In late 2019, the Office of the Information & Privacy Commissioner for British Columbia ("OIPC") and the Office of the Privacy Commissioner of Canada ("OPC") collaborated in the investigation of a company connected to the use of personal information for political campaign efforts. Several companies including Facebook, Cambridge Analytica and SCL Elections recently have been investigated in connection with the leveraging of voter personal information for targeted political advertising. The latest entity to be investigated is AggregateIQ Data Services Ltd. ("AIQ"), a small campaign service provider located in British Columbia. On November 26, 2019, the two Canadian privacy regulators released their joint Investigation Report (the "Report") into AIQ.
The OIPC and OPC are not the only privacy regulators worldwide to examine AIQ's privacy practices. Privacy regulators are clearly grappling with how to regulate companies that provide information-based services spanning multiple jurisdictions, particularly when personal information is leveraged for political purposes. In fact, the Report emphasizes the need for communication and collaboration amongst privacy regulators in meeting these challenges. However, the Report raises a number of concerns with respect to the potential negative consequences for Canadian data processors competing for international business, and also raises questions as to whether Canadian privacy laws are being stretched beyond their express drafting and previous case law.
The Service Provider: AggregateIQ Data Services Ltd.
According to the Report, AIQ is a British Columbia-based company that provides data-related services for high-profile political campaigns. Specifically, AIQ provides election and campaign-oriented software, website development and digital advertising services. Therefore, its "processing" of personal information includes, among other campaign-specific services, loading information into software, testing software functionality, supporting or administering customer relationship management tools, identifying and segmenting individuals into datasets, delivering targeted advertising, cleansing databases and reporting on advertising campaign results. AIQ's clients are located across the globe – in Canada, the United States ("US"), and the United Kingdom ("UK"), as are the individuals whose information it may process for those clients.
In many of the cases at issue in the investigation, AIQ functioned as a data processor and relied on the consent purportedly obtained by its clients to use and disclose personal information provided to it by those clients, in order to perform various functions on their behalf.
The Investigation: Issues, Findings and Recommendations
The investigation assessed AIQ's compliance with the Canadian federal and applicable provincial data privacy laws; respectively, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and the British Columbia Personal Information Protection Act ("PIPA"). The consent and data security requirements of these laws were a specific focus of the investigation.
In general terms, the investigation found several instances where the OPC and OIPC believed that AIQ's services exceeded the scope of the consent that had been provided by individuals to AIQ's clients. The investigation also found that reasonable security measures had not been taken in relation to a reported privacy breach.
"Brexit"/United Kingdom: During the 2016 UK referendum on European Union membership, AIQ provided targeted advertising, website development, and database management services to various Brexit campaigns. As it relates to the BeLeave campaign, the Report held that the consent relied on by AIQ did address all of the activities performed by AIQ. The Commissioners found that the use of phone numbers to send SMS messages was authorized by the recipients. However, as it relates to the Vote Leave campaign, the OIPC and OPC found that the consent relied on by AIQ was inadequate as the disclosure of personal information to Facebook for advertising purposes was not covered by the consent.
SCL Elections/United States: AIQ worked with SCL Elections Ltd. ("SCL") on various political campaigns in the US. This included several 2014 midterm elections, a political action committee, and a presidential primary campaign. In the context of the US campaigns, the Report held that AIQ did not attempt to determine whether its clients had obtained consent that AIQ could rely on for its use and disclosure of US voter personal information. AIQ believed that US law did not require such consent.
Municipal and Provincial campaigns/Canada: AIQ was responsible for providing a range of services to a variety of British Columbia political clients at the municipal and provincial levels. The investigation found that the social media and analytical uses of personal information were not covered by the scope of the consent obtained by AIQ's clients.
The OIPC and OPC also found that AIQ failed to take reasonable security measures to ensure that the personal information under its control was secured from unauthorized access or disclosure. Specifically, the Report held that the personal information of over 35 million people was put at risk via access to an unsecured data repository, which contained personal information, encryption keys and login information.
In light of the above, the OIPC and OPC recommended that AIQ take reasonable measures to ensure that the consent upon which it relies is compliant with Canadian data privacy laws. The OIPC and OPC stated that this should include contractual measures, reviewing consent language used by the client and verifying the third-party consent. The Report also recommended that AIQ put in place and maintain reasonable security measures to secure personal information from unauthorized access or disclosure, including fully implementing the planned remedial measures and deleting personal information in its custody/control that is no longer necessary.
