A Victoria-based data-gathering company not only gave B.C. political parties’ voters’ personal data but also may have influenced Europe’s Brexit vote and the 2016 U.S. presidential election as it gave far more such data to foreign clients.
As such, AggregateIQ Data Services Ltd. (AIQ) failed in its Canadian privacy law obligations when it used and disclosed millions of voters’ personal information in B.C., the U.S. and the U.K., federal and provincial privacy commissioners report.
Data-mining companies gather such information from social media sources (including Facebook), analyze it and deliver to political parties among others to target voters.
"It is imperative that the activities of tech companies operating across borders respect privacy obligations in all jurisdictions in which they operate," B.C. Information and Privacy Commissioner Michael McEvoy said.
"That is especially the case when it comes to handling sensitive information like the psychological profiles described in this investigation report,” he said.
His comments came as he and federal Privacy Commissioner Daniel Therrien released findings indicating the need for far more stringent privacy laws to protect Canadians’ private political views – and the possibility of fining powers to enforce recommendations.
“Personal information about political views is very sensitive and is worthy of privacy protection,” Therrien said. “There is currently a gaping hole in privacy protection.”
Those conclusions are part of a probe into AIQ resulting in a joint report from B.C.’s Office of the Information and Privacy Commissioner and the federal Office of the Privacy Commissioner.
McEvoy and Therrien said AIQ violated Canadian privacy law and did not have legal authority to disclose United Kingdom voter information it gathered for the ‘leave’ side in the United Kingdom Brexit referendum about leaving the European Union.
“We reach the same conclusion regarding AIQ’s work in support of a United States political campaign,” the commissioners said in a statement. “It is widely known, and we have found, that AIQ worked with psychographic profile information derived from Facebook data that was obtained by Cambridge Analytica and SCL Elections, via a third-party app, from millions of Americans.”
The commissioners said even when information is collected in another country, AIQ is still required to meet Canadian legal obligations around handling of that information in Canada.
They said the UK privacy commissioner, McEvoy’s B.C. predecessor Elizabeth Denham, is also looking into AIQ and its Brexit activities and information has been shared.
The issue, they said, is getting consent from those whose information is collected.
AIQ did not. And, said McEvoy, “AIQ failed to secure data.”
Information collected through data mining can be used to create so-called psychographic profiles – snapshots that can be used to target individual voters.
Therrien said information AIQ gleaned from social media included ethnicity, race and voting intentions.
“All of this was put into a data-crunching machine to an extent built by AIQ,” he said.
Both said such information gathered by a Canadian company is subject to federal and provincial law.
“This is what global citizenry expects,” McEvoy said.
“Digital tools can amass huge amounts of information,” Therrien said. “That data is then analyzed and used to target and swing voters.
“Canadians deserve to have their privacy rights protected as they exercise their democratic rights”
And B.C. voters have not been immune.
McEvoy found in February that B.C. political parties had been giving Facebook voters’ data. He said the governing B.C. NDP was the worst offender, giving Facebook voters’ names, phone numbers, cities of residence and dates of birth, while the BC Liberals have uploaded only financial donor lists to the global social media site.
Now, there’s an overlap in findings there and with AIQ, he said.
The report said AIQ provided a range of services to various B.C. provincial and municipal political clients, including website development and digital advertising delivery such as targeted advertising using “custom audiences” and “lookalike audiences.”
The clients included a provincial party, certain 2017 provincial election candidates, a candidate for the leadership of a provincial party and a municipal slate in the 2018 local elections.
“Political parties are hungry to get information about voters,” McEvoy said. “They are eager to use companies like AIQ.”
But, he added, “Those parties have to get the consent of voters.”
You can read the report here:
The AIQ investigation began after media reports raised concerns about its involvement in the 2016 Brexit referendum on the U.K.'s membership in the European Union. Further reporting linked AIQ to political consulting firm Cambridge Analytica and SCL Elections Ltd. (SCL), its parent.
The commissioners said AIQ worked with SCL on various U.S. political campaigns between 2014 and 2016. These included midterm elections and a presidential primary campaign.
Cambridge Analytica is alleged to have harvested information from 50 million Facebook users to help President Donald Trump take the 2016 U.S. election.
In March, Canada’s privacy commissioner, Daniel Therrien, announced an investigation into alleged unauthorized use of Facebook profiles and the social media giant’s compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.
A month later, Therrien said Facebook’s privacy protections are empty and a risk to Canadians. But the company would not comply with recommendations and Therrien is now in the process of applying to the Federal Court of Canada to make Facebook comply.
The problem in all of this, Therrien and McEvoy said, is that Canadian legislation lacks teeth. While B.C. law protects provincial voters’ information, federal law does not.
And, that needs to change drastically, they said.
“Companies that operate across borders need to be regulated in all the territories where they operate,” Therrien said.
A further issue, they said, is a need to for international cooperation on privacy regulation.
“This cooperation is in its infancy,” McEvoy said. “As companies build themselves out, regulators need to build themselves out.”
The commissioners recommended AIQ implement measures to ensure the company in future obtains valid consent and that it delete all personal information no longer necessary for legal or business purposes.
The company agreed to do so.
The investigation also found AIQ's inadequate safeguards resulted in unauthorized access to U.S. voter information and left 35 million people’s personal information vulnerable, which constitutes a contravention of Canadian privacy laws.
"AIQ committed to taking a number of measures to improve its security measures,” the commissioners’ statement said. "The two offices were satisfied with those steps and will follow up with AIQ in the coming months to confirm that it has implemented the investigation’s recommendations."