Compliance Agreement Between: The Privacy Commissioner of Canada and Avid Life Media Inc. (Ruby Corp.)

Compliance Agreement Between: The Privacy Commissioner of Canada and Avid Life Media Inc. (Ruby Corp.)

WHEREAS the Privacy Commissioner of Canada (“the Commissioner”) is responsible for the administration and enforcement of Part 1 of the Personal Information Protection and Electronic Documents Act (the “Act”), which governs the collection, use or disclosure of personal information by organizations in the course of commercial activities;

AND WHEREAS Avid Life Media Inc. (renamed “Ruby Corp.” on July 12, 2016 and referred to as “ALM” within this agreement) is a company based in Toronto, Ontario, which operates several dating websites including AshleyMadison.com;

AND WHEREAS on August 21, 2015 the Commissioner initiated a complaint against ALM, pursuant to section 11(2) of Act, on the basis that there were reasonable grounds to investigate ALM’s information handling practices subsequent to a data breach discovered on July 12, 2015, affecting personal information held by ALM (the “breach”);

AND WHEREAS the Commissioner, in the course of his investigation that was conducted jointly by the Office of the Privacy Commissioner of Canada (“OPC”) and the Office of the Australian Information Commissioner (“OAIC”), found that ALM had contravened several provisions of Division 1 of the Act, as described in a report of findings issued jointly with the Australian Information Commissioner (“Report of Findings”);

AND WHEREAS in the Report of Findings the Commissioner made several recommendations to ALM to ensure ALM’s compliance with the Act;

AND WHEREAS ALM acknowledges the Commissioner’s findings and, while it does not admit the truth of the findings, claims or arguments set out in the Report of Findings,agrees to fully implement the Commissioner’s recommendations; 

AND WHEREAS the Parties agree that while entering into this Agreement is voluntary, once entered into, it binds the parties to the obligations herein and failure to comply may trigger the application of s. 17.2 of the Act;

NOW THEREFORE, pursuant to ss. 17.1 and 17.2 of the Act, the Commissioner and ALM hereby agree as follows:

I. INTERPRETATION

  1. For the purpose of this Agreement, the following definitions shall apply:
    1. “Act” means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5;
    2. “Agreement” means this Compliance Agreement entered into by ALM and the Commissioner pursuant to s. 17.1 of the Act;
    3. “Commissioner” means the Privacy Commissioner of Canada appointed pursuant to s. 53(1) of the Privacy Act, R.S.C. 1985, c. P-21 and his authorized representatives;
    4. “Parties” means the Commissioner and ALM;

II. REMEDIAL MEASURES

Safeguards

  1. In order to address the Commissioner’s recommendations relating to safeguards contained in the Report of Findings, ALM shall (including through  measures it has already taken):
    1. by December 31, 2016, conduct a comprehensive review of the protections it has in place to protect personal information;
    2. by May 31, 2017, augment its information security framework to an appropriate level and implement that framework;
    3. by May 31, 2017, adequately document the framework and its information security processes generally;
    4. Take steps to ensure that staff are aware of and follow security procedures, including developing an appropriate training program and delivering it to all staff and contractors with network access (the Commissioner notes that ALM has reported completion of this recommendation); and
    5. by July 31, 2017, provide the OPC with a report from an independent third party documenting the measures it has taken to come into compliance with the above recommendations or provide a detailed report from a third party certifying compliance with a recognized privacy/security standard satisfactory to the OPC.

Retention

  1. In order to address the Commissioner’s recommendations relating to the retention of personal information of users whose accounts are deactivated, inactive or deleted, ALM shall, by March 31, 2017:
    1. cease its practice of retaining indefinitely personal information of users whose accounts are deactivated or inactive; determine an appropriate period following account deactivation, or following an extended period of inactivity, upon which to delete personal information, based on ordinary usage patterns and its business needs; and inform users of these policies;
    2. ensure that it is not holding personal information beyond the retention period described above, and thereafter periodically review its retention policy to ensure that the retention period chosen remains the appropriate period;
    3. implement the retention schedule for both future and currently deactivated accounts;
    4. implement the retention schedule for both future and currently inactive accounts;
    5. commit to continuing to provide a no-cost option for individuals to withdraw their consent for ALM to hold their account profile information (this need not include all of the premium deletion services currently offered as part of the full delete service, such as the deletion of personal information sent to other ALM users from those users’ in-boxes); and
    6. submit to the OPC details of the steps it has taken to comply with above.

Accuracy

  1. In order to address the Commissioner’s recommendations relating to accuracy of information, ALM shall, by March 31, 2017:
    1. amend its account creation process to allow users to join the Ashley Madison website without providing an email address, or if it continues to require email addresses from new users, implement technical measures to enhance the accuracy of email addresses provided, to the reasonable satisfaction of the OPC; and
    2. submit to the OPC details of the steps it has taken to comply with the above.

Transparency

  1. In order to address the Commissioner’s recommendations relating to transparency, ALM shall, by February 28, 2017:
    1. review its Terms and Conditions, Privacy Policy, and other information made accessible to users for accuracy and clarity with respect to its information handling practices. This should include, but is not limited to, making it clear in its Terms and Conditions, and on the page on which people choose how to deactivate their accounts, the details of all the deactivation and deletion options available;
    2. review all of its representations, on its website and elsewhere, relating to personal information handling practices to ensure it does not make misleading representations; and
    3. submit to the OAIC and the OPC details of the steps it has taken to comply with the above.

III. COMPLIANCE REPORTING, MONITORING AND ENFORCEMENT

  1. ALM shall confirm in writing to the Commissioner that it has implemented each remedial measure referred to in section 2. ALM shall include sufficient details and supporting documentary and electronic evidence to establish that it has complied with the Agreement, such as copies of its information security management framework and processes, privacy policies and procedures, training material and the independent third party’s final report, and any response by ALM to the third party’s recommendations.
  2. The Commissioner may, at his discretion and from time to time, request information and documents from ALM for the purpose of verifying its compliance with this Agreement.
  3. The Commissioner may also visit ALM’s principal place of business for the purpose of verifying compliance with this Agreement at any time, subject to providing 10 days prior notice by the Commissioner to ALM.
  4. ALM acknowledges that if the Commissioner is of the opinion that ALM is not complying with the terms of this Agreement, the Commissioner may, after providing written notice to that effect to ALM, apply to the Federal Court for an order requiring ALM to comply with the Agreement or such other relief as may be available in law, in accordance with s. 17.2(2) of the Act.

IV. GENERAL

  1. ALM will pay the costs of its compliance with this Agreement.
  2. Notices, reports and other communications required or permitted pursuant to any of the terms of this Agreement shall be in writing and shall be considered to be given if delivered, either by hard copy or electronic copy, to the following addresses:
    1. The Commissioner

      Commissioner Daniel Therrien
      C/O Joel Scott-Mignon
      30 Victoria, 8th floor
      Gatineau, QC  K1A 1H3
      Joel.scott-mignon@priv.gc.ca
    2. ALM

      Avid Life Media, Inc./Ruby Corp.
      C/O David Elder
      Stikeman Elliott LLP
      Suite 1600, 50 O'Connor Street
      Ottawa, ON  K1P 6L2
      delder@stikeman.com
  3. Nothing in this Agreement shall prevent or otherwise limit the Commissioner from exercising or performing any of his powers and duties under the Act, including his duty to investigate complaints under s. 12(1), his power to initiate a complaint under s. 11(2), or his power to audit personal information management practices under s. 18(1) of the Act.
  4. Nothing in this Agreement derogates from the rights and remedies available under Part 1 of the Act to any other person arising from the conduct described in this Agreement and in the Report of Findings or arising from future conduct.
  5. ALM acknowledges that the terms of this Agreement as well as the Report of Findings may be disclosed or made public in accordance with the Commissioner’s authorities under s. 20(2) of the Act or as required by law.
  6. ALM acknowledges that it has had the opportunity to be represented by counsel and to obtain legal advice with respect to this Agreement.
  7. This Agreement comes into effect when it has been signed by both Parties, and terminates upon written confirmation by the Commissioner that remedial measures described in Section II (items 2 to 5) referred to above have been satisfied, which confirmation the Commissioner shall provide promptly to ALM after he determines that they have been satisfied.

DATED at Toronto, this         day of                     2016.

Ruby Corp.
James Millership, President
I have authority to bind the corporation.

DATED at Gatineau, in the Province of Quebec, this         day of                     2016.

Privacy Commissioner of Canada
Daniel Therrien

Date modified: