One of the emerging technologies that has arisen as a result of the existence of a free and open Internet is the Internet of Things. Both Canadian and US regulators have raised the spectre of privacy law infringements by devices utilizing the IoT. While publications from these regulators have raised certain high-level privacy law issues, what has been missing from the discussion is a useful analytical framework which can be used. In The Internet of Things and Privacy: An Analytic Framework, we endeavour to provide such a framework.
The answers to the following two questions are critical in determining how and when privacy laws will apply to the operation of the IoT:
(a) Is the information collected by an IoT Device personal information?
(b) Is a third party collecting, using or disclosing personal information through the operation of the IoT Device?
Yet these threshold questions appear to have received little attention in the regulators’ analyses.
(a) Is the information collected by an IoT Device personal information?
In order for privacy laws to apply, the information being collected by an IoT Device has to be ‘personal information.’ It is true that if personal information is being so collected, it has the potential to be higher in quality, quantity and sensitivity than that collected from traditional consumer products (Philippa Lawson, ‘The Connected Car: Who is in the driver’s seat? – A study on privacy and onboard vehicle telematics technology’, p 13). That imposes more onerous compliance requirements, eg with respect to the consent required to collect such information and the level of security required to protect that information. However, before we address those issues, we need to better understand when information collected by an IoT Device may be personal information.
(i) How is personal information defined?
At a high level, Canada’s legislative privacy regime is composed of federal privacy legislation, Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA), which applies to the collection, use and disclosure of personal information, in connection with a commercial activity, in every province other than the three which have ‘substantially similar’ privacy legislation: namely, the Alberta Personal Information Protection Act, SA 2003, c P-6.5 (PIPA AB), the British Columbia Personal Information Protection Act, SBC 2003, c 63 (PIPA BC), and, in Quebec, An Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (APPIPS). In addition, there are certain (relatively unused) statutory-based torts, as well as two new, and much more significant, common-law privacy-related torts: the tort of intrusion upon exclusion and the tort of public disclosure of private facts.
The privacy legislative regime has established the following base definition of personal information, subject to certain scenario-specific exceptions: ‘information about an identifiable individual’. Courts have interpreted what it means for information to be ‘about an identifiable individual:’ for example, in Ontario, courts have found that information is ‘about an identifiable individual’ when it is reasonable to expect that, when the information is combined with information from sources otherwise available, an individual can be identified (Ontario (Attorney General) v Ontario (Information and Privacy Commissioner) (2001), 154 OAC 97 (ONSC Div Ct) at para 15, affirmed Ontario (Attorney General) v Pascoe, [2002] OJ No 4300, (2002), 166 OAC 88 (ONCA)).
The US privacy regime is a patchwork of sectoral and issue specific federal privacy legislation, a plethora of state privacy legislation, and various privacy torts. With respect to interpreting the scope of ‘personal information,’ some US courts have taken a different approach. A US court found that information is personal information if it is inherently personal, such as an email address that includes an individual’s first and last name, a phone number, or Facebook ID (Ellis v The Cartoon Network, 14-cv-484 (N.D. Ga. Oct 8, 2014) at page 9), but is not necessarily personal information if the information can be used to identify a particular individual, such as GPS location information of license plate information when the person collecting the license plate information has access to the license plate registration information (but see Leon’s Furniture Limited v Alberta (Information and Privacy Commissioner), 2011 ABCA 94 [Leon’s] at para 48).
The distinction between the two jurisdictions is important: more information collected by IoT Devices will be considered personal information in Canada than in the USA. In practice, there can be some significant nuances.
(ii) When does ‘object-oriented’ information constitute personal information?
For the sake of simplifying our analysis, we will consistently use the same example of an IoT Device: a ‘smart fridge,’ which collects, uses and potentially discloses information as to the nature, volume and timing of the use of products in the fridge.
The issue is if and when that information about the fridge, as an object, becomes information about an individual such that it is personal information. In other words, when does ‘object-oriented’ information constitute personal information?
In Canada, this issue, as to when information collected about an object should be considered to be personal information, has been the subject of jurisprudence in the past several years. The most significant decision is Order P12-01: Schindler Elevator Corporation (December 19, 2012) (Schindler Elevator Corporation (Re), 2012 BCIPC 25) – significant because it represents the culmination of a line of decisions which were effectively divided into two schools of thought on this issue: the ‘About Individuals View’ and the ‘Identifiable View’.
1. The About Individuals View
The school of thought holding that information about an object is not personal information was represented by the 2011 Alberta Court of Appeal decision in Leon’s Furniture Limited v Alberta (Information and Privacy Commissioner) 2011 ABCA 94. In explaining how best to understand the definition of ‘personal information’ as meaning ‘information about an identifiable individual,’ the Court broke the definition into two parts (at [47]-[48]):
The ‘identifiable individual’ term has two components. Firstly, the individual must be ‘identifiable’. Generic and statistical information is thereby excluded, and the personal information (here the relevant number) must have some precise connection to one individual. Secondly, the information must relate to an individual. Information that relates to objects or property is, on the face of the definition, not included. The key to the definition is the word ‘identifiable’. The Act is designed to regulate and protect information that is uniquely connected to one person…
Further, to be ‘personal’ in any reasonable sense the information must be directly related to the individual; the definition does not cover indirect or collateral information. Information that relates to an object or property does not become information ‘about’ an individual, just because some individual may own or use that property. Since virtually every object or property is connected in some way with an individual, that approach would make all identifiers ‘personal’ identifiers. In the context of the statute, and given the purposes of the statute set out in s. 3, it is not reasonable to expand the meaning of ‘about an individual’ to include references to objects that might indirectly be affiliated or associated with individuals. Some identification numbers on objects may effectively identify individuals. Many, however, are not ‘about the individual’ who owns or uses the object, they are ‘about the object.’ (emphasis added)
Not unexpectedly, the Alberta Information and Privacy Commissioner violently objected to this analysis, but his application to the Supreme Court of Canada to appeal was dismissed.
2. The Identifiable View
The second view argues that information associated with objects – like VINs, for example – because it can be used in conjunction with other information to identify an individual, must therefore be personal information: it focuses on the importance of the requirement that the individual be ‘identifiable’ from the use of that information.
The Alberta IPC expressed this view when it had the opportunity to re-engage with the issues raised by Leon’s in Order F2012-14: Alberta Health (June 29, 2012), which required that the Alberta IPC determine whether (a) legal land descriptions and, and related water analyses for same, and (b) activities related to that land and water which could be traced back to an individual, constituted personal information. The Alberta IPC concluded that:
Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information (at [49]).
In our view this is somewhat confusing, in that it suggests that the ability of an item of data to be used to identify an individual is sufficient to make that personal information. We think this is inaccurate: rather, that data has to be associated with that individual once identified, in order for that data to constitute personal information.
In the very lengthy Schindler Elevator, the British Columbia Information and Privacy Commissioner – perhaps not surprisingly – effectively joined the Alberta IPC in objecting to the Leon’s Court of Appeal decision and its advocacy of the About Individuals View.
The issue in Schindler Elevator was whether information which Schindler collected using a GPS and engine status data system installed in its mechanics’ service vehicles (eg start and stop times, and excessive speeding, braking and acceleration) was (a) information about the vehicles, and therefore not personal information, or (b) information about the mechanic employees, and therefore personal information. In perhaps her most relevant argument, the BC IPC stated (at [83]):
What does an additional requirement that the information be ‘about’ a particular individual add to this? The meaning of ‘about’ as articulated in NAV Canada and Otis is, again, not appropriate under PIPA. They view the term ‘about’ as restricting personal information to information which relates to the individual in a personal, as opposed to employment, business or professional capacity. Where information can be used for multiple and perhaps equally important purposes, it is neither necessary nor helpful to read into PIPA’s definition of personal information a requirement that information must be ‘about’ an identifiable individual in some ‘personal’ or ‘private’ way. The reality is that the same information can be and often is used for multiple purposes. The mileage information collected by Fleet Complete, for example, can be (and is) used for purposes related to asset management (such as scheduling vehicle maintenance) and can also be used for purposes related to employee discipline (such as determining whether an employee is using the vehicle assigned to her or him for personal travel). (emphasis added)
In other words, where the information is used for asset management, it is not personal information. However, where the information is used for a purpose related to the individual employee, it is personal information. Thus in Schindler Elevator the BC IPC concluded (at [85]) that:
‘personal information’ is information that is reasonably capable of identifying a particular individual, either alone or when combined with other available sources of information, and is collected, used or disclosed for a purpose related to the individual. Consistent with PIPA’s statutory purposes, this recognizes that information may be used for different purposes at different times (emphasis added).
