Google: See no evil...?

After finding that California-based Google was hosting advertising that relied on users' private medical information, Canada’s interim Privacy Commissioner is warning other companies operating here that they must respect Canadian privacy law.

The problem arose after one user filed a complaint to the Privacy Commissioner's office. The user says they visited a website with information about a respiratory device; not long afterwards, Google-hosted ads about sleep apnea began popping up.

That, says the federal watchdog, is overstepping the bonds of privacy.

“As Canadians spend more and more time online, they create a digital trail that can reveal a great deal about a person. Organizations such as Google must ensure privacy rights are respected in this complex environment,” the Commissioner said in a press release.

Guidelines published last year strictly forbid companies from gleaning personal medical information and using it to tailor ads. The office also points out that Google's own privacy policy forbids advertisers from using users' cookies to identify them on the basis of race, religion, sexual orientation or health.

The legislation that the commissioner is tasked with upholding, The Personal Information Protection and Electronic Documents Act (PIPEDA), doesn't detail what constitutes sensitive personal information and, at present, the courts have yet to formulate a test to determine what contravenes PIPEDA. Figuring out what constitutes a breach is a matter of guesswork.

Complicating matters, online advertising is increasingly prevalent, and companies collect ever-more sophisticated information about users' surfing habits. It all means that companies are opening themselves to huge liability issues if the third parties who use their service do not follow the rules.

Google says it has worked to ensure that users' privacy is respected, and the actions of a few rule-bending advertisers shouldn't define their commitment to that.

Even so, under Canadian law Google is still responsible.

"You can't pass the buck," says Brian Bowman, a partner with Pitblado Law in Winnipeg who focuses on Canada's privacy laws. He says that while Google itself didn't connect the user with the overly-targeted ad, it is responsible for the system that did. "The accountability still rests with you," he says.

And does that open Google to liability? "Yes, absolutely,” says Bowman. "Even in the context of Google searches, it is highly sensitive information and needs to be present with a higher level of due diligence," he says.

It may seem strange to consider it a breach of privacy to have a technical algorithm regurgitate a user's surf patterns back to them, in the form of an advertisement. There is certainly still some definition of where an expectation of privacy begins and ends, says Bowman. But, he points out, the ads don't verify who they're targeting – and if the computer used is a shared system, either within a family or in a public place, it blows the doors off a user's privacy.

It's privacy-by-design, says Bowman. Companies have got to make sure that respect for personal information is the default.

Companies should take heed of the Privacy Commission's warnings, lest they find themselves at its mercy. While its primary purpose is to investigate breaches and recommend fixes, it also has the power to order the company to issue an apology, charge them damages for the embarrassment a user may have faced and, as a last resort, take them to Federal Court.

One issue that will matter to Google, and smaller outfits, is Canada’s unique regulatory regime, often overlooked by those in far-off Silicon Valley.

"This finding and others that have been put out by the Office of the Information Commissioner ... will help get the awareness up in other jurisdictions," Bowman says. "It highlights the extra-jurisdictional nature of the internet and the challenges it provides."

To ensure that her investigation had the proper weight, interim Privacy Commissioner Chantal Bernier went to the American Federal Trade Commission's Consumer Protection Bureau to make the issue cross state lines. That, says Bowman, is a good step forward in educating American companies that aren't informed about PIPEDA about the Canadian context.

Google, for their part, accepted their responsibility under the act and worked with the Commissioner's office to set up some remedies.

Their plan is to better inform users about the advertising campaigns, and their rights under Google's privacy policies — including the ability to opt-out their personal search information — as well as to better train their staff and improve their automated ad review system to ensure that such breaches don't slip through again. Bernier's office says they're pleased about Google's commitment, and they've conditionally closed the file.

"We've worked closely with the Office of the Privacy Commissioner throughout this process and are pleased to be resolving this issue," Google said in a statement.

But this isn't a one-off situation. The Commissioner is making its intentions clear. “We also have concerns about whether other advertising networks are complying with Canadian privacy law. We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations,” Bernier said in a statement.

Bowman says it's a cautionary tale.

"For all organizations, what they can learn from this, you really need to do your privacy due diligence."