You are here

General Data Protection Regulation: first enforcement notice shows extra-territorial reach

26 October 2018 | London
Legal Briefings – By Miriam Everett, Peggy Chow and Jeremy Birch.


The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the EU’s new strict data protection law, the General Data Protection Regulation (679/2016/EU) (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU (see box “Background”).

Not only is it the first extra-territorial notice issued by the ICO under the GDPR, but it is the first action ever taken by the ICO against an entity outside the UK. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR.

Read the full article

This article was first published in the November 2018 issue of PLC Magazine



See how we help our clients in

Cyber risk advisory

Learn More