The Use of Publicly Available Personal Information is Further Narrowed

Purposes of Publication

I recently reviewed a client’s privacy policy and rang the warning bells because it stated that “personal information will be collected, used or shared if it is publicly available”. Period. I’ve had other clients argue “what’s the harm if it’s already out there?” Harm can indeed result when the information is used for reasons inconsistent with the reason it was published. Thus, according to Canada’s private sector law, PIPEDA, any collection, use or disclosure of publicly available personal information must relate directly to the purpose for which the information was published in the first place.

The Globe24h decision is a case on point. It involved a site that republished Canadian court and tribunal decisions and then charged individuals to have their personal information taken down. Globe24h stated that its purpose was to promote transparency in the judicial system, which was ‘directly related’ to the purpose for which the personal information appeared in the public record. However, the Office of the Privacy Commissioner of Canada (OPCC) disagreed, and found that indexing by search engines allowed for personal information contained in court and tribunal decisions to be found even when one is not searching for this information. Globe24h’s true purpose was the for-profit exploitation of individuals’ desire to maintain some degree of privacy in relation to court and tribunal proceedings.

Timeframe of Publication

Last week, the OPCC issued a decision finding a New Zealand company in violation of PIPEDA for re-using some 4.5 million Canadian Facebook user profiles. Profile Technology collected profile information originally set to “public” on Facebook and then used the information to start its own social networking website. Complaints received by the Office were primarily from individuals whose old or discontinued Facebook profiles now appear on Profile Technology’s search engine.

Profile Technology argued that consent was not needed because its search engine allowed people to find information that was already publicly available on Facebook. The OPCC took the opportunity to read into the definition of ‘publicly available’ the requirement that the information be public at the time of its further use and disclosure. Facebook profiles can change over time, be deleted or be made inaccessible to the general public. The consent exemption does not apply to personal information that was publicly available only at some earlier point in time. Profile Technology’s use of personal information resulted in out-of-date and inaccurate information about individuals becoming easily accessible online.

Unfortunately, Profile Technology uploaded much of the information taken from Facebook to an Internet archive service, making it available for mass download via peer-to-peer sharing, including on the dark web. The OPCC has thus shared its findings with the Office of the Privacy Commissioner of New Zealand to determine what options may be available under New Zealand laws. Facebook itself has been embroiled in litigation with Profile Technology for years.

In conclusion, organizations should keep in mind that ‘publicly available’ must be interpreted narrowly: check whether the information is still publicly available, and make sure you are using and sharing it for the very purpose for which it was published in the first place.

For assistance with your organization’s PIPEDA compliance or use of consent exemptions, contact PRIVATECH.