Canadian watchdog says Brexit data firm broke privacy laws

A Canadian data company that worked with a leading pro-Brexit group broke privacy laws, according to a report by Canada's federal privacy commissioner.

AggregateIQ (AIQ), which also worked with a number of US political campaigns, did not take adequate measures to ensure it had the authority to disclose voter information, the report said.

The firm was hired by Vote Leave in 2016 to create Facebook advertisements aimed at potential voters. The British Columbia-based business used online data gathered by Vote Leave and disclosed it to Facebook.

However, the pro-Brexit group hadn't explained to respondents that their information might be shared with the social network, according to the commissioner's report, and AIQ didn't do enough to make sure it had the right to use the information.

The report also cited concerns about AIQ's work with US election campaigns, particularly with the Strategic Communications laboratories – the former name of the SCL Group, the parent company of Cambridge Analytica.

"When the company used and disclosed the personal information of Vote Leave supporters to Facebook... it went beyond the purposes for which Vote Leave had consent to use that information," the report said, according to The Guardian.

"When AIQ failed to ensure it had meaningful consent from the individuals whose personal information it collected, used, or disclosed, it contravened British Columbia and Canadian privacy laws."

AggregateIQ was the first firm to be hit with a GDPR enforcement notice back in September 2018. This was handed to it by the UK's own data regulator, the ICO. The notice was sent in July and said the firm must stop processing the personal data of UK or EU citizens obtained from political groups, or face a heavy financial penalty.

The ICO also fined the Vote Leave campaign £40,000 in March 2019 for sending unlawful and unsolicited text messages prior to the EU referendum.