Should marketers be worried by the latest OPC decision?

Canadians would likely find it difficult to argue with the outcome of a recent Report of Findings issued by the Office of the Privacy Commissioner of Canada (OPC) involving the repurposing of public profile information of Facebook users by a New Zealand company. However, one aspect of the case may have implications that will concern companies that use publicly available social media profile information for sales, marketing and advertising.

Company obtains social media profile information

The OPC alleged that a New Zealand based company had taken public information from the profiles of Facebook users to populate the company’s own social network platform. The OPC alleged that the company’s purpose for collecting the Facebook public profile information may have originally been to develop advanced search capability for Facebook users. However, at some point, this purpose changed. The company began developing its own social network using the information that it took from public profiles of Facebook users without the knowledge of those individuals.

Use for a parallel social media account was not appropriate

The OPC found that the company’s activities failed the “appropriate purpose” test under the Personal Information Protection and Electronic Documents Act (PIPEDA). The “appropriate purpose” test is found in section 5(3) of PIPEDA. It states that:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The OPC concluded that the development of a parallel social network profile without the involvement of the individual about whom that information related failed the test of appropriateness.

[…] we are of the view that the creation and display of this static replicate of an individual’s Facebook page for the purpose of developing and populating the respondent’s website, which persists outside the individual’s control, and which is not changed or updated or deleted as the individual intends it to be, is not a purpose that a reasonable person would consider to be appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA.

OPC finds public information was not really publicly available information

Although the OPC’s finding that the collection and use of the personal information failed the “appropriate purposes” test was dispositive, the OPC went further. The OPC decided that an individual’s publicly available profile information on Facebook was not actually “publicly available information” within the meaning of PIPEDA.

It is unclear why the OPC thought it needed to address this issue. However, the OPC’s discussion and conclusions are consistent with its ongoing policy objectives of strengthening the consent requirement under PIPEDA (further limiting the use of information for sales, marketing and advertising) and attempting to develop a “right to be forgotten” (if consent is required, the individual can also withdraw consent).

One of the exceptions to the requirement for consent to the collection and use of information is that the information is “publicly available information” as specified in the Regulations to PIPEDA. Section 1(e) of the Regulations Specifying Publicly Available Information states that publicly available information includes:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

The OPC interpreted “publication” narrowly. The OPC asserted that a social media profile is not published within the meaning of paragraph 1(e) of the Regulations. The OPC did so without relying on any judicial authority for such a narrow interpretation of the word “publication”.

The OPC’s argument rested on the following propositions.

  • Paragraph 1(e) of the Regulations requires the inference of consent by the individual to making it public. However, the information was created at a time when profiles were indexed by search engines by default. Individuals may not have realized the consequences of leaving the information public.
  • The intention of the individuals could not be inferred. Individuals may have posted the information for the purposes of being contacted by friends and not to disseminate the information to the public at large.
  • The profiles are dynamic and the information might no longer be public.

These arguments are not convincing. A publication does not lose its character of being a publication merely because it can change. Paragraph 1(e) of the Regulations requires that the person “provide” the information. It says nothing about the individual’s ongoing intentions. Finally, the Regulations do not require that the individual consent to the types of future uses that could be made of the information. The test is simply voluntariness in the sense that the individual volunteered the information that is in the publication.

The OPC’s conclusions in this case have very significant implications for sales, marketing and advertising. These implications must have been known to the OPC. The OPC should clarify through additional guidance how organizations should apply the principles in this decision to sales, marketing and advertising activities that rely on public social media profile information.

Read PIPEDA Report of Findings #2018-002 here.

Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or security safeguards or as a result of a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a compliant about the organization’s breach reporting.

See the Order in Council here.

ETHI Report on PIPEDA is Coming Soon

The Standing Committee on Access to Information, Privacy and Ethics will be tabling its report sometime soon following the resumption of Parliament on Monday, February 26th. The Report title will be “Towards Privacy by Design: A Review of the Personal Information Protection and Electronic Documents Act.” The title provides a strong hint that the report will be advocating including an express obligation in PIPEDA to require organizations to adopt privacy by design and by default. If adopted, this would bring Canada’s laws one step closer to Europe’s General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Privacy by Design is a made-in-Canada concept and so it would be fitting for it to “come home”.

