Should marketers be worried by the latest OPC decision?

Canadians would likely find it difficult to argue with the outcome of a recent Report of Findings issued by the Office of the Privacy Commissioner of Canada (OPC) involving the repurposing of public profile information of Facebook users by a New Zealand company. However, one aspect of the case may have implications that will concern companies that use publicly available social media profile information for sales, marketing and advertising.

Company obtains social media profile information

The OPC alleged that a New Zealand-based company had taken public information from the profiles of Facebook users to populate the company’s own social network platform. The OPC alleged that the company’s purpose for collecting the Facebook public profile information may have originally been to develop advanced search capability for Facebook users. However, at some point, this purpose changed. The company began developing its own social network using the information that it took from public profiles of Facebook users without the knowledge of those individuals.

Use for a parallel social media account was not appropriate

The OPC found that the company’s activities failed the “appropriate purpose” test under the Personal Information Protection and Electronic Documents Act (PIPEDA). The “appropriate purpose” test is found in section 5(3) of PIPEDA. It states that:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The OPC concluded that the development of a parallel social network profile without the involvement of the individual about whom that information related failed the test of appropriateness.

[…] we are of the view that the creation and display of this static replicate of an individual’s Facebook page for the purpose of developing and populating the respondent’s website, which persists outside the individual’s control, and which is not changed or updated or deleted as the individual intends it to be, is not a purpose that a reasonable person would consider to be appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA.

OPC finds public information was not really publicly available information

Although the OPC’s finding that the collection and use of the personal information failed the “appropriate purposes” test was dispositive, the OPC went further. The OPC decided that an individual’s publicly available profile information on Facebook was not actually “publicly available information” within the meaning of PIPEDA.

It is unclear why the OPC thought it needed to address this issue. However, the OPC’s discussion and conclusions are consistent with its ongoing policy objectives of strengthening the consent requirement under PIPEDA (further limiting the use of information for sales, marketing and advertising) and attempting to develop a “right to be forgotten” (if consent is required, the individual can also withdraw consent).

One of the exceptions to the requirement for consent to the collection and use of information is that the information is “publicly available information” as specified in the Regulations to PIPEDA. Section 1(e) of the Regulations Specifying Publicly Available Information states that publicly available information includes:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

The OPC interpreted “publication” narrowly. The OPC asserted that a social media profile is not published within the meaning of paragraph 1(e) of the Regulations. The OPC did so without relying on any judicial authority for such a narrow interpretation of the word “publication”.

The OPC’s argument rested on the following propositions.

  • Paragraph 1(e) of the Regulations requires the inference of consent by the individual to making it public. However, the information was created at a time when profiles were indexed by search engines by default. Individuals may not have realized the consequences of leaving the information public.
  • The intention of the individuals could not be inferred. Individuals may have posted the information for the purposes of being contacted by friends and not to disseminate the information to the public at large.
  • The profiles are dynamic and the information might no longer be public.

These arguments are not convincing. A publication does not lose its character of being a publication merely because it can change. Paragraph 1(e) of the Regulations requires that the person “provide” the information. It says nothing about the individual’s ongoing intentions. Finally, the Regulations do not require that the individual consent to the types of future uses that could be made of the information. The test is simply voluntariness in the sense that the individual volunteered the information that is in the publication.

The OPC’s conclusions in this case have very significant implications for sales, marketing and advertising. These implications must have been known to the OPC. The OPC should clarify through additional guidance how organizations should apply the principles in this decision to sales, marketing and advertising activities that rely on public social media profile information.

Read PIPEDA Report of Findings #2018-002 here.

De-identified information is still particular

On Friday, July 13, the Supreme Court of Canada had occasion to consider whether the personal health information of residents of British Columbia should be disclosed to tobacco companies in a fight over whether those companies are responsible for reimbursing B.C. for healthcare treatments for smoking-related diseases. Anyone expecting the court to lay out a policy framework for balancing privacy rights and trial fairness was disappointed. The court treated the issue as a fairly dry (but still fascinating) exercise of statutory interpretation.

What was at stake

Like many other provinces, British Columbia has been in a battle with tobacco companies to recover costs relating to diseases caused or contributed to by smoking and second-hand exposure to tobacco products.