Application of Canadian Data Privacy Laws
In this decision, the OIPC and OPC appear to have adopted a novel and expansive approach to the jurisdictional reach of Canadian data privacy laws. This warrants careful consideration by Canadian data processors and service providers that work with foreign clients, those clients themselves, and Canadian legislators.
The Position of the OIPC (BC) and OPC
The Report clearly finds that PIPEDA and PIPA apply to data processors and service providers who use and disclose personal information, regardless of the jurisdiction in which that information was collected:
Even where the information was collected in a different jurisdiction, whether that be the UK or the US, AIQ is still required to meet its obligations under Canadian law with respect to its handling of that personal information in Canada.
However, the Report does not address whether the mere processing in Canada of the personal information of foreign data subjects, collected in a foreign jurisdiction at the behest of a foreign data controller, will create a real and substantial connection to Canada sufficient to trigger the consent requirements of Canadian privacy laws. This consideration strikes us as particularly relevant in cases where the personal information of a person outside of Canada is collected in a foreign jurisdiction by a data controller in that jurisdiction in compliance with the legal requirements of that jurisdiction and is subsequently transferred to Canada for processing. While the Report acknowledges that AIQ's foreign clients are not subject to PIPEDA or PIPA, in effect, they would need to comply with these laws should they wish to use a Canadian data processor:
To be clear, we are not finding, in this section or below, that AIQ's foreign clients were required to comply with Canadian and BC privacy laws. The practices of those political organizations would generally fall outside the scope of PIPA and PIPEDA, and in any event, were not the subject of this investigation. That said, to the extent that AIQ wished to rely on the consent obtained by foreign clients for its own collection, use, and disclosure of personal information on their behalf, it would need to ensure that such consent was sufficient, under Canadian or BC law as the case may be, for its purposes.
In effect, the Report applies Canadian data privacy laws indirectly in a situation where they could not be applied directly. While foreign entities processing foreign data are not subject to Canadian data privacy laws, the OPC and OIPC suggest they nevertheless will find that a Canadian service provider is offside Canadian law if its foreign client does not obtain consent in accordance with laws the OPC and OIPC recognize the foreign client is not subject to. This creates a tension in the reasoning stated in the Report. On the one hand, the regulators purport not to impose a requirement on the foreign clients to comply with Canadian consent requirements. On the other hand, the regulators are, by necessary implication, imposing this requirement on the foreign clients indirectly through their service providers, in that the regulators have determined that the consent relied upon by AIQ to process personal information will be invalid if it does not comply with the Canadian requirements.
In the Facebook investigation, the OPC and OIPC asserted their jurisdiction in the broad scope of the complaint and the fact that the personal information of Canadians may be implicated: "The Offices' jurisdiction does not depend on the narrow issue of whether it can be proven that Canadians' personal information was ultimately disclosed to SCL". While the threshold for finding a jurisdictional basis to investigate companies may not be a high one, by finding that PIPEDA and PIPA applies to AIQ when processing information obtained in a foreign jurisdiction in a manner that triggers Canadian consent standards, the OIPC and OPC appear to expand their jurisdiction in a manner not evident in the drafting of the statutes they are charged with enforcing, and that has the potential to create several jurisdictional issues.
Issue 1: Indirect Application of Private-Sector Data Privacy Laws to Non-Commercial Entities
PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activity. It does not apply to political parties, or to other entities that are not engaged in commercial activity. AIQ was engaged as a service provider acting for foreign clients involved in the course of various political campaigns. In the Report, the OPC indirectly extends the application of PIPEDA to non-commercial actors by finding that a service provider must ensure that its clients obtain consent in compliance with PIPEDA, when that client is not engaged in commercial activity and not subject to PIPEDA in the first place. In essence, this approach would expand the application of PIPEDA indirectly to entities not subject to it directly, should they wish to engage a third party service provider on the basis that the service provider is engaging in commercial activity.
We note this expansive interpretation would allow the OPC to seek to apply PIPEDA to service providers processing personal information for other entities that are not engaged in commercial activity themselves and are not subject to PIPEDA, such as the constituency office of a Canadian politician or a political party. Conceptually, it would also serve to indirectly extend the application of PIPEDA to other non-commercial entities such as charities, not for profits or labour unions, should they engage a third party service provider to process the personal information they have collected and used for their non-commercial activities.
It should be noted that British Columbia does regulate the privacy practices of political parties via PIPA. Unlike PIPEDA, it applies to entities that are not engaged in commercial activity. However, targeting data processors for compliance and enforcement purposes in respect of foreign data controllers would nevertheless result in the privacy regulators applying the legislation indirectly to data controllers not otherwise subject to the law, via their Canadian service provider. For example, PIPA does not apply to the collection, use or disclosure of personal information, if that collection, use or disclosure is for journalistic, artistic or literary purposes. However, based on the findings in the Report, if an organization involved in journalistic activities engaged a Canadian data processor, that data processor may be considered subject to PIPA and the consent requirements thereunder under the reasoning in the Report.
