UK court filing appropriate papers with a Canadian court asking them to enforce the UK decision. AggregateIQ would then appeal to a Canadian court asking that it not be enforced, and then after some back and forth with lawyers, the Canadian court approves the UK request and the ICO gets their judgement approved.
UK law is considered to be close enough to Canadian law (closer than any other country) and the UK courts fair enough that the Canadian courts are not likely to question their judgements too much provided the proper paperwork has been filled out.
The ICO may have to wait in line however. Cambridge Analytica, AggregateIQ, and Facebook are already under investigation for the same or related matters by the ICO's Canadian equivalent, the OPCC (Privacy Commissioner) over violations of PIPEDA, which is Canada's equivalent of GDPR.
The OPCC web site mentioned six months ago that they are in contact with the UK ICO on their related investigation. It appears that the UK and Canada have been cooperating with each other on this matter for some time now.
The ICO, no because Britain has no power on the world stage - this isn't 1914
But the Eu? Yes, it cannot have a trade deal with Canada that allows Canadian companies to snub their noses at Eu data protection law that other countries have to obey.
If Canada refused to cooperate in prosecuting the offenders the simple result would be that Canadian companies cannot process data on Eu citizens.
"But the Eu? Yes, it cannot have a trade deal with Canada that allows Canadian companies to snub their noses at Eu data protection law that other countries have to obey"
EU just agreed to a trade deal with Canada ... anyone know if this situation was covered?
"the simple result would be that Canadian companies cannot process data on Eu citizens."
Technically I think the result would be that EU companies would not be able to send data to Canada for processing with the EU companies being the ones fined for non-compliance
"Serious question but how are the ICO going to enforce the GDPR against a Canadian company?"
Start by serving a notice on their bank to freeze their account. The company may or may not have assets in the UK. It's very likely their bank does. On the whole a bank is more likely to be prepared to throw a customer under the bus rather than tangle with the government of a country where it has assets and, presumably, a banking license.
"Data is a toxic asset."
... you never know when it might be useful in future. E.g. all those landing cards for West Indian migrants destroyed at a time when they had no real relevance but, due to subsequent requirements to prove residency, became rather more important.
Also, imagine the reaction here if the ICO went to investigate potential illegal data processing and the company being investigated simply said "nothing to see here, we deleted everything as soon as we'd processed it"
".. you never know when it might be useful in future. Eg all those landing cards for West Indian migrants"
From the PoV of the HO trying to build a hostile environment they were indeed a toxic asset. That's why they were destroyed. They turned out to be even more toxic in their absence, hence the HO is now rudderless.
“the European Union’s General Data Protection Regulation (GDPR) .. will be enforced after a two-year transition, beginning on May 25, 2018” ref
‘The report [PDF] title refers to the Cambridge Analytica scandal where the shady data company gathered information on millions of people by using a feature on social media giant Facebook where a company could suck in information on the friends of people who downloaded a particular app – in this case, a "survey."’
What was the name of the app, how was it loaded onto the client machines, what were the terms of the click-through agreement? Doesn't the Facebook EULA say they own all your data anyway?
‘That information was then used in a series of controversial political campaigns including the vote to remove the UK from the European Union (Brexit) and the election of Donald Trump as US president.’
I hadn't realized that people voting in their own leaders could now be deemed controversial. The Brexit campaign was never controversial; the Conservative government of the day implemented a referendum at which the people of the UK voted out of the EU superstate. A referendum the Conservatives had repeatedly promised to implement, if elected into office.
Same with the election of Trump, the people decided. Unless we're in a late stage democracy where the real decisions are made by trans-national corporations. If so then as someone once said, Goldman-Sachs rules the world.
‘The ICO notice accuses AggregateIQ of violating Articles 5, 6 and 14 of the GDPR rules because’
Brexit took place on June 23 2016 and GDPR became legally enforceable May 25 2018. I thought GDPR was about protecting people's personal data and not to be used as a political weapon. Besides, anyone who thinks their personal data is private on Facebook is deluding themselves.
Brexit took place on June 23 2016 and GDPR became legally enforceable May 25 2018.
You didn't read the bit about them still retaining the data post GDPR implementation did you Walter?
Is it just me or does GDPR sound like a German state security service?
@Mark 65: ‘You didn't read the bit about them still retaining the data post GDPR implementation did you Walter?’
TLDR .. I was hoping you would do the reading for me and provide a link to the relevant bits:
Investigation into the use of data analytics in political campaigns:
“In summary, the app accessed up to approximately 320,000 Facebook users to take a detailed personality test that required them to log into their Facebook account. In addition to the data collected directly from the personality test itself, the app utilised the Facebook Login in order to request permission from the app user to access certain data from their Facebook accounts.” page 19 para 03
To summarize, Facebook owns your data and by clicking on the GSR App 'personality test' license you grant AggregateIQ access to that data. Besides, political parties and the advertisers have been using such personal data for targeted campaigns for a long time and will continue to do so on into the future. Your storecard keeps track of what you buy, which they aggregate and sell on. The only controversial thing about the whole affair is why people are so nonchalant about handing over their personal data to so-called social media platforms. And finally, the term Facebook 'privacy settings' is a bit like a unicorn, in that people can believe they saw one, but in fact they don't actually exist.
Both the Trump and Brexit campaigns mentioned used tricks, underhand tactics, which were in some cases illegal.
But you know this.
Don't act as if they were honest democratic processes - the opposite is true.
Your trumpite/brexiter typical paranoia shows in your post title, by the way.
"Don't act as if they were honest democratic processes - the opposite is true."
They were. As honest as any other democratic process, like the elections in general.
Or do you honestly believe the other side of those campaigns were all totally honest and didn't use backhanded tactics themselves?
Brexit took place on June 23 2016 and GDPR became legally enforceable May 25 2018.
Nope. The decision to start Brexit happened then, Brexit itself won't happen until March 29th 2019. Anyway, since UK consumer and data protection law has always been consistently more strict than EU requirements, and the UK co-operates closely with Canada on this, it seems unlikely that Brexit will change this case.
Besides anyone who thinks their personal data is private on facebook is deluding themselves.
That's certainly true, but doesn't exempt Facebook from having to follow the laws of the countries it operates in (and EULAs that say otherwise are invalid).
for using my personal information gleaned from other sites to tailor and create Ads on my phone fed from realtime Ad Auction merchants that invite me to book at those hotels I previously looked at on Booking.com from another entirely separate computer.
"We Know where you stayed on holiday Last Summer".
Ad blockers and No-Script or similar want to be your friends you know, why don't you let them.
(And take the time to go through Google's opt-out pages, as there are several, and opt out of EVERYTHING you can. Yes this is slightly inconvenient if you use a lot of googly apps, but then you'll just have to decide what you value more. Your privacy or "convenience".)
Wasn't there some sort of protection against being prosecuted if there was clear evidence that the law you "broke" was invented *after* you committed your crime?
Or do the (literally) "Get Out Of Jail Free" rules only apply if you are a politician or a Big Business?
There is, however the company were given notice that the law was changing and that to comply with the new law they would need to change how they processed data. They didn't change and thus were charged with breaching the new law.
It's a bit like the speed limits on a road changing from 30 mph to 20 mph: you would have seen the new signs going up and if you still drive at 30 mph you will be taken to court.
Wasn't there some sort of protection against being prosecuted if there was clear evidence that the law you "broke" was invented *after* you committed your crime?
Yeah, it's called "not carrying on committing the crime". Tricky to comply with I know, especially when you're only given a couple of years warning it's going to become illegal.
My partner recently received a letter from the Labour Party inviting her to register for a postal vote. She phoned the local office and asked where they got her details - to which they replied the Open Register. She stated that she wasn't on the Open Register but contacted the Council anyway to check and they concurred that she's not on the public register. She's deliberating what to do next. I'm a Party member, but this really gets on my nerves. A key Labour strategy is to push up the numbers of people to vote by post because the higher the turnout - the better Labour do. Why they're not using an up-to-date Open Register is utterly beyond me.
Can't claim to be working for the working classes while spaffing cash at local authorities for updated datasets can they? Sounds a bit middle class and profligate.
You may assume they look at the mailing preference service data too, although I keep getting told what assumptions make me :)
I admit to being ignorant of most political party mechanics but I would suggest this is a local group operating with "volunteers" who really have no idea and are just doing as they are told from higher up.