In the case of British Columbia, the province stacked the deck in its favour in the litigation in two important ways using the Tobacco Damages and Health Care Costs Recovery Act. First, the province is permitted to sue to recover the health care costs of individuals on an aggregate basis instead of in respect of each affected individual. Second, the province protected itself from having to disclose individual health records.

To calculate its damages, the province had created databases containing coded health care information of affected individuals. The province was going to use this information to prove that the tobacco companies were liable and to prove the amount of the claim. Naturally, tobacco companies wanted access to the data. Philip Morris brought a motion to compel production and said that trial fairness required disclosure.

Particular vs. Identifiable

The problem with Philip Morris’ position was that s. 2(5)(b) of the Act stated that “the health care records and documents of particular individual insured persons or the documents relating to the provision of health care benefits for particular individual insured persons are not compellable”.

Philip Morris said that once the information was de-identified, it was no longer covered by s. 2(5)(b). It was no longer about a particular individual. Philip Morris won two times but lost when it counted – in the Supreme Court of Canada.

The Supreme Court focused on the meaning of the word “particular” in different places in the Act. The court concluded that treating the word “particular” as meaning “identifiable” rendered some of the provisions of the legislation absurd or superfluous. The word particular meant “distinct” or “specific”. Even if the information was no longer about an identifiable individual, it was still about a “distinct” or “specific” individual.

The BC Privacy Commissioner commented:

“I am pleased the Supreme Court has held that the province of BC will not be compelled to provide the personal health records of millions of British Columbians to Phillip Morris.” — Privacy Commissioner Michael McEvoy

I’m not sure that there is that much to cheer about for privacy advocates. The court’s distinction here has within it a central problem facing privacy lawyers today. We often worry about the possibility of re-identification and argue that even de-identified data may still be about an “identifiable” individual because it could be combined with other information. That position requires reading some words into the definition of “personal information” in privacy statutes that are not there. So far, the courts have acceded to this interpretation but it is possible that they could reverse course unless legislatures clarify what they mean.

Trial Fairness

As for the argument that this was unfair, the court said it was premature.

In any event, the concern of “trial fairness” is, at best, premature. Data might be produced if it were relied on by an expert witness at trial. Also, the court could order the production of a “statistically meaningful sample” of the records in the database.

So, the cheers of the Privacy Commissioner may also be premature. It is unknown how big a sample of records will constitute a “statistically meaningful sample”.

Read the Supreme Court Decision here.

Find the BC Privacy Commissioner Press Release here.

Does the OPC really need a massive increase in funding?

In a recent letter to the Standing Committee on Access to Information, Privacy and Ethics, Daniel Therrien, the Privacy Commissioner of Canada, suggested that a 90% increase in funding for the Office of the Privacy Commissioner (OPC) was required to have a “true impact in protecting Canadians’ privacy rights”.

OPC receives $25 million already

The OPC’s current funding is approximately $25 million per year. The Commissioner considered a $23 million increase to be “realistic”. However, the Commissioner added that it had only sought a more “modest” $8 million increase, which represented a 30% increase to permanent funding. The Commissioner cited “rapidly evolving privacy threats” for the budgetary increases and noted that a 90% increase in funding would be in line with increases to the UK Information Commissioner’s Office.

What a 90% increase buys

The Commissioner argues that a 30% increase would allow for a “limited number of proactive promotion and compliance activities”. The backlog of existing complaints would be “reduced” but not eliminated.

However, with a 90% increase, the Commissioner says that the OPC could provide more advisory services to businesses than it does at present. The increase in funding would also be used to engage in “targeted advertising to bring individuals to our site when they are about to make a decision on whether to disclose their personal information.” Backlogs could be reduced and more proactive activities could be undertaken.

Is a 90% increase necessary?

One of the justifications for a 90% increase is the desire to provide more advisory services. However, the OPC has not demonstrated that it has explored available options to work with stakeholders when developing guidance. The Personal Information Protection and Electronic Documents Act (PIPEDA) was born out of a voluntary industry code. Quite literally, the main substantive protections in PIPEDA are in Schedule 1 to the legislation, which was that industry code. Arguably, PIPEDA has stood the test of time precisely because the provisions of Schedule 1 were developed by industry stakeholders with an understanding of the operational impacts of the provisions they were drafting.