This indirect expansion of Canadian privacy law has the potential to seriously erode the limitations imposed on the application of such laws, many of which are set out in the drafting of the legislation itself, and exist to ensure a balance with other Canadian rights and freedoms, including political expression/the right to association as well as the right to freedom of expression.
The Report may be contrasted with a recent decision in the United States, in which the US Court of Appeals for the Fourth Circuit found that the legal burdens placed on news organizations, as platforms hosting online political advertisements, by the Maryland Online Electioneering Transparency and Accountability Act was contrary to the First Amendment. This law regulated the platforms hosting political ads in addition to the ad purchaser. It was found that the Act created a disincentive for platforms to publish political ads, as opposed to other kinds of advertising content. The imposition of obligations on third party publishers of political ads was at a cost to political debate.
In the context of PIPEDA, this aspect of the Report is also at odds with the Federal Court of Canada's decision in State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada. In that case, the Court held that when determining whether PIPEDA is applicable, what is relevant is the underlying activity that gives rise to the collection, use or disclosure of the personal information in issue. The court stated:
…on a proper construction of PIPEDA, if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties.
Accordingly, where an agent collects, uses or discloses personal information on behalf of a principal, the mere fact that the agent does so for remuneration does not make the activity a commercial activity that is subject to PIPEDA. By analogy, where a data processor performs services on behalf of a political party and collects, uses and discloses personal information in a non-commercial context, the underlying activity remains non-commercial and therefore not subject to PIPEDA.
Issue 2: The Application of Canadian Data Privacy Laws to Foreign Organizations
The Report also does not address the difficulty in the extraterritorial application of Canada's data privacy laws in circumstances where a data processor is apparently expected, on the reasoning in the Report, to apply Canadian privacy laws at the point of data collection by its client in a foreign jurisdiction. As illustrated by the circumstances of AIQ, in many circumstances, the Canadian data processor will not have direct contact with the individuals whose personal information is collected, and must rely on their foreign client to ensure that the applicable legal requirements regarding the collection, use and disclosure of personal information are met. Where those clients are in a foreign jurisdiction, they may be subject to privacy legislation that differs materially from PIPEDA and PIPA. A consequence of the Report is that it appears to impose on those foreign clients, indirectly via their Canadian service provider, should they choose to use one, a requirement to comply with both their jurisdiction's data privacy laws and with Canadian privacy law requirements. Remarkably, the Report appears to impose this requirement even in circumstances where no data is being obtained from residents or citizens of Canada, but is merely being processed in Canada by a Canadian service provider.
PIPEDA is silent on its extraterritorial application. However, the Federal Court of Canada has held that when Canadians' personal information is collected, used or disclosed from outside of the territory of Canada, PIPEDA will apply to the processing of personal information by an organization where there exists a "real and substantial connection" to Canada. This test applies to foreign-based organizations, and serves as the basis for the long established principle that a foreign entity collecting personal information about an individual in Canada must comply with PIPEDA.
It is instructive that in asserting the extraterritorial application of PIPEDA to Canadian personal information, Canadian courts have found that PIPEDA's application should be grounded in a sufficient connection to Canada. Stretching PIPA and PIPEDA to apply to a data processor that processes foreign personal information in Canada, at the behest of a foreign data controller, does not address whether the mere processing of personal information in Canada is sufficient to establish a connection to Canada as a jurisdiction for the purpose of applying Canadian law at the point of collection of the personal information by a foreign actor in a foreign territory. In the result, the Report applies the consent requirements in PIPA and PIPEDA at the point of data collection in a foreign jurisdiction, by a foreign entity, in any case where a Canadian data processor will be used. In mandating this surprisingly broad jurisdictional reach, the Report did not, on its face, address the presence of connecting factors to Canada as a jurisdiction, or whether there was a real and substantial connection to Canada to serve as a basis for applying PIPEDA and PIPA in these circumstances.
