VANCOUVER - Canada's privacy commissioner says the findings of an investigation into a Victoria software company linked with the Cambridge Analytica scandal has profound implications for fundamental democratic principles and privacy rights.
The federal and B.C. privacy commissioners released a joint report Tuesday finding that AggregateIQ Data Services Ltd., also known as AIQ, broke Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States and the United Kingdom.
“With AIQ we now have a Canadian player playing a key role in the troubling ecosystem of political campaigning in the digital era. This is too close for comfort,” Daniel Therrien, Canada's privacy commissioner, told a news conference in Vancouver.
AggregateIQ provides election-related software and political advertising. It has been linked to Cambridge Analytica, a now bankrupt company accused of improperly helping to crunch data for Donald Trump's presidential campaign in the United States.
Michael McEvoy, the information and privacy commissioner of B.C., said they launched the probe after the media reported that the Canadian company may have improperly used voter information during the Brexit referendum. The investigation was subsequently expanded to encompass AggregateIQ's activities in the United States, as well as political campaign work in B.C. and Canada.
The probe found the company leveraged a Facebook audience feature that allowed advertisers to target certain users for political advertising.
The company failed to obtain appropriate consent from voters for the way it used their personal information, the report says. It also failed to take reasonable security measures to protect that personal information, leading to a privacy breach last year.
AgreggateIQ is an example of a company that operates across borders and boundaries, so it's subject to the laws in each of those jurisdictions, McEvoy said.
“When it comes to collecting and using people's personal information, companies that operate on a global and national scale cannot simply pick and choose the rules they wish to follow,” McEvoy said.
The commissioners recommend, and AIQ agreed, to implement measures to ensure it obtains valid consent in the future and that it delete all personal information that is no longer needed for legal or business purposes.
Jeff Silvester, chief operating officer for AggregateIQ, said the company has fully co-operated with the commissioners, and also tried to help them and their staff understand how privacy rules can operate in real life.
Canadian and British Columbia laws provide for a company in B.C. to rely on the consent obtained by their clients in whatever jurisdiction they operate, he said.
AggregateIQ did that, Silvester said, but the commissioners did not agree the consent was “meaningful enough.”
Had it not been for the AggregateIQ's involvement, as a B.C. company, the actions would not have been deemed unlawful, he said.
“Our clients were doing nothing wrong. If they had done that work without us, they would have been fine.”
Navigating the complexities of cross-jurisdictional information and privacy laws is difficult, he said.
“It's certainly going to be a challenge for a lot of companies,” he said in an interview, adding that synchronizing laws internationally and within Canada would be “helpful.”
McEvoy and Therrien used the case to renew calls for greater penalties for companies that break privacy laws and expand the powers of their offices to investigate possible breaches.
In April, they called for additional power to levy financial penalties on companies and for broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.
This report by The Canadian Press was first published Nov. 26, 2019.