How far can an organization go to collect an outstanding debt from a customer? While the answer is not altogether clear-cut, CBC recently reported that Canada’s Privacy Commissioner is of the view that identifying your customers’ overdue accounts on Facebook goes too far. While PIPEDA allows an organization to disclose personal information without consent for the purpose of debt collection, the office of the Privacy Commissioner has emphasized that disclosure must be made in a reasonable manner and the amount of information disclosed must be limited to what is absolutely necessary to achieve this purpose.

The CBC articles report that sometime in early December 2015, a Canadian telecommunications provider based in a small town in the Northwest Territories publicly posted the list of 25 overdue customer accounts. The list reportedly included both the names of the debtors and the actual amounts owed, ranging from roughly $100 to $1,400. The company is said to have first posted the list on its own Facebook page, and then to have reposted it on a number of community Facebook pages. The articles indicate that the Office of the Privacy Commissioner of Canada requested that the posts be taken down and the company complied.

The applicable federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), allows the disclosure of personal information about an individual without their consent for the purpose of collecting a debt owed by the individual. However, based on the position reportedly taken by the Privacy Commissioner in this case, publicly posting private financial information of identifiable individuals does not fit within the ambit of the exception and the exception does not give a blanket permission to indiscriminately disclose a debtor’s personal information.

PIPEDA allows personal information to be collected, used and disclosed only for purposes to which the individual has consented. Additionally, even where consent has been obtained, collection, use and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances. Principle 4.3 of PIPEDA stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, subject to limited exceptions. Section 7(3)(b) of the Act contains a limited exception to principle 4.3, allowing an organization to disclose personal information without the knowledge or consent of the individual if the disclosure is for the purpose of collecting a debt owed by the individual to the organization.

In addition to the actions reportedly taken by the Privacy Commissioner in the circumstance of this case, in prior findings of the Privacy Commissioner dealing with disclosure of personal information in the process of debt collection, the Commissioner has taken the position that although the Act provides for an exception to the requirement for consent to disclose, it does not confer a carte blanche upon an organization to disclose however much information it wishes in pursuing a debt. (See PIPEDA Case Summary #2003-130.) The Commissioner has signaled that in situations where the debtor’s consent is not obtained, creditors must be careful as to how and why they disclose the debtor’s personal information for debt-recovery purposes. Only certain debt-recovery situations are eligible for such disclosures without consent.

In PIPEDA Case Summary #2004-282, an individual complained that a bank disclosed a significant amount of his personal information to his company’s employees without his consent, and that these disclosures were extremely damaging to his reputation and contributed to his decision to resign as head of the company. According to the decision, the bank had told the complainant’s company’s employees that the complainant’s account was delinquent, his credit card was suspended, his payment history was sketchy and that the bank was going to garnish the complainant’s wages as part of their enforcement. The Assistant Privacy Commissioner found that an excessive amount of information was divulged during the bank’s debt collection activities. While an organization must disclose some information to a debtor’s employer when seeking to garnish the debtor’s wages, the Assistant Privacy Commissioner determined that the bank went too far in its attempt to recover the debt. The Assistant Privacy Commissioner also found that it was not necessary to reveal the amount of money owed by the debtor. The bank was therefore found to be in contravention of Principle 4.3 of PIPEDA.

In the case recently reported by CBC, it is unknown whether the company’s customers were previously advised that their account information could be made public should payment become overdue. In any event, based on previous decisions of the Commissioner, a broad disclosure may be unlikely to be considered a reasonable debt collection measure if it is considered excessive and unnecessary in order to collect the debt.