Categories
Mobile Syrup

Home Depot failed to get consent before sharing customer data with Meta, privacy office found

The Office of the Privacy Commissioner (OPC) says Home Depot shared personal customer data with Meta without consent.

According to its investigation, the home repair store shared details, such as encoded email addresses and purchase information, from e-receipts with Meta through its Offline Conversions program. The feature compared in-store purchases with Home Depot ads shared on Facebook to examine how effective the ads were.

The investigation found Home Depot has been collecting email addresses to share e-receipts since at least 2018.

Information shared with Meta verified if customers had a Facebook account through an automated process. The emails were encoded, and Facebook employees couldn’t read them. However, Meta used personal information for user profiling and targeted advertising unrelated to Home Depot. The investigation says this was possible through Offline Conversions’ contractual terms.

Emails not connected to Facebook accounts weren’t linked to individual customers.

“While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality,” a press release outlining the investigation states.

Home Depot said it “relied on implied consent,” and its privacy statement explains the company’s actions. The statement is available online or in print upon request at its retail locations. The company further said it didn’t share this information with customers before issuing e-receipts over “consent fatigue” concerns.

However, the OPC rejects the arguments, stating the privacy statement wasn’t “readily available” at retail locations, customers wouldn’t have any reasons to request such documents, and the practice wasn’t clearly explained.

“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company,” Commissioner Philippe Dufresne said. “This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”

Home Depot stopped sharing information with Meta in October 2022 and agreed to implement several OPC recommendations. This includes no longer sharing personal customer information with Meta until further notice and obtaining express consent from customers.


Source: Office of the Privacy Commissioner of Canada


RCMP inappropriately shares personal information on thousands of individuals with other federal agencies

The RCMP disclosed the personal information of thousands of foreign individuals based on incomplete information to the Department of Defence – Canadian Armed Forces (DND-CAF).

This was revealed after the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner (OPC) took part in a joint review examining disclosures federal institutions made under the Security of Canada Information Disclosure Act (SCIDA).

Approved in 2019, SCIDA allows 17 federal institutions to share information with each other to protect security. This includes sharing personal information.

A two-part test, known as the disclosure test, must be satisfied before any information can be shared under this act. The first part is that the institution sharing the information is satisfied that it will help the institution receiving it. The second is that personal privacy won’t be impacted “more than is reasonably necessary.”

The review examined 215 disclosures from 2020, 212 of which passed both parts of the test. The three that didn’t were all disclosures made by the RCMP.

The specifics

The first part of the test was not satisfied in two of the disclosures. Made on a proactive basis, one went to Global Affairs Canada (GAC) and the other to Immigration, Refugees and Citizenship Canada (IRCC). The review notes the RCMP failed to show they considered how each disclosure would help the recipient deliver on national security.

The information was shared “based on a mistaken belief that disclosed information fell within the recipient’s jurisdiction.” The review notes the RCMP acknowledged to the NSIRA the information they shared was not compliant under SCIDA. The RCMP said it was also in the process of updating its SCIDA policy.

In its third disclosure, the RCMP failed to meet the second part of the disclosure test.

According to the review, the RCMP received information on thousands of men, women, and children who an unknown third party detained for their alleged involvement in terrorist organizations. The information was sent by a “trusted foreign partner,” along with detailed notes indicating how the information was obtained.

The RCMP shared the initial data set with the DND – CAF because of its counter-terrorism mandate and their operations in the regions where the named individuals were detained. But the RCMP failed to share the additional detailed information on how the information was collected. It also didn’t have any record of receiving this information.

DND – CAF said the information was not integrated into its system but the information has to be held onto for “force protection and to rapidly identify threats.”

Recommendations

The review led to two recommendations relevant to this case. The first asks the RCMP to finish updating its SCIDA policy, update decision-makers on the requirements of the disclosure test, and make sure all information is appropriately documented.

The second is that the RCMP provides the remaining information to the armed forces, and DND-CAF assesses whether or not keeping the personal information they have on hand is necessary.


Source: National Security and Intelligence Review Agency/Office of the Privacy Commissioner of Canada


Privacy Commissioner’s office wasn’t consulted on Liberal online harm bill

The Office of the Privacy Commissioner (OPC) is claiming that the Liberal government never consulted with them when drafting a controversial new internet regulation bill that would require websites to delete harmful content on their platforms.

The National Post reports that according to an OPC spokesperson, the office “was not consulted by Canadian Heritage on this matter,” and was only provided with a briefing on the proposed legislation after explicitly requesting it.

This online harms bill — also known as Bill C-36 — is one of 10 pieces of legislation that Canada’s newly re-elected Liberal government promised to introduce in parliament within the party’s first 100 days back in office.

The bill was first announced in July as a technical paper, though any official parliamentary discussion on it was halted due to the 2021 federal election being called.

The paper proposes the creation of a “Digital Safety Commission” consisting of a digital safety commissioner, digital recourse council, and an advisory board.

The commission’s job would be to require websites — like Facebook, Twitter, and YouTube — to remove harmful and abusive content from their platforms within 24 hours, or face repercussions.

The proposed legislation identifies five categories of abusive and harmful content: terrorist content, content that incites violence, hate speech, child sexual exploitation content, and the non-consensual distribution of intimate images.

However, the specifics of the bill have many worried that the new commission, while seeking to protect Canadians, would simultaneously violate their privacy and constitutional rights.

As a result, a number of internet policy and legal advocacy groups have spoken out against the proposed legislation so far, including OpenMedia, the Canadian Civil Liberties Association, Ranking Digital Rights, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, and the Citizen Lab.

Source: The National Post