Company’s re-use of millions of Canadian Facebook user profiles violated privacy law

PIPEDA Report of Findings #2018-002

June 12, 2018

Complaints under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”) against Profile Technology Ltd.

Complaints

1. This investigation relates to the complaints of five individuals in respect of the collection and use of their personal information from old Facebook profiles and groups (collectively “profile information”) by Profile Technology Ltd. (“Profile Technology” or the “respondent”) for purposes associated with its website, www.profileengine.com (the “website” or “The Profile Engine”).
2. The five complainants alleged that Profile Technology collected and used their personal information without their knowledge and consent.
3. The complainants also sought our Office’s assistance to have their personal information removed from the website. In that respect, the complainants raised a number of concerns with the respondent’s collection, use and disclosure of their personal information on the website, including:
   1. in certain circumstances, individuals were unable to have their personal information removed from the website;
   2. the personal information used by Profile Technology was not accurate; and
   3. Profile Technology had inadequate procedures in place to receive and respond to complaints and inquiries about its policies and practices relating to the handling of personal information.
4. During the course of the investigation, we identified additional concerns with respect to whether Profile Technology was: (i) using and disclosing personal information for a purpose that a reasonable person would consider appropriate in the circumstances; and (ii) retaining help-desk ticket information (i.e., that collected from individuals wishing to having their Profile deleted) for longer than necessary.

Summary of investigation

Preliminary Findings

5. Upon completion of our initial assessment of this matter, we issued a Preliminary Report of Investigation (“PRI”) to Profile Technology, wherein we shared our preliminary views that the respondent: (i) had not obtained consent for its collection and use of profile information for the purposes of populating Profile Technology’s own social networking site; and (ii) had, through the indefinite retention of helpdesk ticket information, retained personal information longer than required to fulfill the purpose for which it was collected.
6. In our PRI, we recommended that Profile Technology remove and delete all individual profiles and groups associated with Canadian(s), and introduce a retention policy for its helpdesk system information (see paragraph 120 for full recommendations).
7. Profile Technology did not agree to implement the recommendations proposed in our PRI, providing further materials and arguments supporting its position. The respondent made several representations in respect of jurisdiction, procedural fairness, legislative interpretation, our recommendations, and the constitutionality of PIPEDA.
8. In our response to these submissions, we shared our additional preliminary view, and associated analysis, that Profile Technology was not using profile information for purposes that a reasonable person would consider appropriate in the circumstances, and invited Profile Technology to make additional submissions on this issue.
9. The facts and analysis below reflect: (i) our consideration of the representations made by the respondent, both prior to and after the issuance of our PRI; as well as (ii) information provided by the complainants; and (iii) our own research.

Jurisdiction

10. The respondent, a company based in New Zealand, operates the website. While the respondent cooperated with our Office in the course of the investigation, it indicated to us that the Office of the Privacy Commissioner of New Zealand (the “NZ-OPC”) had already published a detailed report in respect of the respondent’s collection of data and its procedure for processing deletion requests. The respondent took the position, from the outset of our investigation, that any complaint about the website should be investigated by the Office of the Privacy Commissioner of New Zealand, claiming that the organization had no presence of any kind in Canada. Our Office considered that there were several factors (outlined in paragraph 78 below) indicating a real and substantial connection between the respondent’s activities and Canada to support our Office’s jurisdiction to investigate the complaints.
11. We note, additionally, that we communicated with each of the five complainants via a Canadian address and telephone number.

Collection

12. Complainants submitted that they learned that their information appears on the website after conducting Internet searches for their own names. Our Office confirmed that each complainant is the subject of an individual profile or a “group” (i.e., a group of people with a common interest or opinion) on the website.
13. Based on our review, the profile information varies between complainants. Overall, the profile information contains a range of personal information, including some or all of the types of information shown in Figure 1, below.
    Figure 1: Profile information

    • Name;
    • Gender;
    • Date of birth (e.g., day and month)
    • Username;
    • Photo;
    • Relationship status (e.g., single);
    • Politics (e.g., very Liberal);
    • Communication status (e.g., Contactable – email address available);
    • Location (e.g., city and country);
    • Relevant schools, colleges and/or universities;
    • Relevant groups and fan clubs (i.e., interests shared with others);
    • Names of friends;
    • Music playlist;
    • Estimated IQ;
    • Social influence (e.g., no measurable influence; influences many friends); and
    • Allegations regarding social behaviour (e.g., bullying).
14. Complainants claimed that the aforementioned information had originated from Facebook. The respondent confirmed that it had collected profiles from Facebook.
15. In that respect, the respondent stated the following to our Office:

    Facebook contracted with us to provide Advanced Search functions for their site from 2007, and in April 2008 agreed to provide us with unlimited access to information which their users had consented to make public and accessible to search engines.

16. The website contained a privacy policy which explained what information the respondent collected about individuals, including:

    Any parts of your profile on another social network which that social network has allowed our search engine to download and store at a time when your privacy settings permitted search engines to index those parts of your profile. Note that such information is not obtained via the “Platform APIs” and therefore our use of this information is not controlled by the developer policies of the social network Developer Policy. Information collected in this way is treated by us as “Public information”. Note: We are not notified if you revoke the permission for search engines to index your profile and doing so will not remove your profile from our database. Revoking that permission only prevents search engines from accessing changes make [sic] to your profile after you revoked the permission. [Emphasis added]

17. The website also contains Help Pages and Frequently Asked Questions (the “FAQs”) which explain where and how the respondent collected the information on the website. In particular, we noted:

    Profiles on the Profile Engine were collected from two sources:

    1. Profile Engine launched in 2007 and since then about ten million people have directly created a profile on profile engine and requested that we make it public and searchable in order [that] it is easier for other people to find them.
    2. Facebook made available about 420 million public profiles and contracted with us to provide a powerful search engine for Facebook (originally simply called "Advanced Search for Facebook" and later renamed "The Profile Engine".[)] We added these profiles from Facebook to the profile engine database with the full knowledge, approval and permission of Facebook. Facebook agreed to this because we provided them with powerful and innovative search engine features which are not available on Facebook itself.

Purposes

Search Engine / Social Network

18. The website indicates that its purpose, since 2011, was to be a “fully fledged social network”. In that respect, the website claims that users can, “[c]hat to friends, browse your newsfeed, meet new people or find a date, all while listening to your favourite music and your friends’ playlists, completely free of charge.” In its FAQs, the respondent refers to profiles it copied from Facebook and displays on its website as “profile engine profiles” regardless of whether an individual has claimed them or not.
19. We observed that, consistent with such purposes, the respondent: (i) displays content (i.e., profile information) on its own website; (ii) allows users to search for profiles and groups on that website; and (iii) offers other social networking functionality. When the user is not logged in, he or she can search and view profiles and groups on the website (i.e., use the Finding People feature), but is blocked from further searches after multiple visits. To be able to log in to the website, an individual must first claim his/her profile. The logged in user can then access the various other features we located on the website, as shown in Figure 2, below.
    Figure 2: Website features

    • Finding People (e.g., individual profiles);
    • Finding Groups of People (e.g., the group at issue in this investigation);
    • Dating Search: Finding Single People (e.g., an individual with the applicable relationship status);
    • Music Search (e.g., access to streaming music tailored to the individual’s interests);
    • Games;
    • Research Tools (as detailed in paragraph 25, below); and
    • “Apps” (i.e., an IQ test where the results are only available to a user who is logged in).
20. The respondent’s “About” page indicates that it used Facebook profiles to build its social network, stating in part:

    In early 2008 a major social network granted permission for the Profile Engine to index the public parts of people's profiles (in the same way as Google and other search engines do). After that we grew to include profiles for more than 420 Million people and 50 Million groups, making Profile Engine the second largest social network in the world!

21. Further, in the Respondent’s FAQ on its website, in response to “I don't think I gave permission for my profile engine profile to be created”, the respondent stated: “In most cases, people gave permission for their profile engine profile to be created when they ticked a box in their Facebook privacy settings: ‘Allow my profile to be indexed by search engines’”.
22. The respondent asserted that, with respect to the complainants, the respondent’s site is simply a search engine. It claimed that it only uses profile information for the social networking purpose in respect of those individuals who have claimed their profiles and agreed to its privacy policy, and that the information of users who have not claimed their profiles, like the complainants, is only handled in connection with its search engine function. As the complainants’ had not claimed their profiles, the respondent asserts that it only handles the complainants’ information in connection with its search engine function.
23. Profile Technology also asserted that “We are no different from [G]oogle in that we simply indexed information which was already available on a public website, however unlike most search engines we have a specific written agreement [i.e., contract] with Facebook allowing us to collect the data.”

Other Purposes

24. In its privacy policy on the website, the respondent states that it may use personal information “to help advertisers reach the kind of audience they want to target. We may make use of the Personal Information we collect from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to you.” As outlined in paragraph 78, we found advertising targeted at Canadians on the website.
25. Under the Research Tools feature, the website advertises that The Profile Engine could provide “[…] a huge range of fascinating research data and social network analytics”. However, the respondent claimed in its representations to our Office that it has “[…] never provided any commercial marketing or analytics service. We have explored those possibilities but have never found a client who we felt intended to use the information in a way we approved of.”

Consent

26. The FAQs on the website include the following, under “I don’t think I gave permission for my profile engine profile to be created”:

    In most cases, people gave permission for their profile engine profile to be created when they ticked a box in their Facebook privacy settings: “Allow my profile to be indexed by search engines”.

    We added these profiles from Facebook to the profile engine database with the full knowledge, approval and permission of Facebook. Facebook agreed to this and contracted with us to provide powerful and innovative search engine features which are not available on Facebook itself.

Publicly Available Information

27. The respondent claimed that the profile information was “publicly available” under the Act, in that it “[…] was in the public domain before we collected it and was placed in the public domain by the users themselves.” The respondent asserted that it therefore did not require individuals’ consent for its use of that information for The Profile Engine.
28. The respondent also asserted that Facebook was responsible for “[…] obtaining permission to make the information public and available to search engines […]”.
29. Profile Technology provided excerpts from Facebook’s privacy policies and a Facebook Blog it claimed were in place during part of the time period Profile Technology would have collected the Facebook profiles to support its assertion that the information was publicly available, or that in the alternative, Facebook users had consented to its use of their profile information for the Profile Engine – these included:
    1. from the November 2009 Facebook Privacy Policy,

       Information set to “everyone” is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to “everyone.” You can review and change the default settings in your privacy settings.

    2. from the December 2010 Facebook Privacy Policy

       Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.

    3. from a Facebook 2007 blog post:

       Starting today, we are making limited public search listings available to people who are not logged in to Facebook … In a few weeks, we will allow these Public Search listings to be found by search engines … As always, if you do not want your public search listing to be visible to people searching from outside Facebook, you can control that from the Search Privacy page.

30. In particular, the respondent asserted that these communications indicate that:

    Every piece of data that is included in the respondent’s service was “considered publically available to everyone”, was “subject to indexing by third party search engines” and “may be associated with you outside Facebook.” At the relevant time, this was the understanding of all individuals who signed up for or who had a Facebook account. To put it simply, the information was public and whether it was public was under the control of the relevant individuals.

31. More specifically, the respondent asserted that publicly accessible Facebook profiles should be considered a “publication” under PIPEDA’s Regulations Specifying Publicly Available Information (the “Regulations”). Section 1(e) of the Regulations refers to “personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.” The respondent indicated that it would be an error of interpretation to find that the Regulations do not capture Facebook profiles in the definition of “publication”. Specifically the respondent indicated that a person who places information on their Facebook profile “publishes” the information, making Facebook profile information a “publication” for the purposes of the Regulations. The respondent further argued that the use of the word “include” in section 1(e) of the Regulations is expansive, meaning that the examples following are not meant to limit the meaning of “publication” but to simply be illustrative. It also noted, given the nature of Facebook as an online platform, that the Regulations include the words “in printed or electronic form”.
32. The respondent also cited a July 2010 media statement by Facebook in response to a situation where a security researcher “crawled” and indexed millions of publicly accessible Facebook profiles^{Footnote 2}. In respect of that statement, Profile Technology asserted that “Facebook said, in 2010, that the [indexed] profiles are information that individuals had elected to make public and it was available via other search engines. Any subsequent statement by Facebook (which we cannot verify) would not change the reality that existed at that time, which is largely contemporaneous with the Respondent’s indexing of Facebook.”
33. The organization also asserted that any reading of PIPEDA that has the effect of regulating the indexing of public content and providing links to users via a search engine is contrary to section 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”). More specifically, it argued that regulating the operations of a search engine violates the right to freedom of expression for both search engine operators (by restricting their right to communicate meaning from its indexing of websites and making this content available to others) and internet users (by restricting their right to receive expressive content).

Contract with Facebook

34. We asked the respondent to provide evidence (e.g., a copy of, or excerpts from, its contract with Facebook) to substantiate its claim that Facebook had granted it access to profile information for purposes of The Profile Engine, and that Facebook was contractually required to obtain consent for the respondent’s subsequent use and disclosure of profile information via The Profile Engine.
35. Profile Technology opted not to provide the OPC with a copy of its contract with Facebook, citing confidentiality concerns. The OPC offered to discuss these confidentiality concerns with a view to finding a solution, but the respondent did not accept our offer to have this discussion.
36. In response to our PRI, the respondent did, however, assert that Facebook had, in contravention of the contract between the parties, blocked its access to Facebook, thus rendering it “impossible for the Profile Engine to determine what information had changed in public profiles, including whether the user had chosen to no longer have a public profile.”

