a $250,000 reminder that “casl” is not just an anti-spam law •

VOLUME 19, NUMBER 5 Cited as (2017-18), 19 I.E.C.L.C. SEPTEMBER 2018

• A $250,000 REMINDER THAT “CASL” IS NOT JUST AN ANTI-SPAM LAW •

Ryan J. Black, Co-Chair Information Technology, Janine MacNeil, Partner, and Lyndsay A. Wasser, Co-Chair Privacy & Data Protection and Co-Chair Cybersecurity

© McMillan LLP, Vancouver, Toronto

Ryan J. Black Janine MacNeil Lyndsay A. Wasser

On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (“CRTC”) announced that it has taken enforcement action against Datablocks Inc. (“Datablocks”) and Sunlight Media

Network Inc. (“Sunlight Media”), two apparently related companies. This marks the first time that an action has been taken under Canada’s “Anti-Spam Law”1 (“Act”) using section 8 of the Act, which prohibits the installation of software without consent, including malware.

DATABLOCKS AND SUNLIGHT MEDIA

Datablocks and Sunlight Media were each issued notices of violation by the CRTC alleging that each had committed a violation of section 9 of the Act through their actions or omissions, by aiding in the commission of acts contrary to sections 6–8 of the Act: in their case, section 8, the installation of computer programs on another person’s computer system without express consent.2

The CRTC found that Datablocks and Sunlight Media enabled Sunlight Media’s clients to repeatedly

• In This Issue •

A $250,000 REMINDER THAT “CASL” IS NOT JUST AN ANTI-SPAM LAW

Ryan J. Black, Janine MacNeil and Lyndsay A. Wasser .........................................33

PUBLIC FACEBOOK PROFILES NOT EQUIVALENT TO PUBLIC INFORMATION UNDER PIPEDA

Éloïse Gratton and Vinay Desai...........................36

VOLUME 19, NUMBER 5 Cited as (2017-18), 19 I.E.C.L.C. SEPTEMBER 2018

• A $250,000 REMINDER THAT “CASL” IS NOT JUST AN ANTI-SPAM LAW •

Ryan J. Black, Co-Chair Information Technology, Janine MacNeil, Partner, and Lyndsay A. Wasser, Co-Chair Privacy & Data Protection and Co-Chair Cybersecurity

© McMillan LLP, Vancouver, Toronto

Ryan J. Black Janine MacNeil Lyndsay A. Wasser

On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (“CRTC”) announced that it has taken enforcement action against Datablocks Inc. (“Datablocks”) and Sunlight Media

Network Inc. (“Sunlight Media”), two apparently related companies. This marks the first time that an action has been taken under Canada’s “Anti-Spam Law”1 (“Act”) using section 8 of the Act, which prohibits the installation of software without consent, including malware.

DATABLOCKS AND SUNLIGHT MEDIA

Datablocks and Sunlight Media were each issued notices of violation by the CRTC alleging that each had committed a violation of section 9 of the Act through their actions or omissions, by aiding in the commission of acts contrary to sections 6–8 of the Act: in their case, section 8, the installation of computer programs on another person’s computer system without express consent.2

The CRTC found that Datablocks and Sunlight Media enabled Sunlight Media’s clients to repeatedly

• In This Issue •

A $250,000 REMINDER THAT “CASL” IS NOT JUST AN ANTI-SPAM LAW

Ryan J. Black, Janine MacNeil and Lyndsay A. Wasser .........................................33

PUBLIC FACEBOOK PROFILES NOT EQUIVALENT TO PUBLIC INFORMATION UNDER PIPEDA

Éloïse Gratton and Vinay Desai...........................36

34

September 2018 Volume 19, No. 5 Internet and E-Commerce Law in Canada

violate section 8 by providing the means to commit the prohibited acts, and benefitted financially from the commission of these prohibited acts.

Datablocks, through its software and network infrastructure, provides a real time bidding platform through which website advertisements may be customized for visitors. Sunlight Media, using Datablocks’ platform, operates an ad network through which it acts as a broker between advertisers and publishers of online content. The CRTC found evidence that these services had been used by Sunlight Media’s clients to display advertisements that surreptitiously installed malicious programs onto the systems of those that received them.

If true, each instance of installation constitutes a violation of the Act — under section 8 for the person who actually installs the program, and under section 9 for the parties that “aid, induce, procure or cause to be procured” a section 8 violation.

