A controversial Canadian data analytics firm that helped Vote Leave target voters during the EU referendum could be facing the first ever GDPR fine to be issued by the UK data protection regulator.
AggregateIQ (AIQ) processed voters’ personal data, including names and email addresses, for the Vote Leave, BeLeave, Veterans for Britain and DUP Vote to Leave campaigns, according to the Information Commissioner’s Office (ICO).
An enforcement notice claimed that the firm had failed to comply with articles 5 and 6 of the GDPR.
“This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing,” it explained.
“Furthermore the processing was incompatible with the purposes for which the data was originally collected. AIQ has also failed to comply with Article 14 of the GDPR in that it has not, to the commissioner’s knowledge, provided data subjects with the information set out in Articles 14 (1) and (2) and none of the exceptions set out in Article 14(5) apply.”
The ICO added that damage or distress could be caused for individuals because they have been “denied the opportunity of properly understanding what personal data may be processed about them,” and have not been able to exercise their rights under the GDPR.
Although the data was collected before the GDPR came into force, it was apparently retained and processed after that date.
The notice amounts more to a data protection technicality, but it will be seized on by anti-Brexit campaigners as yet another example of what they see as an illegal Leave campaign fought on lies and half-truths.
Vote Leave has already been fined and referred to the police by the Electoral Commission after it was found to have exceeded spending limits by gaining extra funding via BeLeave.
There are also links between AIQ and the infamous Cambridge Analytica, the firm which helped Donald Trump to the White House on the back of Facebook user data which was acquired by breaking developer rules at the social network. AIQ and Cambridge Analytica have both been suspended by Facebook as a result.
AIQ is reportedly appealing the ICO notice. Infosecurity has reached out to the ICO for more information.