Brexit campaigner AggregateIQ challenges UK's first GDPR notice

A Canadian data analytics firm on the receiving end of the UK's first-ever violation notice of Europe's new data privacy laws is appealing the claims against it. The GDPR notice was sent by Blighty's Information Commissioner (ICO) against AggregateIQ, an organization linked to the Facebook-Cambridge Analytica scandal. The biz …

  1. Anonymous Coward

    Has GDPR given the ICO balls or just a quick power trip

    Here's hoping it's a set of shiny balls that last beyond Christmas and brexit.

    1. OliP

      Re: Has GDPR given the ICO balls or just a quick power trip

      From what I can see the ICO's problem isn't a lack of balls, it's a lack of staff.

      Either way, great to hear this is quietly rumbling on in the background.

      1. Scunner

        Re: Has GDPR given the ICO balls or just a quick power trip

        20 million could go a long way towards fixing that if they're allowed to keep any of the fines collected for their own use. Assuming AIQ don't just immediately claim insolvency and fold if found guilty, of course.

        1. Korev Silver badge

          Re: Has GDPR given the ICO balls or just a quick power trip

          There would be a huge conflict of interest if the ICO judges and fines the naughty organisation when it relies on the funding for its own existence.

  2. smartse
    Facepalm

    An amazing coincidence

    AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office: Compare https://opengovca.com/victoria-business/27499 with https://web.archive.org/web/20160317101833/https://sclelections.com/contact/

    The phone number was also tweeted by Massingham: https://archive.fo/0R4Nf I'm amazed that the farcical nature of their denial isn't made clear by journalists.

    1. Jack of Shadows Silver badge

      Re: An amazing coincidence

      Journalists generally aren't up on practicing OSINT. Heck, even researchers for the media firms aren't either.

    2. Arthur the cat Silver badge

      Re: An amazing coincidence

      AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office

      That doesn't necessarily mean anything. Here in Cambridge (UK) many companies use the St John's Innovation Centre as their address. It's a business incubator. It could equally be a law firm's address used as a registered office - the father of an ex of mine was a Jersey lawyer and had around a hundred company brass plates by his office door.

      1. Tomato42 Silver badge

        Re: An amazing coincidence

        @Arthur the cat and if we were talking about any random firms, that could be true. But here we are dealing with crooks. Filing for "bankruptcy" and creating a new front for the old operation is crook 101 behaviour.

      2. Anonymous Coward

        Re: An amazing coincidence

        Didn't they also share an office above a shop together...could be fueling a conspiracy...a seed of doubt...sprinkled with the odd grain of truth...that's how the three companies worked together.

    3. phuzz Silver badge

      Re: An amazing coincidence

      According to the link smartse posted, AIQ's registered address is "320-1070 DOUGLAS ST VICTORIA BC V8W 2C4". That's actually number 1070 on Douglas street (320 must be the office number), which is a generic looking office block.

    4. Mike Moyle Silver badge

      Re: An amazing coincidence

      "AIQ continue to deny that they are linked to SCL, the parent of Cambridge Analytica and yet their registered address is identical to SCL Canada's office."

      Don't know about elsewhere, but office buildings in Delaware in the U.S. host hundreds or thousands of companies in registration addresses of convenience. In Delaware's case, being the second-smallest state in physical size, they apparently decided that business incorporations are the most remunerative cash crop per acre and offer companies tax incentives to register there -- often in a mail slot in a lawyer's or accountant's office. Could the building in question be one of those?

      https://www.businessinsider.com/building-wilmington-delaware-largest-companies-ct-corporation-2017-4

  3. Hans 1 Silver badge
    Happy

    Yeah, their denial does not quite work out for them ... they should have claimed they deleted the data before GDPR came into effect and doctored the logs and denied holding said data.

    Maybe the first to cough up ...

  4. Tom 35 Silver badge

    Who was paying for this I wonder?

    I'm sure it was not their money paying for the ads.

    I see an empty shell going bankrupt in the near future.

  5. Anonymous Coward

    Serious question but how are the ICO going to enforce the GDPR against a Canadian company?