In finding a contravention of section 9, the CRTC determined that the companies failed to implement basic safeguards common in the industry, despite evidence that they had been made aware that their services were being used to commit prohibited acts. Importantly, the CRTC concluded that the companies had no written contracts in place with their clients requiring them to comply with the Act, no monitoring measures in place to govern how clients used their services, and no corporate compliance policies and procedures in place. Unhelpfully, other “safeguards common in the industry” are not suggested by the CRTC.

As a result of these violations, the CRTC assessed monetary penalties of $100,000 against Datablocks and $150,000 against Sunlight Media. Datablocks and Sunlight Media have 30 days to file written representations to the CRTC or to pay the penalties.

BEYOND SPAM

While the Act is colloquially known as “Canada’s Anti-Spam Law” or “CASL” for short, it is important to bear in mind that its full breadth extends far beyond simply regulating “spam”. The stated purpose of the Act is to, “promote the efficiency and adaptability of the

INTERNET AND E-COMMERCE LAW IN CANADA

Internet and E-Commerce Law in Canada is published six times per year by LexisNexis Canada Inc., 111 Gordon Baker Road, Suite 900, Toronto ON M2H 3R1 by subscription only.

All rights reserved. No part of this publication may be reproduced or stored in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright Act. © LexisNexis Canada Inc. 2018

ISBN 0-433-42472-9 (print) ISSN 1494-4146ISBN 0-433-44674-9 (PDF)ISBN 0-433-44385-5 (print & PDF)

Subscription rates: $275.00 per year (print or PDF) $400.00 per year (print & PDF)

General EditorProfessor Michael A. GeistCanada Research Chair in Internet and E-Commerce LawUniversity of Ottawa, Faculty of LawE-mail: [email protected]

Please address all editorial inquiries to:

LexisNexis Canada Inc.Tel. (905) 479-2665Fax (905) 479-2826E-mail: [email protected] site: www.lexisnexis.ca

EDITORIAL BOARD• Peter Ferguson, Industry Canada, Ottawa • Bradley J. Freedman, Borden Ladner Gervais, Vancouver • John D. Gregory, Ministry of the Attorney General, Toronto • Dr. Sunny Handa, Blake Cassels & Graydon, Montreal • Mark S. Hayes, Hayes eLaw LLP, Toronto • Ian R. Kerr, University of Ottawa, Faculty of Law • Cindy McGann, Ottawa • Suzanne Morin, Sun Life, Montreal • Roger Tassé, Gowling Lafleur Henderson, OttawaNote: This newsletter solicits manuscripts for consideration by the Editors, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in the Internet and E-Commerce Law in Canada reflect the views of the individual authors and do not necessarily reflect the views of the editorial board members. This newsletter is not intended to provide legal or other professional advice and readers should not act on the information contained in this newsletter without seeking specific independent advice on the particular matters with which they are concerned.

34


violate section 8 by providing the means to commit the prohibited acts, and benefitted financially from the commission of these prohibited acts.

Datablocks, through its software and network infrastructure, provides a real time bidding platform through which website advertisements may be customized for visitors. Sunlight Media, using Datablocks’ platform, operates an ad network through which it acts as a broker between advertisers and publishers of online content. The CRTC found evidence that these services had been used by Sunlight Media’s clients to display advertisements that surreptitiously installed malicious programs onto the systems of those that received them.

If true, each instance of installation constitutes a violation of the Act — under section 8 for the person who actually installs the program, and under section 9 for the parties that “aid, induce, procure or cause to be procured” a section 8 violation.

In finding a contravention of section 9, the CRTC determined that the companies failed to implement basic safeguards common in the industry, despite evidence that they had been made aware that their services were being used to commit prohibited acts. Importantly, the CRTC concluded that the companies had no written contracts in place with their clients requiring them to comply with the Act, no monitoring measures in place to govern how clients used their services, and no corporate compliance policies and procedures in place. Unhelpfully, other “safeguards common in the industry” are not suggested by the CRTC.

As a result of these violations, the CRTC assessed monetary penalties of $100,000 against Datablocks and $150,000 against Sunlight Media. Datablocks and Sunlight Media have 30 days to file written representations to the CRTC or to pay the penalties.

