The Office of the Privacy Commissioner of Canada (OPC) announced the results of an investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet. The OPC coordinated its investigation with the Dutch Data Protection Authority (DPA). Commissioner Stoddart has previously stated that coordinated enforcement is a priority of the OPC.

The OPC found that the mobile app was not compliant with the Personal Information Protection and Electronic Documents Act (Canada) in respect of how it handles address book information. Once a user consents to the app using the user's address book information, telephone numbers are uploaded to the providers' servers using SSL/TLS encryption. This may occur up to two times a day or when a manually refreshes. Telephone numbers that are correlated to other users are retained in clear text by the provider. These are "in network" numbers to which instant messages could be sent. Telephone numbers that are not associated with other users of the app are not discarded. Instead they are retained in a hashed format. These are "out of network" numbers.

The OPC raised a number of concerns:

  • Users could not (as a general rule) manually add and amend contacts. Instead, as a condition of using the service, a user had to provide access to his or her complete address book.
  • The app retained out of network numbers (that is, information of non-users). The fact that the out of network numbers were hashed was not sufficient to justify the retention.
  • The anonymization technique was not complete because "the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached." In addition, the OPC found that the methodology applied by the provider meant that the hash was always the same for the same number. This meant that it was theoretically possible to search to see whether a number had been submitted before.

The OPC's decision sets a high threshold for retaining information even in an anonymized form where the information is not needed for the operation of the service.

For more information, visit our Data Governance Law blog at www.datagovernancelaw.com

About Fraser Milner Casgrain LLP (FMC)

FMC is one of Canada's leading business and litigation law firms with more than 500 lawyers in six full-service offices located in the country's key business centres. We focus on providing outstanding service and value to our clients, and we strive to excel as a workplace of choice for our people. Regardless of where you choose to do business in Canada, our strong team of professionals possess knowledge and expertise on regional, national and cross-border matters. FMC's well-earned reputation for consistently delivering the highest quality legal services and counsel to our clients is complemented by an ongoing commitment to diversity and inclusion to broaden our insight and perspective on our clients' needs. Visit: www.fmc-law.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.