Victoria’s AggregateIQ Broke Federal and Provincial Privacy Laws, Says Report

Privacy watchdogs for Canada and British Columbia have found that Victoria company AggregateIQ broke federal and provincial privacy laws in its work on political campaigns in the United Kingdom, the United States and Canada.

But the company will not face any fines or penalties despite misusing the personal information of millions of people, according to a joint report released today by Daniel Therrien, the federal privacy commissioner, and Michael McEvoy, B.C.’s information and privacy commissioner.

Neither B.C. nor Canada’s laws allow for such penalties.

There were “no fines because we do not have the ability to levy fines,” McEvoy said in a news conference.

“The deterrents are not strong enough,” he said, noting that B.C. and Canadian law were written before Facebook existed. “The world has changed dramatically since that time and the laws need to keep up, including in the need for penalties in cases like this.”

AggregateIQ Data Services, Ltd. develops advertising to be used on sites including Facebook, Twitter and YouTube and then targets messages to audiences who are likely to be receptive, a practice known as “micro targeting.”

The Canadian and B.C. commissioners’ joint investigation began after Facebook revealed the personal information of 87 million people, most of them in the United States, had been improperly shared with Cambridge Analytica, a digital advertising company alleged to have close connections with AIQ. About 600,000 Canadians were affected.

There had already been questions about AggregateIQ’s role in the Brexit vote, which saw Britons narrowly vote to leave the European Union. Campaign disclosures showed that Vote Leave campaigners had spent £3.5 million — about $5.75 million Canadian — with the Victoria company. That was more than the Leave side paid any other company or individual during the referendum campaign and about 40 per cent of its total spending.

The Tyee reported in 2017 on the links between AggregateIQ and SCL Group, whose website says it has worked to influence election outcomes in 19 countries. Cambridge Analytica, SCL’s associated company in the U.S., had worked on a wide range of campaigns, including Donald Trump’s presidential bid.

The commissioners’ report released found that in some campaigns AggregateIQ was aware of the level of consent people had provided for use of personal information and stayed within bounds.

But frequently that wasn’t the case.

“For most campaigns, the investigation finds that: (i) the consent relied on by AIQ did not address all of the work performed by AIQ; or (ii) AIQ was unaware of how, or whether, individuals had consented to the use of their personal information,” it said.

They also found that AggregateIQ had not done enough ahead of a 2018 data breach to secure people’s personal information.

The company’s files covered millions of people and included sensitive information such as “psychographic profiles, ethnicity and religion, political donation history, birthdates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information, and vehicle ownership details.”

The report noted that data easily crosses borders, thus raising questions around which jurisdiction’s privacy laws apply. The commissioners looked at whether AggregateIQ took measures to ensure it had the legal authority to use and disclose information it had about voters in the United Kingdom and the United States.

“We have found that, in the context of certain of its work related to the Brexit referendum, it did not,” they wrote. “We reach the same conclusion regarding AIQ’s work in support of a United States political campaign.”

It’s widely known that AIQ used psychographic profile information that Cambridge Analytica and SCL Elections got through a third-party app on Facebook, they wrote.

“Even where the information was collected in a different jurisdiction, whether that be the U.K. or the U.S., AIQ is still required to meet its obligations under Canadian law with respect to its handling of that information in Canada,” they said.

The commissioners made two recommendations for changes at AIQ.

One was that AIQ take steps to make sure its collection and use of people’s personal information on behalf of its clients is consistent with federal and provincial privacy laws. “Where the information is sensitive, as with political opinions, AIQ should ensure there is express consent, rather than implied,” they said.

They also recommended “AIQ adopt and maintain reasonable security measures to protect personal information, and that it delete personal information that is no longer necessary for business or legal purposes.”

Aggregate IQ’s Jeff Silvester said in an email that the company was happy to cooperate fully with the investigation and help the commissioners and their staff members understand the “real-world” application of privacy laws.

“While this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important,” Silvester said.

“This is why we have been sharing our experience of navigating the complexities of cross-jurisdictional information and privacy laws with other organizations through private meetings and public speaking opportunities.”

AIQ has already implemented the recommendations the commissioners made, he said.

In a previous investigation into Facebook released in April, the commissioners found that Facebook had committed serious contraventions of Canadian privacy laws and had failed to take responsibility for protecting Canadians’ personal information.

Facebook had publicly acknowledged the Cambridge Analytica scandal was a major breach of trust, but refused to implement the recommendations the commissioners made to address the deficiencies, they said.

Federal commissioner Therrien said his office is preparing to take Facebook to court to enforce orders against the company.

Talking about the report on AIQ, McEvoy said, “Companies that operate on a global scale cannot simply pick and choose the rules they wish to follow.”

Both he and Therrien called on politicians to pass stronger laws to protect people’s personal information.

Therrien said privacy laws need to apply to political parties across Canada.

Commissioners’ offices need the power to make orders and levy fines, he said, and to inspect organizations to make sure they are complying with privacy laws.

A spokesperson for the B.C. citizen’s services ministry said staff are reviewing the report and that “all feedback from the Commissioners would be considered as part of any future reviews of the Act.”