BEYOND SPAM

While the Act is colloquially known as “Canada’s Anti-Spam Law” or “CASL” for short, it is important to bear in mind that its full breadth extends far beyond simply regulating “spam”. The stated purpose of the Act is to, “promote the efficiency and adaptability of the

INTERNET AND E-COMMERCE LAW IN CANADA

Internet and E-Commerce Law in Canada is published six times per year by LexisNexis Canada Inc., 111 Gordon Baker Road, Suite 900, Toronto ON M2H 3R1 by subscription only.

All rights reserved. No part of this publication may be reproduced or stored in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright Act. © LexisNexis Canada Inc. 2018

ISBN 0-433-42472-9 (print) ISSN 1494-4146ISBN 0-433-44674-9 (PDF)ISBN 0-433-44385-5 (print & PDF)

Subscription rates: $275.00 per year (print or PDF) $400.00 per year (print & PDF)

General EditorProfessor Michael A. GeistCanada Research Chair in Internet and E-Commerce LawUniversity of Ottawa, Faculty of LawE-mail: [email protected]

Please address all editorial inquiries to:

LexisNexis Canada Inc.Tel. (905) 479-2665Fax (905) 479-2826E-mail: [email protected] site: www.lexisnexis.ca

EDITORIAL BOARD• Peter Ferguson, Industry Canada, Ottawa • Bradley J. Freedman, Borden Ladner Gervais, Vancouver • John D. Gregory, Ministry of the Attorney General, Toronto • Dr. Sunny Handa, Blake Cassels & Graydon, Montreal • Mark S. Hayes, Hayes eLaw LLP, Toronto • Ian R. Kerr, University of Ottawa, Faculty of Law • Cindy McGann, Ottawa • Suzanne Morin, Sun Life, Montreal • Roger Tassé, Gowling Lafleur Henderson, OttawaNote: This newsletter solicits manuscripts for consideration by the Editors, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in the Internet and E-Commerce Law in Canada reflect the views of the individual authors and do not necessarily reflect the views of the editorial board members. This newsletter is not intended to provide legal or other professional advice and readers should not act on the information contained in this newsletter without seeking specific independent advice on the particular matters with which they are concerned.

Internet and E-Commerce Law in Canada September 2018 Volume 19, No. 5

35

Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities”. To that effect, the Act regulates a number of activities that may hinder electronic commerce, including sending unsolicited commercial electronic messages, altering data transmission and installing computer programs. The Act broadens these prohibitions by prohibiting any person from aiding, inducing, procuring, or causing a CASL contravention.

Section 6, commonly known as the “anti-spam” provision, is the most well-known provision within the Act, prohibiting commercial electronic messages without the consent, whether express or statutorily implied, of the intended recipient. Because a commercial electronic message is essentially any message sent by means of telecommunication for the purpose of encouraging participation in a commercial activity,3 this definition extends beyond the traditional conception of “spam” and regulates genuine business activities, subject to limited exceptions.

Section 7 prohibits the alteration of transmission data in an electronic message that causes the message to be delivered to a destination other than that specified by the sender without the express consent of the sender or the intended recipient. This section notably targets “phishing” and “man-in-the-middle” attacks whereby information is surreptitiously misdirected or misappropriated, but, in the same way that section 6 is agnostic about what “spam” is, section 7 prohibits the action without giving much regard to intent or maliciousness.4

Section 8, which gave rise to this CRTC action, prohibits the installation of computer programs on another person’s computer system without their express consent, and further prohibits causing a computer system to communicate with another computer system if one has so installed a computer program. While this section notably targets malware, spyware, viruses or other malicious computer programs it extends to all computer programs, with certain exceptions.5

ConClusion

The term “CASL” is a misnomer. The scope of the Act extends far beyond simply regulating spam emails,

and even the word “spam” is subjective enough that one rarely applies it to one’s own communications. This has been known for some time,6 and in fact when the Standing Committee on Industry, Science and Technology released its 2017 report entitled “Canada’s Anti-Spam Legislation: Clarifications are in Order”,7 its first recommendation was that the Act be given a short title more befitting its scope. (The Standing Committee’s suggestion was “Electronic Commerce Protection Act”. The authors of this article have previously suggested “Prohibited Electronic Interactions Act” or the “Regulation of Electronic Interactions Act”.)

Furthermore, the Act applies not only to those who commit prohibited acts, but to those who enable, facilitate or solicit the commission of prohibited acts, as the CRTC’s findings with respect to Datablocks and Sunlight Media have made clear in the present case. The CRTC plainly found that the acts, or omissions, of those companies crossed the line into prohibited territory. Yet, there are many intermediaries involved in displaying content on websites, and there has been little guidance from the CRTC about what responsibility each party has under the Act. What of the website and content publishers, who may have been able to do something to prevent the malicious advertisements from being displayed? Could, and should, the ISP or website host have filtered such content? What about search results from search engines that point to websites with malicious content?

