ICO levels first ever GDPR notice against AggregateIQ

The company has 30 days to audit its data practises, or face the maximum £17 million fine

The Information Commissioner's Office (ICO) has handed out its first GDPR enforcement notice, against Canadian company AggregateIQ (AIQ). Earlier this year, the firm was accused of profiling voters using data improperly acquired from Facebook, and has been linked to several right-wing political organisations.

AggregateIQ now has 30 days to ‘audit, assess, implement and document' its data processing practises or face the maximum fine of £17 million or four per cent of annual global turnover.

According to Cambridge Analytica (CA) whistleblower Chris Wylie, AIQ used algorithms from Facebook data held by CA to build software to target Republican voters in the 2016 US election.

The company also worked on behalf of pro-Brexit groups Vote Leave (which paid AIQ nearly £2.7 million) and BeLeave during the Brexit referendum, as well as Northern Ireland's Democratic Unionist Party and Veterans for Britain. In total, the company made around £3.5 million from its anti-EU clients.

AIQ allegedly worked to profile and target voters during the Brexit campaign. The ICO told the BBC that, although the data used to do so was gathered before the GDPR came into force on the 25th of May, it was concerned about its ‘continued retention and processing'.

The ICO's notice lists a range of compliance breaches, including processing without a lawful basis and failing to provide transparency information to the individuals whom the data referred to.

Many links have been drawn between AggregateIQ and Cambridge Analytica, although the Canadia firm continues to deny them. A statement on the home page of its website (which visitors will see before reaching any sort of interactive portion) reads:

‘AggregateIQ is a digital advertising, web and software development company based in Canada. It is and has always been 100% Canadian owned and operated. AggregateIQ has never been and is not a part of Cambridge Analytica or SCL. Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ.

‘AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity. All work AggregateIQ does for each client is kept separate from every other client.

‘AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.'

The company is appealing the ICO's decision.