ICO Issued the First UK GDPR Notice to AggregateIQ

AggregateIQ is an analytics company based in Canada that acted for the Vote Leave campaign. The Information Commissioner’s Office (ICO) issued the first UK GDPR notice to AggregateIQ in connection with business executed in that area.

ICO stated that, though the data was collected prior to the May 25 when GDPR was enforced, it has several issues regarding the ‘continued retention and processing’ of data following that date. For this reason, ICO decided to penalize AggregateIQ’s for the way it handled the information.

The company talks of its service as ‘combining, acquiring and normalizing data from different sources’. During the Brexit campaign, AggregateIQ received £3.5 million($4.5 million) from four Pro-Brexit campaign groups, Vote Leave, BeLeave, Northern Ireland’s Democratic Unionist Party and Veterans for Britain.

AggregateIQ was linked to Cambridge Analytica in the past. Cambridge Analytica is an analytics company based in the UK that was accused of wrongly obtaining the information of 50 million Facebook users through a third party. AggregateIQ denied having any connection with the now defunct Cambridge Analytica.

ICO released the official GDPR notice on 20 September 2018, but AggregateIQ already made an appeal at the first level tribunal, which is a legal system for challenging ICO notices. If the appeal is disapproved, Aggregate IQ might be penalized with a maximum of €20 million or 4% of yearly global revenues, whichever is greater.

Aggregate IQ issued an official statement that the company is operating in complete compliance with the legal and regulatory prerequisites in all areas where it operates. It has not engaged in any unlawful activity. All projects AggregateIQ performs for every client is separated from any other client. AggregateIQ has never handled, nor accessed any Facebook information or database purportedly obtained wrongly by Cambridge Analytica.

Other major points contained in the notice that ICO issued are:

  • AggregateIQ’s use of methods ‘restricted to commercial behavioral advertising for political campaigning’ in the last elections as well as the 2016 EU referendum campaign.
  • The four Pro-Brexit groups mentioned above gave AggregateIQ the personal information of UK residents, which was used for targeting social media users with political advert messages.
  • The information involved was processed without the knowledge of the data subjects for reasons they wouldn’t have expected and with no legal basis for processing. Besides, the processing of data had goals which deviated from the intention for which the information was initially collected.
About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA