AggregateIQ, a Canadian company that’s also been involved in the Facebook and Cambridge Analytica scandal, is the first to be put on notice.
The Facebook data scandal involved the personal data of 87 million users being harvested and processed without their consent. For its role in the scandal, Facebook has been fined £500,000, the maximum fine possible under the current regulations.
AggregateIQ, on the other hand, might not be so lucky. The GDPR requires companies within the region to report data breaches within 72 hours or face steep fines. In concrete numbers, these fines can reach €20 million or 4% of annual turnover, whichever is higher.
Despite 500 calls a week, not a single company has been fined thus far. The first-ever notice was actually sent out in July, but it was only spotted recently by Mishcon de Reya, a legal firm.
AggregateIQ has developed tools for voter targeting and the management of data, and has been linked to the Cambridge Analytica scandal. Even though the company is based outside European borders, the ICO has determined that GDPR still applies to it, since it is monitoring the behaviour of subjects within the European Union.
Allegedly, AggregateIQ had access to the personal data of UK citizens, including names and emails. In March, it was revealed that they left a code repository open to the public, exposing political data and microtargeting tools.
In May, the company revealed that they are still holding the personal data of EU citizens. This is against GDPR and the company was given 30 days to remedy the situation.