Monday, August 08, 2022

Video: OPC Finding: Spam messages sent by COVID testing contractor

The Privacy Commissioner of Canada just released a report of findings about a company contracted by the Airport of Montreal to do on-arrival covid testing. The company added the people tested to their mailing list and sent them unsolicited commercial electronic messages. The investigation was done jointly with the Information Commissioner of Quebec. The finding raises more questions than it answers.

The complainant in this case arrived at Montreal’s Trudeau International Airport. To comply with the Public Health Agency of Canada’s rules, the individual had to undergo on-arrival COVID testing. Conveniently, the Airport had contracted with a company called Biron Health Group to COVID testing directly at the airport. So the complainant went to the Biron site, provided them with his contact information, had this test done, it was negative and they emailed him the results.

A few days after receiving his test results, the complainant received an email from Biron promoting its other services. The complainant unsubscribed using the link in the email, and never received any further unwanted emails from them. The OPC said “he was shocked to receive such an email” and filed a complaint with the OPC.

The information and privacy commissioner of Quebec also investigated, but does not appear to have released a decision on the case. Instead, they just referred to the OPC’s finding.

During the course of the investigation, the company said it had “implied consent” under Canada’s Anti-Spam Law to send commercial electronic messages and was justified in doing so.

The OPC said there was no implied consent under PIPEDA, however. Here’s what they said specifically:

“The OPC is of the opinion that Biron could not reasonably assume that it had the implicit consent of travellers arriving in Canada. Biron was mandated by the government to conduct COVID-19 testing on travellers and paid by the Montreal Trudeau Airport. Biron was the only company offering this service at this airport. Consequently, travellers arriving in Canada had no choice but to do business with Biron to comply with the rules issued by the Public Health Agency. In this situation, these travellers would not normally expect their personal information to be used for reasons other than the mandatory testing.

Biron collected the travellers’ personal information for the purpose of conducting COVID-19 tests and sending them sensitive information related to their health, notably their test results. Biron was acting as a service provider for the airport. The OPC considers that Biron should have taken these circumstances into account before using the personal information for secondary marketing purposes and for its own purposes.”

Because Biron said they’d stop doing this, the OPC closed the file as “settled during the course of the investigation”. Case closed.

So why is this unsatisfying? There are a couple of key questions in the background, of interest to privacy practitioners, that are unaddressed and thus unanswered.

The first question is what law should actually apply to Biron in this case? The Privacy Commissioner refers to PIPEDA, our federal commercial privacy law. But we have a mess of privacy laws in Canada, more than a few of which could have been applicable.

Quebec has a provincial privacy law that applies to all businesses in that province, unless they are “federal works, undertakings or businesses”. Notably, international airports and airlines are “federal works, undertakings or businesses.”

There really is no doubt that if the testing facility had been off the airport property and operating on its own, the federal privacy Law could not have applied at all and instead the Quebec private sector privacy law would have been applicable. That means the federal Commissioner would have had no jurisdiction to investigate and it would have been entirely up to the Quebec Commissioner to do so.

So does that mean that simply being on or operating from airport property makes you a “federal work, undertaking or business”? I don't think that can really be the case.

Was it because the service they were providing is connected to international travel that places them within Federal jurisdiction? That seems dubious to me.

Were they within Federal jurisdiction because they had been engaged by the airport authority to provide this service? The airport authority is certainly a “federal work, undertaking or business”, but does that mean all of its contractors become “federal works, undertakings or businesses”? Again, I don't think that can really be the case. Would a taxi company given a concession to serve the airport automatically come under federal jurisdiction?

They were performing a function that was required by the Public Health Agency of Canada, but PHAC is subject to the federal Privacy Act, which never came up in the commissioner's report of findings.

This would be more tricky in a province like Alberta, where there is a provincial general privacy law that excludes PIPEDA and a health privacy law that does not. (Quebec doesn’t have a health-specific privacy law.)

Now, it may well be that both the federal and the Quebec Commissioners thought they didn't even have to consider jurisdiction because they got the result they were looking for during the course of the investigation: the company said they would change their practices and what might have been problematic under either the Quebec or the federal law has ceased. This seems likely to me, as in my experience the federal Privacy Commissioner's office we'll bend over backwards to avoid making any statements related to their jurisdiction that could come back to haunt them later.

This is not just a privacy nerd question, because other things turn on whether a company is a “federal work, undertaking or business”. If Biron is in that category, then provincial labour and employment laws don’t apply to that workplace. Instead, the Canada Labour Code applies. Other federal laws would also suddenly apply to them, not just our privacy law. If I was this company, I’d be left scratching my head.

The second element of this that is problematic is the interaction between our privacy laws and Canada's anti-spam law, also known as CASL. You will recall that the company said that they were justified in sending commercial electronic messages because they had an “existing business relationship” with the people who underwent testing. The Privacy Commissioner really did not address that, but instead focused on the Personal Information Protection and Electronic Documents Act which requires consent for all collection, use and disclosure of personal information. That consent can be implied, particularly where it would be reasonable for the individual to expect that their information will be used for a particular purpose in light of the overall transaction. The Commissioner found that individuals would not expect to have their personal information used for the secondary purpose and therefore there was no implied consent under PIPEDA.

But that is contrary to the express scheme of Canada's anti-spam law. Under CASL, an organization can only send a commercial electronic message to a recipient where it has consent to do so. That consent either must be express or implied. Implied consent under CASL is very different from implied consent under PIPEDA. CASL doesn't care about what the consumer's expectation might be. Consent can be implied where there is an existing business relationship. One of the possible existing business relationships is the purchase of goods or services from the organization in the previous two years. Presumably, buying a COVID test from a vendor would meet that threshold and there would be implied consent for sending commercial electronic messages. I do agree with the federal Privacy Commissioner that doing so because you are ordered to by the Public Health Agency of Canada would really be contrary to the individual's expectation.

But this really does highlight some of the absurd dissonance between our anti-spam law and our privacy law. Both use the term “implied consent”, but it means radically different things. From this finding from the federal Commissioner, it appears that he is of the view that implied consent under CASL does not lead to deemed implied consent under PIPEDA. CASL expressly permits it, but PIPEDA does not.

When it comes to consent for sending commercial electronic messages, one would think that the piece of legislation that was expressly written and passed by Parliament for that purpose would be the final say, but the OPC certainly does not seem to be of that view.

The Privacy Commissioner carried out this investigation along with the Quebec commissioner, but there is no mention of whether the CRTC, which is the regulator under CASL, was involved.

At the end of the day, I think an existing business relationship was created between the complainant and the company so that there would have been implied consent to send commercial electronic messages, regardless of whether the consumer would have expected it to do so. The Commissioner did highlight that the individual had to be tested under the rules for the Public Health Agency of Canada, leaving room to argue that had the individual gone to the company for a test for other purposes, that might have been a more direct commercial relationship between the parties.

As my friend and tech law colleague Jade Buchanan pointed out on Twitter, “CASL is completely unnecessary when PIPEDA will apply to the use of personal information (name email, etc.) to send commercial electronic messages.” Personally, I think that one of the reasons why we have CASL is because PIPEDA was seldom enforced by the OPC against spammers when clear jurisdiction to do so existed for more than a decade before CASL was created.

And there’s nothing in the pending Consumer Privacy Protection Act that would address this dissonance between our privacy and spam law.

So that is the finding, and we're left scratching our heads a bit or at least have unanswered questions about important matters of jurisdiction and the intersection between our privacy laws and our spam laws.

No comments: