Privacy breach gets ‘tut-tut’ from federal, B.C. watchdogs
Investigators say AggregateIQ broke law, but they lack teeth to police social media
The combined forces of the B.C. and federal information and privacy commissioners' offices announced Tuesday that the Victoria data company AggregateIQ broke the law while working for international political clients.
Based on that weighty conclusion following a lengthy investigation, what did the commissioners do next?
They asked the company to stop doing it. And the company said it would. The commissioners are going to watch to make sure they stop, but it’s more or less case closed.
If this was a movie, the ending would be a dud. There was a huge amount of work investigating and a corresponding effort by AggregateIQ to comply with all the investigators over a two-year period.
But the whole process concluded with an official “tut-tut,” partly because the commissioners’ authority is so limited and their powers are so weak that’s about all they can muster.
It’s the second report by the two offices this year in which they have had to acknowledge how helpless they are when it comes to policing 21st-century manipulation of social-media information on tens of millions of people.
Last spring, they arrived at a similar conclusion about the notorious Cambridge Analytica firm’s handling of data from Facebook, which was used by “leave” campaigners in the Brexit referendum in Britain and also in other campaigns. Tens of millions of unwitting people had their personal information secretly used to build psychographic profiles handy for targeting ads. The privacy breach included Canadians and British Columbians, which brought the commissioners calling.
They compiled a list of recommendations to Facebook to improve privacy. Facebook informed them it was going to ignore them all. The provincial and federal commissioners have gone to court over it, but it’s only to force the company to accept the recommendations, not about the breach of privacy.
The AggregateIQ investigation flowed from that case, since the firm handled some of the work.
The commissioners said AggregateIQ had a responsibility by law to get express consent from people to use the information, some of it personal and sensitive, but the firm didn’t show that it sought such assurances.
The report inquired as to whether the firm took measures required to ensure it had the legal authority to use U.K. voter information in the way it did.
“We have found that, in the context of certain of its work related to the Brexit referendum, it did not.”
They reached the same conclusion regarding AIQ’s work in support of a U.S. political campaign. It worked with psychographic profile information derived from Facebook data that was obtained by Cambridge Analytica, via a third-party app, from millions of Americans.
“Even where the information was collected in a different jurisdiction, AggregateIQ is still required to meet its obligations under Canadian law with respect to its handling of that information in Canada.”
“When AIQ failed to ensure it had meaningful consent from the individuals whose personal information it collected, used, or disclosed, it contravened B.C. and Canadian privacy laws,” says their report. It was also found responsible for a separate data breach that contravened privacy laws.
They said the firm committed to implement their recommendations. “Our offices will engage with AIQ to obtain evidence confirming that the company has in fact implemented those recommendations. We therefore conclude this matter to be well founded and conditionally resolved.”
AggregateIQ’s chief operating officer, Jeff Silvester, said after the decision was released that the firm was happy to co-operate fully with the commissioners.
He said the investigation imposed a tremendous burden and took a long time. “As the report confirms, and as we told the commissioners long ago, we have already implemented all of the recommendations.”
Silvester said in an interview that despite the co-operation offered, investigators produced an order to appear and took testimony under oath. They also demanded entry to the firm’s Market Square offices and procured evidence.
The whole story exploded globally more than two years ago when a Victoria-raised man, Christopher Wylie, turned whistleblower after being involved with both Cambridge Analytica and AggregateIQ.
It raised lots of sensational issues about loss of privacy, but the whole controversy seems to be sputtering to an end — with a whimper, rather than a bang.
VANCOUVER — Canada’s privacy commissioner says the findings of an investigation into a Victoria software company linked with the Cambridge Analytica scandal have profound implications for fundamental democratic principles and privacy rights.
The federal and B.C. privacy commissioners released a joint report Tuesday finding that AggregateIQ Data Services Ltd., also known as AIQ, broke Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States and the United Kingdom.
“With AIQ we now have a Canadian player playing a key role in the troubling ecosystem of political campaigning in the digital era. This is too close for comfort,” Daniel Therrien, Canada’s privacy commissioner, told a news conference in Vancouver.
AggregateIQ provides election-related software and political advertising. It has been linked to Cambridge Analytica, a now bankrupt company accused of improperly helping to crunch data for Donald Trump’s presidential campaign in the United States.
Michael McEvoy, the information and privacy commissioner of B.C., said they launched the probe after the media reported that the Canadian company might have improperly used voter information during the Brexit referendum. The investigation was subsequently expanded to encompass AggregateIQ’s activities in the United States, as well as political campaign work in B.C. and Canada.
The probe found the company leveraged a Facebook audience feature that allowed advertisers to target certain users for political advertising.
The company failed to obtain appropriate consent from voters for the way it used their personal information, the report says. It also failed to take reasonable security measures to protect that personal information, leading to a privacy breach last year.
AggregateIQ is an example of a company that operates across borders and boundaries, so it’s subject to the laws in each of those jurisdictions, McEvoy said.
“When it comes to collecting and using people’s personal information, companies that operate on a global and national scale cannot simply pick and choose the rules they wish to follow,” McEvoy said.
The commissioners recommended, and AIQ agreed to implement, measures to ensure it obtains valid consent in the future and that it deletes all personal information that is no longer needed for legal or business purposes.
Jeff Silvester, chief operating officer for AggregateIQ, said the company has fully co-operated with the commissioners, and also tried to help them and their staff understand how privacy rules can operate in real life.
Canadian and British Columbia laws provide for a company in B.C. to rely on the consent obtained by their clients in whatever jurisdiction they operate, he said.
AggregateIQ did that, Silvester said, but the commissioners did not agree the consent was “meaningful enough.”
Had it not been for AggregateIQ’s involvement, as a B.C. company, the actions would not have been deemed unlawful, he said. “Our clients were doing nothing wrong. If they had done that work without us, they would have been fine.”
Navigating the complexities of cross-jurisdictional information and privacy laws is difficult, he said. “It’s certainly going to be a challenge for a lot of companies,” he said in an interview, adding that synchronizing laws internationally and within Canada would be “helpful.”
McEvoy and Therrien used the case to renew calls for greater penalties for companies that break privacy laws and for expanded powers for their offices to investigate possible breaches.
In April, they called for additional power to levy financial penalties on companies and for broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.