Article Detail

News & Knowledge

Yes, They Were Serious: Canadian Company Receives First Enforcement Action Under EU’s New Privacy Law. Does Your Organization Have to Comply?

October 23, 2018

By: Drew Sorrell

It has been several months now since the European Union’s General Data Protection Regulation (GDPR) became effective on May 25, 2018, and, while the relative calm after the storm evoked feelings similar to the Y2K scare, recent news of the first GDPR enforcement action has made it clear that GDPR isn’t going away. The action puts European politics on center stage, combining both the unprecedented privacy law and the Brexit controversy.

As a reminder, the GDPR is a regulation that harmonizes data protection laws across all EU member states and establishes strict requirements for the collection, processing, and storage of personal data, as well as significant individual privacy rights, including the right to erasure or so-called “right to be forgotten.” Article 3 clearly establishes that the territorial scope of the GDPR reaches organizations outside the EU that offer goods or services to individuals present in the EU. Still, in the run-up to the GDPR, many were left wondering how it would be applied extra-territorially. That question has now begun to be answered.

The UK’s privacy watchdog, the Information Commissioner’s Office (ICO), quietly issued an enforcement notice in July to AggregateIQ Data Services Ltd, a Canadian company that used personal data to send targeted ads to prospective voters on behalf of several pro-Brexit organizations. Although the personal data was collected and used in Brexit campaigning well before the GDPR’s May 2018 effective date, the ICO’s notice cites violations of three of the seven GDPR principles that arise from the company’s mere possession of the personal data – (1) lawfulness, fairness and transparency; (2) purpose limitation; and (3) data minimisation. The full enforcement notice can be viewed on the ICO’s website at

The fact that the first action targeted an organization outside the EU should put on notice all U.S. organizations collecting EU data. The GDPR, on its face, applies broadly to the processing of personal data by every organization outside the EU that offers goods or services to, or monitors the behavior of, EU-located individuals. Despite the GDPR’s broad language, it is unlikely that European authorities will target organizations whose EU activities are trivial, and, as a practical matter (but not legal), organizations must balance the costs of compliance with the risks of non-compliance. If your organization has taken the “wait and see” approach until now, or has doubts about whether the GDPR applies to it, below is an outline of questions to be used as a guide for determining whether you should be concerned about the GDPR. Positive answers indicate that your organization’s GDPR exposure should be explored further.


  1. Does your organization have any of the following in the EU:
    • Physical operations?
    • Employees?
    • Consultants?
    • Owners?
    • Corporate affiliates?
    • Data?
  2. Does your organization offer goods or services to individuals located in the EU (whether for free or for a charge)?
  3. Does your organization monitor the behavior of individuals located in the EU?
  4. Does your organization have German, French, Spanish, or other EU-based language versions of its website(s)?
  5. Does your organization’s website(s) allow EU-located users to create an account?
  6. Does your organization send emails or text messages to individuals located in the EU?
  7. Does your organization offer transactions in Euros or other European denominated currency?
  8. Does your organization have an EU domain, such as .fr, .ie, .uk or .eu?
  9. Does your organization’s website(s) collect any of the following from individuals located in the EU:
    • Name?
    • Identification number?
    • Location data?
    • IP addresses?
    • Cookie identifiers?
  10. Does your organization’s website(s) utilize digital tracking or profiling of visitors?
  11. Does your organization possess information about EU located persons collected at any time?
  12. Does your organization post information regarding EU politics, including direct messages?

If you need help determining your requirements under the GDPR, please contact Drew Sorrell or a member of the Privacy, Cybersecurity & eDiscovery Group.


Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued to the United States Court of Appeal for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.

Meritas Law Firms Worldwide logo
Do Your Part Logo