AggregateIQ (AIQ), a Victoria-based Canadian digital advertising, web and software firm, is the first company in Canada to receive an enforcement notice under the new European Union General Data Protection Regulation (GDPR). The United Kingdom Information Commissioner’s Office (the ICO) issued its first extraterritorial enforcement notice under GDPR to AIQ.
ICO slaps AggregateIQ with initial official GDPR notice.
The ICO said that although the data was gathered before 25 May, when the GDPR regulations came into effect, it was concerned about the “continued retention and processing” of data after that date. This, it said, meant GDPR applied to AIQ’s handling of that information.
Earlier this year it was linked to UK data firm Cambridge Analytica by whistleblower Chris Wylie, who alleged that Cambridge Analytica improperly acquired Facebook data belonging to 50 million people via a third party.
A Canadian analytics firm that worked for Vote Leave has received the UK’s first formal notice under a key data law, the UK’s data protection watchdog has confirmed.
AggregateIQ (AIQ) was suspected of processing people’s information “for functions that they might not have expected”.
The firm has appealed against the notice, which was issued by the UK’s Information Commissioner’s Office.
AIQ is a small Canadian data firm that uses data to target online ads at voters during public polls. It was paid nearly £2.7m ($3.6m) by Vote Leave to target ads at prospective voters during the Brexit referendum campaign. It was also used by pro-Brexit youth group BeLeave.
Vote Leave has been fined £61,000 and referred to the police after an Electoral Commission probe said it broke an electoral law by exceeding its spending limit by funneling money through BeLeave.
AIQ also received funding from Northern Ireland’s Democratic Unionist Party and Veterans for Britain, amounting to a total of £3.5m from all of its pro-Brexit clients.
Cambridge Analytica has been credited with helping Donald Trump win the US presidential election in 2016.
The GDPR notification was the first in the new data privacy environment where companies are legally obligated to limit the personal data they gather on people, be open about how they use that data, and allow people to demand that their information is deleted.
It was sent in July, amid the ICO’s probes into Facebook data harvesting, although the notice wasn’t posted on the ICO’s enforcement page, and in fact there is no mention of it anywhere on the ICO website. The notice itself [PDF] was hyperlinked in an annex at the end of an “investigation update” into the “use of data analytics in political campaigns.” The fact that it was a GDPR notice was only spotted last week.