AggregateIQ, one of the companies at the heart of the Facebook unauthorized data-sharing scandal, could be one of the first companies to face penalties under the European Union’s recently implemented General Data Protection Regulation (GDPR). The United Kingdom’s (UK’s) Information Commissioner’s Office (ICO) quietly issued its first notice under the GDPR to the Canadian-based firm on July 6, although the news didn’t publicly surface until last week when legal firm Mishcon De Reya called attention to it in a blog post. The notice was delivered as an annex to a report the ICO published about its investigation of the use of data analytics in political campaigns.
The ICO has already fined Facebook £500,000 for its role in the scandal, in which questionable collection and misappropriation of Facebook data by U.K.-based data firm Cambridge Analytica resulted in the mishandling of data belonging to 87 million users of the social network, and potentially even swayed the 2016 U.S. presidential election in favor of President Donald Trump. So far no company has had to pay fines specifically as a result of the GDPR, which went into effect May 25.
The GDPR protects the data privacy of citizens and enforces corporate accountability for that privacy by imposing heavy fines on companies that don’t inform people of serious data breaches within 72 hours after they occur. Failure to comply with the GDPR could result in a fine of up to 20 million euros. While AggregateIQ is not technically an EU company, it is still subject to the jurisdiction of the GDPR because its processing of personal data relates to user behavior taking place within the EU, the ICO said in its enforcement notice to the company.
“As part of AIQ’s contract with these political organisations [sic], AIQ have been provided with personal data including names and email addresses of UK individuals,” the ICO wrote in the notice. “The personal data was then used to target individuals with political advertising messages on social media.”
Full involvement not fully disclosed
AggregateIQ’s full role in the Facebook-Cambridge Analytica debacle remains murky, and the notice does little to shed new light on exactly how the firm violated the GDPR. However, the fact that the obscure Canadian firm is the first to face enforcement action under the GDPR hints that it was just as significant a player as Facebook or Cambridge Analytica in the data-privacy scandal.
AggregateIQ’s involvement in the politically motivated use of Facebook user data first surfaced when a data leak revealed that AggregateIQ developed the software Cambridge Analytica used and sold to clients during the 2016 election. The software helped Republican campaigns target voters. Clues in the data also revealed ties to other GOP-linked data and research firms as well as to known pro-Brexit political organizations and leaders in the United Kingdom.
The ICO’s action is concerned with AggregateIQ’s ties to pro-Brexit organizations, specifically Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave, the office said in its notice. It asserts that in its dealings with these groups, AggregateIQ failed to comply with three specific Articles of the GDPR: Articles 5, 6 and 14.
As to Articles 5 and 6, the company violated them because it “processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis of that processing,” the commissioner’s office said in its notice. AggregateIQ failed to comply with Article 14 because it did not, to the ICO’s knowledge, provide the people whose data it processed with the specific information about that processing that the article requires in cases where the data was not obtained directly from the person it concerns.
Moreover, as of May 31, AggregateIQ continued to hold data of U.K. citizens in a code repository to which third parties, presumably the aforementioned politically motivated organizations, had unauthorized access, the ICO said in the notice.
The ICO demanded that AggregateIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes,” giving the company 30 days to do so.
AggregateIQ appealed the enforcement notice to a first-level tribunal with the ICO, Jeff Silvestre, AggregateIQ’s chief operating officer, told Security Ledger Tuesday.
“Seeing as that is still before the Tribunal, it would be inappropriate for me to comment further,” he said, but promised further updates on the situation as it progresses.