While this case indicates that the CRTC expects a degree of diligence on the part of service providers and content publishers, including the implementation of basic safeguards to prevent the commission of prohibited activities, businesses that are involved in the dissemination of content that potentially violates the Act must seriously consider what measures they are taking to prevent themselves from being found to aid, induce, procure, or cause a third party, even an unrelated one, to commit a violation.8

[Ryan J. Black practises technology-related business law, and is a member of the Technology, Intellectual Property and Privacy group as well as Co-Chair, Information Technology, at McMillan’s Vancouver office.


35

Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities”. To that effect, the Act regulates a number of activities that may hinder electronic commerce, including sending unsolicited commercial electronic messages, altering data transmission and installing computer programs. The Act broadens these prohibitions by prohibiting any person from aiding, inducing, procuring, or causing a CASL contravention.

Section 6, commonly known as the “anti-spam” provision, is the most well-known provision within the Act, prohibiting commercial electronic messages without the consent, whether express or statutorily implied, of the intended recipient. Because a commercial electronic message is essentially any message sent by means of telecommunication for the purpose of encouraging participation in a commercial activity,3 this definition extends beyond the traditional conception of “spam” and regulates genuine business activities, subject to limited exceptions.

Section 7 prohibits the alteration of transmission data in an electronic message that causes the message to be delivered to a destination other than that specified by the sender without the express consent of the sender or the intended recipient. This section notably targets “phishing” and “man-in-the-middle” attacks whereby information is surreptitiously misdirected or misappropriated, but, in the same way that section 6 is agnostic about what “spam” is, section 7 prohibits the action without giving much regard to intent or maliciousness.4

Section 8, which gave rise to this CRTC action, prohibits the installation of computer programs on another person’s computer system without their express consent, and further prohibits causing a computer system to communicate with another computer system if one has so installed a computer program. While this section notably targets malware, spyware, viruses or other malicious computer programs it extends to all computer programs, with certain exceptions.5

ConClusion

The term “CASL” is a misnomer. The scope of the Act extends far beyond simply regulating spam emails,

and even the word “spam” is subjective enough that one rarely applies it to one’s own communications. This has been known for some time,6 and in fact when the Standing Committee on Industry, Science and Technology released its 2017 report entitled “Canada’s Anti-Spam Legislation: Clarifications are in Order”,7 its first recommendation was that the Act be given a short title more befitting its scope. (The Standing Committee’s suggestion was “Electronic Commerce Protection Act”. The authors of this article have previously suggested “Prohibited Electronic Interactions Act” or the “Regulation of Electronic Interactions Act”.)

Furthermore, the Act applies not only to those who commit prohibited acts, but to those who enable, facilitate or solicit the commission of prohibited acts, as the CRTC’s findings with respect to Datablocks and Sunlight Media have made clear in the present case. The CRTC plainly found that the acts, or omissions, of those companies crossed the line into prohibited territory. Yet, there are many intermediaries involved in displaying content on websites, and there has been little guidance from the CRTC about what responsibility each party has under the Act. What of the website and content publishers, who may have been able to do something to prevent the malicious advertisements from being displayed? Could, and should, the ISP or website host have filtered such content? What about search results from search engines that point to websites with malicious content?

While this case indicates that the CRTC expects a degree of diligence on the part of service providers and content publishers, including the implementation of basic safeguards to prevent the commission of prohibited activities, businesses that are involved in the dissemination of content that potentially violates the Act must seriously consider what measures they are taking to prevent themselves from being found to aid, induce, procure, or cause a third party, even an unrelated one, to commit a violation.8

[Ryan J. Black practises technology-related business law, and is a member of the Technology, Intellectual Property and Privacy group as well as Co-Chair, Information Technology, at McMillan’s Vancouver office.

36


Janine MacNeil is a partner in the firm’s Competition and Marketing Law Group. Janine’s practice includes advising on advertising matters, promotional contests, games and sweepstakes, related privacy matters, compliance with consumer protection legislation, marketing and advertising-related agreements, and packaging and labelling requirements.

