AggregateIQ, an analytics company located in Canada which represented the Vote Leave campaign, has been issued with the first ever UK GDPR notice by the Information Commissioner’s Office (ICO) regarding business carried out in that jurisdiction.
ICO revealed that, although the data was obtained before the May 25 GDPR introduction date, it has a number of issues in relation to the ‘continued retention and processing’ of data after that date. Because of this, ICO deemed that GDPR and its fines are applicable on this occasion regarding AggregateIQ’s handling of the information.
The Victoria, British Columbia-based company refers to its business as ‘integrating, obtaining and normalizing data from disparate sources’. Four pro-Brexit campaigning organizations, Vote Leave, BeLeave, Veterans for Britain, and Northern Ireland’s Democratic Unionist Party invested £3.5 million($4.5 million) with AggregateIQ as part of the Brexit referendum campaign.
AggregateIQ has, formerly, been connected with Cambridge Analytica, the UK-based analytics firm which was accused of improperly acquiring Facebook data belonging to 50 million people through a third party. In an interview with the Guardian newspaper in 2018 whistleblower Chris Wylie claimed that staff at Cambridge Analytica used to refer to AIQ as ‘our Canadian office’. AggregateIQ denies this and argues that it has nothing to do with the now defunct UK-based company.
ICO sent the formal GDPR notice on 20 September 2018. AggregateIQ has already begun an appeal. A representative for AIQ told the BBC: “We appealed the enforcement notice to the first level tribunal [a legal mechanism for challenging ICO notices]”. If the appeal is unsuccessful Aggregate IQ may be hit with a penalty of up to €20m or 4% of annual worldwide turnover, whichever figure is higher.
An official statement released on the Aggregate IQ website remarked: “AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity. All work AggregateIQ does for each client is kept separate from every other client. AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.”