    1. Aqua Marina Silver badge

      "how are the ICO going to enforce the GDPR against a Canadian company?"

      This is going to be a very unpopular answer, but, first of all I'll do what no other commentard on this topic has ever done, and post chapter and verse of the actual law rather than say, spout bollocks about how EU law applies abroad, or that to do business in the EU you must adhere to the GDPR:-

      Enforcement Outside EU: Chapter 5 of the GDPR relates to handling of data by non-member countries or organizations. The relevant text relating to enforcement of fines is from Article 50, titled "International cooperation for the protection of personal data":

      (1) In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

      a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

      b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

      c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

      d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

      So, to answer your question, they haven't a hope in hell.

      Section 1a) says they will need to negotiate new agreements with other countries, so we can prosecute their citizens.

      b) We'll offer to help other countries let us prosecute their citizens.

      c) Ask nicely if we can prosecute their citizens,

      and d) if all else fails, keep telling everyone involved what a great idea it would be if other countries would let us prosecute their citizens.

      1. Mike 137

        Re: "how are the ICO going to enforce the GDPR against a Canadian company?"

        Article 27 requires any organisation not established in the Union that processes the personal data of subjects in the Union in order to monitor their behaviour, and particularly in respect of the special categories, to appoint a representative in the Union.

        Performing data analytics in political campaigning falls into both these categories (monitoring and special category data). Consequently the ICO could in principle enforce the notice on the representative.

        Should there not be a representative, that might in its own right constitute a breach of Article 27.

      2. Anonymous Coward

        Re: "how are the ICO going to enforce the GDPR against a Canadian company?"

        > This is going to be a very unpopular answer, but, first of all I'll do what no other commentard on this topic has ever done,

        You've read every post then, you sure? 100%?

      3. I_am_not_a_number

        Re: "how are the ICO going to enforce the GDPR against a Canadian company?"

        Not sure I agree.

        --> https://gdpr-info.eu/issues/third-countries/

        "...At the time that the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations),"

        It suggests that the "Supervisory Authority" in Canada are obliged to assist to the extent that the existing (Canadian) laws that govern data protection require.

        Article 45 may also apply:

        https://gdpr-info.eu/art-45-gdpr/

        "Transfers on the basis of an adequacy decision"

        If so, then article 47 applies regarding "Binding corporate rules", which commit those entities to ensuring "Data Protection" principles that make them "their legally binding [..in..] nature, both internally and externally;"

        Here - https://gdpr-info.eu/art-47-gdpr/

      4. Lars Silver badge
        Happy

        Re: "how are the ICO going to enforce the GDPR against a Canadian company?"

        "they haven't a hope in hell."

        The EU did fine Microsoft and there are many similar cases. Perhaps those agreements exist.

        But as I am not an expert perhaps I have all the right answers.

    2. StargateSg7 Bronze badge

      They can't as we here in Canada or the USA can TELL THEM TO GO POUND SAND !!!

      GDPR LAWS DO NOT APPLY IN USA OR CANADA !!!!!! END OF STATEMENT -- PERIOD !!!!!

      If you are a user of CANADIAN or USA located, owned and operated systems you follow US or Canada laws NOT ANYONE ELSE'S !!!!!

      Only if the equipment and/or the company personnel are located or operate out of the EU or Britain does GDPR law apply. ONLY THEN !!!! Any US judge (or Canadian one!) would DENY any extradition request and/or application of a fine in that jurisdiction!

      1. Anonymous Coward

        Pay up or "eff"-off

        GDPR laws apply to companies that trade in Europe, so the answer is that the guilty (as defined by law) companies (and any companies that their executives have an interest in given that they are accountable) lose their license to trade in Europe.

        There are many, many ways to cause a company pain if you can't collect a fine.

        Please excuse the no capitals except where required, I was brought up not to shout.

      2. Adelio

        GDPR

        But there is nothing to stop them banning company trading with the EU

        1. Yet Another Anonymous coward Silver badge

          Re: GDPR

          >But there is nothing to stop them banning company trading with the EU

          Which doesn't help because DataTheft (Panama) LTD simply closes down and DataTheft (Grand Cayman) LTD takes over...