The Report, while asserting that data privacy laws across the world are generally rooted in fair information principles and that they "place great emphasis on the knowledge and consent of individuals", also acknowledged that such data privacy laws are not identical. Privacy regimes in other jurisdictions allow for the processing of personal information on a legal basis other than the consent of the individual. Should Canadian data processors, following this Report, seek to require UK and US organizations to meet the requirements in Canada's data privacy laws, there may be cases where the requirements of the Canadian laws differ from the law of the jurisdiction in which the organization and the data subjects reside. This may impose conflicting and/or heightened obligations on non-Canadian organizations to which they would not otherwise be subject, and conflicts with notions of international comity. This approach would also create uncertainty for data controllers. At the point of collection, one may not know what service provider will be used, or what jurisdiction they will be in. Moreover, a data controller could choose to change service providers having already collected the information. Applying the law of the jurisdiction of the service provider retrospectively to information collected by a foreign organization in their own jurisdiction would make it difficult, if not impossible, to know what legal standard one must comply with at the outset.
Fundamentally, the findings of the Report may prevent foreign organizations from engaging Canadian service providers to process personal information in a manner that is perfectly legal in their home jurisdiction. This has the potential to pose a serious impediment to Canadian service providers seeking foreign business and to negatively impact the competitiveness of Canada's data processing industry.
In the view of the writers, the essence of collaboration between privacy regulators worldwide is to respect that the data privacy laws of foreign jurisdictions may have distinct means to achieve policy objectives, and to collaborate and cooperate in enforcement efforts based on similar but distinct laws. Canadian privacy regulators should be wary of seeking to impose PIPEDA and other provincial data privacy laws on data processors in a manner that does not consider who ultimately has "control" over the information and its processing, and whether these activities have a real and substantial connection to Canada sufficient to trigger the consent requirements of the Canadian laws. Furthermore, applying the laws in this manner has the potential to erode the careful balance that has been established by the legislators between privacy and other fundamental values, including constitutionally enshrined rights to freedom of association and freedom of expression.
The application of Canadian data privacy laws to data processors and service providers raises new and surprising questions regarding legal compliance when servicing foreign clients. Key themes raised in the Report should be evaluated in light of a Canadian data processor's current privacy practices, including:
This Report expands the application of PIPEDA and relevant provincial data privacy laws to Canadian data processors and service providers working with foreign clients who are collecting foreign personal information in foreign jurisdictions. Under the Report, data processors are required to demonstrate that the consent through which they or their clients collect, use and disclose personal information is compliant with Canadian data privacy laws, even in cases where they are acting for a client not subject to those laws in the first place. They must be able to show that Canadian consent requirements have been met, regardless of the jurisdiction in which the personal information was collected.
As long as data processors and service providers are using and disclosing personal information in the course of their own commercial activities (i.e. providing services for a fee), it would appear that the purposes for which the personal information was originally collected, and whether the entity doing so was itself engaged in commercial activity (i.e. in the course of political processes) may not be considered by the OPC in seeking to apply PIPEDA. This is at odds with the jurisprudence of the Federal Court of Canada, and is an interpretation that appears to be open to legal challenge. Nonetheless, Canadian companies can be expected to be confronted with this interpretation if subject to an investigation by the OPC.
Verifying third-party consent
While the scope of the measures that must be taken to verify third party consent have not been explicitly detailed, Canadian data processors should be prepared to demonstrate what measures they have taken to verify third party consent for the personal information they receive from and process for their clients, including foreign clients. Preparing a policy or process with measures reasonable to a data processor's specific circumstances is advisable.
The recommendations provided in the Report leave a difficult roadmap for Canadian data processors and service providers to follow. To ensure effective compliance under Canadian law, a data processor may be tasked with implementing contractual measures, reviewing the consent language used by its clients, and verifying that its client's consent practices are compliant with Canadian data privacy law - even in cases where those activities are not subject to Canadian data privacy law in the first place. In some, but not all cases, contractual measures were in place and AIQ was aware of the consent language used by its clients. This leaves Canadian data processors with the critical question of what measures are reasonable and how far must they insert themselves in the operations of their foreign clients, or potentially, non-commercial Canadian clients, to ensure that valid consent under Canadian law was obtained, even if that law does not apply to the client. It also leaves foreign data controllers to consider whether they can work with Canadian service providers to process their personal information in Canada if those service providers are obliged to require them to comply with Canadian requirements in cases where the law of their jurisdiction is more permissive, even in circumstances where no data of Canadians will be collected. Likewise, Canadian political parties, charities and unions are left to consider whether all information processing must be done "in-house", to avoid service providers seeking to impose contractual consent obligations on them in cases where they would not otherwise apply.
Unfortunately, the impact on data processors may leave them, and Canada, in a less competitive commercial position compared to foreign service providers, resulting in a potential chilling effect on the use of Canadian businesses for data processing.
We would hope that these matters are considered carefully by Canadian lawmakers as they seek to update Canadian privacy legislation.