GDPR Compliance Myth #8: GDPR enforcement doesn’t go beyond EU borders

Silhouhette of a spy
The Information Commissioner’s Office (ICO) is deploying agents around the world to clamp down on those failing to comply with GDPR

As a year since the introduction of the EU’s General Data Protection Regulation (GDPR) approaches, we revisit our popular GDPR Mythbusters series to separate the data protection facts from fiction.

GDPR’s reach promised to be global. Companies around the world would fear the shadow of the EU regulators. They would quake in their sandals or snow boots as diligent Europeans pursued international data bandits across baking desserts and frigid tundra in the name of justice; serving enforcement actions on those crooks, wherever they may hide.

Read more: GDPR training for US-based staff

EU residents locked out of US websites

Screenshot of Chicago Tribune for EU residents
Almost a year after GDPR has come into force, you will still be unable to access certain US-based websites from the EU

The practicalities of these cross-border raids have remained a scarring question mark in the first year of GDPR. While many businesses around the world who processed European data did their best to make themselves compliant in the name of doing right by the law, others blocked Europeans from even crossing their path.

Major international news websites including the Los Angeles Times and Chicago Tribune shuttered their sites to EU IP addresses in the days after GDPR. While they claimed this would only be a temporary measure till they got up to scratch, those sites have never reopened and Europeans remain geo-segregated from swathes of the internet.

In November 2018, the UK’s Information Commissioner’s Office (ICO) ruled the way the Washington Post website tracked EU user data was incompatible with GDPR. It issued a written warning to the publisher, but neither side has taken further action.

This kind of posturing might have exposed GDPR as being meek and toothless outside of European borders – achieving little more than a strongly worded press release easily ignored by American publishers. However, a curious detail buried in an ICO report reveals more of a cloak-and-dagger operation raging beneath the public eye.

What we can learn from AIQ scandal

AIQ is a Canadian company which was involved in the Facebook-Cambridge Analytica scandal as a provider of software and tools for data management. The company was also linked to the data skulduggery carried out by various UK political organisations backing Leave in the Brexit referendum. While Leave.EU was fined £120,000 by the ICO for marketing abuses carried out in the 2016 vote under the old Data Protection Act, AIQ was served the ICO’s very first enforcement action under GDPR rules, aka the Data Protection Act 2018.

For all those marauding data gangsters on the other side of the Atlantic thinking the arm of GDPR will never reach them, the ICO is signalling something else. Despite AIQ not being an EU entity, it processed and monitored EU citizens’ behaviour, doing so unbeknownst to those data subjects, for undeclared purposes and without a lawful basis for processing.

The ICO’s enforcement notice, served without fanfare and hidden from public view, demands AIQ to cease its processing operations of EU or UK citizens’ data. If it fails to comply within 30 days, they could be fined up to 4% of their global turnover. This is not some mild-mannered warning, it’s an indictment that AIQ is now fighting in courts of law.

Like Judy Dench’s ‘M’ in the James Bond episodes starring Pierce Brosnan, Her Majesty’s Information Commissioner Elizabeth Denham CBE is dispatching her ICO agents around the world, from snowy peaks to jungle dens, in the first act of a quiet but serious war against the international data villains.

Upcoming GDPR Mythbusters webinar

As we approach a year since GDPR came into force, we will re-visit our popular GDPR Mythbusters series with a new round of questions and answers about data protection.

During the webinar, we will be answering questions such as:

  • Are huge GDPR fines a myth?
  • Does anyone actually care about GDPR compliance?
  • Does enforcement really go beyond EU borders?
  • Does GDPR apply to me if I’m not based in the UK?
  • Does GDPR require me to appoint a DPO?

Register now

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.