Canadian data analytics firm AggregateIQ Data Services has become the first company to face a formal enforcement action by the U.K. Information Commissioner’s Office for violations of the EU General Data Protection Regulation and the U.K. Data Protection Act.

AggregateIQ Data Services (AIQ) is a controller, as defined by Article 4(7) of the GDPR and Section 6 of the Data Protection Act (DPA). In May 2017, the ICO announced a formal investigation “into the use of data analytics in political campaigning.”

The ICO reached out to AIQ regarding its processing of personal data on behalf of U.K. political organizations—in particular, Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote to Leave. As part of AIQ’s contract with these political organizations, AIQ was provided with personal data, including names and e-mail addresses of U.K. individuals. “This personal data was then used to target individuals with political advertising messages on social media,” the ICO said.

According to the ICO, AIQ breached Articles 5(a) – 5(c) and Article 6 of the GDPR, because it “processed personal data in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for processing.” In addition, AIQ failed to provide the transparency information required under Article 14 of the GDPR.

The enforcement action, in the form of an Enforcement Notice served under Section 149 of the DPA, requires AIQ to “cease processing any personal data of U.K. or EU citizens obtained from U.K. political organizations or otherwise for the purposes of data analytics, political campaigning, or any other advertising purposes.” Failing to comply with an Enforcement Notice may result in a penalty notice under Section 155(1)(b) of the DPA, requiring payment of up to 20 million euros, or 4 percent of total annual worldwide turnover, whichever is higher.

The enforcement action was discreetly announced in July and was included as an annex to the ICO’s investigation update, “Investigation into the use of data analytics in political campaigns,” published on July 11. AIQ, which has had ties with both pro-Brexit campaigns and Cambridge Analytica, has exercised its right of appeal to the First-tier Tribunal (Information Rights) under Section 162(1)(c) of the DPA.