2020 is shaping up to be a significant year for the regulation of privacy issues, with two notable events taking place so far this year. In early February, the Office of the Privacy Commissioner (OPC) commenced an action against Facebook arising from the Cambridge Analytica affair. Later in the month, the OPC announced a joint investigation into facial recognition technology. Both initiatives concern the ability of organizations to collect and use personal information without proper consent. These steps by the OPC are consistent with its December 2019 Report, which calls for reform of Canada's federal privacy laws and increased authority to regulate privacy matters. Organizations can expect that, going forward, they will be more heavily scrutinized with respect to how they manage personal information.

In early February, the OPC commenced a legal proceeding against Facebook in the Federal Court. The OPC seeks an order requiring Facebook to change its data protection practices in the wake of the Cambridge Analytica affair. In particular, the OPC seeks (among other things) a declaration that Facebook contravened various clauses of the Personal Information Protection and Electronic Documents Act (PIPEDA) and an order requiring Facebook to correct its practices to comply with PIPEDA. This proceeding follows the OPC's investigation of this matter, the results of which are set out in the 2018-2019 annual OPC report dated December 2019 and in the Report of Findings from the joint investigation of Facebook conducted by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia.

In its investigation report, the OPC asserted that the personal information of approximately 621,889 Canadians had been exposed to potential exploitation by Cambridge Analytica. The OPC found Facebook failed to obtain meaningful consent from users who installed a third-party app and did not provide for adequate safeguards to effectively protect users' personal information. In its report, the OPC further indicated that Facebook refused or failed to address the OPC's recommendations.

Facebook faces the possibility of significant fines in other jurisdictions for these actions, and has already been fined £500,000 in Great Britain by the Information Commissioner's Office in connection with the Cambridge Analytica matter. The OPC does not have the authority to impose such fines under PIPEDA, nor the authority to make orders regarding compliance with the statutory obligations. However, the Privacy Commissioner has called for such increased authority for his office.

The application by the OPC to obtain a court-ordered remedy against Facebook signals the increasing resolve of the OPC to enforce the principles underlying PIPEDA, and the corresponding exposure for organizations that seek to commoditize personal information beyond the permitted scope.

Joint Investigation into Clearview AI Launched

Later in February, the OPC announced that it, along with the privacy protection authorities for Quebec, British Columbia and Alberta, is jointly investigating Clearview AI and its use of facial recognition technology. In the announcement, Clearview AI is reported to be "using its technology to collect images and make facial recognition available to law enforcement for the purposes of identifying individuals". Clearview AI has also claimed to be providing its services to financial institutions.

The stated objective of the investigation is to determine whether the company's practices are in compliance with Canadian privacy legislation. Provincial and territorial privacy regulators have also agreed to jointly develop guidance for organizations on the use of biometric technology.

This announcement by the OPC and provincial privacy commissioners came days before Clearview AI reported its own data breach—it sent a notice to customers informing them that an intruder had gained unauthorized access to its customer list on February 26.

The investigation and the anticipated guidance on the use of biometric technology underscore the increasing regulatory focus on emerging technology and on how such technology can be used to collect and use personal information beyond the permitted scope.

What Does This Mean for Organizations Carrying on Business in Canada?

Frequently, organizations collect personal information for one stated purpose but use it for another. This is often a matter of a lack of understanding within the organization as to: the scope of consent obtained from individuals for the use and disclosure of their information; the scope of personal information actually collected from individuals; or the reasonableness restriction on the use of personal information. This discrepancy between the scope of consent and the actual use gives rise to regulatory and litigation exposure.

Further, organizations may collect, use or store personal information which they do not collect directly from the individual. Because they are not collecting it directly from the individual, they are not always focused on issues of consent, permitted use and obligations to safeguard the information. When an organization has custody or control of personal information, obligations under privacy legislation may apply regardless of whether it collected the information directly from the individual.

Organizations carrying on commercial activity in Canada can expect increased regulatory scrutiny with respect to their practices in collecting, using, storing, disclosing, transferring and destroying personal information. Given the broad definition of what constitutes personal information in Canada (any information about an identifiable individual), management of this issue requires a comprehensive review of an organization's operations as they relate to data management. To manage regulatory exposure and the corresponding litigation risk from mismanagement of information, organizations are encouraged to take a proactive approach.