In its most recent report of findings entitled "Company’s re-use of millions of Canadian Facebook user profiles violated privacy law," the Office of the Privacy Commissioner (the "OPC") dealt with the often confusing issue of personal information that is publicly available and confirmed its view that Facebook profiles that are set to public are not considered "publicly available" information under the Personal Information Protection and Electronic Documents Act ("PIPEDA"). As such, this finding reinforces the notion that the colloquial meaning of "public information" does not correspond to the legal definition of "publicly available" under Canadian privacy law and confirms the OPC’s jurisdiction in investigating foreign entities collecting personal information from Canadians.
The OPC investigated the practices of a New Zealand company — Profile Technology — which operated a website called The Profile Engine, which collected profile information originally set to "public" on Facebook while providing search function services for users. The operator of the website argued that it simply allowed users to search for and find information which was already publicly available on Facebook and therefore consent from these individuals was not necessary. At issue was whether the company could rely on paragraphs 7(1)(d) and (2)(c.1) of PIPEDA and section 1(e) of the associated Regulations Specifying Publicly Available Information (the "Regulations") collectively to collect and use the personal information in question (i.e., Facebook profiles) without the consent of the individuals concerned. Under PIPEDA, "publicly available" personal information is defined restrictively and does not necessarily include all information that can be freely accessed by anyone. In particular, under section 1(e) of the Regulations, in order for personal information to be considered "publicly available" and for which consent to collect, use and disclose is not required, the personal information must appear in a publication, the publication must be available to the public, and the personal information has to have been provided by the individual.
The OPC disagreed with the company’s argument and reiterated that the profile information at issue was not "publicly available" as set out in PIPEDA. The OPC determined that while the term "publication" used in section 1(e) of the Regulations is not defined in PIPEDA, it must be interpreted restrictively to cover information that is of a particular kind or quality such that either (i) the individuals’ consent to make it public can be inferred by virtue of the fact that the individual provided it or otherwise did not object to it being made public, or (ii) its publication serves a broader public purpose. In its investigation, the OPC concluded that Facebook profiles are dynamic — a profile owner can edit or remove content from their publicly accessible profile at any time, and can decide to edit their settings so that their profile would no longer be publicly accessible. As such, a Facebook profile could not be considered a publication and therefore public Facebook profile information was not "publicly available" within the parameters of PIPEDA and the Regulations. Consequently, the company was required to obtain the consent of individuals whose personal information it copied from Facebook and posted on its website.
The OPC further identified concerns with respect to the fact that the organization was not using and disclosing personal information for a purpose that a reasonable person would consider appropriate in the circumstances and furthermore, was retaining certain information (i.e., help desk ticket information collected from individuals wishing to having their profile deleted) for longer than necessary.
As a result of the OPC’s investigation, the website operator removed all Facebook profile information from its website. However, it had uploaded much of the information to an internet archive service, making it available for mass download via peer-to-peer sharing, including on the dark web. The OPC has shared its findings with the Office of the Privacy Commissioner of New Zealand. Facebook has also been engaged in litigation with Profile Technology in relation to its website.
Takeaway for Business
This investigation is a reminder of the OPC’s position as reported in its 2015 Report of findings following the OPC’s investigation of Globe24h, that a business model involving the online republication of publicly available court decisions (and allowing them to be indexed by search engines) contravened PIPEDA, and which was confirmed by the Federal Court of Canada. The OPC further lists the Globe24h business model as an example of inappropriate data practices in its recently published "Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)."
In this recent report of findings, the OPC confirmed that Facebook profiles are not "publicly available" within the meaning of PIPEDA and clarified the common misconception with regards to whether personal information that is accessible to the public can be collected, used and disclosed without the individual’s consent. This should not come as a surprise given that the OPC had already articulated its view on this issue in its recent consent report from September 2017 in which it stated: “(…) we caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it.” Businesses should be aware that collecting personal information from publicly available sources (including from social media websites) does not necessarily obviate the requirement to obtain the individual’s consent unless the information falls under one of the exceptions found in PIPEDA, which are interpreted restrictively. This decision may therefore have an impact on various business models including social listening activities.
Businesses should keep an eye on upcoming amendments to the Regulations Specifying Publicly Available Information. Recall that the Standing Committee on Access to Information, Privacy and Ethics, in its 2018 report, Towards Privacy By Design, recommended that the Government of Canada "modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral."
This report of findings is also a reminder to foreign entities that the OPC will not hesitate to exercise its authority to investigate them if they are conducting commercial activities involving the collection, use or disclosure of Canadians’ personal information.