Representations from Facebook

37. Our Office contacted Facebook to inquire whether it had granted the respondent access to profile information, and to clarify any limitations as to the purposes for which it may have provided such access. Facebook confirmed that it had had a contractual relationship with the respondent. More specifically, Facebook asserted that the respondent, as an app developer on the Facebook platform, fully agreed and committed to Facebook’s standard developer terms that govern a developer’s use of the Facebook platform, including the access and use of Facebook users’ profile data. Facebook further asserted that in contravention of this agreement and commitment, the respondent “retrieved, copied, indexed and displayed selected public user profile data for its own purposes (i.e., for a website off the Facebook platform) (i) in direct contravention of Facebook’s terms and (ii) without obtaining users’ consent via Facebook (or otherwise) to do so.”
38. We also requested that Facebook provide its views regarding certain litigation between Facebook and the respondent focussed specifically on this contractual issue. Facebook asserted as follows:

    “[A]s a result of [the respondent’s and its owner/operator’s] use of Facebook user data in clear violation of [its contractual agreements with Facebook] and refusal to bring their activities into compliance, Facebook commenced legal proceedings against the Respondents in March 2013. […] The Court determined that [a confidential memorandum of understanding (MOU) entered into by the parties to settle the litigation] was an enforceable agreement and it established deadlines for compliance. Respondents complied in part by indicating that they had deleted some data but Facebook had continuing concerns about the Respondents’ continued retention and use of other public user profile data. Facebook filed a motion with the federal court in California for an Order Compelling Respondents to Comply with the Settlement Agreement (or MOU) in June 2014. Respondents opposed and the parties completed briefing on the issue in August 2014. […] The court has had the issues under submission since that time…”

39. In our PRI, and in subsequent communications, we provided the respondent with an opportunity to respond to Facebook’s representations, including by providing excerpts which we considered material to our analysis.
40. The respondent confirmed that the relationship between the parties had turned adversarial, and that there had been litigation between the parties (including a complaint initially filed by Profile Technology against Facebook, and a counter-complaint by Facebook) which has been settled (we note that, as referenced in paragraph 38 above, Facebook claimed that the respondent had not complied with the requirements of that settlement). It also claimed that Profile Technology has been “the victims of an ongoing campaign of misinformation including by Facebook”. The respondent asserted that it is not able to provide us with a copy of its agreement or settlement with Facebook, as it is subject to a confidentiality agreement.
41. Further, the respondent claimed that by blocking all of the Profile Engine’s access to Facebook, in contravention of the agreement between the parties, Facebook made it impossible for the Profile Engine to determine what information had changed in public profiles, including whether the user had chosen to no longer have a public profile. It further represented that if Facebook were to provide the necessary access, it would be pleased to delete or remove those profiles that are no longer public.

Additional concerns raised in the complaints

Removal of information

Individual profiles

42. The website itself explains that there are two options by which an individual can delete his/her profile:
    1. Under Option 1, an individual can delete the profile themselves by: (a) entering the email address associated with the profile on the website; (b) logging in with the username and password which they subsequently receive by email; and (c) deleting the profile.
    2. Under Option 2, an individual can submit a deletion helpdesk ticket on the website, accompanied by: (a) an email address for communication about the helpdesk ticket; (b) the URL of the profile to be deleted; and (c) a scan or photo of his/her official photo identification.
43. The website explains that the individual may black out certain information from the identity document provided with the deletion request, but that the document must show: (a) the name matching The Profile Engine profile; and (b) where The Profile Engine profile has a photo, a photograph that is recognisable as the same person.
44. In respect of Option 1, certain complainants claimed that the respondent collected their Facebook information without an email address, such that they would have no choice but to attempt to effect deletion via Option 2. One complainant characterized the deletion requirements as an effort by the respondent to thwart individuals from accessing and controlling their own information.
45. In respect of Option 2, certain complainants informed our Office that they were reluctant to submit identification documents to the respondent where they considered that it had already collected and used their personal information, without their knowledge and consent. Complainants also indicated to our Office that they found it difficult to understand and implement the instructions for the above-mentioned profile deletion options.
46. Specifically, we received evidence that one complainant was successful in having her profile deleted after: (i) multiple attempts, which she alleged were necessary due to confusing explanations provided by the respondent; and (ii) submitting photo identification with certain information blacked out.
47. We also noted that the copy of the helpdesk ticket correspondence we received from the complainant, as evidence of her attempt to delete her profile from the website, contained: (i) her name; (ii) an attachment with her redacted photo identification; and (iii) her email address.
48. The respondent took the position that it does not collect any of the information in respect of deletion helpdesk tickets. Rather, the respondent claimed that the records are held by a third-party helpdesk service provider, and the respondent only views photo IDs to confirm the identity of the individual making the deletion request. According to the respondent, it deletes the identification image after confirming the identity of the individual except where it believes the deletion request is fraudulent, in which case, it may retain “an obviously photoshopped or otherwise unacceptable ID image” as evidence that it processed the deletion request correctly. Further, the respondent submitted to our Office that “[w]e do not ever delete helpdesk tickets because they may be needed as evidence in an investigation such as yours.”
49. In respect of the retention of helpdesk tickets, we observed that the FAQs on the helpdesk site speak to the matter. In particular, we noted:

    Helpdesk tickets are stored and processed on servers operated by helpdesk provider DeskPRO in accordance with DeskPRO terms of service and privacy policy. Your Helpdesk account is entirely separate from your Profile Engine account. This information is never transferred to Profile Technology websites or servers except if you choose to claim your profile then we will add the email address you registered with on the helpdesk to your profile engine profile.

    Any attachments containing images of identity documents will be deleted when your helpdesk ticket is closed. The remainder of your helpdesk correspondence will be retained by DeskPRO. This will only be used for purposes related to your support request, for example if there is a complaint that your request was not processed correctly then we may refer back to this correspondence.

50. We noted that the respondent’s terms of use and privacy policy on its website each contain a link which directs individuals to its helpdesk site (i.e., “our helpdesk site”). The Help page on the website also directs individuals to “our new helpdesk and knowledgebase system”. In particular, we noted:

    We now require all support requests to be filed using the ticketing system in the new helpdesk. CLICK HERE FOR THE NEW HELP PAGES AND SUPPORT TICKETING SYSTEM.

