The Office of the Privacy Commissioner released a report yesterday on online tracking, profiling and targeting and cloud computing, Report on the 2010 Office of the Privacy Commissioner of Canada’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing. These areas are currently very hot and challenging topics for Canadians and Canadian businesses.
Online tracking, profiling and targeting and cloud computing raise many privacy questions with important public policy and economic implications. The report, by and large, does a good job of raising and explaining the issues and challenges. Beyond explaining general principles, it does not purport to provide any real guidelines. After discussing the issues and generally applicable principles, the OPC asked for further comments and input on most of the intriguing questions.
The report did contain a few notable observations about how PIPEDA applies to certain online activities. These were mostly in areas where the OPC has already provided guidance. For example, the OPC repeated its views on its interpretation of the term “personal information”, saying:
The OPC has generally taken a broad and contextual approach in determining whether certain information is or is not personal information. Of note is a finding from 2003, in which it was concluded that the information stored by temporary and permanent cookies was personal information. The Office has also determined that an IP address is personal information if it can be associated with an identifiable individual.
Other noteworthy examples include an investigation into the collection and use of Global Positioning System information placed in a company’s vehicles, in which it was concluded that such information is personal information since it could be linked to specific employees driving the vehicles. It was noted that the employees were identifiable even if they are not identified at all times to all users of the system. Information collected through radio frequency identification tags (RFID) to track and locate baggage, retail products and individual purchases may constitute the personal information of any identifiable individual associated with those items.
The OPC also summarized its guidelines for the use of opt-out consents:
The OPC has had opportunity to consider the use of opt-out in a number of different contexts. A common use of opt-out is in the context of using or disclosing personal information for secondary purposes of marketing. Secondary purposes are additional to those for which the information needed to be collected in the first place. The Office considers that an organization must satisfy the following requirements when using opt-out, for example, to obtain consent for secondary marketing purposes:
- The personal information must be demonstrably non-sensitive in nature and context.
- The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
- The organization’s purposes must be limited and well-defined, and stated in a clear and understandable manner.
- As a general rule, organizations should obtain consent for the use or disclosure at the time of collection.
- The organization must establish a convenient procedure for opting out of, or withdrawing consent to, secondary purposes. The opt-out should take effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.
A very difficult issue in cloud environments is determining who is responsible for obtaining consents for the collection, use and disclosure of personal information that is handled in such environments. The OPC continues to draw a distinction between “consumer services” and “business services.” Where the cloud service is offered directly to consumers, the provider, according to the OPC, is the “data controller”. However, where the services are offered to enterprise customers, the provider is the “data processor”.
Generally speaking, in Louise’s case, when she uses her social networking site or e-mail for fun, the social networking site or e-mail provider is the data controller. When she wishes to use a cloud service to help her handle her jewellery customer data, the provider is a data processor and Louise is the data controller. This distinction is important because it means that when Louise is the data controller, she has certain obligations to her customers in terms of privacy protection.
Unfortunately, the report does not provide any statutory basis for this distinction. Nor does the report explain how the EU concepts of “processor” and “controller” conceptually fit within the structure of PIPEDA.