BreachOfPrivacy
Menu
Register / Login

No account? Contact us

Decisions/Federal (Canada)/Personal Information Protection and Electronic Documents Act/PIPEDA Findings #2019-004: Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia
Federal (Canada)Office of the Privacy Commissioner of CanadaPersonal Information Protection and Electronic Documents ActPIPEDA Findings #2019-004Well-founded & conditionally resolved
Flag of Canada

PIPEDA Findings #2019-004: Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia

Organization: AggregateIQ Data Services Ltd. (AIQ)
Decision: Nov 26, 2019Published: Nov 26, 2019
Official Decision ↗BookmarkView Governing Law
Plain-Language Summary

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

Key Issues
  • AIQ's collection, use, and disclosure of personal information for political campaigns.
  • AIQ's compliance with consent requirements for personal information.
  • AIQ's implementation of reasonable security measures to protect personal information.
  • Cross-jurisdictional data handling and privacy obligations.
Outcome

Complaint well-founded and conditionally resolved.

Reasoning

The investigation found that AIQ contravened PIPEDA and PIPA by failing to ensure adequate consent for its data handling practices and by not implementing reasonable security measures to protect personal information. AIQ has committed to implementing the recommendations made by the OPC and the IPC BC, leading to a conditionally resolved outcome.

AI-generated summary for reference only. Always verify against the official decision ↗

Decision Notes
Recommended action / remedy

AIQ was recommended to take reasonable measures to ensure that the consent on which it relies is compliant with PIPA and PIPEDA, including reviewing consent language and ensuring express consent for sensitive information. AIQ was also required to maintain reasonable security measures and delete personal information no longer needed.

Statutory provisions cited
  • s. 34 of PIPA
  • Principle 4.7 of Schedule 1 of PIPEDA
  • Principle 4.7.1 of Schedule 1 of PIPEDA
  • Principle 4.3 of Schedule 1 of PIPEDA
  • s. 6 of PIPA
  • s. 6.1 of PIPA
  • s. 12(2) of PIPA
  • s. 15(2) of PIPA
  • s. 18(2) of PIPA
  • s. 35 of PIPA
  • Principle 4.5 of Schedule 1 of PIPEDA
  • s. 11(2) of PIPEDA
  • s. 36(1)(a) of PIPA

This summary is informational only and not legal advice.