    This will help to improve the efficiency and reduce the response time of dealing with your support enquiries. […]

51. Further, we visited the DeskPRO website where, in the “About Us” section, we noted the following explanation in respect of control over data:

    You’re in control

    As our customer [e.g., Profile Technology], you own your data and have the right to control your own helpdesk. We offer you the choice to deploy our software on your own infrastructure as well as on our Cloud platform. [Emphasis in original]

Group

52. One of the complaints concerned a group (i.e., a group of people with a common interest or opinion). We reviewed this group and confirmed that it: (i) refers to the complainant’s full name; (ii) has other members (i.e., third parties other than the complainant); and (iii) relates to serious allegations against the complainant, regarding assault.
53. The complainant characterized the information therein as: (i) an act of bullying; and (ii) defamatory. The complainant submitted to our Office that, although the creator of the original Facebook group had deleted the group from Facebook, the group persisted on the respondent’s website. The complainant claimed that this had negatively affected her reputation and career. Further, the complainant submitted that the respondent had made it impossible to have the group removed from its website.
54. Our Office confirmed that the aforementioned group does not currently appear on Facebook.
55. The website includes the following FAQ, “Can I modify or delete a Profile Engine group?” which states that the respondent does “[…] not currently allow changes to public groups because changing a group would affect all of the people who have joined that group and might misrepresent their interests.” Further, “We treat the group description as part of the profile of every person who has joined that group, therefore modifying the group would be like modifying all of those people’s profiles and we cannot modify their profiles without their consent.”

Accuracy of information

56. All of the complainants claimed that their information on the website was either:
    1. never accurate (e.g., the aforementioned group); or
    2. inaccurate by virtue of being out of date (e.g., a former place of residence; information about an adult complainant’s teenage years).
57. One complainant claimed that information posted on Facebook as a teen is now on the website and accessible to potential employers via a simple web search. From the complainant’s submission, we noted:

    The information kept is all from when I was a teenager, so it portrays me as immature and childish. […] Now potential employers see a profile that makes me look like a child.

58. Our Office confirmed, based on a search of Facebook, that the subject profiles and group which appear on The Profile Engine, have been removed from, or changed on, Facebook.
59. The respondent claimed that it is unnecessary for an individual to be able to challenge the accuracy of personal information appearing on the website, as a user can simply: (i) delete their information if they believe it to be inaccurate; or (ii) they can claim their profile and modify it.
60. The respondent also submitted that its website provides information on the limitations of profile accuracy. Specifically, it asserted that “[…] every page of the site includes links at the bottom to our terms of service and privacy policy. These terms clearly state that information on the site may be out of date or inaccurate and should not be relied upon.”
61. Our Office reviewed the Terms of Use, which were available via link in small light gray font at the bottom of the website, and found the following:

    Reliance on information posted

    Discussions, chats, postings, transmissions, dialogue, commentary or any other material available on our Sites are not necessarily accurate or current and are not intended to amount to advice on which reliance should be placed.

Contacting the respondent with concerns

62. Certain complainants raised concerns that: (i) they were unable to contact Profile Technology to raise concerns; or (ii) they received no meaningful response to the issues they raised.
63. With respect to these concerns, the respondent submitted that its helpdesk site provides detailed instructions on how to: (i) claim a profile; (ii) submit a deletion request; and (iii) report inappropriate content.
64. Our Office visited the website and established that it contains certain Help Pages and FAQs which relate to the allegations under investigation (e.g., the FAQ, Where did the information on Profile Engine come from, when and how?).
65. Our Office also noted the following content under the FAQ, How can I contact you?:

    Please note that this service is currently provided free of charge and our staff have very limited time so we do not reply to any support ticket which asks questions we have already answered on one of these pages. All common queries are answered somewhere on these pages.

    If you are sure your query cannot be answered by the knowledgebase then you can create a support ticket using the "Contact Us" tab at the top of the page and we will aim to reply within 28 days. [Emphasis in original]

Application

66. In analyzing the facts, our Office considered the application of subsection 5(3), paragraphs 7(1)(d), 7(2)(c.1) 7(3)(h.1) and subsection 13(1) of Part 1 of PIPEDA, and the accompanying Regulations Specifying Publicly Available Information (the “Regulations”), as well as Principles 4.3, 4.3.2, 4.3.4, 4.3.5, 4.3.6, 4.5, and 4.5.2 of Schedule 1 of the Act.
67. Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
68. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 further states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 provides that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Principle 4.3.5 further provides that in obtaining consent, the reasonable expectations of the individual are also relevant.
69. Paragraph 7(1)(d) of the Act provides that, for the purpose of clause 4.3 of Schedule 1, an organization may, without the knowledge or consent of the individual, collect personal information if it is publicly available and is specified by the Regulations.
70. Paragraph 7(2)(c.1) of the Act provides that, for the purpose of clause 4.3 of Schedule 1, an organization may, without the knowledge or consent of the individual, use personal information if it is publicly available and is specified by the Regulations.
71. Section 1 of the Regulations specifies information and classes of information for the purposes of paragraphs 7(1)(d), (2)(c.1) and 3(h.1) of the Act. These classes of information include personal information that appears in a:

    e) publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

72. Principle 4.5 provides that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. Further, Principle 4.5.2 states that organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
73. Subsection 13(1) of PIPEDA states that the Commissioner shall, within one year after the day on which a complaint is filed or is initiated, prepare a report.

Analysis

Jurisdiction

74. Throughout the investigation, and in response to our PRI, the respondent submitted that our Office should decline jurisdiction and refer the complainants to the NZ-OPC.
75. After a thorough analysis, and as indicated in our PRI, our Office determined that we have jurisdiction to investigate the five complaints, despite the fact that Profile Technology is headquartered in New Zealand.
76. In our view, Profile Technology collects, uses and discloses personal information in the course of commercial activities, within the meaning of the Act in connection with its website. We view Profile Technology’s activities as being commercial in character given that the website engages in advertising and offers social network functions along with research and analytics services. In particular, the website states that its research and analytics services “are available to premium clients only. For a quote please contact us through the Helpdesk selecting ‘Business partnership’ as the department.”