      3. gnasher729 Silver badge

        "Only if the equipment and/or the company personnel are located or operate out of the EU or Britain does GDPR law apply."

        That's where you are wrong. If your actions affect EU citizens, that's when the law applies.

      4. Hans Neeson-Bumpsadese Silver badge

        GDPR LAWS DO NOT APPLY IN USA OR CANADA !!!!!! END OF STATEMENT -- PERIOD !!!!!

        Interesting. I'm in the UK and in recent weeks I've tried visiting a few Canadian websites only to be met with a message with words to the effect of "We have detected which country you are in and are blocking access for you as we cannot guarantee that our website is compliant with GDPR"

        I'm fairly sure TVA Nouvelles was one of the websites in question. Can't remember the other offhand.

        1. eionmac

          TVA

          https://www.tvanouvelles.ca/

          Access is refused in both French and English, as we do not comply or cannot comply with GDPR as at 2018-Sept -26

      5. cosmogoblin

        A bit one-sided then, seeing how many extradition requests the US make against British citizens operating in Britain breaking no British laws...

    3. Yet Another Anonymous coward Silver badge

      >Serious question but how are the ICO going to enforce the GDPR against a Canadian company?

      Assuming Canada wants to trade with the EU in future - quite easily.

      Although if they can hold out till March it is likely the UK will be more understanding toward any future trading partners.

      1. a_yank_lurker Silver badge

        @YAAC - The EU would need to have a treaty signed with Canada to allow them to ask for extradition to the EU for the violations or they sue the EU subsidiary if one exists. However winning against the EU subsidiary may get an unenforceable judgment as the money would have to come from the Canadian parent and that would require the Canadian courts to meddle in the case. The same problem with the US, the EU will spend a ton of time and money arguing in the feral courts just to get the parent to pay up with dicey chances. But the devil is in the details of the various treaties as to how difficult getting money out of non-EU parent would be.

        1. Anonymous Coward

          Not really, it's all about being able to do business in Europe. Witness various US web services becoming unavailable in Europe when the GDPR deadline was reached earlier this year.

          Companies that are fined could in theory use the "we're registered to trade from the US/Canada/Mars so we're not subject to EU laws" defence if fined. Which may well work, as long as they no longer want to be able to do business in Europe, or at least the part of Europe that is protected by the EU.

      2. WolfFan Silver badge

        Serious question but how are the ICO going to enforce the GDPR against a Canadian company?

        Assuming Canada wants to trade with the EU in future - quite easily.

        Oh? The ICO is going to take the whole of Canada to task over the action of one company? Really? And when the Canadian PM tells the Canadian High Commissioner in London to have a polite (they're Canadians, they're always polite, even when they're telling you to rotate on a cactus) word with the MayBot, about what Canada will or will not buy from Britain if the ICO takes any action at all against the whole country for the actions of a single company, what do you really think the MayBot will do? Back the ICO, or ruin the relationship with one of the pillars of the Commonwealth? Things will get awfully lonely after Brexit...

        1. gnasher729 Silver badge

          "Oh? The ICO is going to take the whole of Canada to task over the action of one company? Really? "

          You seem to be under the impression that Canadian courts would somehow be inclined to protect this company. They won't be. They have no reason to be. Canadian courts don't defend scumbags just because they are Canadian.

          If there is a UK court that signs off on it, and it can't make this company pay, then they send it to a court in Canada, and that court will make them pay.

    4. WolfFan Silver badge

      how are the ICO going to enforce the GDPR against a Canadian company?

      The only way that they could do anything would be if the company, from any jurisdiction outside the EU, had assets inside the EU. If the company, any company, does not have assets inside the EU there is absolutely nothing they can do unless and until the company, any company, either has assets inside the EU or does business with some entity inside the EU.

      In this case the company is Canadian and does not seem to have assets inside the EU and is not currently doing business with any entity within the EU. The ICO has zero leverage. They cannot compel the Canadian courts to do anything, which means that they cannot enforce the fine, or, indeed, anything whatsoever. Our Canadian heroes could, if they so wished, stand on a ship outside of the territorial waters of any EU country and make remarks about farting in the ICO's general direction and about how the parents of the ICO rep were funny-smelling rodents, and there would be nothing that the ICO could do about it.

