In one of the first enforcement steps it took under GDPR, the ICO issued an order in October against a Canadian company, AggregateIQ Data Services (ADS), which required it to delete all personal data held by it on UK residents. The order was issued in the context of the ICO’s ongoing action in relation to political social media advertising. ADS confirmed that it held personal data on UK residents, but it had made no effort to comply with the GDPR.
The order would only become effective once the British Columbia regulator, the OIPC, dropped its corresponding investigation into ADS or confirmed it was content for ADS to comply.
The GDPR extends to data controllers based outside the EU where they are “monitoring [individuals’] behaviour as far as their behaviour takes place within the [EU]” (Article 3), and the ADS scenario is probably exactly what the EU had in mind when it included this provision.
If ADS does not comply with the order, it faces a penalty of the higher of €20M or 4% of its worldwide annual turnover. Whether the ICO could enforce such a penalty against a Canadian company is, of course, an entirely different question.