Les Leyne: AggregateIQ privacy breach gets ‘tut-tut’ from federal, B.C. watchdogs

The combined forces of the B.C. and federal information and privacy commissioners’ offices announced Tuesday that the Victoria data company AggregateIQ broke the law while working for international political clients.
Daniel Therrien, privacy commissioner of Canada, front, and Michael McEvoy, information and privacy commissioner for B.C., hold a news conference about their investigation into AggregateIQ, in Vancouver on Tuesday, Nov. 26, 2019.

Based on that weighty conclusion following a lengthy investigation, what did the commissioners do next?

They asked the company to stop doing it. And the company said it would. The commissioners are going to watch to make sure they stop, but it’s more or less case closed.

If this was a movie, the ending would be a dud. There was a huge amount of work investigating and a corresponding effort by AggregateIQ to comply with all the investigators over a two-year period.

But the whole process concluded with an official “tut-tut,” partly because the commissioners’ authority is so limited and their powers are so weak that’s about all they can muster.

It’s the second report by the two offices this year in which they have had to acknowledge how helpless they are when it comes to policing 21st-century manipulation of social-media information on tens of millions of people.

Last spring, they arrived at a similar conclusion about the notorious Cambridge Analytica firm’s handling of data from Facebook, which was used by “leave” campaigners in the Brexit referendum in Britain and also in other campaigns. Tens of millions of unwitting people had their personal information secretly used to build psychographic profiles handy for targeting ads. The privacy breach included Canadians and British Columbians, which brought the commissioners calling.

They compiled a list of recommendations to Facebook to improve privacy. Facebook informed them it was going to ignore them all. The provincial and federal commissioners have gone to court over it, but it’s only to force the company to accept the recommendations, not about the breach of privacy.

The AggregateIQ investigation flowed from that case, since the firm handled some of the work.

The commissioners said AggregateIQ had a responsibility by law to get express consent from people to use the information, some of it personal and sensitive, but the firm didn’t show that it sought such assurances.

The report inquired as to whether the firm took measures required to ensure it had the legal authority to use U.K. voter information in the way it did.

“We have found that, in the context of certain of its work related to the Brexit referendum, it did not.”

They reached the same conclusion regarding AIQ’s work in support of a U.S. political campaign. It worked with psychographic profile information derived from Facebook data that was obtained by Cambridge Analytica, via a third-party app, from millions of Americans.

“Even where the information was collected in a different jurisdiction, AggregateIQ is still required to meet its obligations under Canadian law with respect to its handling of that information in Canada.”

“When AIQ failed to ensure it had meaningful consent from the individuals whose personal information it collected, used, or disclosed, it contravened B.C. and Canadian privacy laws,” says their report. It was also found responsible for a separate data breach that contravened privacy laws.

They said the firm committed to implement their recommendations. “Our offices will engage with AIQ to obtain evidence confirming that the company has in fact implemented those recommendations. We therefore conclude this matter to be well founded and conditionally resolved.”

AggregateIQ’s chief operating officer, Jeff Silvester, said after the decision was released that the firm was happy to co-operate fully with the commissioners.

He said the investigation imposed a tremendous burden and took a long time. “As the report confirms, and as we told the commissioners long ago, we have already implemented all of the recommendations.”

Silvester said in an interview that despite the co-operation offered, investigators produced an order to appear and took testimony under oath. They also demanded entry to the firm’s Market Square offices and procured evidence.

The whole story exploded globally more than two years ago when a Victoria-raised man, Christopher Wylie, turned whistleblower after being involved with both Cambridge Analytica and AggregateIQ.

It raised lots of sensational issues about loss of privacy, but the whole controversy seems to be sputtering to an end — with a whimper, rather than a bang.