On June 12, 2018, the Office of the Privacy Commissioner of Canada (the "OPC") issued a report relating to allegations against Profile Technology Ltd. ("PTL"), a New Zealand-based company, concluding that PTL imported millions of Canadian Facebook users' profiles in violation of Canadian privacy law, to bolster its own social media platform called The Profile Engine.
The OPC's report came about as a result of five complainants who sought help from the office to have their personal information removed from the website. The main issues are:
- PTL was using personal information posted to Facebook, pursuant to a data sharing agreement between PTL and Facebook. Issues with data accuracy were key; and
- the process of deleting data from PTL's site was opaque and overly cumbersome.
The OPC's report finds the complaints well-founded as violations of Canada's Personal Information Protection and Electronic Documents Act (the "Act" or "PIPEDA")1, as well as the Regulations Specifying Publicly Available Information (the "Regulations")2.
Consent and Collection
PTL asserted that its agreement with Facebook provided it unlimited access to user data; data that users had 'consented' to make public and accessible.
The OPC found this to be a violation of Sections 7(1)(d) and 7(2)(c.1) of the Act that state that a company can use and collect personal information if "the information is publicly available and is specified by the regulations".3 Sections 1(e) of the Regulations specify that "personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information"4 is considered fair game for collection.
The OPC outright rejected the assertion that personal profiles are "publically available". They note that Facebook profiles are 'ever-changing' and are subject to user's personal privacy settings.
Accuracy of Information and Retention
The complainants claimed that the information they found on PTL's website was either never accurate or "inaccurate by virtue of being out of date". While Facebook's profiles would constantly update and change over time through its active users, PTL's information would be dated from when the user data was pulled in order to populate their site with information, but without corresponding users to keep them up to date.
The OPC took issue not only with the cumbersome process users were required to go through to attempt to delete inaccurate profile information, but also that the PTL helpdesk maintained personal information indefinitely. The OPC found this to be a violation of Section 5(3) of the Act, which states that "an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances"5. It is the opinion of the OPC that keeping information that is inaccurate or maintaining helpdesk data longer than needed to help the user is unreasonable.
In its Preliminary Report of Investigation (PRI), the OPC recommended the following two measures:
- "Remove from its website, and delete from its records, all individual profiles and groups associated with any Canadian (or Canadians), including those associated with the complainants. In order to respect any choices Canadians have made to use the respondent's social networking services, this recommendation would not apply to those profiles or groups that were: (i) created by an individual independently on the website; or (ii) claimed by an individual, where the individual has not also requested its deletion; and
- Introduce a retention policy for its helpdesk system information, which includes a reasonable retention period for personal information, and delete helpdesk tickets that are past this reasonable retention period."
In response to the PRI, PTL has begun making changes to its website. It has removed, anonymized and archived millions of profiles. The archives are still accessible but the ability to use search engines for the data has ceased.
Despite these changes, the OPC still maintains its concerns so long as the data is not destroyed completely. According to the OPC, the threat of commercializing this user data is still a live issue.
Data governance is an increasingly critical aspect of risk mitigation in a data-driven economy. It is important for companies to conduct an assessment of existing data to determine regulatory compliance as well as data monetization opportunities. Classifying information for ease of access, deleting duplicate or outdated records, and creating the policies and procedures to manage information responsibly is not only part of a good corporate governance system, but is also important to risk mitigation as well as revenue-generation opportunities.
 S.C. 2000, c. 5 [PIPEDA].
 SOR/2001-7 [Regs].
 PIPEDA, note 1, s. 7(1)(d) and 7(2)(c.1).
 Regs, note 2, s. 1(e).
 PIPEDA, note 1, s. 5(3).
To view original article, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.