Lyndsay A. Wasser is the Co-Chair of McMillan’s Privacy & Data Protection Group and its Cybersecurity Group. She is a Certified Information Privacy Professional/Canada, and regularly advises and assists clients on a broad range of privacy and cybersecurity issues, including advising on access requests, legal requirements related to data security, workplace privacy issues (e.g. background checks, computer/video/phone monitoring, GPS tracking, drug and alcohol testing), handling personal health information, CASL compliance, and transferring personal information across borders, as well as helping organizations to develop privacy compliance programs, privacy and social media policies, data sharing agreements and consent forms.]

1 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of

carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, R.S.C., 1985, c. C-22, the Competition Act, R.S.C., 1985, c. C-34, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 and the Telecommunications Act, S.C. 2010, c. 23.

2 Investigation into the installation of malicious computer programs through online ads.

3 Andrew Aguilar & Ryan Black, Internet Law Essentials: Canada’s Anti-Spam Law (CASL), 2nd ed (Vancouver: Specialty Technical Publishers, 2017) at 19 [Internet Law Essentials].

4 Ibid., at 455 Ibid., at 50. See our Bulletin Green Eggs And Spam:

The Surprising Side Dish to Canada’s Anti-Spam Law that May Catch Software Businesses Off Guard (“Green Eggs”).

6 See Green Eggs.7 See Canada’s Anti-Spam Legislation: Clarifications

are in Order.8 This case is a clear demonstration the wisdom of the

government’s decision to delay the “Private Right of Action”, whereby individuals (or more likely, classes of individuals) would have had a remedy under CASL; until there is clear guidance or amendments to the Act about just how far section 9 goes, it should not be up to creative plaintiff lawyers to decide what constitutes a violation of section 9.

• PUBLIC FACEBOOK PROFILES NOT EQUIVALENT TO PUBLIC INFORMATION UNDER PIPEDA •

Éloïse Gratton, Partner, Vinay Desai, Associate, Borden Ladner Gervais© Borden Ladner Gervais Montreal

Éloïse Gratton Vinay Desai

The OPC dealt with the often murky issue of personal information that is publicly available and confirmed its view that Facebook profiles that are set to public are not considered “publicly available” information under the PIPEDA.

In its most recent report of findings entitled “Company’s re-use of millions of Canadian Facebook user profiles violated privacy law”, the Office of the Privacy Commissioner (the “OPC”) dealt with the often confusing issue of personal information

36


Janine MacNeil is a partner in the firm’s Competition and Marketing Law Group. Janine’s practice includes advising on advertising matters, promotional contests, games and sweepstakes, related privacy matters, compliance with consumer protection legislation, marketing and advertising-related agreements, and packaging and labelling requirements.

Lyndsay A. Wasser is the Co-Chair of McMillan’s Privacy & Data Protection Group and its Cybersecurity Group. She is a Certified Information Privacy Professional/Canada, and regularly advises and assists clients on a broad range of privacy and cybersecurity issues, including advising on access requests, legal requirements related to data security, workplace privacy issues (e.g. background checks, computer/video/phone monitoring, GPS tracking, drug and alcohol testing), handling personal health information, CASL compliance, and transferring personal information across borders, as well as helping organizations to develop privacy compliance programs, privacy and social media policies, data sharing agreements and consent forms.]

1 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of

carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, R.S.C., 1985, c. C-22, the Competition Act, R.S.C., 1985, c. C-34, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 and the Telecommunications Act, S.C. 2010, c. 23.

2 Investigation into the installation of malicious computer programs through online ads.

3 Andrew Aguilar & Ryan Black, Internet Law Essentials: Canada’s Anti-Spam Law (CASL), 2nd ed (Vancouver: Specialty Technical Publishers, 2017) at 19 [Internet Law Essentials].

4 Ibid., at 455 Ibid., at 50. See our Bulletin Green Eggs And Spam:

The Surprising Side Dish to Canada’s Anti-Spam Law that May Catch Software Businesses Off Guard (“Green Eggs”).

6 See Green Eggs.7 See Canada’s Anti-Spam Legislation: Clarifications

are in Order.8 This case is a clear demonstration the wisdom of the

government’s decision to delay the “Private Right of Action”, whereby individuals (or more likely, classes of individuals) would have had a remedy under CASL; until there is clear guidance or amendments to the Act about just how far section 9 goes, it should not be up to creative plaintiff lawyers to decide what constitutes a violation of section 9.

