[BreachExchange] First GDPR Enforcement is Followed by First GDPR Appeal

Destry Winant destry at riskbasedsecurity.com
Wed Oct 10 23:02:56 EDT 2018


In what has been billed as the world's first GDPR action, the UK
regulator -- the Information Commissioner's Office (ICO) -- quietly
issued an enforcement notice against Canadian firm AggregateIQ Data
Services Ltd (AIQ). It is a low-key affair. Although the enforcement
notice was issued on 6 July 2018, the notice was not and has not been
placed on the ICO's enforcement action page.

Instead, the notice was attached as an appendix to an investigation
report by the ICO. There it largely remained unnoticed until found by
law firm Mishcon de Reya LLP in September. SecurityWeek asked the ICO,
"Is there any reason for the only occurrence (that I can find) of the
notice appearing as an addendum to a longer report?" All other
questions were answered, but SecurityWeek did not receive a direct
answer to this direct question.

However, we were told that AIQ had appealed the notice. Appeals go to
the First-tier Tribunal of the General Regulatory Chamber (GRC). They
are not normally made public in the UK. SecurityWeek approached the
GRC and asked for a copy -- and has now received a copy, slightly
redacted, of AIQ's appeal against the GDPR enforcement notice.

Our first article discussed the reasoning behind the ICO's enforcement
notice. Now we can look at AIQ's arguments against it. This is an
important issue. While lawmakers make laws, it is the judiciary that
interprets them. Neither the lawmakers nor the regulators know how the
letter of the law will play out until the law has been tested in front
of the judiciary. Equally, the subject of the laws -- in this case
businesses that use the personal data of EU citizens around the world
-- cannot fully understand their exposure to the law until it has
faced the scrutiny of the judiciary.

The first specified ground for the appeal is that the ICO has no
jurisdiction over AIQ "in this matter". This implies that the reason
for appeal is not based on geography, but on the application of the
law. SecurityWeek talked to a UK-based lawyer to understand the basis
for the AIQ appeal.

AIQ claims, "There is no evidence whatsoever of any 'processing' of
the data held for the purposes of 'monitoring' after the in-force date
of the GDPR and DPA in 2018..." This may become the pivotal section of
the appeal. Was, in GDPR terms, AIQ a data controller and/or a data

"If AIQ is a Data Controller," comments David Flint, Senior Partner at
MacRoberts LLP, "there would be an overriding issue of how it had a
lawful basis for processing and meeting the [GDPR] Article 5
Principles. If it were a Processor, the question would be the
compliance with Article 5 of those who gathered the information and
whether they knew that AIQ would be processing the data."

Flint believes that AIQ's term 'monitoring' relates to 'profiling'
within the legislation. Recital (24) of GDPR says "profiling a
natural person, particularly in order to take decisions concerning her
or him or for analysing or predicting her or his personal preferences,
behaviours and attitudes", which covers any evaluation of the response,
or lack of response, to the activity. The ICO enforcement notice, comments
Flint, "suggests that this is what was being done and why the data was
being processed."

He adds that "'processing' also includes holding the data, so the fact
that the data was still 'held' on 31 May would, in my opinion, bring
the activities of AIQ squarely within the scope of the GDPR/DPA2018."
This is an important point for all companies that may store and forget
they have EU data. They don't have to do anything with that data.
Merely storing it makes them a data processor under GDPR.

Notably, Equifax said that it had 'forgotten' about the storage of
EU citizen data in the U.S. This forgotten data resulted in a £500,000
fine from the ICO after the breach.

Data subject 'consent' is likely to be a key issue within GDPR. The
ICO finds that the data subjects did not consent for AIQ to use their
data. AIQ responds that the ICO has provided no proof that it lacked
the consent of the subjects, and it believes that they had provided
the information voluntarily to AIQ's clients with at least 'implied
consent'. If the tribunal finds in favor of the ICO, it will reinforce
the idea that organizations will need to obtain and be able to
demonstrate actual and explicit consent from every EU citizen.

AIQ also argues that 'natural justice' should militate in its favor.
"The position taken by the ICO in the Enforcement Notice and the
Order," it claims, "is contrary to the principles of fairness and
natural justice (which also may be referred to as the duty on the ICO
to act fairly), and breaches AggregateIQ's right to a fair hearing."

Flint has little sympathy here. "I think the arguments of 'natural
justice' fall away where there is a specific statutory provision
prohibiting the behavior in question," he told SecurityWeek. "The only
argument might be one based on ECHR but that would mean that the GDPR
was invalid as being in breach." This in itself is an interesting
comment. If the appeal were to the European Court of Human Rights, it
would largely come down to whether businesses' rights take precedence
over citizens' rights -- which seems unlikely. But if they did, then
GDPR would be invalidated as in breach of the European Constitution
(just as the original Safe Harbor agreement between the EU and the
U.S. was invalidated).

In fairness to AIQ, this is the one section of the appeal that has
been largely redacted by the Tribunal. Elsewhere in the appeal, AIQ
accuses the ICO of "taking a position which is contrary to previous
positions taken by the ICO, resulting in substantial unfairness and
the denial of natural justice to AggregateIQ." We will not know until
the hearing whether there is any link between the redacted section and
AIQ's comment on 'previous positions', nor whether the Tribunal will
consider this to be important.

The AIQ Appeal is number EA/2018/0153 with the Tribunal. It was
received on 30 July 2018. At the time of writing this, there is no
further information on the Tribunal's appeals table.

The result of the appeal is likely to be important. Much of it seems
to be unconvincing -- but it doesn't matter what the lawmakers, the
regulators, businesses, lawyers or the media think. In the end, it all
comes down to how the judiciary interprets the law and the incident.
It would be natural for the regulators to put their toe in the water
before potentially going after big companies like Google or Facebook.
This may partly explain the low publicity so far afforded to this
first case.

"Lots to think about," comments Flint; "and an interesting case to
follow particularly given that other cases are starting to line up!
Wonder what the Tribunal (and I suspect in due course the Courts) will
make of it." The final result may well provide clues to how GDPR is
likely to play out over the next few years.

There is, however, one further point worth noting. The ICO enforcement
notice requires certain action by AIQ. There is no imposed monetary
penalty. This leaves one issue undiscussed. If an EU regulator were to
impose a financial penalty on an extra-territorial entity, how, or even
whether, could that penalty be enforced?