Read my article for the International Association of Privacy Professionals (IAPP) titled “Legislating privacy by design in Canadahere.

Learn about Privacy by Design here.

Consent and the Connected Car – Is this the right choice?

Recently, Daniel Therrien, the Privacy Commissioner of Canada, made a written submission to the Standing Senate Committee on Transport and Communications on the privacy issues relating to connected vehicles. This submission supplemented the Commissioner’s oral remarks to the Committee on March 28, 2017.

The Commissioner’s written submission follows the release of the Office of the Privacy Commissioner’s draft guidelines on consent. Unsurprisingly, the Commissioner focused on the role of consent in protecting the privacy interests of consumers. The Commissioner allowed that “there may be some collections, uses or disclosures in which it might be inappropriate for the driver to control how the information is used.” The Commissioner cited the situation of  the use or disclosure of data is “necessary” for road safety as an example. However, overall, the Commissioner’s emphasis is on consent and meaningful user choice.

The Commissioner’s room to manoeuvre is constrained by the requirements of the governing legislation that the Commissioner must enforce — the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires meaningful, informed consent for the collection, use and disclosure of personal information. The Commissioner’s emphasis on consent is understandable. pexels-photo-409701.jpeg

However, if we think beyond PIPEDA, would we really design a consent-based model for the features of a connected car? Would this be the right way to balance the interests of vehicle manufacturers, vehicle owners/lessees, rental car companies, passengers, insurers, law enforcement, urban planners, cyclists, pedestrians, and others stakeholders? Given the stakeholders and the context — driving is a licensed activity — is this an area where there might be more room to apply a broader set of policy considerations instead of focusing on consumer choice? Should the focus really be on notice and consent?

A multi-faceted approach would acknowledge that certain interests may take priority over consumer choice when engaging in a licenced activity. For example, manufacturers and Transport Canada have a legitimate interest in detecting vehicle flaws that could endanger passengers and others. Manufacturers and environmental protection agencies also have a legitimate interest in continual improvement of the longevity and energy efficiency of vehicles. Moreover, city planners and transportation managers have legitimate interests in affecting traffic flows in real time and understanding driving behaviour with greater precision using larger data sets. Do these interests rise to the level of “necessity” as the Commissioner would suggest might be required in order to jettison a notice and consent model? Should they have to?

There are also other means to regulate uses of information in order to mitigate harms to individuals without focusing on consumer choice. Manufacturers and others could be encouraged to implement privacy enhancing features by eliminating the need for consent when the collection, use and disclosure of information falls within a socially acceptable zone that involves few risks. Using technology to limit harm could be supplemented with targeted regulatory protections that do not prohibit the collection of data but rather discriminatory or other harmful uses of the data. Long before we had statutory privacy laws in most of the country, we had human rights legislation prohibiting certain harmful, discriminatory uses of personal information.

Just a thought.

Click to read the Commissioner’s Submission to the Standing Committee.

Click to read the draft Guidelines on Consent.

Guide to PIPEDA 2018

The 2018 Edition of the Guide to the Personal Information Protection and Electronic Documents Act is available.

New Edition

You can find it at the LexisNexis Online Store. The new edition contains information on cases up to the last quarter of 2017. The edition includes discussion of:

  • – the privacy breach regulations
  • – the Supreme Court of Canada’s decision on implied consent
  • – how PIPEDA compares with the GDPR
  • – how to address international data transfers

It could have been worse – Canada’s Breach Regulations

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguard Regulations. These Regulations fill in some missing elements of Canada’s federal data breach law that was enacted as part of the Digital Privacy Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

For the most part, ISED came through with manageable requirements for organizations. Here’s my take on the good stuff:

  • The Regulations track the Alberta requirements. For the most part ISED has followed the Alberta requirements for the content of the regulatory reports and for individual notifications.
  • Organizations don’t need to speculate in writing about the “risk of harm” to individuals. The Alberta law that requires organizations to report to the Alberta Office of the Information and Privacy Commissioner (OIPC) whenever a “reasonable person” would consider there to be a “real risk of significant harm” from the loss of or unauthorized access to personal information. The OIPC then decides whether the organization must notify individuals by second guessing the organization’s real risk of significant harm analysis. This is a quirky feature of the Alberta law. Thankfully, that same quirk wasn’t carried over into PIPEDA. Perhaps as a result, the federal Regulations do not require organizations to engage in this speculative analysis in their reports to the OPC. Yay!
  • The Regulations contain some consumer-friendly enhancements to the individual notification requirements. Organizations must include a toll-free number or email address to ask questions about the incident. In addition, organizations must tell individuals about the organization’s internal complaints process and the right of affected individuals to complain to the OPC.
  • The Regulations provide for flexibility in terms of how organizations may notify affected individuals – email or other secure electronic methods (provided the individual has consented) or traditional means such as by a letter to the last known address, by phone or in person are all permitted. The Regulations also provide that indirect notification through posting on the organization’s website (conspicuously) for 90 days or more or by publishing advertisements that are likely to come to the attention of the individual are acceptable in some circumstances. Those circumstances include where the cost of direct notification would be prohibitive,  the organization doesn’t have current contact information, or direct notification could cause harm to the individual.
  • The record-keeping requirements are much less onerous than feared. Organizations are required to keep a record of every loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards. On its plain reading, this does not mean a record of every suspected or possible loss or unauthorized access or unauthorized disclosure. In terms of the content of the records, ISED has left that to the organization to decide provided that the records contain sufficient information for the OPC to assess whether the organization is meeting its obligations under the data breach provisions of PIPEDA. Records must be kept only for 2 years.

There is one area of major disappointment. ISED had an opportunity to short-circuit the long-running feud between the Canadian Commissioners who see the ghost of significant harm everywhere and organizations trying to apply the test of “real risk of significant harm” in a sensible way. The ISED could have decided, for example, that the unauthorized access to properly encrypted data did not create a real risk of significant harm. Frankly, the loss of a credit card number that has been reported to the card issuers hardly constitutes a risk of harm (once reported). Alas, the feud will continue unless the Commissioners take a more realistic approach.

The draft Regulations are subject to change, so check the final version! Read the draft here. There is a 30 day comment period. After that, ISED can either publish amended regulations or register the final version and specify a date on which they will come into force.

Advertising to Children, Invite-a-Friend, and the State of Consent – Friday Files

Looking for some weekend reading to catch up on developments? Here are three noteworthy developments and blog posts to consider.

  • Marketing to Children? The U.S. Federal Trade Commission has released a welcome guide to complying with the U.S. Children’s Online Privacy Protection Act (COPPA). In Canada, the Office of the Privacy Commissioner has set a high threshold for consent when collecting and using personal information of children under 13 years of age. Although the OPC has not issued similar detailed guidance, marketers will find the FTC’s guidelines to be useful in planning a Canadian strategy as well. These guidelines will not help marketers address Quebec’s unique rules that generally prohibit marketing to children under 13. Find the FTC COPPA Guidance here.
  • Invite-a-Friend Campaigns? Law 360 reports on the outcome of the Poshmark litigation in which the plaintiffs alleged violations of the Telephone Consumer Protection Act (TCPA). The issue was whether the Poshmark App’s “Find People” feature violated the TCPA as an unsolicited invitational text message. When a user of the app used this function, a text message would be sent on behalf of the user to all contacts in the individual’s address book. Poshmark was successful in dismissing the case on the basis that it was not the initiator of the message. Marketers seeking to use this strategy in Canada should exercise caution. Canada’s Anti-Spam Legislation operates differently and might not result in the same outcome without additional steps and due diligence. Read the Law 360 report here.
  • What do Canadians think of Consent? The Office of the Privacy Commissioner of Canada is engaged in a broad consultation on the state of “consent” as a means for individuals to exercise control over their personal information. The news hasn’t been good. Canadians want to be asked for consent but don’t feel they have the information and tools to provide meaningful consent. The OPC commissioned a focus group to gather qualitative information from Canadians on their perceptions. The report prepared for the OPC can be found on the OPC’s website here.