The OPC could take a lesson from that success. The OPC could increase the use of working groups of stakeholders to draft guidance on important topics. This shared responsibility model would have the benefit of developing industry and consumer group buy-in. It would also shift the expense of developing that advisory guidance to stakeholders. It would be more likely to produce guidance that is relevant and attuned to operational realities.

The OPC also wants money for advertising. In particular, the OPC wants to “use contextual advertising to bring individuals to [the OPC’s] site when they are about to make a decision on whether to disclose their personal information”. There is a certain irony in the OPC wanting to engage in targeted online advertising of individuals when the OPC has been so hostile to the interest-based advertising industry.

The fact that the OPC feels the need to engage in this type of advertising is an indictment of its resistance to developing model privacy notices. The OPC missed an opportunity during the consultations on consent to modernize and standardize how disclosures are made.

The OPC could have identified types and uses of data that a reasonable person would expect when engaging in online activities. Disclosures regarding these uses could have been done in a short-form manner and only those uses falling outside of these categories would need to be highlighted.

In exchange for using the short-form disclosure, the organization could have been required to link back to educational material at the OPC website. While large, international organizations may not have adopted this approach due to potential operational complexities, this would have solved a problem for numerous small and medium-sized enterprises.

No, the OPC does not need a 90% increase in funding. It needs to work more creatively with industry.

Check out Commissioner Therrien’s letter here.

Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or as a result of a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a complaint about the organization’s breach reporting.

See the Order in Council here.

Trains, Voice and Video Recorders, and PIPEDA

In a late move, the Office of the Privacy Commissioner of Canada has raised concerns with the privacy exceptions in Bill C-49 regarding the use of locomotive voice and video recorders (LVVRs). The exceptions would diminish the protections of railway engineers under the Personal Information Protection and Electronic Documents Act, according to Commissioner Therrien. The Bill has already passed third reading before the House of Commons. When asked by the Senate Committee studying the Bill whether the OPC had raised the concerns before the House of Commons, Commissioner Therrien frankly admitted that the OPC had missed the significance of the amendments until they saw the debates in Parliament.

The LVVR Initiative

In 2015, the Transportation Safety Board of Canada (TSB) conducted a study on the potential use of LVVRs. The study was conducted in the wake of several high-profile railroad accidents in Canada. The TSB ultimately concluded that LVVR technology would enhance rail safety if implemented.

The Government of Canada included the mandatory use of LVVR in Bill C-49, which promises to modernize aspects of Canada’s legislation governing rail, air and marine transportation. Unions have raised concerns regarding the privacy implications of the LVVR technology. Apart from the general objection to the constant surveillance that employees would be under in the locomotive, unions have objected to employers having access to LVVR recordings. Unions fear the data could be used against employees if it could be routinely reviewed by railway companies. They argue that the data should only be available to the TSB during an incident investigation.

The OPC’s Concerns

For privacy advocates, there is another aspect of Bill C-49 that is of interest and was the subject of concerns raised by the Privacy Commissioner of Canada, Daniel Therrien, when he appeared before the Senate Committee on Transportation and Communications to discuss Bill C-49. The role of the OPC in overseeing the privacy practices of the railway companies in connection with the LVVRs will be diminished, given the way that Bill C-49 has been drafted.

It appears that the intention was to protect against the OPC scrutinizing the use of LVVR data by railway companies. To accomplish this, Bill C-49 provides explicit carve-outs from the application of the Personal Information Protection and Electronic Documents Act (PIPEDA). These carve-outs disturb the Commissioner. In particular:

  • Railway companies do not have to comply with section 7 of PIPEDA, which restricts the ability to collect, use or disclose personal information without consent
  • Railway companies do not have to comply with the principles in Schedule 1 of PIPEDA regarding the collection, use, disclosure and retention of information

The Commissioner is concerned that the OPC’s jurisdiction to investigate complaints under PIPEDA may be in doubt. Naturally, if a railway company may collect, use and disclose personal information in the LVVRs without regard to section 7 of PIPEDA and Schedule 1 of PIPEDA, it will argue that the OPC has no jurisdiction to hear complaints on these issues.

Further, the OPC is concerned that an individual may not have a right of access to the personal information in the LVVRs as would otherwise be required by PIPEDA in light of section 28 of the Canadian Transportation Accident Investigation and Safety Board Act, which restricts to whom the LVVR data could be disclosed.