• PUBLIC FACEBOOK PROFILES NOT EQUIVALENT TO PUBLIC INFORMATION UNDER PIPEDA •

Éloïse Gratton, Partner, Vinay Desai, Associate, Borden Ladner Gervais© Borden Ladner Gervais Montreal

Éloïse Gratton Vinay Desai

The OPC dealt with the often murky issue of personal information that is publicly available and confirmed its view that Facebook profiles that are set to public are not considered “publicly available” information under the PIPEDA.

In its most recent report of findings entitled “Company’s re-use of millions of Canadian Facebook user profiles violated privacy law”, the Office of the Privacy Commissioner (the “OPC”) dealt with the often confusing issue of personal information


37

that is publicly available and confirmed its view that Facebook profiles that are set to public are not considered “publicly available” information under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). As such, this finding reinforces the notion that the colloquial meaning of “public information” does not correspond to the legal definition of “publicly available” under Canadian privacy law and confirms the OPC’s jurisdiction in investigating foreign entities collecting personal information from Canadians.

INVESTIGATION

The OPC investigated the practices of a New Zealand company — Profile Technology — which operated a website called The Profile Engine, which collected profile information originally set to “public” on Facebook while providing search function services for users. The operator of the website argued that it simply allowed users to search for and find information which was already publicly available on Facebook and therefore consent from these individuals was not necessary. At issue was whether the company could rely on paragraphs 7(1)(d) and (2)(c.1) of PIPEDA and section 1(e) of the associated Regulations Specifying Publicly Available Information (the “Regulations”) collectively to collect and use the personal information in question (i.e., Facebook profiles) without the consent of the individuals concerned. Under PIPEDA, “publicly available” personal information is defined restrictively and does not necessarily include all information that can be freely accessed by anyone. In particular, under section 1(e) of the Regulations, in order for personal information to be considered “publicly available” and for which consent to collect, use and disclose is not

required, the personal information must appear in a publication, the publication must be available to the public, and the personal information has to have been provided by the individual.

The OPC disagreed with the company’s argument and reiterated that the profile information at issue was not “publicly available” as set out in PIPEDA. The OPC determined that while the term “publication” used in section 1(e) of the Regulations is not defined in PIPEDA, it must be interpreted restrictively to cover information that is of a particular kind or quality such that either: (i) the individuals’ consent to make it public can be inferred by virtue of the fact that the individual provided it or otherwise did not object to it being made public, or (ii) its publication serves a broader public purpose. In its investigation, the OPC concluded that Facebook profiles are dynamic — a profile owner can edit or remove content from their publicly accessible profile at any time, and can decide to edit their settings so that their profile would no longer be publicly accessible. As such, a Facebook profile could not be considered a publication and therefore public Facebook profile information was not “publicly available” within the parameters of PIPEDA and the Regulations. Consequently, the company was required to obtain the consent of individuals whose personal information it copied from Facebook and posted on its website.

The OPC further identified concerns with respect to the fact that the organization was not using and disclosing personal information for a purpose that a reasonable person would consider appropriate in the circumstances and furthermore, was retaining certain information (i.e., help desk ticket information collected from individuals wishing to having their profile deleted) for longer than necessary.

ELECTRONIC VERSION AVAILABLE

A PDF version of your print subscription is available for an additional charge.

A PDF file of each issue will be e-mailed directly to you 6 times per year, for internal distribution only.


37

that is publicly available and confirmed its view that Facebook profiles that are set to public are not considered “publicly available” information under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). As such, this finding reinforces the notion that the colloquial meaning of “public information” does not correspond to the legal definition of “publicly available” under Canadian privacy law and confirms the OPC’s jurisdiction in investigating foreign entities collecting personal information from Canadians.

INVESTIGATION

The OPC investigated the practices of a New Zealand company — Profile Technology — which operated a website called The Profile Engine, which collected profile information originally set to “public” on Facebook while providing search function services for users. The operator of the website argued that it simply allowed users to search for and find information which was already publicly available on Facebook and therefore consent from these individuals was not necessary. At issue was whether the company could rely on paragraphs 7(1)(d) and (2)(c.1) of PIPEDA and section 1(e) of the associated Regulations Specifying Publicly Available Information (the “Regulations”) collectively to collect and use the personal information in question (i.e., Facebook profiles) without the consent of the individuals concerned. Under PIPEDA, “publicly available” personal information is defined restrictively and does not necessarily include all information that can be freely accessed by anyone. In particular, under section 1(e) of the Regulations, in order for personal information to be considered “publicly available” and for which consent to collect, use and disclose is not

required, the personal information must appear in a publication, the publication must be available to the public, and the personal information has to have been provided by the individual.

