
The Great Canadian Personal Data Grab

Companies like RBC, Aeroplan use aggressive new tactics to understand customer habits.

Michael Geist, 16 Oct 2013, TheTyee.ca

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at [email protected] or online at www.michaelgeist.ca.

When mobile users tried to install the new Royal Bank of Canada app earlier this month, they were told the bank would gain access to a range of personal data. Phone image via Shutterstock.

The Royal Bank of Canada updated its mobile application for Android users earlier this month. Like many banking apps, the RBC version allows users to view account balances, pay bills and find bank branches from their smartphone. Yet when users tried to install the app, they were advised that the bank would gain access to a wide range of personal data.

The long list of personal data -- far longer than that found in comparable applications from banks such as TD Canada Trust or Bank of Montreal -- included permission to use the device's camera, to read the user's call history, to access the user's Internet browsing habits, and to even check out their browser bookmarks. After users took to Twitter and the Google app review section to complain, RBC advised that it would update the app and that users should "stay tuned" about the permission requirements.

RBC is not alone in requiring users to disclose more personal information in order to access services. Aeroplan, the loyalty program linked to Air Canada, sent an email last week to hundreds of thousands of Canadians notifying them that it too was changing its data collection practices.

The company disclosed that holders of its popular financial credit cards (which can be used to earn Aeroplan points based on total spending) will soon be required to grant it access to detailed information on their financial activity. Starting next year, Aeroplan will be privy to all cardholder transactions, including merchant names, transaction amounts and dates of the transactions.

The personal data grab from two of Canada's best-known companies is part of a disturbing privacy trend involving a seemingly insatiable desire for customer information. These demands stretch Canadian privacy law to its limits and risk exposing user data to security breaches.

Privacy, a negotiated bargain

Canadian privacy law requires organizations to obtain consent for the collection, use and disclosure of personal information. The basic premise is that privacy is a negotiated bargain in which companies can ask for permission to do virtually anything with the personal information they collect so long as users grant their consent.

The law does contain an important limitation, however, stating that "an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes." In other words, companies can ask for whatever information they believe is reasonable under the circumstances, but they cannot mandate the disclosure if it is not strictly necessary to supply the good or service.

Despite the legal limitations, the RBC and Aeroplan policies illustrate how companies have become increasingly aggressive in their personal information collection practices. Companies use data mining technologies (the same ones used by intelligence agencies to comb through the metadata of billions of telephone calls) to analyze customer habits and inform a wide range of business decisions.

Some uses may seem relatively innocuous, yet the practice of collecting as much data as possible raises serious concerns. The risk of a security breach increases as companies capture and retain more and more information. This is particularly true for sensitive financial data which is now accessed by more than just a regulated financial institution.

Moreover, the collection practices push the legal envelope by requiring disclosures that are not strictly necessary to maintain a loyalty program or offer a mobile app. There have been relatively few complaints to the Privacy Commissioner of Canada on these issues, which may be a product of a public that has become increasingly cynical about the potential for privacy laws to stop invasive practices from both government and the private sector. Yet as companies seek mountains of customer data, it may be time for consumers to start saying no.
