
Recent ICO enforcement action and our geopolitical times

In the past weeks and months, we have seen some high-profile enforcement activity by the ICO central to geopolitical events of the past, present and future.

The regulator has brought its investigation work into data breaches connected with the 2016 EU referendum to some fruition, issuing a £500,000 fine to Facebook, following on from the ICO’s enforcement action back in July in the closely connected case of AggregateIQ.

The ICO’s forceful actions send a signal of its intent in its ongoing high-profile investigation into the use of data analytics in political campaigns.

The UK’s data protection regulator’s confirmation last week that it will levy the full £500,000 anticipated fine on Facebook was expected. This is, of course, the maximum permitted sanction under the old Data Protection Act 1998 regime, and was imposed on Facebook for failure to protect app users’ personal data which may have been used for political campaigning.

Meanwhile, the AggregateIQ action is noteworthy, and not only because of its status as the first enforcement action taken by the ICO under the GDPR regime (with a much higher fine in scope) and its pivotal part in the major ICO investigation into political campaigns referred to above.

Arguably the most eye-catching aspect is that AggregateIQ is a Canadian entity with no apparent UK presence, so it is the first extra-territorial action taken by the ICO in history and has the potential to become a landmark case in data protection law.

However, we have yet to see the challenges the ICO will face in the real world of enforcing its sovereignty outside its territory, albeit in relatively EU-friendly Canada. An article by Miriam Everett, Peggy Chow and Jeremy Birch of Herbert Smith Freehills LLP, published last week on Practical Law, explores this in a depth that is not possible here.

How the ICO is able to handle the complexities of extra-territorial enforcement may serve as a bellwether for the further big battles to come over data sovereignty in the political sphere.

It scarcely needs saying that we live in interesting political times; the UK political economy’s divisions, playing out most acutely in the tortuous Brexit withdrawal process, are a microcosm of forces at play globally. The supranational EU, the world’s leader in cross-border data regulation, is under severe challenge from a resurgence of national sovereignty across the world and an increasing propensity for national governments to assert a right to perform surveillance on individuals both in the realm of national security and beyond.

Surveillance, of course, runs contrary to the fundamental principles enshrined in the GDPR, and the UK government’s surveillance powers and willingness to use them, more than anything else, threaten the adequacy decision on which free flow of personal data between the UK and EU may well rest.

Anything other than a short-term post-Brexit “limbo” with no adequacy decision could be hugely disruptive to cross-border data flows between the UK and the continent and to the UK economy especially, perhaps even forcing it to focus operations increasingly inwards and elsewhere beyond Europe. My previous post, Papering over the cracks: preparing for Brexit’s impacts on data protection, is a starting point for more discussion on this, and the practice note, Brexit: implications for data protection, goes into much more depth.

That note also highlights the issues with the US. The US’s role has, of course, already been substantial. The US government’s power and willingness to carry out surveillance activity has already played its part in the demise in 2015 of the EU-US Safe Harbor framework, which allowed EU to US export of personal data. Its replacement, the Privacy Shield, is itself now under challenge. A further mechanism permitting data export outside the EEA under the GDPR, the EU’s standard contractual clauses, is also under threat as a result of US surveillance.

While the global economy remains ever more driven by cross-border data flows, this tension between the globalisation of its regulation, primarily through the GDPR, and the increasing reassertion of national sovereignty looks set to deepen.

Major disruption is possible from Brexit and beyond. Keeping a close eye on these geopolitical trends as much as the regulatory and judicial interventions themselves looks key to understanding the road ahead.

Rob Beardmore
