Lyndsay Wasser of Canadian law firm McMillan and Kim Walker of UK law firm Shakespeare Martineau discuss the recent decision by the Privacy Commissioners in Canada that Canadian data analytics company AggregateIQ used voter personal data to target political advertising in breach of Canadian federal and provincial data protection laws. The UK's Information Commissioner's Office (ICO) ruled in 2018 that AggregateIQ failed to comply with the GDPR in several respects when it provided data analytics services to political parties during the UK's EU referendum in 2016. The decisions are evidence of global privacy regulators' continuing concern about the way in which personal information can be used for voter manipulation.
Lyndsay discusses the Commissioners' clarification of the requirement for service providers to ensure that customers who provide personal data for them to process have received consents from individuals as required by Canadian law and the steps that they are required to take in order to verify that adequate consents have in fact been obtained. Kim discusses the different approach taken by the ICO under the GDPR where consent is only one of several lawful bases for processing data and discusses the ICO's particular focus on AggregateIQ's failure to process the data fairly and transparently, so the individuals had no knowledge or expectation of how their data would be used.
Lyndsay and Kim then draw conclusions from the two decisions and propose practical steps for businesses to take, particularly those involved in digital marketing and the adtech industry.