By: Darragh Dzisiak

Data privacy is an issue that is becoming increasingly more relevant as technology improves and invades every aspect of daily living. Data privacy laws are concerned with what details organizations can collect, use, and share about individuals. In Canada, a complex set of federal and provincial laws combine to regulate how “identifiable details” are disseminated (“identifiable details” are details such as race, national or ethnic origin, religion, age, marital status, medical, education or employment history, financial information, or DNA).[1]

Canada has two federal Acts regarding data privacy: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).[2] The Privacy Act governs how the Government of Canada uses identifiable details when providing services, while PIPEDA governs how private-sector organizations use identifiable details in the context of commercial activities.

PIPEDA and Social Media

Social media platforms collect a lot of identifiable details from users. For example, when setting up a social media account, you may be asked to input your date of birth, gender, and other such information. You will also be required to accept the terms and conditions of the platform. Data leaks from social media platforms are common, leaving users open to exploitation from cyber criminals.

Even without a data leak, the social media platform has access to all your personal details and will often sell this information to third parties. By accepting the terms and conditions of the platform, you are agreeing to the collection, use and disclosure of your personal information. However, under section 6.1 of the PIPEDA, consent of the user would only be valid if it would be reasonable for the user to understand the nature, reason, and consequences of the collection, use, and disclosure of their personal information.[3]

In a recent Canadian case, the Privacy Commissioner of Canada made an application against Facebook, stating that Facebook allowed Cambridge Analytica to access Facebook users’ information without their knowledge or consent.[4] The complaint alleged that Cambridge Analytica was able to access tens of millions of users’ profiles in order to assess political opinions and inform political analytics by way of a “personality quiz”.

Cambridge Analytica’s political profiles from Facebook Users’ analyses were then linked to data that informed Trump’s 2016 presidential campaign. The complaint also alleged that 621,889 Canadians’ personal information was potentially exploited by Cambridge Analytica.[5] As a result of these findings, the Office of the Privacy Commissioner made several recommendations to Facebook to bring them into compliance with the PIPEDA, including the following:

“Facebook should implement measures, including adequate monitoring, to ensure that it obtains meaningful and valid consent from Installing Users and their Facebook Friends. That consent must: (i) clearly inform Users about the nature, purposes and consequences of the disclosures; (ii) occur in a timely manner, before or at the time when their personal information is disclosed; and (iii) be express where the personal information to be disclosed is sensitive.”[6]

This case demonstrates the level of exploitation frequently committed by social media platforms and third-party companies. It is reasonable to assume that the average Facebook user would not have given valid consent for extraction of their personal information to create psychological profiles which would in turn inform a presidential election. Users should be aware of the potential exploitation of their personal data by social media platforms. The Office of the Privacy Commissioner of Canada’s website also provides information on how to limit the exploitation of your personal information via social media settings.[7]

Issues with Data Privacy and the COVID-19 Pandemic

The COVID-19 Pandemic was a major event that raised issues of data privacy in Canada (and globally). The Privacy Act, subsection 8(m)(i) states that:

“Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure”.[8]

This means that governments have had to balance individual privacy against public health, with some public health measures overly impinging on that privacy. Literature on the subject of data privacy during the pandemic has noted that governments internationally have had the ability to use location data from mobile phone companies to track the spread of the virus.

Additionally, the literature notes that political actors may use the pandemic and the issue of public health to justify more invasive data-tracking and use in the future.[9] Such invasive data collection methods indicate that people are vulnerable to having their personal information exploited just by nature of owning and carrying technology.

Conclusion

In today’s world, it is next to impossible to be disconnected from the internet. Neither is it necessary to completely unplug since there are measures in Canada that do protect the data privacy of users. Social media users should simply be aware of the risks related to data collection from social media platforms and third-party companies, and users should choose what they share and sign up for wisely.

However, COVID-19 has increased the prevalence and extent to which governments may use technological data to track personal information in the interests of public safety, which raises concerns about the extent to which such laws protect citizens from exploitation from their own government and presents risks related to the very act of owning technology.

Disclaimer: The information provided in this response is for general informational purposes only and is not intended to be legal advice. The content provided does not create a legal client relationship, and nothing in this response should be considered as a substitute for professional legal advice. The information is based on general principles of law and may not reflect the most current legal developments or interpretations in your jurisdiction. Laws and regulations vary by jurisdiction, and the application and impact of laws can vary widely based on the specific facts and circumstances involved. You should consult with a qualified legal professional for advice regarding your specific situation.


[1] “Summary of privacy laws in Canada” (31 January 2018), online: The Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/>

[2] Privacy Act, RSC 1985, c P-21; Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 6.1.

[4] Canada (Privacy Commissioner) v Facebook, Inc, 2021 FC 599.

[5] Ibid.

[6] Supra, note 4.

[7] “Social Media” (24 January 2022), online: The Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/online-privacy/social-media/>

[8] Privacy Act, RSC 1985, c P-21, s 4.8(m)(i).

[9] Andrej Zwitter & Oskar J. Gstrein, “Big data, privacy and COVID-19 – learning from humanitarian expertise in data protection” (2020) 5:4 Int J Humanitarian Action