AggregateIQ Gets the First UK GDPR Notice for Mishandling Personal Data

GDPR Data Mishandling Notice

The Information Commissioner’s Office (ICO) has sent the UK’s first GDPR notice to AggregateIQ, an analytics firm located in Canada that supported the Vote Leave campaign, in relation to business carried out for the campaign.

ICO reported that while data for the campaign was collected before the May 25 GDPR compliance deadline, it has several concerns with the ‘continued retention and processing’ of data after May 25. That is why ICO believes GDPR penalties would apply.

AggregateIQ’s services are described as ‘integrating, obtaining and normalizing data from disparate sources’. During the Vote Leave campaign, AggregateIQ was given £3.5 million or $4.5 million by four pro-Brexit campaign groups: BeLeave, Northern Ireland’s Democratic Unionist Party, Vote Leave, and Veterans for Britain.

AggregateIQ has previously been associated with Cambridge Analytica, an analytics firm located in the United Kingdom that was purported to have improperly acquired the data of 50 million Facebook account holders by means of a third party. AggregateIQ stated that it is no longer associated with Cambridge Analytica.

ICO issued the official GDPR notification on 20 September 2018. AggregateIQ submitted an appeal at the first-level tribunal to legally challenge the ICO notice. If the appeal is not accepted, AggregateIQ may be issued a penalty of up to €20 million or 4% of yearly global revenue.

AggregateIQ made an official statement that it fully complies with the legal and regulatory requirements in all countries and locations where it operates. It also stated that the company has never been involved in any criminal activity, and that the work it carries out for each client is kept distinct from its work for other clients. AggregateIQ expressly stated that it has never viewed or accessed the information of any Facebook account or database supposedly acquired improperly by Cambridge Analytica.

The ICO notice also contained the following major points:

  • AggregateIQ used strategies reserved for ‘commercial behavioural advertising’ in political campaigns in previous elections and even in the 2016 European Union referendum campaign.
  • The four pro-Brexit groups gave AggregateIQ the personal data of UK residents, which was used to target users with political ad messages on social media.
  • The data involved was processed without the awareness of the data subjects, for purposes they wouldn’t expect, and without a legal basis for any processing to have occurred. In addition, the data was processed for purposes that deviated from the intent for which it was collected in the first place.