Privacy Commissioner Says Public Profiles Are Private

  • October 22, 2018
  • Imran Ahmad, Katherine Barbacki, and Alexia Magneron

On June 12, 2018, the Office of the Privacy Commissioner (OPC)[1] released its report[2] into Profile Technology Ltd.’s (Profile Technology) use of “publicly available” Facebook profiles. The OPC concluded that Profile Technology had not obtained the necessary consents from individuals whose Facebook profiles it was collecting for the purposes of establishing its own social networking website. The case is an important one since it sheds light on what limits may be imposed by Canadian privacy regulators on the use of personal information that may be available to the public from time to time on social networking platforms.

Background

Profile Technology, a New Zealand-based company, had been retained by Facebook in 2007 to provide advanced search functions for its site. Specifically, it indexed the public parts of users’ profiles – in a manner that is similar to how Google and other search engines index information on the internet more broadly. To this end, Profile Technology claimed that it was provided unlimited access by Facebook to information that its users had consented to make public and accessible to search engines.

Profile Technology subsequently used the information that it had collected from Facebook to build its own social networking site, never seeking the consent – implied or express – of the users whose profiles were being migrated and incorporated into its site.

Subsequently, five Canadian individuals filed complaints with the OPC, alleging that Profile Technology had collected and used their personal information without their knowledge and consent. These complainants explained: (i) in certain circumstances, they were unable to have their personal information removed from the website; (ii) the personal information used by Profile Technology was not accurate; and (iii) Profile Technology had inadequate procedures in place to receive and respond to complaints and inquiries about its policies and practices relating to the handling of personal information.

Findings

Profile Technology Did Not Have Users’ Consent

The Canadian complainants indicated to the OPC that they learned that their information appeared on Profile Technology’s website after they conducted internet searches for their own names.

The complainants pointed out in their claims that Profile Technology never sought their consent for the collection and use of their personal information. Interestingly, Profile Technology argued that such information was “publicly available” and that it was not required to obtain the consent of the users. Further, Profile Technology claimed that Facebook was responsible for obtaining permission to make the information public and available to search engines. It relied on Facebook’s privacy policies from 2009 and 2010 and Facebook’s blog post from 2007 to assert that notice had been given to users that their public information may be found by external search engines.

More specifically, Profile Technology claimed that publicly accessible Facebook profiles should be considered a “publication” under PIPEDA’s Regulations Specifying Publicly Available Information[3] (the “Regulations”). Subsection 1(e) of the Regulations refers to “personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.” Profile Technology submitted that a person who places information on their Facebook profile “publishes” the information, making Facebook profile information a “publication” for the purposes of the Regulations.

The OPC flatly rejected Profile Technology’s assertion that profile information is “publicly available,” such that it is exempt from the requirement to obtain consent. Even if the OPC accepted that Profile Technology had Facebook users’ consent for its original collection of profile information for the purposes of offering search engine services, it did not have consent to subsequently use that information for purposes of creating and populating its own social networking website.[4]

Not All Public Information is “Publicly Available”

The OPC noted that PIPEDA recognizes that not all information in the public domain will be considered “publicly available”. In this regard, there is an acknowledgment that information that may be in the public domain is still worthy of privacy protection. Treating a Facebook profile as a publication would be counter to the intention of PIPEDA, undermining the control users otherwise maintain over their information at source.

The OPC concluded that the personal information at issue was not publicly available within the meaning of PIPEDA.[5] As such, the respondent was required to ensure individuals’ consent for its use of their personal information copied from Facebook and posted on its website.

OPC Recommendations

The OPC recommended that, among other things, Profile Technology remove from its website and delete from its records all individual profiles and groups associated with any Canadian (or Canadians), including those associated with the complainants. Profile Technology did proceed with the bulk deletion of Canadian data.

Prior to issuance of the OPC report, Profile Technology had removed the profiles from its website. As of April 1, 2018, the website simply consisted of a notice page titled “Profile Engine has now been donated to the Internet Archive (31st March 2018).” On April 9, 2018, the OPC observed that the files were becoming increasingly difficult to find via search engines (which had presumably de-indexed the links to the torrent files[6]) but the OPC was still able to find the torrents on the dark web.

Key Takeaways

The OPC’s decision in the Profile Technology case is important given that an increasing number of individuals regularly share their personal information with multiple social networking websites. As these websites become increasingly sophisticated and use third-party vendors to get insights about their users (e.g., through the use of analytics), they provide vendors access to their users’ personal information. Implied consent in lengthy privacy policies that very few users read and understand is not sufficient from a Canadian privacy standpoint, as stated by the OPC in its recently released Guidelines for Obtaining Meaningful Consent.[7] Accordingly, to the extent that a vendor is relying on the consent obtained by the entity collecting the personal information in the first instance, it should ensure that it has taken necessary steps to demonstrate – e.g., through contractual language – that the requisite consents were obtained for the purposes contemplated by the vendor.

Another key takeaway is that simply because a third party may be able to publicly access an individual’s personal information does not mean that it is “publicly available,” as defined in PIPEDA and the Regulations. In fact, information that may be in the public domain is still worthy of privacy protection and appropriate consents should nonetheless be obtained.

From a jurisdictional standpoint, Profile Technology was unsuccessful in arguing that the OPC had no jurisdiction on the basis of the company not having a physical presence in Canada. PIPEDA has extraterritorial scope if a real and substantial connection can be established. That said, in cases where the OPC’s jurisdiction may be established, enforcement is another matter, one which was not tested in this case. However, the extraterritorial scope issue is likely to be an important topic as the EU’s General Data Protection Regulation[8] and the California Consumer Privacy Act of 2018[9] both have extraterritorial reach.

 

About the authors

Imran Ahmad is a partner at the national Canadian law firm Miller Thomson LLP and specializes in the areas of cybersecurity, privacy and technology law. Katherine Barbacki and Alexia Magneron are associates in Miller Thomson LLP’s Montreal office and specialize in the areas of cybersecurity and privacy law.

This article originally appeared on the Miller Thomson Cybersecurity Blog.

 

[1] The Office of the Privacy Commissioner of Canada is an agent of the Canadian Parliament responsible for the protection and promotion of privacy rights. It oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Canada’s federal private-sector privacy law.

[2] Office of the Privacy Commissioner, Complaints under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”) against Profile Technology Ltd., PIPEDA Report of Findings #2018-002, June 12, 2018, available online.

[3] Regulations Specifying Publicly Available Information, SOR/2001-7.

[4] Supra note 3, para 86.

[5] Supra note 3, para 95.

[6] A “torrent” is a file that facilitates efficient dissemination of the file via peer-to-peer sharing, whereby any person who “replicates” (i.e., downloads) a file can then “seed” it (i.e., make it available for download by others).

[7] Office of the Privacy Commissioner of Canada, Guidelines for Obtaining Meaningful Consent, May 2018, available online.

[8] General Data Protection Regulation, (EU) 2016/79, available online.

[9] California Consumer Privacy Act 2018, Bill No. 375, Chapter 55, June 29, 2018, available online.

 

Any article or other information or content expressed or made available in this Section is that of the respective author and not of the OBA.