A Victoria-based data analytics company once engaged by a Kamloops MLA has been found to have violated Canada’s privacy laws by engaging in micro-targeted political advertising without consent.
By using and disclosing the personal information of millions of voters, AggregateIQ failed to meet its obligations under Canadian privacy laws, according to the results of a joint investigation conducted by the B.C. and federal privacy commissioners.
The investigation concerned AIQ’s involvement in political campaigns around the world, including work in pro-Brexit campaigns in the United Kingdom and U.S. political campaigns.
In B.C., AIQ’s wrongdoings also included work with a provincial political party, candidates in the 2017 provincial election, a municipal slate in the 2018 local elections and a candidate for the leadership of a provincial party.
That leadership candidate was Kamloops-South Thompson MLA Todd Stone, who in a bid to win the B.C. Liberal party leadership, had 1,349 prospective party members disqualified from voting.
The privacy commissioners’ findings note that in working on B.C. campaigns, AggregateIQ either “took no measures to verify that there was appropriate consent it could rely on or, … relied on consent that was not sufficient to cover all of AIQ’s activities.”
Stone said AIQ only provided “very basic website and social media services” during his 2018 leadership campaign and said he has not had dealings with the firm since.
“I was not aware then and I’m not aware today of any wrongdoing with respect to any of the services they provided to us,” he told KTW, adding nobody from either the provincial or federal privacy commissioner offices had contacted him regarding the investigation.
But Stone said AIQ did make a “poor judgment call” when it created a list of fake email addresses to be associated with the 1,349 members who were later be disqualified by B.C. Liberal party officials during the party’s leadership race.
Asked if AIQ provided his campaign with any micro-targeting advertising or communication services, Stone said, “Not that I’m aware of.”
When AIQ was first criticized for its links to Cambridge Analytica, Stone defended his use of the company and said he stands by that defence.
“The company did the work we asked of them and they did it very well,” he said. “I can’t comment on what a company does with other clients outside the province or the country. All I can speak to is what they did for us.”
AIQ created a customer relationship management tool called Ripon for a SCL Elections Ltd., the parent company of disgraced data analytics firm Cambridge Analytica.
The tool collected and stored “vast amounts” of voter data that included psychographic profiles, ethnicity and religion, political donation history, birth dates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information and vehicle ownership details, according to the OIPC report.
“Individuals would not have expected that their personal information would be disclosed to Facebook for the purpose of delivering political advertising. Nor would they have expected their information to be analyzed for the purposes of identifying people with similar characteristics,” the report reads.
During a press conference in Vancouver on Tuesday, Daniel Therrien, Canada’s privacy commissioner, and Michael McEvoy, B.C.’s privacy commissioner, both reiterated the investigation focused on AIQ, not its clients.
The commissioners recommended, and AIQ agreed, to implement measures to ensure it obtains valid consent in the future and that it delete all personal information that is no longer needed for legal or business purposes.
Jeff Silvester, chief operating officer for AggregateIQ, said the company has fully co-operated with the commissioners, and also tried to help them and their staff understand how privacy rules can operate in real life.
Canadian and British Columbia laws provide for a company in B.C. to rely on the consent obtained by their clients in whatever jurisdiction they operate, he said.
AggregateIQ did that, Silvester said, but the commissioners did not agree the consent was "meaningful enough.''
Had it not been for the AggregateIQ's involvement, as a B.C. company, the actions would not have been deemed unlawful, he said.
"Our clients were doing nothing wrong. If they had done that work without us, they would have been fine.''
Navigating the complexities of cross-jurisdictional information and privacy laws is difficult, he said.
"It's certainly going to be a challenge for a lot of companies,'' he said in an interview, adding that synchronizing laws internationally and within Canada would be "helpful.''
McEvoy and Therrien used the case to renew calls for greater penalties for companies that break privacy laws and expand the powers of their offices to investigate possible breaches.
In April, they called for additional power to levy financial penalties on companies and for broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.
— with files from Canadian Press