AggregateIQ breaches federal and B.C. data privacy laws for political campaigns in Canada, U.S., UK

The investigation delves into a security breach of a database involving over 35 million people

AggregateIQ breaches federal and B.C. data privacy laws for political campaigns in Canada, U.S., UK

AggregateIQ, a Victoria, B.C.-based company, breached data privacy laws when it non-consensually disclosed the personal information of tens of millions of people across four continents, on behalf of various organizations supporting political campaigns in countries such as Canada, the U.S. and the UK.

According to the joint report by Michael McEvoy, B.C.’s information and privacy commissioner, and Daniel Therrien, Canada’s federal privacy commissioner, the company violated the Personal Information Protection and Electronic Documents Act, as well as B.C.’s Personal Information Protection Act, when it failed to secure meaningful and express consent, especially as applied to the disclosure of sensitive information.

Specifically, the company worked for Vote Leave, a pro-Brexit campaign, for which it disclosed personal information for the purpose of advertising to custom audiences and lookalike audiences on Facebook, all without adequate consent under federal and B.C. privacy laws.

Working alongside political consulting firm Cambridge Analytica, as well as its parent company, SCL Elections Ltd., AggregateIQ also collected and disclosed the personal information of millions of Americans, which was ultimately used to advance various U.S. political campaigns.

In Canadian political campaigns, while the company generally obtained the consent of the individuals who willingly entered their personal information into websites to show their support for their preferred candidates, the consent in such cases only extended to the receipt of news regarding the campaign. Instead, the company also used the information for social media advertising and analytics.

According to an Office of the Privacy Commissioner of Canada news release, the personal information collected and disseminated by the company included birth dates, email addresses, ethnicity, religion, income, psychographic profiles, political donations, magazine subscriptions and association memberships, as well as information on home ownership and vehicle ownership.

The investigation further found that the company failed to adopt reasonable security measures to protect its vast databases of personal information of more than 35 million people. Back on Mar. 20, 2018, a cybersecurity researcher in the U.S. was able to access and download more than 20,000 folders and 113,000 files stored via an application called GitLab. The data repository, he reported, had been left unprotected.

In accordance with their findings, the privacy commissioners gave several recommendations to the company, such as to ensure that any third-party consent on which it relies is adequate under federal and B.C. privacy laws, to review the consent language used by its clients, to secure express consent when collecting sensitive information, to employ stronger security measures to protect personal information and to delete information it no longer needs for business or legal reasons.

AggregateIQ has since said that it has taken steps to deal with the security breach and that it agrees to adopt the commissioners’ recommendations.