On June 12, 2018, the Office of the Privacy Commissioner (“OPC”) released its report into Profile Technology Ltd.’s (“Profile Technology”) use of “publicly available” Facebook profiles. The OPC concluded that Profile Technology had not obtained the necessary consents from individuals whose Facebook profiles it was collecting for the purposes of establishing its own social networking website. The case is an important one since it sheds light on what limits may be imposed by Canadian privacy regulators on the use of personal information that may be available to the public from time to time on social networking platforms.
Profile Technology, a New Zealand-based company, had been retained by Facebook in 2007 to provide advanced search functions for its site. Specifically, it indexed the public parts of users’ profiles – in a manner that is similar to how Google and other search engines index information on the internet more broadly. To this end, Profile Technology claimed that it was provided unlimited access by Facebook to information that its users had consented to make public and accessible to search engines.
Profile Technology subsequently used the information that it had collected from Facebook to build its own social networking site, never seeking the consent – implied or express – of the users whose profiles were being migrated and incorporated into its site.
Subsequently, five Canadian individuals filed complaints with the OPC, alleging that Profile Technology had collected and used their personal information without their knowledge and consent. These complainants explained: (i) in certain circumstances, they were unable to have their personal information removed from the website; (ii) the personal information used by Profile Technology was not accurate; and (iii) Profile Technology had inadequate procedures in place to receive and respond to complaints and inquiries about its policies and practices relating to the handling of personal information.
Profile Technology Did Not Have Users’ Consent
The Canadian complainants indicated to the OPC that they learned that their information appeared on Profile Technology’s website after they conducted internet searches for their own names.
The complainants pointed out in their claims that Profile Technology never sought their consent for the collection and use of their personal information. Interestingly, Profile Technology argued that such information was “publicly available” and that it was not required to obtain consent of the users. Further, Profile Technology claimed that Facebook was responsible for obtaining permission to make the information public and available to search engines. It relied on Facebook’s privacy policies from 2009 and 2010 and Facebook’s blog post from 2007 to assert that notice had been given to users that their public information may be found by external search engines.
More specifically, Profile Technology claimed that publicly accessible Facebook profiles should be considered a “publication” under PIPEDA’s Regulations Specifying Publicly Available Information (the “Regulations”). Subsection 1(e) of the Regulations refers to “personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.” Profile Technology submitted that a person who places information on their Facebook profile “publishes” the information, making Facebook profile information a “publication” for the purposes of the Regulations.
The OPC flatly rejected Profile Technology’s assertion that profile information is “publicly available”, such that it is exempt from the requirement to obtain consent. Even if the OPC accepted that Profile Technology had Facebook users’ consent for its original collection of profile information for the purposes of offering search engine services, it did not have consent to subsequently use that information for the purposes of creating and populating its own social networking website.
Not All Public Information is “Publicly Available”
The OPC noted that PIPEDA recognizes that not all information in the public domain will be considered “publicly available”. In this regard, there is an acknowledgment that information that may be in the public domain is still worthy of privacy protection. Treating a Facebook profile as a publication would be counter to the intention of PIPEDA, undermining the control users otherwise maintain over their information at source.
The OPC concluded that the personal information at issue was not publicly available within the meaning of PIPEDA. As such, the respondent was required to ensure individuals’ consent for its use of their personal information copied from Facebook and posted on its website.
The OPC recommended that, among other things, Profile Technology remove from its website, and delete from its records, all individual profiles and groups associated with any Canadian (or Canadians), including those associated with the complainants. Profile Technology did proceed with the bulk deletion of Canadian data.
Prior to issuance of the OPC report, Profile Technology had removed the profiles from its website. As of April 1, 2018, the website simply consisted of a notice page titled “Profile Engine has now been donated to the Internet Archive (31st March 2018)”. On April 9, 2018, the OPC observed that the files were becoming increasingly difficult to find via search engines (which had presumably de-indexed the links to the torrent files), but the OPC was still able to find the torrents on the dark web.
The OPC’s decision in the Profile Technology case is important given that an increasing number of individuals regularly share their personal information with multiple social networking websites. As these websites become increasingly sophisticated and use third-party vendors to get insights about their users (e.g., through the use of analytics), they provide vendors access to their users’ personal information. Implied consent in lengthy privacy policies that very few users read and understand is not sufficient from a Canadian privacy standpoint, as stated by the OPC in its recently released Guidelines for Obtaining Meaningful Consent. Accordingly, to the extent that a vendor is relying on the consent obtained by the entity collecting the personal information in the first instance, it should ensure that it has taken necessary steps to demonstrate – e.g., through contractual language – that the requisite consents were obtained for the purposes contemplated by the vendor.
Another key takeaway is that simply because a third party may be able to publicly access an individual’s personal information does not mean that it is “publicly available”, as defined in PIPEDA and the Regulations. In fact, information that may be in the public domain is still worthy of privacy protection and appropriate consents should nonetheless be obtained.
From a jurisdictional standpoint, Profile Technology was unsuccessful in arguing that the OPC had no jurisdiction on the basis of the company not having a physical presence in Canada. PIPEDA has extraterritorial scope if a real and substantial connection can be established. That said, in cases where the OPC’s jurisdiction may be established, enforcement is another matter, one which was not tested in this case. However, the extraterritorial scope issue is likely to be an important topic as the EU’s General Data Protection Regulation and the California Consumer Privacy Act of 2018 both have extraterritorial reach.