Find Bill C-49 on LegisInfo here.

Read the TSB Railway Safety Issues Investigation Report R16H0002 here.

Read the transcript of Commissioner Therrien’s remarks before the Senate Committee here.

ETHI Report on PIPEDA is Coming Soon

The Standing Committee on Access to Information, Privacy and Ethics will be tabling its report sometime soon following the resumption of Parliament on Monday, February 26th. The Report title will be “Towards Privacy by Design: A Review of the Personal Information Protection and Electronic Documents Act.” The title provides a strong hint that the report will be advocating including an express obligation in PIPEDA to require organizations to adopt privacy by design and by default. If adopted, this would bring Canada’s laws one step closer to Europe’s General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Privacy by Design is a made-in-Canada concept and so it would be fitting for it to “come home”.

Read my article for the International Association of Privacy Professionals (IAPP) titled “Legislating privacy by design in Canada” here.

Learn about Privacy by Design here.

Chasing the Autonomous Vehicle – International Trade Matters

What influence will the United States have on the public policy choices available to federal and provincial governments in Canada regarding autonomous and connected vehicles? That issue was not explored in any depth in the Canadian Senate’s important report on automated and connected vehicles (released January 29, 2018). True, one of the Senate’s 16 recommendations focused on international cooperation with the United States. However, this recommendation was focused on making sure that vehicles “worked” in both countries from a technical perspective. However, this is simply table-stakes. International trade with the United States may be a critical factor in demarcating what practical options are available to Canadian regulators in important areas such as privacy and cybersecurity.

There were an estimated 263 million registered passenger vehicles in the United States in 2015. By comparison, Statistics Canada tells us that there were 24 million registered road motor vehicles in Canada in 2016. The total number of vehicles in Canada follows the general rule when comparing Canada and the United States. We have 1/10 the population. So, it won’t be surprising that we have very roughly 1/10 the number of passenger vehicles on the road.

The size of the Canadian market compared to that of the United States is an important context for determining design priorities for auto manufacturers. Another related factor is the speed with which the U.S. has moved in developing a regulatory environment. The U.S. Department of Transportation has already developed a voluntary code of safety design elements. It has also issued cybersecurity best practices. The Senate noted that 21 U.S. States and Washington D.C. have enacted automated vehicle legislation. Federal U.S. legislation is likely inevitable. Although the U.S. Department of Transportation has not taken a prescriptive approach to safety design elements, it is likely only a matter of time before it does so. Once the technology matures, the U.S. regulatory approach is to be much more prescriptive than its Canadian counterparts. As between designing for a prescriptive standard and designing for a “principled-based” standard, the prescriptive standard wins.

The Senators clearly recognized the importance of cooperation with the United States. Recommendation 3 was for Transport Canada to strengthen its work on automated and connected vehicles with the United States through the Regulatory Cooperation Council “to ensure that these vehicle will work seamlessly in both countries.” However, there are many other areas in which cooperation might be required in order to achieve public policy goals. For example, five of the Senate’s 16 recommendations related to privacy and cybersecurity:

Recommendation 6: Transport Canada to work with the Communications Security Establishment and Public Safety Canada to develop cybersecurity guidance.

Recommendation 7: Transport Canada to work with Public Safety Canada, the Communications Security Establishment and industry stakeholders to address cybersecurity issues and a real-time crisis connect network.

Recommendation 8: Strengthen the powers of the Office of the Privacy Commissioner of Canada to proactively and enforce industry compliance with the Personal Information Protection and Electronic Documents Act.

Recommendation 9: The Government of Canada to continue to assess the need for privacy regulations specific to the connected car.

Recommendation 10: Transport Canada to bring together stakeholders to develop a connected car framework, with privacy protection as one of its key drivers.

Apart from Recommendation 8, the question is whether deep “privacy-by-design” and “security-by-design” features can be embedded in automated and connected vehicles without close cooperation between Canada and the United States. This spans more than transportation regulatory authorities. It requires cooperation from multiple regulators who have responsibilities for privacy: the Federal Trade Commissioner, U.S. State Attorneys General, Canadian federal and provincial Privacy Commissioners, and many others.

Read the Senate Report: Driving Change: Technology and the future of the automated vehicle.