      I suspect that I see the reason why the ICO failed to mention this (non)action.

    5. thames
      Boffin

      Anonymous Coward said: "Serious question but how are the ICO going to enforce the GDPR against a Canadian company?"

      I imagine it would involve the ICO going to a UK court asking that the judgement be enforced, followed by the UK court filing appropriate papers with a Canadian court asking them to enforce the UK decision. AggregateIQ would then appeal to a Canadian court asking that it not be enforced, and then after some back and forth with lawyers, the Canadian court approves the UK request and the ICO gets their judgement approved.

      UK law is considered to be close enough to Canadian law (closer than any other country) and the UK courts fair enough that the Canadian courts are not likely to question their judgements too much provided the proper paperwork has been filled out.

      The ICO may have to wait in line however. Cambridge Analytica, AggregateIQ, and Facebook are already under investigation for the same or related matters by the ICO's Canadian equivalent, the OPCC (Privacy Commissioner) over violations of PIPEDA, which is Canada's equivalent of GDPR.

      The OPCC web site mentioned six months ago that they are in contact with the UK ICO on their related investigation. It appears that the UK and Canada have been cooperating with each other on this matter for some time now.

      1. Yet Another Anonymous coward Silver badge

        The ICO, no because Britain has no power on the world stage - this isn't 1914.

        But the EU? Yes, it cannot have a trade deal with Canada that allows Canadian companies to snub their noses at EU data protection law that other countries have to obey.

        If Canada refused to cooperate in prosecuting the offenders the simple result would be that Canadian companies cannot process data on EU citizens.

        1. Anonymous Coward

          "But the EU? Yes, it cannot have a trade deal with Canada that allows Canadian companies to snub their noses at EU data protection law that other countries have to obey"

          EU just agreed to a trade deal with Canada ... anyone know if this situation was covered?

          "the simple result would be that Canadian companies cannot process data on EU citizens."

          Technically I think the result would be that EU companies would not be able to send data to Canada for processing with the EU companies being the ones fined for non-compliance

    6. JL123456789

      Thanks

      Next in European Law. Force Facebook not to accept advertising from companies in breach of GDPR.

    7. Doctor Syntax Silver badge

      "Serious question but how are the ICO going to enforce the GDPR against a Canadian company?"

      Start by serving a notice on their bank to freeze their account. The company may or may not have assets in the UK. It's very likely their bank does. On the whole a bank is more likely to be prepared to throw a customer under the bus rather than tangle with the government of a country where it has assets and, presumably, a banking license.

  6. Notas Badoff Silver badge

    They screaming, me smiling

    "But it was still holding the data when the law came into effect, making it liable, the ICO has said."

    How many CxO's will wake up tomorrow screaming? It's a bad dream come true.

    1. Jack of Shadows Silver badge

      Re: They screaming, me smiling

      As Bruce Schneier has said: Data is a toxic asset. My question is: If you don't absolutely need it, why the fuck are you hanging on to it!?

      1. Pascal Monett Silver badge

        Because you might discover a need for it in the future.

        It's a compulsion thing.

      2. Anonymous Coward

        Re: They screaming, me smiling

        "Data is a toxic asset."

        ... you never know when it might be useful in future. Eg all those landing cards for West Indian migrants destroyed at a time when they had no real relevance but, due to subsequent requirements to prove residency became rather more important.

        Also, imagine the reaction here if the ICO went to investigate potential illegal data processing and the company being investigated simply said "nothing to see here, we deleted everything as soon as we'd processed it"

        1. Doctor Syntax Silver badge

          Re: They screaming, me smiling

          ".. you never know when it might be useful in future. Eg all those landing cards for West Indian migrants"

          From the PoV of the HO trying to build a hostile environment they were indeed a toxic asset. That's why they were destroyed. They turned out to be even more toxic in their absence, hence the HO is now rudderless.

