For the second time this year, the Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia announced an organization had violated federal and provincial privacy laws through its use of data.
Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy revealed the findings of their investigation into data analytics firm AggregateIQ. The commissioners concluded the British Columbia–based AIQ breached privacy rules when it used and disclosed the information of voters in Canada, the U.S. and U.K. The report comes after the two offices completed a similar probe in April, when they ruled Facebook had violated the law via Cambridge Analytica.
McEvoy said in a news conference the regulators based their investigation on AIQ's security practices and whether the firm had properly obtained data subjects' consent. The investigation was launched based on AIQ's alleged involvement with the EU referendum vote.
"These provincial and laws are based on consent, and our analysis and findings are focused on whether individuals provided consent and how their personal information was processed by AIQ," McEvoy said. "While we found that some of AIQ’s services were covered by the consent of individuals, in many other instances, they were not. This included micro-targeting online profiling using social media, which was clearly not based on consent."
The British Columbia commissioner said AIQ did not properly secure passwords, encryption keys and passwords to its databases. These actions left the information of 35 million Canadians at risk, McEvoy said.
The commissioners offered two recommendations based on their findings, both of which AIQ agreed to follow. The firm must ensure it obtains consent for all data it possesses and delete all information in its custody when it's no longer of use. AIQ is also required to implement better security practices, which McEvoy said it has already started to do.
McEvoy added the probe particularly focused on AIQ's U.S. activity, which he called the most "egregious" misuse of data by the firm. AIQ had built a database containing the personal information of a vast number of U.S. citizens through information it had received from Cambridge Analytica and SCL Elections. McEvoy said when the agencies asked AIQ about its U.S. practices, it told them the U.S. "basically had no law" to stop it from continuing its work.
AIQ's response highlighted a key point McEvoy stressed throughout the conference. Regardless of where an organization may do work around the globe, it still needs to adhere to Canadian law if it is based within the nation's borders.
"While some of these campaigns took place in foreign jurisdictions where AIQ may have been subject to those laws, they and every other Canadian company doing work abroad still remain subject to the privacy laws in this country," McEvoy said.
Political parties are not covered under Canadian privacy laws. Therrien has repeatedly called for an update for the country's legislation. For the commissioner, the AIQ investigation is another example he can point to for a needed revamp.
"Political parties collect vast amounts of data about voters, and yet British Columbia is the only jurisdiction in Canada that expressly regulates the privacy practices of political parties," Therrien said. "My office has repeatedly called for political parties to be explicitly covered by privacy legislation."
McEvoy shared a similar sentiment. The OIPC only has order-making powers at its disposal should it believe its recommendations have not been properly implemented. McEvoy said Canada lags behind other countries' abilities to levy legitimate penalties. He pointed to the fines regulators can administer under the EU General Data Protection Regulation as an example of a true deterrent to privacy infractions.
Therrien wants the federal government to give his office the power to dole out fines and issue binding orders to ensure companies follow through on its rulings.
"Here though, we have a company that has agreed to comply with our recommendations. There is obviously a link between this case and the other investigation we conducted with our British Columbia colleague into Facebook," Therrien said. "Facebook has refused to comply with our recommendations, and an absence of order-making power was more compelling there."
Though the focus was on AIQ, Therrien did offer an update on the commissioners' Facebook case. Back in April, Therrien and McEvoy said they intended to take Facebook to federal court after it said it would not implement any of the regulators' recommendations. Therrien said the agencies plan to file with the federal court "very soon" and added the "complicated procedure process" was the major obstacle that needed to be cleared before the case moved forward.
AIQ may have agreed to the commissioners' recommendations, but McEvoy sees a greater problem in need of solving. McEvoy said the Cambridge Analytica revelations have had a global seismic impact. In Canada, he believes it has shaken citizens' trust in the political campaign system. He concluded the AIQ probe highlights what Canada needs to do to restore that trust with voters around the country.
"That is critically fundamental in a democratic society where trust is often in short supply. What we need to do — and this investigation demonstrates it — is that we need to have tougher regulations to ensure that Canadians, the public and voters have trust and confidence in their political campaigning system at the heart of our democracy," McEvoy said. "It means a great deal to Canadians, to British Columbians, and I would say to global citizenry, as well."