Real and Substantial Connection

77. It has been established that PIPEDA can apply to a foreign-based organization engaged in a commercial activity where there is a real and substantial connection to Canada [emphasis added].^{Footnote 3}
78. In the case at hand, the following facts and evidence support our conclusion that there is such a real and substantial connection to Canada:
    1. our Office established, by our own testing, that the website claims to contain information about 4.47 million Canadian profiles;
    2. individuals can search specifically for Canadians on the website;
    3. the respondent requires personal information of Canadians to be able to offer services to Canadians through its website, as well as to remove Canadians’ information from the website;
    4. our testing demonstrated that the website delivers Canadian-based advertising, including for companies which are located in, and market within, Canada;
    5. the respondent seeks to attract Canadian users, as it copies and posts profiles of Canadians and invites them to “claim” their profiles; and
    6. the impact of the respondent’s display of Canadians’ personal information on its website is felt by members of the Canadian public.
79. With respect to the respondent’s assertion that the OPC should refer the complaints to the NZ-OPC, as outlined above, the OPC is proceeding on the basis that there is a real and substantial connection between the complaints and Canada, such that the OPC has jurisdiction to investigate. In this regard, the OPC’s jurisdiction is tied to the connection between Canada and the activities of the respondent resulting in alleged privacy violations in Canada. Although the NZ-OPC has looked at aspects of the respondent’s practices, it does not address the Canadian situation. We are looking at the matter through the application of Canadian privacy law, which, while similar, is different from New Zealand law. Moreover, the OPC’s findings and recommendations relate only to the personal information of Canadians. We note also that we have discussed the matter with the NZ-OPC who has not objected to the OPC’s investigation.

Delay

80. In response to our PRI, the respondent claimed that our Office had lost jurisdiction over this matter because we have not prepared a report of findings within one year, in accordance with subsection 13(1) of PIPEDA.
81. The respondent cites the case of Alberta Teachers’ Assn. v. Alberta (Information and Privacy Commissioner)^{Footnote 4} (“Alberta Teachers’ Assn”) as the main basis for its position.
82. In our view, Alberta Teachers’ Assn, which deals with provisions under Alberta’s privacy legislation does not directly impact the interpretation of PIPEDA’s timelines and conduct of OPC’s investigations. That said, it is clear from the Court’s analysis in Alberta Teachers’ Assn that a failure to meet the statutory timeline did not result in an automatic loss of jurisdiction. Rather, the Court held that the consequences flowing from non-compliance would depend on the circumstances of the particular case^{Footnote 5}. As such, even if one were to apply a similar analysis to the case at hand, we are of the view that the OPC would have maintained jurisdiction.
83. Our Office is of the view that we have not lost jurisdiction to prepare a report of findings in this matter by operation of subsection 13(1) of PIPEDA. While it can be expected that in most cases, the time limit provided in subsection 13(1) will be met, in our view, this provision is most appropriately construed as directory in nature and not mandatory. In this regard, we note that subsection 13(1) does not provide for a penalty for failure to comply with the timeline in issue. Moreover, this investigation has been lengthy due to various factors, including the number of complaints received (which we have continued to receive throughout the investigation), efforts undertaken by the OPC to resolve, discontinue or combine a number of complaints, interactions with the complainants and third parties, review of lengthy multi-variate submissions by the respondent and the complexity of the issues. In our view it would cause injustice to the complainants and frustrate the objects of PIPEDA if the complainants were to lose their rights to seek a remedy for any privacy violation in this matter because of circumstances entirely beyond their control.

Constitutionality

84. In response to our PRI, the respondent submitted that PIPEDA, as it applies to the collection, use and disclosure of personal information in the course of commercial activity, is ultra vires as it cannot be justified as valid federal legislation under the “general branch” of the federal “Trade and Commerce” power under s. 91(2) of the Constitution Act, 1867.
85. Our Office operates on the premise that PIPEDA is presumed to be constitutionally valid in respect of the limits of federal jurisdiction over the matters covered by PIPEDA and, until and unless told otherwise by a Court, the OPC is proceeding on this basis.

Consent

86. We do not accept the respondent’s assertion that profile information is “publicly available”, such that it was exempt from the requirement to obtain consent. Furthermore, even if we were to accept that the respondent had individuals’ consent for its original collection of profile information for purposes of offering search engine services, in our view, it did not have consent to subsequently use that information for purposes of creating and populating its own social networking website.

Publicly Available

87. At issue is whether the respondent could rely on a combination of paragraphs 7(1)(d) and (2)(c.1) of PIPEDA and section 1(e) of the Regulations collectively to collect and use the personal information at issue in the complaints without consent of individuals concerned. To do so, in accordance with section 1(e) of the Regulations, the personal information must appear in a publication, the publication must be available to the public, and the personal information has to have been provided by the individual. In our view, as outlined below, Facebook profiles are not a “publication”, and while the Facebook profiles at issue may have been available to the public, not all information therein would have been provided by the individuals concerned.
88. The term “publication” is not defined in PIPEDA. The respondent argues the ordinary meaning of “publication” is broad enough to include Facebook profiles. It further asserts that the examples provided in section 1(e) are not meant to limit the meaning of “publication”.
89. We agree that the ordinary meaning of publication may be construed broadly in some contexts and that the examples of what constitutes a publication in section 1(e) presents a non-exhaustive list. However, we must interpret this term in light of the scheme of the Act, its objects, and the intention of the legislature. In that context, for the reasons set out below, we are of the view that a Facebook profile or group should not be considered to be “a publication”.
90. We note at the outset that PIPEDA recognizes that not all information in the public domain will be considered “publicly available”, only the specific categories of information specified in the Regulations. In this regard, there is a recognition that information that may be in the public domain is still worthy of privacy protection.
91. In addition, since the Act has been considered to be quasi-constitutional legislation^{Footnote 6}, the rights accorded under it should be given a broad, purposive and liberal interpretation and restrictions on those rights should be interpreted narrowly^{Footnote 7}. Given that the exception in section 1(e) removes a fundamental protection of the Act (i.e., an exception to the general requirement for consent to commercial uses of personal information), it should be interpreted restrictively.
92. In our view, based on a review of the Regulatory Impact Analysis Statement for the Regulations^{Footnote 8}, the rationale underlying the exception for publicly available information in the Regulations indicates that the publicly available information described is of a particular kind or quality such that either the individuals’ consent to make it public can be inferred by virtue of the fact that the individual provided it or otherwise did not object to it being made public, or its publication serves a broader public purpose. In the case of Facebook profiles, it is not clear, in our view, that individuals would have intended to make their information public, particularly in this case, as the Facebook profiles at issue were created at a time when Facebook was relatively new and its policies were in flux. Also, at that time, Facebook profiles were set, by default, to be indexed by search engines. However, as detailed in our PIPEDA Report of Findings #2009-008, our Office took issue with this default setting, indicating that it would not have been consistent with users’ reasonable expectations and was not fully explained to users. In addition, individuals may post information on Facebook for a variety of reasons (for example to be found and contacted by friends), and not necessarily to disseminate information to the public at large.
93. Furthermore, Facebook profiles are unlike other publications noted in section 1(e) in that they are dynamic. Individuals maintain significant control over their profiles’ contents and accessibility over time. A profile owner can edit or remove content from their publicly accessible profile, and can decide to edit their settings so that their profile would no longer be publicly accessible. In our view, treating a Facebook profile as a publication would be counter to the intention of the Act, undermining the control users otherwise maintain over their information at the source. In this regard, it has been noted that control is a fundamental component of privacy protection^{Footnote 9}.
94. With respect to other requirements in section 1(e), it would appear based on the facts, that the information the respondent collected would have been “available to the public”. However, it is difficult to see how the respondent would be in a position to determine that all of the personal information it collected from Facebook and posted on its website would have been provided by the individual concerned. In this regard, we note that content in Facebook profiles and groups can include other individuals’ personal information that was not provided by them. For example, in the cases at hand, we have determined that the group noted above contains personal information about the complainant that was provided by others in the group. In addition, one of the profiles at issue in this matter contains images of other individuals in the complainant’s profile picture.
95. Our Office is therefore of the view that the personal information at issue in the complaints was not publicly available within the meaning of the Act. As such, in our view, the respondent was required to ensure individuals’ consent for its use of their personal information it copied from Facebook and posted on its website.
96. With respect to the respondent’s arguments that this interpretation would offend s. 2(b) of the Charter, we note that the respondent’s submissions focus on how it views s. 2(b) would apply to a search engine. However, our Office is of the view that the respondent’s practices differ materially from those of a search engine. In this regard, we see a clear difference between a search engine, which provides a tool enabling users to navigate and find information where it is located on the internet, and the respondent’s self-admitted practice of copying information from Facebook and providing it to users on its own website. Without taking a position on the application of s. 2(b) of the Charter to a search engine, we are of the view that because the respondent’s s. 2(b) arguments focus solely on the search engine scenario, we are not convinced that its arguments hold sway in the present context (i.e., the respondent’s copying and posting of profile information on its website). Moreover, we are not of the view that there is an overriding public interest in maintaining the accessibility of the information displayed on the respondent’s website which, as the respondent admits, includes outdated, and often inaccurate information that in many cases will not reflect, in real-time, the information as it appears at its source.

