On November 26th, the Office of the Privacy Commissioner of Canada (the OPC) and the Office of the Information and Privacy Commissioner of British Columbia (the OIPC) jointly held that online marketing company AggregateIQ Data Services breached Canadian privacy law in providing services that supported online targeted political advertising for two campaigns said to be instrumental to the 2016 “Brexit” referendum.
AggregateIQ is a small BC company that provided services to SCL Elections, the UK domiciled parent of Cambridge Analytica – infamous for harvesting data from millions of Facebook users without consent. The joint report is quite vague about whether AggregateIQ used the Cambridge Analytica contraband, and AggregateIQ denies it.
The central finding in the joint report is that information about one’s “political leanings or affiliations” is “sensitive” personal information. Accordingly, the commissioners said, authorization given by an individual to communicate via e-mail was not sufficient to authorize micro-targeting via Facebook (and its “custom audiences” service). They explained:
AIQ asserted that Facebook is simply another way of communicating with individuals, not materially different from email. We respectfully disagree. In our view, an individual who had initially provided their email address for purposes of being kept “up to date” or providing “opportunities to engage” with a campaign may expect to be contacted via email. They would not expect their email address to be used and disclosed to a social media company for advertising on their platform or any other unknown purposes… Accordingly, AIQ had the responsibility, under PIPA and PIPEDA, to ensure that it was relying on express consent for the work it was performing on behalf of Vote Leave.
This finding is about political ad targeting, a problem of great societal importance but of minimal relevance to most organizations. The report also includes two findings of broad relevance.
First, the fact the commissioners took jurisdiction over a matter involving service provided to a foreign political party is is important. The commissioners explained:
To be clear, we are not finding, in this section or below, that AIQ’s foreign clients were required to comply with Canadian and BC privacy laws. The practices of those political organizations would generally fall outside the scope of PIPA and PIPEDA, and in any event, were not the subject of this investigation. That said, to the extent that AIQ wished to rely on the consent obtained by those foreign clients for its own collection, use, and disclosure of personal information on their behalf, it would need to ensure that such consent was sufficient, under Canadian or BC law as the case may be, for its purposes.
This quote speaks to a time-old question about whether the use of a commercial service provider can cause activity that would otherwise not be regulated to become subject to Canadian privacy law. This question is of particular concern to provincially regulated employers, who are not subject to federal privacy legislation in respect of employment but often use service providers to help with employment administration.
The Federal Court’s decision in State Farm suggests that the mere engagement of a service provider is not enough to give rise to application (and enforcement jurisdiction). When State Farm was released in 2010 I asked a contact from the OPC how it would interpret State Farm. The answer was, “narrowly,” exactly as the above quote would suggest!
Second, the commissioners make a significant finding about the use of identifying information with Facebook’s “lookalike audience” service – a popular and powerful ad targeting service that involves uploading identifying information about a population (typically of customers) so Facebook can identify and target a lookalike population (of potential customers). The commissioners held that authorization to use personal information for “engagement” purposes was not authorization for “data analytics” purposes, stating:
It is also the case that the privacy notice largely speaks to collecting and using personal information for the purpose of engaging supporters in the campaign and performing services on their behalf. The disclosure of individuals’ personal information to Facebook for data analytics, via its “lookalike audience” feature, does not achieve or relate to either of those objectives. Instead, this disclosure is made to allow Facebook to link supporters to their Facebook profiles and analyze those profiles in order to identify, target, and persuade other similar or like-minded individuals. This is for Vote Leave’s benefit and can certainly not be viewed, in any way, as performing a service on behalf of the voter whose information was processed.
Organizations using the Facebook lookalike service or similar services should pay heed and revisit their source of authorization. More broadly, this quote speaks to the HUGE question, “Is using data to generate insights about a population a use of personal information at all?” The quote suggests the commissioners say “yes,” though there is a reference to data matching done by Facebook that may render this scenario unique. (I like to believe the answer is “no.”)