Imagine you’re gearing up for an epic road trip. You’ve got your bags packed, route planned, playlist ready, and car snacks in tow. You and your bestie jump into your rental car only to find it devoid of the jack and other ports necessary to plug in your cellphone. You do a double-check of the dash and notice a hole that looks like it might be a smartphone holder but is also remarkably similar to a tape deck. To your horror, you confirm that it is, in fact, a slot for cassette tapes and begin to wonder why in this day and age you would find yourself in a situation so absurdly out of touch with reality.
Embarking on a modern-day road trip in a vehicle that doesn’t recognize the use of current technology would be akin to the dilemma many Canadian organizations face when navigating the consent requirements for the treatment of “publicly available information” within Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). It’s a lot like being stuck with a mixtape when everyone else has moved on to Spotify playlists. Or like being forced to rent a VHS at Blockbuster while Netflix and Amazon Prime have become the new norm.
The Act specifies that an organization may collect personal information without the knowledge or consent of the individual if the personal information is publicly available. This approach makes sense; it is publicly available after all! But the Act then departs from current-day use cases as it specifies that publicly available information only includes more traditional publications like “a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.” Wait, but what about all the other content that is publicly available on the Internet? Like the information found on social media sites? Nope, all other publicly available info appears to be out of bounds for collection.
Or is it? Following PIPEDA guidelines and relying on all forms of valid consent, including implied consent, one could deduce that an organization can, in fact, use other kinds of publicly available information if it was collected by a third party that can prove it adhered to PIPEDA guidelines.
Let’s bring this to life through an example. Suppose social media company X allows all its users’ data to be publicly viewable on its site, except for those users who specifically requested that their information be private. In company X’s terms of service, it is clear that users’ publicly available data will be used by other parties. These terms ensure company X’s compliance with PIPEDA, including identifying purposes, obtaining consent, and more. In this circumstance, company X complies with PIPEDA and can, therefore, sell that publicly available social media data to company Y.
Now, for its part, company Y might be able to collect that data from company X if it also complies with PIPEDA, such as in one of the following manners:
- company X has been clear about what types of companies may use its content;
- company Y has identified the purpose for collection, in its customer privacy notice as an example;
- company Y has explained it may collect customer information indirectly from other sources, perhaps listing those sources; or
- company Y gives the customer the opportunity to opt out of such indirect collection.
The only thing company Y can’t do is collect the data from company X without relying on any form of consent.
You can see from this example how important it is for companies on both sides of the arrangement to ensure they are compliant with PIPEDA, and to ensure they evaluate the collection and use of public information on a case-by-case basis.
While PIPEDA was written to be technology-neutral and has proved its ability to live up to that vision, even the best-worded regulation begins to age a little after almost two decades of technological change. The use of publicly available information by businesses for legitimate business practices is one such age spot. What is important to remember is the protection offered through adherence to PIPEDA’s 10 principles. All organizations are responsible for being transparent about their uses of personal information, while ensuring adequate protections and adherence to fair information practices, no matter if it is publicly available or otherwise.
One of the proposals for PIPEDA reform put forward by the Government of Canada last month is to commit to exploring the definition of publicly available information. This is an important conversation that the CMA looks forward to participating in actively. In the meantime, we can all take comfort in the fact that the current framework allows for use of public information with appropriate protection, even though this narrow though important piece of the law is akin to a cassette tape deck.
Author: CMA Privacy and Data Committee