B.C. firm AIQ breached privacy law, probe finds
The British Columbia firm tied up in the Cambridge Analytica scandal repeatedly broke Canadian law, according to an investigative report published Tuesday.
AggregateIQ was one of a network of companies that inappropriately obtained personal information on millions of Facebook users, which they used to psychologically profile and target political messages to voters during the 2016 U.K. Brexit referendum and U.S. presidential election campaigns.
A joint investigation by Canada’s privacy commissioner and the B.C. information and privacy commissioner found the political technology firm didn’t have adequate consent to use the data.
Speaking to reporters, federal privacy commissioner Daniel Therrien and B.C. commissioner Michael McEvoy said that they would’ve liked to punish AIQ, but they don’t have the power to levy fines. “This is an area where Canada is in serious need of reform. In Europe, under the privacy regulation, their companies can be fined significant amounts of money, which act as a real deterrent,” McEvoy said.
“Canada needs to keep up.” Because neither commissioner has the power to levy fines, the report concludes by making two recommendations that have been accepted by AIQ: The company must be more diligent about respecting individual consent when handling data; and it must beef up security and delete the personal information it shouldn’t have been using.
In March of 2018, British journalists broke a story about personal data harvested from Facebook without user consent by an academic named Aleksandr Kogan.
The data was then provided to a company called Cambridge Analytica, and was used to create psychographic profiles of individuals, which could then be used to target advertising in various election campaigns, including the Brexit referendum and the early stages of the last U.S. presidential campaign.
In particular, the report said that AIQ took personal information gathered from various sources to create “custom audiences” and “lookalike audiences” using Facebook’s ad targeting tool.
Custom audiences are when an advertiser uploads a list of names, email addresses or other identifying data, so that they can target ads to those people. Lookalike audiences take a list of individuals — for example a customer set — and then target ads at other people who fit a similar profile.
In an emailed statement to the Financial Post, AIQ chief operating officer Jeff Silvester made no mention of the finding that the company broke the law, but he emphasized that they have been fully co-operating with the investigation, and that they have taken action on the recommendations.
“While this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important,” Silvester wrote.
Facebook did not respond to a request for comment on these issues.