The Information Commissioner’s Office is investigating the relationship between the Canadian data firm AggregateIQ, Vote Leave and a number of other leave campaigns, the body has said in a report published on Wednesday.
The investigation is one of the many started by the ICO in response to reporting by the Observer and Guardian suggesting that widespread data misuse may have occurred during the EU referendum period.
The ICO report, citing data handed over by Facebook in May, says: “AIQ created and, in some cases, placed advertisements on behalf of the DUP Vote to Leave campaign, Vote Leave, BeLeave, and Veterans for Britain.
“AIQ ran 218 ads solely on behalf of Vote Leave and directed at email addresses on Facebook. Vote Leave and BeLeave used the same data set to identify audiences and select targeting criteria for ads. However, BeLeave did not then go on to run any ads.
“Payment for all of these Facebook ads was made by AIQ, and amounted to around $2m [£1.5m] … Our regulatory concern is therefore whether, and on what basis, the two groups have shared data between themselves and others.”
The ICO is only able to investigate breaches of data protection law, but the Electoral Commission is separately investigating allegations of unlawful coordination between Vote Leave (the official pro-Brexit campaign during the EU referendum) and BeLeave.
Since AIQ is based in Canada the company has presented “jurisdictional challenges” to the ICO, the report explains.
In March 2018 AIQ had stated that it was “not subject to the jurisdiction of the ICO” and ended with a statement saying it considered its involvement in the ICO’s investigation “closed”.
But after Elizabeth Denham, the information commissioner – who is Canadian – gave evidence to the Canadian parliament about the lack of cooperation, AIQ changed its tone.
The involvement of AIQ could also pose trouble for Vote Leave, since it may represent an unlawful transfer of personal data outside the UK and unfair processing of that data, the ICO’s report says.
The ICO is seeking information from the former head of Vote Leave, Dominic Cummings, which it believes “is of relevance to the investigation”. An information notice was served on the organisation last month.
The investigation is just one of a number confirmed by the ICO in its interim report, ahead of the publication of the full findings in October.
The regulator is also following other Guardian and Observer reports from the past two years, launching investigations to examine:
Potential sharing of data between Leave.EU, the Leave campaign run by Arron Banks, and Banks’ own insurance firm, Eldon Insurance, as well as whether or not Eldon data was sent to the US.
The extent to which Cambridge Analytica worked with Leave.EU during and before the EU referendum.
The relationship between AIQ and Cambridge Analytica and its parent company, SCL.
Although many of the investigations are still in their early stages the ICO has already uncovered previously unreported evidence in some cases.
The report says that AggregateIQ “consistently denies having any relationship with SCL closer than software developer and client”. However, the ICO says it has uncovered some evidence of a financial relationship between SCL Elections (which owns the SCL Group) and AIQ in relation to an advertising account.
According to the ICO, SCL paid AIQ for ad accounts at least twice, and SCL Elections was listed as a main contact for one of the AIQ Facebook accounts. The email address of that contact belonged to an SCL employee involved in the two payments.
The investigations are in addition to the ICO’s headline decision that it intends to fine Facebook £500,000 for breaching data protection law in its work with the Cambridge University researcher Aleksandr Kogan. Facebook has the opportunity to provide further information to the ICO on those issues, which the ICO will take into account before making a final decision about the levy.
The ICO’s investigations go further than just use of personal data among various leave campaigns.
The body has also opened an investigation into the official remain campaign and its involvement with a data broker, “looking at inadequate third-party consent and the fair processing statements used to collect personal data”. Last month the ICO served an information notice against Open Britain, the successor organisation to the remain campaign.
The investigation has also drawn in every UK political party with MPs in the Commons, and the data brokers who serve them.
All parties voluntarily cooperated with the ICO, except Ukip, which appealed to the information tribunal. The appeal was dismissed, holding that Ukip’s response was “brief, inadequate and in some instances possibly inaccurate”.
One concern was that political parties had purchased data from brokers, and used it for election purposes, the ICO says.
The first data brokerthat the ICO says it intends to take regulatory action against is Emma’s Diary, which specialises in gathering data about new mothers. According to the notice of intent filed by the ICO, the company sold a dataset to Experian, under an agreement that listed the Labour party as a client, that included more than a million records about parents, including their address, number of children, and birth dates of both parent and child. The privacy policy under which the data was gathered made no mention of it being used for political purposes.