  7. Walter Bishop Silver badge
    IT Angle

    So this is punishment for supporting Brexit

    the European Union’s General Data Protection Regulation (GDPR) .. will be enforced after a two-year transition, beginning on May 25, 2018

    The report [PDF] title refers to the Cambridge Analytica scandal where the shady data company gathered information on millions of people by using a feature on social media giant Facebook where a company could suck in information on the friends of people who downloaded a particular app – in this case, a "survey."

    What was the name of the app, how was it loaded onto the client machines, what were the terms of the click-through agreement? Doesn't the Facebook EULA say they own all your data anyway?

    That information was then used in a series of controversial political campaigns including the vote to remove the UK from the European Union (Brexit) and the election of Donald Trump as US president.

    I hadn't realized that people voting in their own leaders could now be deemed controversial. The Brexit campaign was never controversial, the Conservative government of the day implemented a referendum at which the people of UK voted out of the EU superstate. A referendum the Conservatives had repeatedly promised to implement, if elected into office.

    Same with the election of Trump, the people decided. Unless we're in a late stage democracy where the real decisions are made by trans-national corporation. If so then as someone once said Goldman-Sachs rules the world.

    The ICO notice accuses AggregateIQ of violating Articles 5, 6 and 14 of the GDPR rules because

    Brexit took place on June 23 2016 and GDPR became legally enforceable May 25 2018. I thought GDPR was about protecting people's personal data and not to be used as a political weapon. Besides anyone who thinks their personal data is private on Facebook is deluding themselves.

    1. Mark 65 Silver badge

      Re: So this is punishment for supporting Brexit

      Brexit took place on June 23 2016 and GDPR became legally enforceable May 25 2018.

      You didn't read the bit about them still retaining the data post GDPR implementation did you Walter?

      Is it just me or does GDPR sound like a German state security service?

      1. Walter Bishop Silver badge
        Big Brother

        Re: So this is punishment for supporting Brexit

        @Mark 65: ‘You didn't read the bit about them still retaining the data post GDPR implementation did you Walter?’

        TLDR .. I was hoping you would do the reading for me and provide a link to the relevant bits:

        Investigation into the use of data analytics in political campaigns:

        “In summary, the app accessed up to approximately 320,000 Facebook users to take a detailed personality test that required them to log into their Facebook account. In addition to the data collected directly from the personality test itself, the app utilised the Facebook Login in order to request permission from the app user to access certain data from their Facebook accounts.” page 19 para 03

        To summarize, Facebook owns your data and by clicking on the GSR App 'personality test' license you grant AggregateIQ access to that data. Besides, political parties and the advertisers have been using such personal data for targeted campaigns for a long time and will continue to do so on into the future. Your storecard keeps track of what you buy which they aggregate and sell on. The only controversial thing about the whole affair is, why people are so nonchalant about handing over their personal data to so-called social media platforms. And finally, the term Facebook 'privacy settings' are a bit like a unicorn as in people can believe they saw one, but in fact they don't actually exist.

        1. Anonymous Coward

          Re: So this is punishment for supporting Brexit

          Bollocks. Facebook don't own that data. That's not how "clickthroughs" work -- fortunately, they are not some corporate silver bullet against the law.

      2. dajames Silver badge

        Re: So this is punishment for supporting Brexit

        Is it just me or does GDPR sound like a German state security service?

        Nah ... stands for German Democratic People's Republic, dunnit?

        Isn't that what the old East (or was it West) Germany was (nearly) called?

        1. DropBear Silver badge

          Re: So this is punishment for supporting Brexit

          Close enough, although DDR comes from Double Data Rate (RAM) Dance Dance Revolution ...dammit brain, stop this at once... Deutsche Demokratische Republik.

    2. Anonymous Coward

      Re: So this is punishment for supporting Brexit

      Both the Trump and Brexit campaigns mentioned used tricks, underhand tactics, which were in some cases illegal.

      But you know this.

      Don't act as if they were honest democratic processes - the opposite is true.

      Your trumpite/brexiter typical paranoia shows in your post title, by the way.


Biting the hand that feeds IT © 1998–2019