A Key Step Towards the Right to Be Forgotten? Federal Privacy Laws and Internet Search Engines | JD Supra

[co-author: Adam Williams – Articling Student]

In Reference re Subsection 18.3(1) of the Federal Courts Act (the Reference), the Federal Court of Canada held that the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA) applies to internet search engines when they index webpages and present search results in response to searches of an individual’s name.

This issue was determined by the Court on a reference by the Office of the Privacy Commissioner of Canada (OPC) in connection with an investigation of a complaint against Google. The complaint alleges that Google contravened PIPEDA by displaying links to news articles that contained personal and sensitive information about the complainant. The complaint raises, in part, the question of whether or not PIPEDA includes a “right to be forgotten.”

In a 2018 document entitled “Draft OPC Position on Online Reputation,” the OPC asserted that PIPEDA provides two key mechanisms for “enhancing one’s control over their online reputation”; namely that individuals can: (i) challenge the accuracy, completeness and currency of results returned for searches on their name; and (ii) require that personal information that is no longer needed be destroyed, erased or made anonymous. In the draft, the OPC noted that the language of PIPEDA does not expressly provide for the two mechanisms identified by the OPC. However, as described below, such express language could be included in expected reforms to PIPEDA under Bill C-11.

In the underlying 2017 complaint that gave rise to the Reference, the Complainant argued that Google had contravened PIPEDA by displaying links to websites with news articles that contained personal and sensitive information in response to searches of his name. The Complainant alleged the information was outdated and inaccurate, and led to harms including physical assault, lost employment opportunities and severe social stigma. In response, Google did not remove the links, referring the Complainant instead to the administrators of those websites for resolution.

In the Reference, the Federal Court considered whether “Google’s search engine collect[s], use[s] or disclose[s] personal information in commercial activities within the meaning of s 4(1)(a) of PIPEDA when it indexes webpages and presents search results in response to searches of an individual’s name.”

Paragraph 4(1)(a) of PIPEDA states:

4 (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities.

The Federal Court held as follows:

  • Google collects personal information in connection with automated crawling of webpages (i.e., using software to continually access webpages and transmit information for indexing);
  • Google uses personal information, in particular, “Google needs as much information as possible to make its search engine as comprehensive and valuable as possible for users, and consequently for advertisers”; and
  • Google discloses personal information through displaying, and controlling the ordering of, its “snippets” in its search results.

The Federal Court further held that the above noted actions occurred in the course of commercial activities. Despite Google’s search engine providing a “free” service to content providers and users, the Federal Court noted that a large amount of the company’s revenues came from advertising displayed alongside search results. Google promotes its advertising services by highlighting the popularity of its search engine and its ability to target ads to users based on the personal information it has about them. The Federal Court described this as Google having “a flagrant commercial interest” in connecting users and advertisers.

Accordingly, the Federal Court held that the operation of Google’s search engine did fall within the scope of paragraph 4(1)(a) of PIPEDA.

The Federal Court also considered whether the operation of Google’s search engine was excluded from application of PIPEDA on the basis that it collects, uses or discloses personal information for journalistic purposes. The Federal Court concluded that this exception to the application of PIPEDA did not apply.

The substance of the underlying complaint of whether Google did in fact breach PIPEDA in its collection, use or disclosure of the Complainant’s personal information was referred back to the OPC. In particular, the Federal Court noted that it had not determined the existence of “the power of the Commissioner to recommend deindexing.” Accordingly, notwithstanding the confirmation that PIPEDA applies to Google’s search engine, whether a right to be forgotten exists under PIPEDA remains undetermined.

Some key takeaways are as follows:

  • While the existence of the right to be forgotten is not expressly provided for in PIPEDA, it is expected that the upcoming reforms to Canadian privacy legislation will address this issue more directly. In particular, Bill C-11, first introduced in November 2020, proposes to enact the Consumer Privacy Protection Act (CPPA). The current draft of CPPA provides individuals with a right to request an organization to dispose of their personal information and requires organizations to take reasonable steps to ensure the accuracy of personal information under its control. Commentators have compared the proposed wording in Bill C-11 to the “right to be forgotten” contained in the General Data Protection Regulation (GDPR), the European privacy legislation, but noted that the proposed wording is not necessarily directly aligned with the GDPR wording.
  • Adapting to anticipated changes in the federal privacy legislation regarding the “right to be forgotten” will require organizations to, among other things, undertake a comprehensive mapping of what data is collected, the purposes for which the data is collected, the period of time that data must be retained to fulfill those purposes, how data is moved around the organization and all the points at which personal information is stored (internally and externally). In addition to this data mapping, under Bill C-11, organizations will also need to develop a set of policies and protocols to govern their obligations under privacy legislation, including how requests to dispose of information will be handled and what steps will be taken to ensure that personal information is accurate, up-to-date and complete.

The CPPA is further discussed in our previous publication, Understanding the Draft Consumer Privacy Protection Act: A Summary of the Key Changes Proposed.