Consent via Facebook

97. Profile Technology asserts that, in respect of the practices in question in this investigation, it relied on consent obtained via Facebook, asserting that: (i) its website is simply a search engine, which indexes information already available on Facebook; and (ii) Facebook was responsible for “[…] obtaining permission to make the information public and available to search engines […]”.
98. First, we do not accept the respondent’s assertion that The Profile Engine is, until such time as an individual claims their profile, simply a “search engine”. While the respondent’s original purpose for collecting and using the profile information may have been to provide search engine services to Facebook users, the respondent then copied and posted that information on its own website, for the new and additional purpose of developing its own social network. While the website includes a search capability, it does not link to information available on Facebook (in fact, the complainants’ profile information on the website is no longer available on Facebook or has been changed). To the contrary, we are of the view that, in accordance with the respondent’s description of its practices on its website, the respondent leveraged profile information to build its own social networking website, and encourage individuals to visit its website.
99. Second, even if we were to accept that the respondent did have consent to collect profile information for the purpose of providing search engine services to Facebook users (which is not the focus of our assessment in the present complaint), in our view, it did not ensure consent, via Facebook, for its subsequent use of that information for purposes of creating and populating its own social networking website.
100. As found in PIPEDA Case Summary #2010-002^{Footnote 10}, we are of the view that an organization that is a secondary collector of personal information that wishes to rely on consent obtained by a third party for its own use and disclosure of that information must exercise due diligence to ensure that such consent is obtained. In many cases, this due diligence could take the form of contractual provisions requiring the third party to obtain consent, or steps taken to ensure that consent was actually obtained by the third party.
101. In this case, the respondent did not demonstrate that it had taken steps, for example via a contract with Facebook, to ensure that Facebook had obtained consent from individuals for its subsequent use of profile information for the Profile Engine.
102. The respondent did point to certain excerpts from Facebook’s privacy policies available online for a period relevant to the complaints, as outlined in paragraph 29. We considered whether those excerpts could have provided a basis for the respondent to assume it had meaningful consent to use profile information for the purposes of its social networking website. The respondent argued that in accordance with these policies, Facebook users would have understood that the information the respondent collected was “publicly available to everyone”, “subject to indexing by third party search engines”, and “may be associated with you outside of Facebook” and within their control to change this with their privacy settings.
103. In our view, however, even where users had set their Facebook profiles to being searchable by search engines, they would not have reasonably expected a snapshot of their profile information to then be used and disclosed, by a third party with which they had no relationship, for the additional purposes of creating a new social networking profile on an entirely different website. Rather, Facebook users’ expectations would more likely have been that the search engine would link directly to their current profiles on Facebook, which would reflect their current content in accordance with their current privacy settings.
104. Finally, it is unclear how these Facebook privacy policy excerpts submitted by the respondent would apply to an individual whose information was included in a group by other Facebook users without the individual’s knowledge (see paragraphs 52-55).
105. For the above reasons, we are not of the view that the respondent could have relied on Facebook’s privacy policies as evidence of meaningful consent from Facebook users to post their Facebook profiles and groups on its website.

Form of Consent

106. In response to our PRI, Profile Technology argued that if it were required to obtain consent, opt-out consent would be appropriate, in accordance with Principle 4.3.4 of PIPEDA. In support of this argument, the respondent pointed to our Office’s position that opt-out consent may be acceptable for the use of non-sensitive information for online behavioural advertising (“OBA”), asserting that the information it uses is non-sensitive, since individuals have chosen to make that information public via Facebook.
107. We are not convinced that all of the personal information at issue would necessarily be non-sensitive simply because it was made available to search engines on Facebook at one time. However, even if one were to consider the information to be non-sensitive, we do not accept that opt-out consent would be acceptable in this case. The OPC has stated that opt-out consent may be acceptable provided certain conditions are met, including in the context of OBA^{Footnote 11}. For example, among other things, the organization must ensure that individuals are made aware of the purposes for the organization’s practices in a manner that is clear and understandable, and that individuals are informed of these purposes at or before the time of collection of personal information. We have not received any evidence that these conditions were met by the respondent in this case.
108. In particular, we have concluded that the Respondent’s website contains many profiles that were copied and posted on the website without the individuals’ knowledge. These individuals were not informed at or before collection of their information that a profile of them would be on the respondent’s website. They would likely never know they could “opt-out” by seeking deletion of their profiles, unless they happen to discover their profiles on the respondent’s website.

Conclusion regarding Consent

109. Based on the foregoing, in our view, Profile Technology collected, used and disclosed personal information for purposes of its social networking website, without the knowledge and consent of individuals whose profiles have been used to populate that website, in contravention of Principle 4.3 of the Act.

