On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum.


The terms of the enforcement notice require AggregateIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”, within 30 days of the date of the notice.

AggregateIQ contracted with UK political organisations to receive personal data of UK individuals during the Brexit campaign. In particular, AggregateIQ contracted with a number of pro-Brexit groups, including Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaign. AggregateIQ processed this personal data to target individuals with political advertising messages on social media.

The ICO found that AggregateIQ failed to comply with the GDPR because:

i. data subjects were not aware of the way their personal data was being processed;

ii. personal data was processed for purposes that data subjects would not have expected;

iii. there was no lawful basis for the processing;

iv. the processing was incompatible with the purposes for which the personal data was originally collected; and

v. data subjects were not provided with the information they ought to have received when their personal data was obtained indirectly.

On 30 July 2018, AggregateIQ filed an appeal with the First-tier Tribunal (Information Rights) against the enforcement notice. AggregateIQ does not need to comply with the enforcement notice pending determination or withdrawal of its appeal.

The ICO’s investigation

The ICO’s wider investigation into the use of data analytics in political campaigns is ongoing. So far, Facebook and Emma’s Diary have both been the subject of notices of intent from the ICO – see our recent blog on this here. Other organisations of interest are listed in the ICO’s Investigation Update. They include Cambridge University, the Conservative Party, the Labour Party, and a number of other technology and social media companies.

The ICO asks that government, parliament, regulators, political parties, online platforms and the public reflect on their responsibilities in the era of big data. See the ICO’s press release here. Information commissioner Elizabeth Denham emphasised the need for trust and confidence in the United Kingdom’s democratic system. According to Denham, such trust is at risk because “the average voter has little idea of what is going on behind the scenes”.

The ICO expects to finish the next phase of its investigation by the end of October 2018. Denham has set out her position in this area very clearly: “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our economic system”.


The ICO’s rigorous investigation and initial regulatory action send out a strong message to businesses that the rights of UK data subjects must be respected. The notices of intent to fine will have little impact on the relevant organisations’ financial health. However, combined with the enforcement notice against AggregateIQ, they demonstrate that the ICO takes this issue seriously. We expect to see more enforcement action taken in this area as the ICO’s investigation continues.