On November 26, 2019, a report of findings was released following the joint investigation of AggregateIQ Data Services (AIQ) by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia.
The report concluded that AIQ, a British Columbia company, failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States, and the United Kingdom. The two main findings involved consent and taking reasonable security measures to protect personal information. First, AIQ failed to ensure that there was meaningful consent for its use and disclosure of the personal information of voters. Second, AIQ did not take reasonable security measures to protect personal information, and this led to a privacy breach in 2018.
The report asked whether AIQ complied with British Columbia’s Personal Information Protection Act (PIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) regarding its collection, use and disclosure of personal information when providing services to various political campaigns in the United Kingdom, the United States, and in Canada.
AIQ is a commercial organization that provides election and campaign-oriented software, website development, and digital advertising services. Following concerns about connections to the Brexit referendum, it was discovered that AIQ was linked to Cambridge Analytica and its parent SCL Elections Ltd (SCL), and the potential unauthorized receipt and use of data that had been originally obtained from Facebook.
The focus of this report was on AIQ’s collection, use, and disclosure of personal information in connection with work it performed on behalf of the following clients: SCL with respect to US political campaigns; Brexit campaigns; and various provincial or municipal political campaigns in Canada, several of which were in British Columbia.
The first question involved AIQ’s compliance with the consent requirements in PIPA and PIPEDA with respect to the collection, use and disclosure of personal information. The second question concerned AIQ’s compliance with the data security requirements set out in PIPA and PIPEDA.
Briefly, the report concluded the following for each of the two issues:
1. Consent
For some campaigns, such as the mayoral campaign and the BeLeave Campaign, AIQ was aware of consent language that may have been sufficient to cover its handling of personal information on behalf of its clients. However, in other campaigns, such as those for SCL, the Vote Leave Campaign, and the BC campaigns, AIQ either took no measures to verify that there was appropriate consent it could rely on, or relied on consent that was not sufficient to cover all of AIQ’s activities. As a result, it was found that AIQ failed to ensure meaningful consent for its collection, use, or disclosure of personal information in accordance with applicable requirements in PIPA and PIPEDA.
More specifically, when AIQ used and disclosed the personal information of Vote Leave supporters to Facebook for the purpose of analysing the characteristics of those supporters (using “lookalike audiences”) and targeting advertisements on social media (using custom audiences), it went beyond the purposes for which Vote Leave had consent to use that information. Likewise, when AIQ collected personal information from SCL in order to inform the microtargeting of voters in the United States, it used personal information from several sources without any assurances that consent had been obtained. AIQ delivered targeted ads to lists of recipients that were in some circumstances determined using potentially sensitive personal information, such as ethnicity, or psychographic profiles derived from information Facebook had disclosed without the consent of its users.
With respect to the Canadian campaigns, although AIQ was often aware of the consent obtained by clients, on which it relied for its purposes, the consent did not always extend to the work it performed for those campaigns. One example was when individuals entered their personal information into websites to show their support for candidates or campaigns; those actions would have indicated consent to receive news and information about the campaign. That said, they did not allow that information to be disclosed to Facebook or other social media platforms for the purpose of targeted advertising or to conduct analytics on those individuals in order to find and target other like-minded individuals.
2. Security measures
The breach involved unauthorized access to an unsecure GitLab repository holding substantial personal information, and encryption keys and login credentials that put the personal information of over 35 million people at risk. The investigation determined that AIQ failed to take reasonable security measures to ensure that personal information under its control was secure from unauthorized access or disclosure.
The main point is that, when Canadian businesses do work for clients located in other jurisdictions, they are still subject to Canadian privacy laws. In this case, AIQ demonstrated some awareness of privacy laws when it made contractual commitments with its clients to observe all applicable data protection laws. However, the investigation revealed that AIQ ultimately did not comply with PIPA and PIPEDA.
It was recommended that AIQ take reasonable measures to ensure that any third-party consent it relies on for its collection, use or disclosure of personal information on behalf of its clients is adequate under PIPA or PIPEDA, as appropriate. These measures include contractual measures and other measures, such as reviewing the consent language used by the client. In cases dealing with sensitive information, such as political opinions, it was recommended that AIQ ensure that there is express consent as opposed to implied consent. Moreover, it was recommended that AIQ adopt and maintain reasonable security measures to protect personal information, and delete personal information that is no longer necessary for business or legal purposes.
During the investigation, AIQ advised that it had implemented the following security arrangements to prevent a similar security breach incident from happening in the future:
- Improved employee training to help employees better understand data protection and in particular personal information best practices
- Technical safeguards and administrative procedures to ensure that no unnecessary personal information is inadvertently backed up to the GitHub repository
- Regular audits to review active GitHub projects to ensure no unnecessary personal information is stored there
- A new policy to ensure all completed projects are audited and removed from the GitHub repository within a month of the completion of a project. If a backup is required, it is only kept in secure, non-internet accessible storage which would contain very limited personal information, such as the names and addresses of administrative users, and
- New security measures for all of its servers, and for the Git repository.
In addition to taking steps to remedy the breach, AIQ agreed to implement the other recommendations as well.
The report concluded with this statement:
“The use of microtargeting and analytics to target voters, with the assistance of third parties, has been reported elsewhere, both in BC and abroad. This kind of advertising is often based on repurposed and sensitive information and can involve algorithms that are opaque to individuals.
As tempting and effective as these tools might be, they must not be employed at the expense of individuals’ privacy rights, which in most cases require organizations to seek meaningful consent for such activities, by adequately explaining to people how their personal information will be collected, used, or disclosed.”