A British Columbia political consulting and technology company failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States, and the United Kingdom, according to a joint report issued today by the federal and B.C. privacy commissioners.
AggregateIQ Data Services of Victoria failed to ensure appropriate consent for its use and disclosure of the personal information of voters in what has become known as the Facebook-Cambridge Analytica scandal, the report said. Nor did it take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada.
As well, the company did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018.
The commissioners don’t have the ability to levy fines. But AggregateIQ has agreed to implement measures to ensure the company obtains valid consent in the future and that it delete all personal information that is no longer necessary for legal or business purposes.
In a statement today AggregateIQ chief operating officer Jeff Silvester said the firm is “happy to co-operate fully with the Commissioners, including many meetings and telephone calls with their investigators and responding openly and completely to every single request for information they made … While this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important. This is why we have been sharing our experience of navigating the complexities of cross-jurisdictional information and privacy laws with other organizations through private meetings and public speaking opportunities.”
The report is a warning to all Canadian companies that process data from many jurisdictions, including outside Canada. “Our report underscores that an organization must ensure that it understands, and complies with, its legal responsibilities in Canada, even when it is also operating in other jurisdictions. This is what the public expects. It is what we, as regulators, expect.”
“It is imperative that the activities of tech companies operating across borders respect privacy obligations in all jurisdictions in which they operate,” Michael McEvoy, information and privacy commissioner for British Columbia, said in a statement. “That’s especially the case when it comes to handling sensitive information like the psychological profiles described in this investigation report.”
Later during a press conference he said that “when it comes to collecting and using people’s personal information, companies operating on a global and national scale cannot simply pick and chose the rules they wish to follow. This applies to Canadian companies that operate across jurisdictions.”
“The AIQ investigation shows how sensitive personal information can be used by political campaigns to sway voters. This highlights once again the urgent need for law reform to protect democratic processes and the fundamental human right to privacy,” added federal privacy commissioner Daniel Therrien in a statement released with the report. That includes giving his office the power to levy fines and make orders.
Before the recent federal election the government rejected calls for political parties and their data gathering activities to be covered by federal privacy law, saying the issued needed more discussion. British Columbia is the only jurisdiction where political parties are obliged to follow a provincial privacy law, which includes rules on getting consent of voters before using their personal information.
The scandal surrounds the use of data gathered from some 87 million Facebook users and their friends to target political ads in the 2016 Brexit referendum and that year’s U.S. federal election. The data came from an app offered to Facebook users — including those in Canada — by a University of Cambridge researcher Aleksandr Kogan which purported to be a personality quiz for academic research. Unknown to participants, the data was shared with SCL Elections and its subsidiary, Cambridge Analytica. Lists of individuals, based on modeling by SCL and Kogan, were then provided to AggregateIQ for the placement of targeted political ads on Facebook.
Information on 622,000 Canadians was among the 87 million globally gathered through the Kogan app.
AIQ was no stranger to SCL Elections, according to the report. It had worked with that firm on various U.S. political campaigns between 2014 and 2016, including midterm elections and a presidential primary campaign.
AIQ created a political customer relationship management tool for SCL called Ripon, according to today’s report. This tool was used to collect and store vast amounts of voter data and to provide lists of voters to various campaigns for targeting. The personal information provided by SCL to AIQ included psychographic profiles, ethnicity and religion, political donation history, birthdates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information, and vehicle ownership details. Some of that data came from the Kogan app. AIQ confirmed to investigators that SCL was able to use the information to segment individuals into narrow groups for micro-targeted advertising campaigns on Facebook.
AIQ used individuals’ names and email addresses to deliver ads for SCL and other clients using the social network’s “custom audience” feature, which allows advertisers to show ads to a list of contacts which Facebook matches on its platform. It also leveraged Facebook’s “lookalike” audience feature, which allows advertisers to target broader groups of Facebook users with similar characteristics.
In April the federal and B.C. privacy commissioners found that while Facebook relies on all apps to obtain consent from users of their friends for its disclosures to those apps, Facebook was unable to show the Kogan app actually obtained meaningful consent for its purposes, including potentially, political purposes. The report also concluded Facebook had “superficial, largely reactive, and thus ineffective, monitoring” to ensure apps were protected against unauthorized access to users’ information.
Facebook has rejected recommendations to toughen its procedures. Today Therrien said his office will shortly ask the Federal Court to compel Facebook to obey.
In July, Facebook agreed to pay a record US$5 billion fine and follow new privacy requirements for 20 years to settle American regulators charges over the scandal for violating a 2012 Federal Trade Commission (FTC) order by deceiving users about their ability to control the privacy of their personal information. The FTC also laid administrative charges against the now-bankrupt Cambridge Analytica, and it proposed settlements with app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix which would restrict how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected.
For this report the two Canadian privacy commissioners looked only at the workings of AIQ and whether it had complied with consent for data collection and disclosure to Facebook or others under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act (PIPA). It also looked into whether AIQ had properly protected personal information it controlled.
Asked at the press conference by IT World Canada what the commissioners found particularly disturbing, McEvoy cited the collection and use of personal data in the U.S. In particular he pointed to AIQ’s reply when asked whether it lawfully collected the “massive” amount of U.S. data it was handed for processing. “They said basically there was no law in the United States by which their clients obtained that information. To which we say as regulators, ‘Well, you operate here in British Columbia and Canada, and regardless of what’s going on down there in the U.S. you have an obligation to ensure the data was collected with consent.”
“AIQ now understands that,” he added.
McEvoy was moved by the sensitivity of the U.S. data collected and forwarded to AIQ. “It [the data] was from ethnicity to race to voting intentions, psychological profiles of voters — obviously pretty sensitive information, put into a data-crunching machine to an extent constructed by AIQ, and all of that data used without consent of voters.”
He noted that since the scandal there have been increased calls in the U.S. for federal privacy legislation.
However, legislators are stuck over whether a U.S. federal law would take precedence over the many state privacy laws. Meanwhile California’s tough new privacy law comes into effect in January.
“Cambridge Analytica-Facebook, that whole story has seismic implications around the world, including Canada,” said McEvoy. “I think to a great extent it has shaken Canadians’ confidence in the political campaign system. That is critically fundamental in a democratic society where trust is often in short supply. And what we need to do — and this investigation I think demonstrates it — is to have tougher regulations to ensure voters have trust and confidence in their political campaigning system, which is the heart of our democracy.”