In an increasingly digitized and public world, it is important not to lose sight of our existing privacy laws: both the protections they provide and the parameters they set for the use of personal information that may be found in public. Most of us are familiar with Principle 4.3 of Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which states that the “knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” It is challenging for some Canadian organizations to understand that some information available in the public domain is not necessarily “publicly available information” under PIPEDA.
Section 7 of PIPEDA states that for the purpose of clause 4.3 of Schedule 1, an organization may collect, use or disclose personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the Regulations Specifying Publicly Available Information, SOR/2001-7 (13 December, 2000). However, that does not mean that PIPEDA does not apply to publicly available information, because all the other obligations under PIPEDA continue to apply to publicly available information including access, safeguards and reasonable purpose.
The regulations indicate that the following information and classes of information are considered publicly available information under PIPEDA:
- personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
- personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice that is available to the public, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the directory, listing or notice;
- personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the registry;
- personal information that appears in a record or document of a judicial or quasi-judicial body that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and
- personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.
In an increasingly digitalized world, this list may be out of touch with reality, as it only references formal and – as in the case of telephone directories – somewhat outdated classes of information. As a result, organizations must determine how to treat all the other information shared openly in the public domain, such as information uploaded by individuals to social media platforms, and determine whether they can collect and use such information, for what purpose and what form of valid consent they can rely on.
According to PIPEDA, the simple fact that information is accessible to the public does not mean it is exempt from consent requirements. In its interpretations to date, the Office of the Privacy Commissioner of Canada (OPC) has been clear that no other information beyond that which is specified by the Regulations is considered publicly available information under PIPEDA. This has been supported by court interpretations, which have maintained that consent should still be required for information that could be considered to be publicly available, such as online content shared by an individual with an audience – however large or small that audience might be. Similarly, the fact that an individual appears in public does not mean they do not want to retain control over their personal information.
Despite PIPEDA’s limited and non-technology-neutral definition of publicly available information, one can still deduce that an organization could, in fact, use other kinds of public information beyond those listed in the Regulations if it was collected by a third party that can prove it adhered to PIPEDA guidelines, including relying on a form of valid consent.
Let’s bring this to life through an example. Suppose social media company X allows all its users’ data to be publicly viewable on its site, except for those users who specifically requested that their information be private. In company X’s terms of service, it is clear that users’ publicly available data will be used by other parties. These terms ensure company X’s compliance with PIPEDA, including identifying purposes, obtaining consent, and more. In this circumstance, company X complies with PIPEDA and can, therefore, sell that publicly available social media data to company Y.
Now, for its part, company Y might be able to collect and use that data from company X if it also complies with PIPEDA, such as in one of the following manners:
- company X has been clear about what types of companies may use its content;
- company Y has identified the purpose for collection, for example in its customer privacy notice;
- company Y has explained it may collect customer information indirectly from other sources, perhaps listing those sources; or
- company Y gives the customer the opportunity to opt out of such indirect collection.
The only thing company Y can’t do is collect the data from company X without relying on any form of consent. You can see from the above example how important it is for companies on both sides of the arrangement to ensure they are compliant with PIPEDA, and to ensure they evaluate the collection and use of public information on a case-by-case basis.
While PIPEDA was written to be technology-neutral, and in many ways has proved its ability to live up to that vision, this regulation in reality was not drafted in technology-neutral language. In addition, even the best-worded regulation may age a little after almost two decades of technological change. The use of publicly available information by businesses for legitimate business practices is one such age spot. This is why Innovation, Science and Economic Development Canada (ISED) committed to revisiting the definition of publicly available information in its May 2019 Proposals to modernize the Personal Information Protection and Electronic Documents Act, noting that the Regulations “reflect to some degree, the technology and uses of its time.”
ISED has been consulting with organizations over the summer to bring the definition of publicly available information into the 21st century, with the aim of providing more certainty and clarity for businesses while acknowledging concerns about the privacy interests and online reputation of individuals. It is an important conversation that the Canadian Marketing Association and other key stakeholders are actively participating in.
In the meantime, it is important to remember the protections currently offered through adherence to PIPEDA’s 10 principles. All organizations are responsible for being transparent about their uses of personal information, while ensuring adequate protections and adherence to fair information practices, whether the information is publicly available or not. The CMA Guide on Transparency for Consumers is a helpful tool for organizations wanting to improve their transparency practices.
The article was provided by the Canadian Marketing Association Privacy and Data Committee.
The committee consists of the following members: Amanda Maltby, General Manager, Compliance and Chief Privacy Officer, Canada Post; Sabrina Anzini, VP, Legal, Goeasy Ltd.; Ruby Barber, Assistant General Counsel, Legal & Regulatory, Bell Canada; David Elder, Digital Privacy Counsel to CMA, Stikeman Elliott LLP; Deborah Evans, Director, Consumer Policy & Associate Chief Privacy Officer, Rogers; Lisa McKay, Privacy Team Lead, Advisory Services and Head Privacy Canada, BMO; Suzanne Morin, VP Enterprise Services Compliance and Chief Privacy Officer, Sun Life Financial; Stephanie Rich, Principal Privacy Officer, Air Canada; Kimberly Eberwine, Senior Legal Counsel, Procter & Gamble; James Smith, Chief Privacy Officer, Environics Analytics; Pam Snively, VP, Chief Data & Trust Officer, Telus; Colin McKay, Head, Public Policy and Government Relations, Google; Kevin Chan, Head of Public Policy, Canada, Facebook.