In other words, the fact that an item of data can be used to identify an individual is insufficient: rather, that data item must also be being used for a purpose relating to that individual – which in effect means that it must reveal something of a personal nature about that individual.
In conclusion, then, in British Columbia it appears that whether GPS, engine use data, or other information about an object related to an individual is considered to be personal information is dependent on (a) whether it can be used to identify an individual, and (b) whether, say, the VIN is being used for a purpose related to the vehicle, or for a purpose related to the individual, such that if it is for the latter purpose it will be considered to be personal information. Note, however, that this is contrary to the holding of the Alberta Court of Appeal, and could therefore be subject to challenge were a British Columbia court to take note of the Alberta decision.
With the caveat that the Commissioners and the courts in Canada are still in the process of finding their way on this issue, how does this analysis apply to our smart fridge example?
In short, the answer is very fact dependent. If the smart fridge, or the IoT Device attached to the fridge to make it ‘smart,’ is a one-time, off-the-shelf purchase by the consumer, and does not share information outside the home, the actual data collected by the IoT Device may not be able to be used to identify the individual. However, if the smart fridge, or the IoT Device attachment, is paid for on a subscription basis and is shared outside the home in connection with a service for which the consumer is paying (eg with a grocery delivery service), that data may very well be able to identify that individual and would be considered to be personal information.
(iii) Is a third party collecting, using or disclosing personal information through the operation of the IoT Device?
The phrase ‘collected by an IoT Device’ which we have used directly above is illustrative of the second key question: is a third party collecting, using or disclosing personal information through the operation of the IoT Device?
This, again, is a threshold issue: privacy legislation is triggered by the collection, use and disclosure of personal information by a third party. If an individual is using the IoT Device to collect their own personal information, for their own use and not for disclosure to a third party, privacy laws will not apply. Thus, where an individual is collecting information from the fridge and downloading it to a local diet app on a mobile phone for the purpose of monitoring and improving diet, that information is not being collected, used or disclosed by a third party and therefore is not subject to privacy laws.
If, however, that same individual shares that information with a third-party dietician, that will be considered to be collection by that third party such that consent is required. Further, if the manufacturer or distributor of the smart fridge, or the smart component thereof, is collecting information relating to the use of the fridge, eg for the purpose of market research, that will – again, if the information is in any way identifiable to, or can identify, an individual – constitute the collection of personal information.
(iv) Can the information which is collected in fact be identifiable to a single individual such that it is personal information?
The issue here is whether information collected by IoT Devices which are inherently shared devices – like a smart fridge – can be considered to be identifiable, and therefore personal information. The answer should be different depending on the facts: in the case of the smart fridge, the answer may differ depending on where the fridge is located – in a condominium owned by a single individual, in a house occupied by a family of four, in a rooming house with multiple apartments but a single shared kitchen or in the cafeteria of a 100-person law firm?
Canadian privacy jurisprudence has engaged with the same issue in different contexts. For example:
· Canadian postal codes, which can represent a small number of residence locations and multiple individuals, have been found not be personal information on their own (Order PO-2726 [2008] (ON IPC) (Appeal PA07-255; Ministry of Community Safety and Correctional Services)).
· IP addresses associated with a computer, which can be used by a single user, or by multiple users, raise the same issues. The Office of the Privacy Commissioner of Canada has taken the position that an IP address that is associated with other information that can be used to identify an individual is personal information (PIPEDA Report of Findings #2009-010 (Assistant Commissioner recommends Bell Canada inform customers about Deep Packet Inspection) at para 48). In contrast, the Article 29 Data Protection Working Party has expressed the view that ‘unless the service provider ‘is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side’ (Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive)). In short, whether IP addresses are personal information will, again, be fact dependent.
In contrast, wearable IoT Devices are likely identifiable with the individual, as they are not inherently shared devices.
In light of the foregoing, then, it is clear that shared IoT Devices may not, depending on the circumstances, collect, use or disclose information which is identifiable with an individual user.
John Beardwood is a Partner at Fasken Martineau LLP (Toronto).
Mark Bowman is an Associate there.