First UK GDPR Notice is Issued to Canadian Firm Linked to Cambridge Analytica

AggregateIQ, a Canadian-based analytics company which acted on behalf of the Vote Leave campaign, has been issued with the first ever UK GDPR notice by the Information Commissioner’s Office (ICO) in relation to business carried out in that jurisdiction.

ICO said that, although the data was gathered before the May 25 GDPR introduction date, it has a number of concerns in relation to the ‘continued retention and processing’ of data after that date. Due to this, ICO ruled that GDPR and its penalties are applicable in this case regarding AggregateIQ’s handling of the information in question.

The Victoria, British Columbia-based company describes its business as ‘integrating, obtaining and normalizing data from disparate sources’. Four pro-Brexit campaigning groups (Vote Leave, BeLeave, Veterans for Britain, and Northern Ireland’s Democratic Unionist Party) spent £3.5 million ($4.5 million) with AggregateIQ during the Brexit campaign.

AggregateIQ has, in the recent past, been linked to Cambridge Analytica, the UK-based analytics firm which was charged with improperly acquiring Facebook data belonging to 50 million people via a third party. In an interview with the Guardian newspaper earlier in 2018, whistleblower Chris Wylie alleged that employees at Cambridge Analytica used to call AIQ ‘our Canadian office’. AggregateIQ refutes these claims and says it has nothing to do with the now defunct UK-based company.

ICO issued the formal GDPR notice on 20 September 2018. AggregateIQ has already launched an appeal. A spokesman for AIQ told the BBC: “We appealed the enforcement notice to the first level tribunal [a legal mechanism for challenging ICO notices]”. If the appeal is unsuccessful, AggregateIQ may be hit with a penalty of up to €20m or 4% of annual worldwide turnover, whichever figure is higher.

An official statement issued on the AggregateIQ website said: “AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity. All work AggregateIQ does for each client is kept separate from every other client. AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.”

Other main points included in the notice issued by ICO are:

  • AggregateIQ was using techniques ‘reserved for commercial behavioural advertising being applied to political campaigning’ during recent elections and the EU referendum campaign in 2016.
  • The aforementioned pro-Brexit groups – Vote Leave, BeLeave, Veterans for Britain, and Northern Ireland’s Democratic Unionist Party – provided AggregateIQ with personal data of UK individuals. This personal data was then used to target individuals with political advertising messages on social media.
  • The data in question was processed in a manner that the data subjects were not aware of, for purposes which they would not have expected and without a lawful basis for that processing. In addition, the processing had different aims to the purposes for which the data was originally collected.
  • The Information Commissioner deemed that, as the data subjects were not afforded the opportunity of properly understanding what personal data may be processed about them by AggregateIQ, damage or distress is a possibility.

You can read the notice issued by ICO here.