How far can companies go using personal information of people copied from a publicly-available website? Not far at all if it involves Canadians who don’t give their consent, according to a decision released Wednesday by Canada’s privacy commissioner.
New Zealand’s Profile Technology Ltd. violated the privacy rights of potentially some 4.5 million Canadians by copying the profiles of Facebook users around the globe and posting them on its own website, the office of the federal privacy commissioner has ruled.
The company said it merely indexed information publicly accessible on Facebook, with the data on Canadians just some of the profiles of 420 million people around the globe. It also argued Canadian law didn’t apply. However, the commission said under Canadian law these people had to give their consent because Profile Technology used the information not just for indexing but also to start its own social networking website called the Profile Engine. Re-using personal information for that new purpose for which consent had not been given violates the Personal Information Protection and Electronic Documents Act (PIPEDA), said the commission.
Not only that, the personal information it collected was old and potentially damaging. One complainant said the information had been lifted from a Facebook profile she had as a teenager, and anyone searching her name — including potential employers — would assume she was very immature. Another stated that unfounded allegations of assault, which had been originally posted and then removed from Facebook, continued to appear on the Profile Engine.
“In our view, even if the respondent had originally collected individuals’ profile information from Facebook for the purposes of providing search engine services, it subsequently copied and used that information for the new purpose of establishing its own social networking website,” the commission said.
The company “repurposed profile information without the knowledge or consent of individuals, and without taking into account, over time, any updates, changes in privacy settings, or removal of content individuals would have subsequently made to their Facebook account since the information was copied from Facebook. It did so with full knowledge that much of the profile information used and disclosed on its website was outdated and/or no longer public on Facebook.”
Business abandoned
The commission recommended the Canadian data be removed from its website and deleted. Instead, in March Profile Technology abandoned the Profile Engine. It and the data were taken off the site but uploaded to the Internet Archive where it’s still publicly-available through peer-to-peer sharing, although it’s no longer indexed.
The OPC has sent its findings to the Office of the Privacy Commissioner of New Zealand, which is considering what options may be available under that country’s laws.
Profile Technology didn’t get personal profile information from Facebook using an API. It says it had an agreement with Facebook around 2008 to capture the data.
A privacy policy statement on the Profile Technology’s website said personal data collected includes “any parts of your profile on another social network which that social network has allowed our search engine to download and store at a time when your privacy settings permitted search engines to index those parts of your profile … Information collected in this way is treated by us as ‘Public information.’”
“Facebook made available about 420 million public profiles and contracted with us to provide a powerful search engine for Facebook (originally simply called “Advanced Search for Facebook” and later renamed “The Profile Engine”.[)],” says the website. “We added these profiles from Facebook to the profile engine database with the full knowledge, approval and permission of Facebook. Facebook agreed to this because we provided them with powerful and innovative search engine features which are not available on Facebook itself.”
‘People gave permission’
In its report the commission noted that on an FAQ page on Profile Technology’s in response to a query that “I don’t think I gave permission for my profile engine profile to be created”, the company stated: “In most cases, people gave permission for their profile engine profile to be created when they ticked a box in their Facebook privacy settings: ‘Allow my profile to be indexed by search engines.’”
Profile Technology refused to give the privacy commission a copy of its contract with Facebook, citing confidentiality concerns. Facebook told the commission that Profile Technology fully agreed and committed to Facebook’s standard developer terms that govern a developer’s use of its, including the access and use of Facebook users’ profile data. It says Profile Technology violated the agreement respondent because it “retrieved, copied, indexed and displayed selected public user profile data for its own purposes.”
The two companies have sued each other, which resulted in Facebook blocking access to the Profile Engine. That led Profile Technology to complain it can’t update the profiles it copied, including whether the user had chosen to no longer have a public profile.
The commission notes that the Federal Court of Canada has ruled PIPEDA can apply to a foreign-based organization engaged in a commercial activity where there is a real and substantial connection to Canada. That applies in this case where the five complainants are Canadian.
The Canadian privacy commission also noted that New Zealand’s privacy commissioner ruled that “any information on the Internet is considered to be generally available to the public and can be copied or re-used by others.” But that was when the Profile Engine was only a Facebook search tool. The Canadian ruling dealt with the information used on the social media website, which raised the issue of secondary consent. It also argued PIPEDA has a narrower definition of publicly available information than New Zealand law.