Appropriate Purposes

110. Subsection 5(3) limits the purposes for which an organization may collect, use or disclose personal information to those that “a reasonable person would consider are appropriate in the circumstances.” This applies regardless of whether an individual consents or where consent is not required (for example, where the information is “publicly available” as defined in the Regulations).
111. As noted above, we do not accept the respondent’s assertion that The Profile Engine is simply a “search engine”. While the respondent’s original purpose for collecting and using the profile information may have been to provide search capability to Facebook users, the respondent then copied and posted that information on its own website, for the new and additional purpose of developing its own social network.
112. In the circumstances, the respondent repurposed profile information, without the knowledge or consent of individuals and without taking into account any updates, changes in privacy settings, or removal of content that individuals would have subsequently made to their Facebook account over time. In particular, Facebook’s original terms of use would have allowed individuals to update and change their profiles and privacy settings, including with respect to whether their profiles could be indexed by search engines. As a result, individuals’ personal information, which may have been updated or deleted from Facebook, persists on the respondent’s website until such time as an individual discovers that their information is there and takes steps to have it removed.
113. Finally, we note that the respondent is knowingly using and disclosing profile information that is outdated and/or no longer public on Facebook. The fact that it may be doing so, in part, due to a contractual dispute with Facebook, does not render this practice appropriate. It simply highlights that the respondent is unable to reflect the dynamic nature of the information as it appears on Facebook, or respect the control Facebook profile owners retain over such information.
114. In our view, the loss of privacy resulting from the respondent’s use of profile information is disproportionate to the benefits it gleans from the practice, namely the development and pre-population of its social network, with data sourced from another social network and used without permission. Furthermore, the respondent could have populated its social network in a less privacy invasive manner, by allowing individuals the choice to provide their information directly for that purpose.

Conclusion regarding Appropriate Purposes

115. As such, we are of the view that the creation and display of this static replicate of an individual’s Facebook page for the purpose of developing and populating the respondent’s website, which persists outside the individual’s control, and which is not changed or updated or deleted as the individual intends it to be, is not a purpose that a reasonable person would consider to be appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA.

Retention

116. During the course of our investigation, we identified concerns with respect to the respondent’s retention of personal information contained in helpdesk tickets, like those submitted by individuals with a view to having their Profile deleted. In our view, Profile Technology: (i) was responsible under the Act for such personal information (e.g., name, email address, and redacted photo identification); and (ii) retained certain information longer than required to fulfil the purpose for which it was collected (i.e., to process the helpdesk request).
117. Firstly, while we accept that DeskPRO (the respondent’s third-party helpdesk system provider), collects and retains the helpdesk ticket information, in our view, it does so on behalf of the respondent, who ultimately controls, and is therefore responsible for, such information. The respondent directs individuals, by means of its website, to DeskPRO, where such individuals enter their personal information. DeskPRO itself claims that its customers (e.g., Profile Technology) own such information. Further, Profile Technology, at its discretion: (i) accesses the helpdesk tickets; (ii) deletes copies of photo identification; and (iii) extracts email addresses.
118. Finally, the respondent retains helpdesk tickets indefinitely. It is our view that an indefinite retention period goes beyond that required to process the helpdesk request or respond to subsequent inquiries, and is not justified by the mere potential of a future regulatory investigation.

Conclusion regarding Retention

119. Therefore, our Office is of the view that the respondent failed to destroy, erase, or make anonymous personal information that is no longer required to fulfil the identified purposes, and that it has contravened Principle 4.5 of the Act.

Recommendations

120. In our PRI, we recommended that the respondent:
     1. Remove from its website, and delete from its records, all individual profiles and groups associated with any Canadian (or Canadians), including those associated with the complainants. In order to respect any choices Canadians have made to use the respondent’s social networking services, this recommendation would not apply to those profiles or groups that were: (i) created by an individual independently on the website; or (ii) claimed by an individual, where the individual has not also requested its deletion; and
     2. Introduce a retention policy for its helpdesk system information, which includes a reasonable retention period for personal information, and delete helpdesk tickets that are past this reasonable retention period.
121. The respondent did not respond to our second recommendation, even after a second request that they do so.
122. The respondent did however respond that our recommendation of bulk deletion of Canadian data (paragraph 120(i) above) is not appropriate in the circumstances, claiming that it does not know, and is not able to know, which profiles are Canadian, and that our recommendation would have the effect of requiring the deletion of information related to people who are not Canadian.
123. In response to this concern, our Office sought further information from the Respondent, including: further specific evidence with respect to how it returns search results for profiles related to “Canada” or those within “X” miles of a specific Canadian postal code (including a full list of the information elements it uses for such purposes); an explanation of why it could not leverage that information to implement our recommendations; and the proposal of adequate alternative compliance measures to address our recommendation.
124. The respondent did not respond to our request for a full list of information elements it uses to associate individuals with Canada, but explained how the process by which it identifies individuals as “Canadian” could return a range of individuals with a tie to Canada. For example, results could reflect an individual’s current location, a place they visited, their home or a place they like. The respondent did not provide sufficient evidence to persuade our Office that it was unable to identify profiles associated with Canadians.
125. The respondent proposed no measures to address our recommendations.

Recent Developments

126. Prior to issuance of this report, we discovered through our independent review that Profile Technology had removed the profiles from its website. As of 1 April 2018, the website simply consisted of a notice page titled “Profile Engine has now been donated to the Internet Archive (31st March 2018)”^{Footnote 12}, which:
     1. provided links to ‘torrents’^{Footnote 13} whereby profile engine database and image files (collectively, the “torrent files”) could be downloaded and shared with others; and
     2. displayed a message, which among other things:
        1. encouraged individuals to “preserve [the database files] by replicating and seeding (i.e., downloading and sharing) the torrents”, noting that “the files are huge, containing hundreds of millions of profiles with billions of group membership and friend connections… there are several [terabytes] of images too”;
        2. indicated that individuals “are free to download the entire Profile Engine database to create [their] own search engine with the historic archive of public Facebook data from the period 2007-2010”;
        3. invited individuals to “contact [a specified email address] if interested or if you are building something using the data”;
        4. indicated that downloaders are to “use this data responsibly and respectfully, in accordance with the wishes of the Facebook users who originally chose to make it public and available to search engines”;
        5. asked users to consider donating money to the respondent’s principal via a website that facilitates crowd funding (where he further requested individuals also “consider donating 10% of [their] profit from any commercial venture using the data [he has] made available”); and
        6. claimed that the respondent is “no longer in possession or control of [the profile information] and therefore [they] cannot process any form of deletion or removal requests.”
127. Upon our review of the respondent’s website on 5 April 2018, we observed, among other changes to the notice page, that the links to the torrents files had been removed.
128. We contacted the respondent to obtain further details regarding these developments. Their explanation included the following claims:
     1. Only a subset of the database was uploaded to the Internet Archive, and more specifically that:
        1. The data has been “anonymized” by removing certain elements of personal information including surnames, usernames and Facebook user IDs;
        2. the surnames and Facebook user IDs were uploaded separately in an encrypted format; and
        3. the encryption password is retained by the respondent and would only be revealed if “strict conditions on appropriate, ethical and legal use were attached.”
     2. The uploaded files included a “license” file which indicates that “the data is provided only for purposes which are legal, ethical and consistent with the permissions given by the users.”
     3. The data on the Profile Engine servers has been wiped or is in the process of being wiped.
129. Through our own research, we determined that:
     1. the Internet Archive seeds torrents for many community-contributed files (like those uploaded by the respondent), unless the contributor requests that this not be done^{Footnote 14};
     2. while the Internet Archive appears to have removed the files in question from its website, many of those files had already been, or were in the process of being, downloaded via torrents, and are now being seeded (shared) by third-parties. We were able to locate these torrents via search engines (e.g., Google) and on the ‘dark web’^{Footnote 15}; and
     3. while we were able to confirm that certain of these files had been downloaded by multiple entities, we were unable to determine if all of the torrent files have been downloaded by any one entity.
130. Our office was able to find and download the “license file” and the Profile Engine database file. We confirmed that the database included files containing information from Facebook profiles (e.g., first name, as well as information about friends and groups). Noting that we did not review all files in the database, which was extremely large, we were unable to confirm that surnames and Facebook user IDs had been uploaded separately in an encrypted format.
131. We contacted Facebook to determine what, if any, further information they could provide to inform our understanding of this development and the associated risks. Facebook confirmed that, among other things, based on publicly available information it was aware of the situation, and it was pursuing various avenues in respect of the profile engine information, including via the courts in relation to the court-recognized settlement referenced in paragraph 38 above.
132. On 9 April 2018, we observed that the files were becoming increasingly difficult to find via search engines (which had presumably de-indexed the links to the torrent files) but we were still able to find the torrents on the dark web.

Evaluation of Recent Developments

133. In our view, the actions taken by the respondent, as outlined above, do not address our recommendations or resolve the contraventions identified in our report, and, in fact, they could exacerbate existing privacy risks and/or create new risks for effected individuals, depending on how the information may be used or disclosed in future.
134. We note certain mitigating aspects associated with this development. For example, given that old Facebook profiles can no longer be found on the website, they are no longer readily available or indexed by search engines. Also, from what we have been able to ascertain, there would be certain barriers for third-parties wishing to make full use the Profile Engine files. The profile information, including data and images (which represents personal information, in and of itself) are currently available for download in several very large separate files, and appear to have some identifiers removed and/or encrypted. To reassemble and organize the data and images into individual profiles would require several steps, including: (i) locating and downloading all the torrent files, which as noted above, have become increasingly difficult to find via search engines; (ii) independently creating a search tool or acquiring the Profile Engine source code, which the respondent claims he will make available at a later date; and (iii) obtaining the encryption password or independently decrypting the files in question.
135. On the other hand, we are unable to confirm that the respondent has, in fact, deleted the files from its servers, as it claims to have done. Even if it has, we note that the respondent, and/or its principal, could still have access to the data via the torrents they caused to be created.
136. The respondent claims to have “anonymized” the data as outlined in paragraph 128 above. However:
     1. While the removal of certain identifiers would likely render it more difficult to link the information to an identifiable individual, we question whether this data transformation would render the information anonymous, given that the profiles contained extensive information (including images) about individuals;
     2. even if the respondent has in fact released the identifiers in a separate encrypted file, that file has apparently been shared such that it could be held by a third-party for an indefinite period, while the strength of the encryption degrades due to the continual advancement of decryption capabilities; and
     3. In any event, the shared files include images which would in most instances include, and constitute, personal information.
137. The respondent, or its principal, claims that it maintains the encryption key, and that they will only share it with those who will use the information “for purposes which are legal, ethical and consistent with the permissions given by the users”. This provides no comfort to our Office given that the respondent itself was, in our view, using the information for inappropriate purposes in contravention of Canadian privacy law, and then refused to take measures to comply with PIPEDA.
138. While the profiles, having been removed from the Profile Engine website, are currently no longer readily available and indexed by search engines, we cannot know how that data may be used and disseminated in the future, to the extent that any party is able to download and recreate the respondent’s database files – e.g., by a website operator that charges for deletion, by data brokers that use the information for online targeting or re-sell it, or by parties that may exploit the information for potential nefarious and reputationally damaging purposes.

Conclusions

139. Accordingly, our Office finds the matter to be well-founded.

Other

140. In the course of the current investigation, we contacted the Office of the Privacy Commissioner of New Zealand to discuss and confirm our contextual understanding of the aforementioned report. In that respect, we noted the following information.
141. In 2012, the OPC-NZ investigated Profile Technology’s original collection of profile information from Facebook, when The Profile Engine was a search tool for Facebook users. More precisely, they considered whether Profile Technology should have collected the subject information directly from the individuals concerned. They found that it was not necessary for Profile Technology to have collected the information from the individuals as the information was publicly available and able to be indexed. In particular, the report stated: “Any information on the Internet is considered to be generally available to the public and can be copied or re-used by others.”
142. As noted in the Privacy Commissioner of New Zealand’s report^{Footnote 16} referred to above, they considered the application of Principle 2 of the New Zealand Privacy Act which states that “where an agency collects personal information it should collect information directly from the individual concerned. It is not necessary for an agency to comply with principle 2 if the agency believes, on reasonable grounds, that the information is publically available”.
143. Our assessment under PIPEDA, required consideration of whether consent was needed for the use of personal information on the respondent’s website and, in particular, whether the personal information at issue is publicly available as defined, in a strictly limited way, in the Regulations. In this respect, PIPEDA more narrowly defines what is “publicly available” information in accordance with the Regulations (as outlined in paragraphs 69 to 71 above).
144. We are of the view that this lends itself to a different assessment than that required by the New Zealand Privacy Act. Our Office also considered the appropriateness of the respondent’s purposes for using personal information in the circumstances, as well as certain retention obligations, which were not issues under consideration by the New Zealand Privacy Commissioner in the report noted above.
145. Given the recent developments outlined above, and that the respondent physically resides in New Zealand, we have been in further contact with the NZ-OPC to share our findings and continuing concerns. The NZ-OPC has undertaken to review our report and consider what compliance options may be available to it to pursue this matter under the New Zealand Privacy Act and/or whether the conduct in question may raise concerns under other domestic laws of New Zealand. Our Office will continue to collaborate with our New Zealand counterparts to the full extent allowable under PIPEDA to support any further action they take to address this ongoing issue.
146. Recognizing the ongoing risk associated with the availability of profile engine information on the web, we will continue to monitor this situation to determine if the profile information of Canadians is used or disclosed by the respondent or another third party in future. If we discover such a use or disclosure, we will determine the appropriate action to take at that time.