A small B.C. company involved in a scandal that saw the personal information of millions of voters illicitly collected for the purpose of shaping political events around the world will not face financial penalties in Canada for its misuse of data.
A joint investigation by the privacy commissioners of British Columbia and Canada concluded AggregateIQ (AIQ) broke domestic privacy laws, shaking Canadians’ confidence in the political campaign system.
But BC Privacy Commissioner Michael McEvoy expressed frustration that he could not levy a fine, unlike regulators in the United States and the European Union.
“It is the kind of case where we would have looked at monetary penalties to be administered on a company," Mr. McEvoy said. “This is an area where Canada is in serious need of reform. In Europe, under the privacy regulation there, companies can be fined significant, significant amounts of money which act as a real deterrent."
AIQ is linked to the political consulting company Cambridge Analytica. Both agencies were co-founded by Canadian Christopher Wylie, who later emerged as the whistle-blower who revealed that the personal information of up to 87 million Facebook users globally may have been improperly used to influence elections.
Victoria-based AIQ bills itself as a data-intelligence firm, providing election-related software and political advertising services around the globe. The privacy officers say the company must adhere to Canadian law, no matter where its clients are located.
Daniel Therrien, Privacy Commissioner of Canada, said the investigation underscores the urgent need for privacy-law reforms, including the option for significant fines to act as a deterrent for companies that improperly use or keep personal data for the purpose of influencing voters.
“With AIQ, we now have a Canadian player playing a key role in the troubling ecosystem of political campaigns in the digital era,” Mr. Therrien said. “Canadians expect and deserve to have their privacy respected as they exercise their democratic rights. Reform is urgently needed to maintain public trust in political parties and our democratic system.”
Other jurisdictions have already taken action. In May, the EU adopted the General Data Protection Regulation, a sweeping data-privacy law.
In January, in the first major example of the GDPR, the French data-protection authority fined Alphabet Inc.'s Google the equivalent of $75-million for not properly disclosing to users how data are collected across its services – including its search engine, Google Maps and YouTube – to present personalized advertisements.
The privacy investigation of AIQ looked at the company’s actions in several campaigns. During the 2016 British referendum on European Union membership, it provided targeted advertising and other services to various Brexit campaigns on the “leave” side. It also provided services to a variety of political clients at the municipal and provincial levels in British Columbia. And, it collected personal information to assist in micro-targeting of voters in the 2014 midterms and in the 2016 presidential primary campaign in the United States.
The privacy report released on Tuesday concluded that in many instances in those campaigns, the company failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of voters – mostly in the U.S. but also in British Columbia, Britain and other countries – because it did not clearly obtain consent from the individuals whose data they used.
As well, the company failed to take reasonable security measures to protect personal information in its custody or under its control, after a data breach put the personal information of more than 35 million people at risk.
In April, Mr. Therrien concluded in a separate probe that Facebook committed serious contraventions of Canadian privacy law and failed to take responsibility for protecting the personal information of citizens. His office intends to file legal action against Facebook.
Mr. McEvoy said that, unlike Facebook, AIQ has agreed to comply with provincial and federal privacy laws, and his office will monitor to ensure the rules are followed.
In October, Britain’s information rights regulator announced that Facebook will pay a £500,000 ($853,308) fine for breaches of the country’s data-protection law related to the harvesting of data by Cambridge Analytica.
In July, the U.S. Federal Trade Commission and Facebook said the social-media company will pay a record-breaking US$5-billion fine to resolve a government probe triggered by the Cambridge Analytica case.
Mr. Therrien said he has repeatedly called for tougher legislation to regulate how political parties use personal data in Canada, but the federal government has stalled, saying more study is required.
“My office has called for federal political parties to be explicitly covered by privacy legislation,” he said. “Unfortunately, there's currently a gaping hole in terms of protection.” Only British Columbia imposes privacy standards on political parties.
In a written statement, AIQ’s chief operating officer Jeff Silvester said the company fully co-operated in the investigation and sought to “help the commissioners and their staff understand how privacy rules can operate in real life.”
In an interview, Mr. Silvester said lengthy investigations, both in Canada and Britain, have taken their toll on the firm. “It’s certainly not as bustling as it was previously, but the same fundamentals continue; we work hard for clients and try to help them to share their messages and to achieve their goals.”