The OPC disagreed with the company’s argument and reiterated that the profile information at issue was not “publicly available” as set out in PIPEDA. The OPC determined that while the term “publication” used in section 1(e) of the Regulations is not defined in PIPEDA, it must be interpreted restrictively to cover information that is of a particular kind or quality such that either: (i) the individuals’ consent to make it public can be inferred by virtue of the fact that the individual provided it or otherwise did not object to it being made public, or (ii) its publication serves a broader public purpose. In its investigation, the OPC concluded that Facebook profiles are dynamic — a profile owner can edit or remove content from their publicly accessible profile at any time, and can decide to edit their settings so that their profile would no longer be publicly accessible. As such, a Facebook profile could not be considered a publication and therefore public Facebook profile information was not “publicly available” within the parameters of PIPEDA and the Regulations. Consequently, the company was required to obtain the consent of individuals whose personal information it copied from Facebook and posted on its website.

The OPC further identified concerns with respect to the fact that the organization was not using and disclosing personal information for a purpose that a reasonable person would consider appropriate in the circumstances and furthermore, was retaining certain information (i.e., help desk ticket information collected from individuals wishing to having their profile deleted) for longer than necessary.

ELECTRONIC VERSION AVAILABLE

A PDF version of your print subscription is available for an additional charge.

A PDF file of each issue will be e-mailed directly to you 6 times per year, for internal distribution only.

38


RESULT

As a result of the OPC’s investigation, the website operator removed all Facebook profile information from its website. However, it had uploaded much of the information to an internet archive service, making it available for mass download via peer-to-peer sharing, including on the dark web. The OPC has shared its findings with the Office of the Privacy Commissioner of New Zealand. Facebook has also been engaged in litigation with Profile Technology in relation to its website.

TAKEAWAY FOR BUSINESS

This investigation is a reminder of the OPC’s position as reported in its 2015 Report of findings following the OPC’s investigation of Globe24h, that a business model involving the online republication of publicly available court decisions (and allowing them to be indexed by search engines) contravened PIPEDA, and which was confirmed by the Federal Court of Canada. The OPC further lists the Globe24h business model as an example of inappropriate data practices in its recently published “Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)”.

In this recent report of findings, the OPC confirmed that Facebook profiles are not “publicly available” within the meaning of PIPEDA and clarified the common misconception with regards to whether personal information that is accessible to the public can be collected, used and disclosed without the individual’s consent. This should not come as a surprise given that the OPC had already articulated its view on this issue in its recent consent report from September 2017 in which it stated: “(…) we caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it.” Businesses should be aware that collecting personal information from publicly available sources (including from social media websites) does not necessarily obviate the requirement to obtain the individual’s consent unless the information falls under one of the exceptions found in PIPEDA, which are

interpreted restrictively. This decision may therefore have an impact on various business models including social listening activities.

Businesses should keep an eye on upcoming amendments to the Regulations Specifying Publicly Available Information. Recall that the Standing Committee on Access to Information, Privacy and Ethics, in its 2018 report, Towards Privacy By Design, recommended that the Government of Canada “modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral”.

This report of findings is also a reminder to foreign entities that the OPC will not hesitate to exercise its authority to investigate them if they are conducting commercial activities involving the collection, use or disclosure of Canadians’ personal information.

[Éloïse Gratton is a partner at Borden Ladner Gervais LLP and National Co-Leader of the Privacy and Data Protection Practice Group. She advises clients from various industrial sectors on legal, practical and ethical issues relating to information technology, e-commerce, privacy protection, consumer protection or anti-spam, in connection with their new projects, products, practices and technologies, providing them, both nationally and internationally, with strategic advice on matters of risk management and regulatory compliance, advising as to best business practices, conducting privacy audits or privacy impact assessments and assisting them in crisis management situations (e.g., class actions, security breaches, privacy commissioners’ investigations). She has published several books on IT and privacy issues, which have been cited by the Supreme Court of Canada in some of its landmark privacy decisions. She authored Internet and Wireless Privacy: A Legal Guide to Global Business Practices, one of the first technology and privacy book in Canada (CCH, 2003). Her recent works include Privacy in the Workplace, 4th edition (LexisNexis, 2017), Practical Guide to e-Commerce and Internet Law (LexisNexis 2015), and Understanding Personal Information:

38


RESULT

As a result of the OPC’s investigation, the website operator removed all Facebook profile information from its website. However, it had uploaded much of the information to an internet archive service, making it available for mass download via peer-to-peer sharing, including on the dark web. The OPC has shared its findings with the Office of the Privacy Commissioner of New Zealand. Facebook has also been engaged in litigation with Profile Technology in relation to its website.

