AggregateIQ failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States and the United Kingdom, an investigation has found.
AggregateIQ Data Services Ltd. (AIQ) is a Victoria-based company that provides election-related software and political advertising services. AIQ has been linked to Cambridge Analytica, a company caught up in a global scandal involving the micro-targeting of voters in various political campaigns.
The Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada jointly conducted the investigation, which focused on whether AIQ was meeting legal obligations relating to consent and safeguarding personal information in connection with work it performed for certain political campaigns.
The two offices found AIQ failed to ensure appropriate consent for its use and disclosure of the personal information of voters. The company did not take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada. As well, the company did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018.
“It is imperative that the activities of tech companies operating across borders respect privacy obligations in all jurisdictions in which they operate,” said Michael McEvoy, information and privacy commissioner for British Columbia. “That is especially the case when it comes to handling sensitive information like the psychological profiles described in this investigation report.”
Daniel Therrien, federal privacy commissioner, said, “The AIQ investigation shows how sensitive personal information can be used by political campaigns to sway voters. This highlights once again the urgent need for law reform to protect democratic processes and the fundamental human right to privacy. The federal government has said that Parliament should study how to bring federal parties under privacy legislation. We urge the government to move quickly with this review and amend the law.”
The AIQ investigation was launched after media reports raised concerns related to that company’s involvement in the 2016 Brexit referendum on the U.K.’s membership in the European Union. Subsequent reporting linked the company to political consulting firm Cambridge Analytica and SCL Elections Ltd. (SCL), its parent.
AIQ worked with SCL on various U.S. political campaigns between 2014 and 2016. These included midterm elections and a presidential primary campaign.
AIQ created a political customer-relationship management tool for SCL called Ripon. This tool was used to collect and store vast amounts of voter data, and to provide lists of voters to various campaigns for targeting. The personal information provided by SCL to AIQ included psychographic profiles, ethnicity and religion, political donation history, birthdates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information and vehicle ownership details. AIQ confirmed that SCL was able to use the information to segment individuals into narrow groups for microtargeted advertising campaigns on Facebook.
AIQ used individuals’ names and email addresses to deliver ads for SCL and other clients using the social network’s “custom audience” feature, which allows advertisers to show ads to a list of contacts that Facebook matches on its platform. It also leveraged Facebook’s “lookalike” audience feature, which allows advertisers to target broader groups of Facebook users with similar characteristics.
The investigation found AIQ did not appropriately verify consent. Individuals would neither have expected that their personal information would be disclosed to Facebook for the purpose of delivering political advertising, nor would they have expected their information to be analyzed for the purposes of identifying people with similar characteristics.
The B.C. and federal offices recommended that AIQ implement measures to ensure the company obtains valid consent in the future and that it delete all personal information that is no longer necessary for legal or business purposes. The company agreed to do so.
The investigation also found that AIQ’s inadequate safeguards resulted in unauthorized access to U.S. voter information and left vulnerable the personal information of some 35 million people. This failure to adequately protect personal information was a contravention of Canadian privacy laws.
AIQ committed to taking a number of measures to improve its security measures. The two offices were satisfied with those steps and will follow up with AIQ in the coming months to confirm that it has implemented the investigation recommendations.