While summer can sometimes be a quieter time for antitrust enforcement, the debate about the role of antitrust in the tech sector is hotter than ever with a number of significant developments over the past few weeks.
Among these developments, the U.S. Federal Trade Commission (FTC) recently announced a US$5-billion settlement with Facebook to resolve issues regarding its data practices and initiated proceedings against Cambridge Analytica for deceptive representations regarding its use of personal data. The use and collection of personal data is also a hot topic in Canada and, as discussed below, the Competition Bureau may be looking to take enforcement action in this area.
Can Data/Privacy Policies Be Pursued as Misleading Representations?
Taking inspiration from the FTC’s approach to pursuing privacy representations as deceptive practices, the Competition Bureau has taken the view that it may use the Competition Act to challenge representations regarding the use and collection of data that are “false or misleading in a material respect.” This approach would allow the Bureau to seek, among other things, the imposition of administrative monetary penalties of up to $10 million against corporations whose representations are found to be false or misleading in a material respect.
According to the Bureau, “companies are putting themselves at risk when they collect information that consumers would not expect to be collected in the normal course of business and only disclose this material information in terms and conditions that are likely to be overlooked by consumers.” The Bureau has also taken the view that “the collection and use of data that go beyond what consumers would reasonably expect increases the likelihood of deception.”
Although the Bureau is clearly drawing inspiration from the U.S. enforcement approach, this approach may not work as well in Canada, where the collection of personal information without appropriate consent is already, and arguably more directly, within the mandate of the Office of the Privacy Commissioner (OPC) under Canada’s federal privacy legislation (Personal Information Protection and Electronic Documents Act, or PIPEDA). While it remains to be seen how the Competition Bureau would work with the OPC in respect of such investigations, the Commissioner of Competition (the head of the Bureau) has made it clear that enforcement in the digital sector remains a key priority.
As one of the first steps to increasing its enforcement capabilities in the digital sector, the Bureau recently appointed a Chief Digital Enforcement Officer (CDE Officer). The Commissioner has explained that the role of the CDE Officer is to provide the Bureau with “advice and expertise on a wide range of matters, including tools and skills development, in order to strengthen [the Bureau’s] investigations in the digital economy.” In the short time since he has assumed his position, the CDE Officer has used social media to draw attention to the approach to collecting and using personal data by app developers such as FaceApp. In fact, in a recent social media post, the CDE Officer referred to FaceApp as “an example of trading your #privacy for convenience or for a cool service…likely without your knowledge” and he included the hashtag “deceptive” in reference to FaceApp’s terms and conditions. This is despite the fact that the terms highlighted in the post appear to disclose the intended collection and use of personal data by FaceApp. In another recent post, referring to the recent Facebook settlement with the U.S. FTC, the CDE Officer explained that he had “posted about Facebook having poor #data governance and #dataprivacy practices in the past.” While these social media posts do not describe a specific legal basis for concerns, the fact these statements are being made by a Competition Bureau official in a public forum suggests that enforcement in this area may be expected.
That said, should the Bureau seek to challenge the use and collection of data as potentially “false or misleading,” it is likely to face a number of hurdles. For example, the misleading representation provisions of the Competition Act require that the representation in question be false or misleading in “a material respect.” To date, the jurisprudence on materiality has focused on whether the representation at issue would influence a consumer’s purchasing decision. As a result, the Bureau would presumably need to show that the specific data collection representations are, in fact, material to the consumers who are being targeted. However, recent research suggests that consumers’ approach to privacy considerations varies widely (and thus may not be “material” to many consumers).
Furthermore, if a company’s disclosure about its use and collection of personal data meets the statutory requirements of PIPEDA for obtaining informed consent, it may be difficult for the Bureau to persuade a court that the representations at issue are nonetheless false or misleading in a material respect. That said, the Bureau might attempt to do so on the basis, for example, that other aspects of a company’s representations or marketing materials convey a general impression about its data collection practices that is contradicted by the disclosure in its terms and conditions. To take a hypothetical example, if a company’s marketing materials were to state “We protect your personal data,” but then permitted an unlimited collection and sharing of an individual’s personal data in the terms and conditions, the Bureau may take the view that the company’s representations are false or misleading in a material respect.
Finally, and perhaps most important from a compliance perspective, the misleading representation provisions of the Competition Act allow for the application of a due diligence defence. If a company can show that it exercised due diligence to prevent the false or misleading representations from occurring, then no administrative monetary penalties may be imposed. In particular, the Bureau has acknowledged in its Corporate Compliance Bulletin that “documented evidence of a credible and effective corporate compliance program will assist a company in advancing a defence of due diligence, where available.”
Although any attempt by the Competition Bureau to challenge privacy or data practices and policies under the Competition Act may be met with significant hurdles, companies operating in Canada should consider taking the following steps to help avoid the costs of investigation and possible challenge:
- Maintain a credible and effective compliance policy that addresses the company’s data and privacy practices . Having such a policy is more important than ever and may allow a company to rely upon the due diligence defence if the Competition Bureau were to raise concerns.
- As part of any effective compliance policy, ensure that the personnel who are most directly involved with the collection and use of data (e.g., systems or software engineers and marketing personnel) are both aware of the various uses and collection of personal data by the company and regularly trained in respect of the appropriate use and collection of personal data.
- Regularly review and update the company’s data and privacy policies to make sure that the policies reflect the way that the company is using and collecting data (and is not false or misleading).
- Regularly review marketing representations to make sure that they are not contradicted by the detailed terms and conditions governing the collection and use of personal data.
- If doing business with third-party app developers or providing data to third parties, consider reviewing or auditing the use and collection of such data by such third parties.
- Have an appropriate process in place for raising and responding to complaints or concerns (internal or external) regarding the use and collection of personal data.