TAKEAWAY FOR BUSINESS

This investigation is a reminder of the OPC’s position as reported in its 2015 Report of findings following the OPC’s investigation of Globe24h, that a business model involving the online republication of publicly available court decisions (and allowing them to be indexed by search engines) contravened PIPEDA, and which was confirmed by the Federal Court of Canada. The OPC further lists the Globe24h business model as an example of inappropriate data practices in its recently published “Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)”.

In this recent report of findings, the OPC confirmed that Facebook profiles are not “publicly available” within the meaning of PIPEDA and clarified the common misconception with regards to whether personal information that is accessible to the public can be collected, used and disclosed without the individual’s consent. This should not come as a surprise given that the OPC had already articulated its view on this issue in its recent consent report from September 2017 in which it stated: “(…) we caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it.” Businesses should be aware that collecting personal information from publicly available sources (including from social media websites) does not necessarily obviate the requirement to obtain the individual’s consent unless the information falls under one of the exceptions found in PIPEDA, which are

interpreted restrictively. This decision may therefore have an impact on various business models including social listening activities.

Businesses should keep an eye on upcoming amendments to the Regulations Specifying Publicly Available Information. Recall that the Standing Committee on Access to Information, Privacy and Ethics, in its 2018 report, Towards Privacy By Design, recommended that the Government of Canada “modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral”.

This report of findings is also a reminder to foreign entities that the OPC will not hesitate to exercise its authority to investigate them if they are conducting commercial activities involving the collection, use or disclosure of Canadians’ personal information.

[Éloïse Gratton is a partner at Borden Ladner Gervais LLP and National Co-Leader of the Privacy and Data Protection Practice Group. She advises clients from various industrial sectors on legal, practical and ethical issues relating to information technology, e-commerce, privacy protection, consumer protection or anti-spam, in connection with their new projects, products, practices and technologies, providing them, both nationally and internationally, with strategic advice on matters of risk management and regulatory compliance, advising as to best business practices, conducting privacy audits or privacy impact assessments and assisting them in crisis management situations (e.g., class actions, security breaches, privacy commissioners’ investigations). She has published several books on IT and privacy issues, which have been cited by the Supreme Court of Canada in some of its landmark privacy decisions. She authored Internet and Wireless Privacy: A Legal Guide to Global Business Practices, one of the first technology and privacy book in Canada (CCH, 2003). Her recent works include Privacy in the Workplace, 4th edition (LexisNexis, 2017), Practical Guide to e-Commerce and Internet Law (LexisNexis 2015), and Understanding Personal Information:


39

Managing Privacy Risks (LexisNexis, 2013). She holds a doctorate degree in law (University of Paris II and U of M) and she has been teaching e-commerce law and privacy and IT law at University of Montreal for several years.

Vinay Desai is an associate in the BLG Privacy and Data Protection practice group. He advises and assists international and domestic clients from various sectors on a wide range of issues, including privacy

and anti-spam compliance, access to information requests and responses, information technology, advertising, marketing and sponsorship, trademarks, consumer protection, French language requirements as well as cybersecurity issues and data breach management. Vinay has also been involved in drafting e-commerce terms of use, information technology and privacy policies and license agreements for clients from various industries.]


39

Managing Privacy Risks (LexisNexis, 2013). She holds a doctorate degree in law (University of Paris II and U of M) and she has been teaching e-commerce law and privacy and IT law at University of Montreal for several years.

Vinay Desai is an associate in the BLG Privacy and Data Protection practice group. He advises and assists international and domestic clients from various sectors on a wide range of issues, including privacy

and anti-spam compliance, access to information requests and responses, information technology, advertising, marketing and sponsorship, trademarks, consumer protection, French language requirements as well as cybersecurity issues and data breach management. Vinay has also been involved in drafting e-commerce terms of use, information technology and privacy policies and license agreements for clients from various industries.]

40


40
