An investigation has found AggregateIQ (AIQ), a Victoria-based online political advertising company, failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States and the United Kingdom.
The investigation conduced by the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada found the company failed to ensure appropriate consent for its use and disclosure of the personal information of voters.
The investigation also found the company did not take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada. As well, AggregateIQ did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018.
“It is imperative that the activities of tech companies operating across borders respect privacy obligations in all jurisdictions in which they operate,” information and privacy commissioner for British Columbia Michael McEvoy said.
“That is especially the case when it comes to handling sensitive information like the psychological profiles described in this investigation report.”
AggregateIQ was embroiled into a massive global controversy around political advertising and the use of social media sites like Facebook. The company allegedly had over $1 million funneled to it by the U.K.’s Vote Leave campaign, in what could have been a violation of spending rules during the Brexit referendum.
- Alberta to overhaul municipal rules to include sweeping new powers, municipal political parties
- Grocery code: How Ottawa has tried to get Loblaw, Walmart on board
- Canada, U.S., U.K. lay additional sanctions on Iran over attack on Israel
- Trudeau says ‘good luck’ to Saskatchewan premier in carbon price spat
One of the people who helped to start the company was Christopher Wylie, the whistleblower who revealed that U.K. company Cambridge Analytica was at the centre of a data-harvesting operation that targeted millions of Facebook users before the 2016 U.S. election.
This investigation was was launched after media reports raised concerns related to Aggregate’s involvement in the Brexit referendum. Federal privacy commissioner Daniel Therrien said the federal government needs to make immediate changes to prevent these sorts of privacy breaches.
“The AIQ investigation shows how sensitive personal information can be used by political campaigns to sway voters,” said Therrien.
“This highlights once again the urgent need for law reform to protect democratic processes and the fundamental human right to privacy.”
“The federal government has said that Parliament should study how to bring federal parties under privacy legislation. We urge the government to move quickly with this review and amend the law.”
AggregateIQ has worked for political candidates in B.C. including Green Party leader Andrew Weaver and former Liberal leadership candidates and current MLAs Todd Stone and Mike de Jong.
AIQ also worked on various U.S. political campaigns with a company called SCL. The two companies used an online tool to collect and store vast amounts of voter data, and to provide lists of voters to various campaigns for targeting.
The personal information provided by SCL to AIQ included psychographic profiles, ethnicity and religion, political donation history, birth dates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information and vehicle ownership details.
The B.C. and federal offices are recommending that AIQ implement measures to ensure the company obtains valid consent in the future and that it delete all personal information that is no longer necessary for legal or business purposes.
The company has agreed to do so. AIQ is also committing to improve its security measures.
“AggregateIQ was happy to cooperate fully with the Commissioners, including many meetings and telephone calls with their investigators and responding openly and completely to every single request for information they made. We also tried to help the Commissioners and their staff understand how privacy rules can operate in real-life,” AggreateIQ COO Jeff Silvester wrote in an email.
“While this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important. This is why we have been sharing our experience of navigating the complexities of cross jurisdictional information and privacy laws with other organizations through private meetings and public speaking opportunities.”
Comments