The federal and B.C. privacy commissioners recently released a joint investigative report into AggregateIQ Data Services Ltd. (AIQ), a B.C.-based company that specializes in data-related services for political campaigns. The commissioners found consent breaches and data security failures, which required AIQ to change the way it collects, manages, and uses personal data.
AIQ’s business was to use data collected by other companies (such as Cambridge Analytica) to populate voter databases and run targeted political advertisements for its clients. The commissioners examined AIQ’s use and disclosure of voters’ personal information with respect to the Brexit Vote Leave and BeLeave campaigns, the American 2014 midterm and 2016 presidential primary campaigns, and several Canadian provincial and municipal campaigns.
The commissioners concluded that in many instances, AIQ violated its consent obligations under the Personal Information Protection and Electronic Documents Act and the B.C. Personal Information Protection Act when it used and disclosed voters’ personal information. They found that for most of the campaigns, (i) the consent relied on by AIQ did not address all of the work AIQ was performing; or (ii) AIQ was unaware of how, or whether, individuals had consented to the use of their personal information.
For example, AIQ obtained personal information from SCL Elections Ltd. (Cambridge Analytica’s parent company) and various data vendors, including psychographic profiles for millions of American voters derived from data harvested through a personality quiz application. AIQ used this information to deliver targeted Facebook advertisements. AIQ did not seek consent, nor did it seek assurance that SCL had obtained consent.
The commissioners also found that AIQ failed to take reasonable security measures to protect personal information from unauthorized access or disclosure. AIQ had a data breach involving unauthorized access to an unsecured code repository holding substantial personal information, encryption keys, and login credentials. The commissioners found that AIQ’s inadequate safeguards left the personal information of over 35 million people at risk.
Consequences and Recommendations
Although the commissioners found clear breaches of privacy law, AIQ will not face any fines. It appears that the B.C. Commissioner did not exercise his order-making power because AIQ accepted the investigation report’s two recommendations.
First, AIQ agreed with the recommendation to ensure that it complies with federal and provincial consent requirements. More specifically, AIQ is required to verify that the third-party consent upon which it relies meaningfully explains how personal information will be used and disclosed. For sensitive personal information, such as political opinions, the commissioners recommended that AIQ obtain express consent.
Second, the commissioners recommended that AIQ adopt and maintain reasonable security measures to protect personal information. AIQ should also delete all personal information in its custody, or under its control, that is no longer necessary for legal or business purposes, and should implement certain remedial security measures, including employee training, technical and administrative safeguards, and regular audits of the code repository.
This investigation report offers a few important reminders:
- Organizations must ensure that they understand and comply with their privacy obligations in Canada, even when they are also operating in other jurisdictions.
- To the extent that organizations wish to rely on consent obtained by third parties for their own collection, use, and disclosure of personal information, including for processing on their clients’ behalf, they must ensure that the consent is sufficient for their purposes under Canadian or B.C. law.
- Organizations must verify that the third-party consent upon which they rely meaningfully explains the intended uses and disclosures of personal information.
While AIQ did not face any fines, organizations would be wrong to conclude that they can breach privacy law with impunity. There are numerous implications beyond regulator involvement. Organizations must pay attention to civil liability and reputational risks that arise from their handling of personal information, including privacy breaches resulting from improper use of personal information.