Privacy Rights, Metadata, and Aggregation

May 13, 2015

Have questions about metadata, data aggregation and privacy rights but don’t know where to begin? Here’s a short primer and some resources to get you started.

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

What is metadata?
Metadata is data generated when a person uses technology and an electronic or digital record is created. In other words, metadata is data that describes other data. Metadata is created when you use certain devices – your computer, your smart phone, your tablet and others – and it can provide insight about how you are using those devices. Metadata can provide a lot of information about a person. As well, the line between metadata and the actual content of a communication can be difficult to draw. Sometimes, metadata can tell you more than the actual communication itself; for example, a 911 call. Patterns in metadata could also be very revealing; for example, an abrupt change in someone’s movement patterns or someone’s Internet usage.

What are some examples of metadata?

  • Date, time, location and telephone numbers when you make a telephone call or send a text message
  • IP addresses, e-mail addresses and server transfer information when you send an email
  • Search queries, search results, pages accessed and URLs when you search Google
  • Username, number of friends, “likes”, check-ins and events on Facebook

Recent developments
The Communications Security Establishment Canada (CSE) conducted a mobile, WiFi-driven warrantless search associated with mobile devices in Canada in 2012. Although this may have been a test run, there is no guarantee that metadata will not be collected for other purposes by intelligence agencies in the future, and it is more than likely that it already is (see Ann Cavoukian and Avner Levin’s “Metadata surveillance is an invasion of our privacy” in the National Post).
In 2013, the British Columbia Civil Liberties Association filed a lawsuit against CSEC, arguing that its secret surveillance of Canadians infringes Canadians’ rights under Charter s. 8 (unreasonable search and seizure).
Furthermore, Canada Border Services Agency has disclosed that it has made 19,000 requests for customer information to telecommunications companies in the span of a single year (see Colin Freeze, Globe & Mail, “Canada’s metadata collection worries critics”).

What have Canadian courts said about metadata and privacy?
Courts have defined metadata in a number of cases dealing with exchange of documents in court cases, preservation of documents and search and seizure of information.
Metadata may include information identifying, describing, managing or directing a telecommunication (United States of America v Fraser, 2014 BCSC 227) or information relating to the purpose and creation of that communication (Big Pond Communications 2000 Inc v Kennedy, [2004] OJ No 820).

The Supreme Court has taken the privacy interests inherent in metadata very seriously. In the context of analyses of reasonable expectations of privacy under Charter s. 8 (unreasonable search and seizure), the Court has recognized that personal computers contain “automatically generated” data that may reveal personal information (R v Vu, 2013 SCC 60) and that IP addresses can also reveal personal information (R v Spencer, 2014 SCC 43).

Is metadata personal information protected by PIPEDA and similar legislation?
PIPEDA protects personal information, i.e., information about an identifiable individual.
Courts have defined “personal information” under PIPEDA broadly, and with a view to context.

Personal information is not only that which is obviously identifiable with a particular person: it is also that which raises a serious possibility of identification – either with this information alone, or combined with other information (see Gordon v Canada (Health), 2008 FC 258).

Metadata can be personal information that is protected by PIPEDA.

For example, an IP address taken with subscriber information can reveal considerable information about a person – a person’s interests, expertise, travel patterns, the people they associate with and more (see the Office of the Privacy Commissioner – What an IP Address Can Reveal About You).

An individual’s social network can be used to identify them, as can their patterns of movement.

One recent experiment concluded that tracking data from a person’s mobile device for just one week could provide an accurate description of many significant aspects of that person’s life (see here).

Further reading and other resources on metadata and privacy
Office of the Privacy Commissioner
Ontario Information and Privacy Commissioner, “A Primer on Metadata: Separating Fact from Fiction”
Colin Freeze, Globe & Mail, “How Canada’s shadowy metadata-gathering program went awry” (June 2013)
Michael Geist, “Who is Watching the Watchers?: Ten Questions about Canada’s Secret Metadata Surveillance Activities” (June 2013).

What is data aggregation?
Companies may put together personal information collected about their customers either for internal purposes or to sell to other companies. Data brokers collect, compile and sell individuals’ personal information for marketing or other purposes (for example: Cornerstone, Info Canada, Credit Bureaus).
Both companies who directly gather personal information and data brokers who purchase information are subject to PIPEDA. Even though information that is aggregated may be publicly available, it may still be personal information under PIPEDA. These companies often state that data is anonymized in such a way as to ensure that it is not “personal information” under PIPEDA.

Could the results of data aggregation violate PIPEDA and substantially similar legislation?
If there is a data breach in a substantial database of a data broker, this could lead to violations of PIPEDA. This is especially concerning in an era of cloud computing, where issues regarding security of data exist, especially when data travels through other jurisdictions. De-identified data is not always as anonymous as companies would like to believe. If data can be re-identified, this can lead to privacy concerns under PIPEDA.
This risk is not speculative – re-identification is possible, and the likelihood of this occurring can depend on many different factors, including the kind of information available and the motivation of a person trying to learn it.

However, although de-identification is not perfect, companies can take steps in their anonymization processes to minimize privacy risks. It is important that companies understand the most recent developments in de-identification research and use new techniques as they are developed. See Ontario Information and Privacy Commissioner, Big Data and Innovation, Setting the Record Straight: De-identification Does Work (June 2014).

Data mining can be used to analyze patterns that could lead to new conclusions being drawn that may even be unknown to the person whose information is being mined.
This could also lead to breaches of PIPEDA if there is a possibility that these patterns could be personal information, associated with an identifiable individual.

However, the Assistant Privacy Commissioner has found that where assumptions are drawn about people based on aggregated data, this is not personal information, since these assumptions may not be correct. This view of consumer profiling is troubling and introduces some uncertainty into this area of the law. For more information, see PIPEDA Case Summary #2009-004 and this article by Teresa Scassa.

Further reading and other resources about data aggregation and privacy
Office of the Privacy Commissioner of Canada – “Data Brokers: A Look at the Canadian and American Landscape” (September 2014).
Ontario Information and Privacy Commissioner – “Looking Forward: De-identification Developments – New Tools, New Challenges” (May 2013).
The Canadian Internet Policy and Public Interest Clinic – “On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship” (April 2006).
Pete Warden, “Why You Can’t Really Anonymize Your Data” (May 2011).