regs to riches

Share this post
☕ tim hortons
www.regs2riches.com

☕ tim hortons

investigation highlights what needs to be fixed in Canadian data governance

Vass Bednar
Jun 4, 2022
7
Share this post
☕ tim hortons
www.regs2riches.com
Twitter avatar for @timeimmemorial_
Kevin Finnerty @timeimmemorial_
Me asking everyone how they like their burger before I cook them all exactly the same
Image
11:30 PM ∙ May 30, 2022
357,138Likes30,741Retweets

Twitter avatar for @MattZeitlin
Matthew Zeitlin @MattZeitlin
remember when dominos had that ad campaign that was like "our pizza was bad, we're sorry, now it's good," and now they have category leading delivery logistics and fine pizza? probably the only american institution that has gained trust recently
6:59 PM ∙ Jun 3, 2022
57,107Likes2,750Retweets

“Mass invasion of Canadians’ privacy” was the searing conclusion of outgoing Privacy Commissioner of Canada Daniel Therrien following an investigation into the Tim Hortons mobile app.

Twitter avatar for @PrivacyPrivee
OPC @PrivacyPrivee
Remarks by Privacy Commissioner of Canada regarding investigation of Tim Hortons. priv.gc.ca/en/opc-news/sp…
Alt text: “As a society, we would not accept it if the government wanted to track our movements every few minutes of every day. It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought.   In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians. “
3:40 PM ∙ Jun 1, 2022
42Likes25Retweets

The outcome of the investigation is emblematic of the state’s inability to adequately protect consumers in a digital economy. Tim Hortons will pay no fines for violating the law, because the four privacy commissioners involved in the joint investigation do not have that power. 

Twitter avatar for @globeandmail
The Globe and Mail @globeandmail
Tim Hortons is facing allegations that it violated Canada’s privacy laws by tracking customers via its app.
tgam.caTim Hortons faces scrutiny over app’s tracking of customersA new report could reveal findings about whether the Tims app violated Canadian privacy laws
9:00 PM ∙ May 30, 2022
331Likes222Retweets

While the firm has agreed to implement the recommendations of four privacy authorities in this case, if the company had simply chosen to ignore the report, the commissioners would have been powerless to do much about it.

“It is untenable that organisations like Facebook are allowed to reject my office’s findings as mere opinions,” Therrien said back in December of 2019.

Therrien was calling for legislative reform in 2019, and as he ends his term as privacy commissioner this month with the Tim Hortons investigation, he was once again called on the federal government to pass stronger privacy laws.

Twitter avatar for @PrivacyPrivee
OPC @PrivacyPrivee
The Tim Hortons app used location data to infer where users lived, worked, and whether they were travelling. It generated an “event” every time users entered and left their homes, entered and exited their office, or travelled. priv.gc.ca/en/opc-actions…
Alt text: USER_ENTERED_HOME; USER_EXITED_HOME; USER_ENTERED_OFFICE; USER_EXITED_OFFICE; USER_STARTED_TRAVELING; USER_STOPPED_TRAVELING; USER_ENTERED_GEOFENCE; USER_EXITED_GEOFENCE;
2:58 PM ∙ Jun 1, 2022
311Likes197Retweets

Decision-makers seem to be delaying the empowerment of regulators to do their jobs more effectively; which means vigorously enforcing the laws that we have and occasionally advising on new ones when appropriate. As it stands they are unable to do either; the advice is ignored and the enforcement is not happening.

Politically, Canada continues to privilege corporate interests that are averse to scrutiny or imposition of any sort when it comes to what they can do with the data they create. While these firms often caution that new privacy laws may chill investment or kill innovation, the fact that a coffee and donuts chain is getting in on the action shows that this is no longer the sole domain of a few bleeding-edge tech companies.

The Privacy Commissioner’s investigation concluded two years after exclusive reporting by James McLeod, who was then at the Financial Post. The 24-month lag leaves much to be desired, but findings are more than just an expensive and time consuming bureaucratic fact check. They are satisfying in that they reinforce that our governance institutions can investigate a data-driven firm.

Moreover, the privacy commissioners went beyond simply concluding that Tim Hortons acted illegally because they misled consumers to obtain geolocation consent. In establishing the central feature of proportionality — whether the collection of data was proportional to the benefits the firm received — the investigation underscored that even if the mobile app had been clear about the level of tracking, it STILL would have violated Canada’s privacy guidelines because the volume and frequency of information they were collecting was far greater than what they needed. 

This principle could represent an important step toward a more healthy and trustworthy data governance environment in Canada, but only if our watchdogs have appropriate teeth to impose penalties on violating companies, and the power to proactively sniff out potential violators.

The issues at play here, both the data collection concerns and the limited enforcement powers being brought to bear, have broader implications. Privacy is one concern; healthy and competitive markets are another.

Twitter avatar for @montezumachavez
Luis Alberto Montezuma @montezumachavez
If you believe in synergies between privacy and competition law, then this @PrivacyPrivee's decision is for you: priv.gc.ca/en/opc-actions… We found that Tim Hortons released updated versions of its App so that it could identify when the User was visiting a Tim Hortons competitor.
priv.gc.caPIPEDA Findings #2022-001: Joint investigation into location tracking by the Tim Hortons App - Office of the Privacy Commissioner of Canada
3:16 PM ∙ Jun 4, 2022
1Like1Retweet

Companies use data to compete in digital markets, and as reported in The Logic, data allows companies to turbocharge existing anti-competitive tactics and enables new ones. Recently passed amendments to the Competition Act include non-price effects on competition that include consumer privacy to the type of anticompetitive effects that can be considered. Previously, the Competition Commissioner has teamed up with the Privacy Commissioner just once, to investigate misleading privacy claims. The resulting fine was a fraction of the penalties levied elsewhere after similar investigations.

Twitter avatar for @NewsroomGC
GC Newsroom @NewsroomGC
Facebook to pay $9 million penalty to settle Competition Bureau concerns about misleading privacy claims
ow.lyFacebook to pay $9 million penalty to settle Competition Bureau concerns about misleading privacy claims - Canada.caFacebook Inc. will pay a $9 million penalty after the Competition Bureau concluded that the company made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook will also pay an additional $500,000 for the costs of the Bureau’s investigatio…
3:04 PM ∙ May 19, 2020
26Likes36Retweets

In the Competition Bureau, we see similar limitations. Without the power to compel market studies the Bureau would be unable to conduct a similar investigation into potentially anti-competitive dynamics in the data-driven economy.

A crucial component to this investigation into corporate surveillance was the ability to access the data that the app collected. In breaking the original story, McLeod was able to obtain the information through a request under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Moreover, if Tim Hortons ever faces any meaningful financial penalty, it will come in the form of class action lawsuits rather than state action. As it stands, the onus to evaluate and report irresponsible data collection behaviours continues to rest on individuals and the authorities we have are limited in their ability to resolve transgressions. 

The iPhone App Store first launched in 2008, and Apple added GPS to the device in the same year; the entire mobile geolocation ecosystem had only existed for 12 years when McLeod broke the Tim Hortons story. Two years for a formal investigation is too long in the context of the modern digital environment. Our collective impatience for broader policy reform is underpinned by time-intensive investigations that test the electorate’s attention and stretch regulator endurance under fragile political tenures. 

It is time to build a regulatory environment that can respond appropriately to market realities and adequately protect Canadians without the fear of feigned implications for economic growth. 

Leave a comment


Share this post
☕ tim hortons
www.regs2riches.com
Previous
Next
Comments
TopNewCommunity

No posts

Ready for more?

© 2023 Vass Bednar
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing