“Mass invasion of Canadians’ privacy” was the searing conclusion of outgoing Privacy Commissioner of Canada Daniel Therrien following an investigation into the Tim Hortons mobile app.
The outcome of the investigation is emblematic of the state’s inability to adequately protect consumers in a digital economy. Tim Hortons will pay no fines for violating the law, because the four privacy commissioners involved in the joint investigation do not have that power.
While the firm has agreed to implement the recommendations of four privacy authorities in this case, if the company had simply chosen to ignore the report, the commissioners would have been powerless to do much about it.
“It is untenable that organisations like Facebook are allowed to reject my office’s findings as mere opinions,” Therrien said back in December of 2019.
Therrien was calling for legislative reform in 2019, and as he ends his term as privacy commissioner this month with the Tim Hortons investigation, he was once again called on the federal government to pass stronger privacy laws.
Decision-makers seem to be delaying the empowerment of regulators to do their jobs more effectively; which means vigorously enforcing the laws that we have and occasionally advising on new ones when appropriate. As it stands they are unable to do either; the advice is ignored and the enforcement is not happening.
Politically, Canada continues to privilege corporate interests that are averse to scrutiny or imposition of any sort when it comes to what they can do with the data they create. While these firms often caution that new privacy laws may chill investment or kill innovation, the fact that a coffee and donuts chain is getting in on the action shows that this is no longer the sole domain of a few bleeding-edge tech companies.
The Privacy Commissioner’s investigation concluded two years after exclusive reporting by James McLeod, who was then at the Financial Post. The 24-month lag leaves much to be desired, but findings are more than just an expensive and time consuming bureaucratic fact check. They are satisfying in that they reinforce that our governance institutions can investigate a data-driven firm.
Moreover, the privacy commissioners went beyond simply concluding that Tim Hortons acted illegally because they misled consumers to obtain geolocation consent. In establishing the central feature of proportionality — whether the collection of data was proportional to the benefits the firm received — the investigation underscored that even if the mobile app had been clear about the level of tracking, it STILL would have violated Canada’s privacy guidelines because the volume and frequency of information they were collecting was far greater than what they needed.
This principle could represent an important step toward a more healthy and trustworthy data governance environment in Canada, but only if our watchdogs have appropriate teeth to impose penalties on violating companies, and the power to proactively sniff out potential violators.
The issues at play here, both the data collection concerns and the limited enforcement powers being brought to bear, have broader implications. Privacy is one concern; healthy and competitive markets are another.
Companies use data to compete in digital markets, and as reported in The Logic, data allows companies to turbocharge existing anti-competitive tactics and enables new ones. Recently passed amendments to the Competition Act include non-price effects on competition that include consumer privacy to the type of anticompetitive effects that can be considered. Previously, the Competition Commissioner has teamed up with the Privacy Commissioner just once, to investigate misleading privacy claims. The resulting fine was a fraction of the penalties levied elsewhere after similar investigations.
In the Competition Bureau, we see similar limitations. Without the power to compel market studies the Bureau would be unable to conduct a similar investigation into potentially anti-competitive dynamics in the data-driven economy.
A crucial component to this investigation into corporate surveillance was the ability to access the data that the app collected. In breaking the original story, McLeod was able to obtain the information through a request under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Moreover, if Tim Hortons ever faces any meaningful financial penalty, it will come in the form of class action lawsuits rather than state action. As it stands, the onus to evaluate and report irresponsible data collection behaviours continues to rest on individuals and the authorities we have are limited in their ability to resolve transgressions.
The iPhone App Store first launched in 2008, and Apple added GPS to the device in the same year; the entire mobile geolocation ecosystem had only existed for 12 years when McLeod broke the Tim Hortons story. Two years for a formal investigation is too long in the context of the modern digital environment. Our collective impatience for broader policy reform is underpinned by time-intensive investigations that test the electorate’s attention and stretch regulator endurance under fragile political tenures.