Internet and the protection of personal information
In this era of expansion of blogs and websites such as Facebook, cookies become more and more popular to capture the profile of an individual. One should wonder if he is properly protected against dissemination of personal if not confidential information. Indeed, many websites, including research engines, compile a wide variety of information in order to use or resell profiles to allow business enterprises to target clients for sale of their products and services.
The Québec Civil Code, in article 37, covers the establishment of files on other persons:
«37. Every person who establishes a file on another person shall have a serious and legitimate reason for doing so. He may gather only information which is relevant to the stated objective of the file, and may not, without the consent of the person concerned or authorization by law, communicate such information to third persons or use it for purposes that are inconsistent with the purposes for which the file was established. In addition, he may not, when establishing or using the file, otherwise invade the privacy or damage the reputation of the person concerned.»
At first sight, this seems to be a reasonable framework for the protection of personal information, to prevent third parties from using them for unauthorized purposes.
However, the issue is whether the purpose for which the information is gathered has been authorized by the individual concerned.
Most web users, often naively, voluntarily share important aspects of their personal life. In participating in a blog or in websites like Facebook, one necessarily agrees to disseminate personal information.
Article 37 of the Civil Code will be of little help to a person who will, voluntarily, share information of a personal and sometimes intimate nature with unknown correspondents. This information will be spread worldwide and… forever. Indeed, the life span of an information on the web is not limited, except by the exhaustion of interest therefor.
If everything were confined to one territorial jurisdiction, interventions would be made easier, though not automatic. We live in a multiple jurisdiction world some of which do not easily allow legal recourses. The consequence of spreading important information, wilfully, to a large public is tangible. For example, a future employer may choose to research the web for any information on a potential candidate. Given that the availability of the information was made wilfully by the person, that person will not be in a position to object to such inquiry. This would not constitute an intrusion into the private life of that person, that person having chosen to make the information available to the public in general.
This procedure by potential employers is spreading, in our view without infringement by the potential employer.
One must keep in mind that the profile that can be generated from the web does not flow from a single source of information; when combined and cross-referenced, information submitted through various websites may constitute an important basis for personal profiling.
Of course, if the profiling is aimed at a criminal behaviour (robbery of identity, fraudulent marketing, etc.), it will be prohibited; however, the intervention of police authorities or civil courts remains limited by reason, namely, of the multiple jurisdiction involved.
Another problem arises when an important institution (government, broker, credit corporation, bank, etc.) accidentally looses personal data. It may cover a highly confidential information such as the social security number. Such information in the hands of a criminal enterprise could help it in personal profiling and fraudulent operations. In such a case, the institution could incur civil liability but the victim, to be indemnified, must link the loss suffered to the actual dissemination of data.
For more information on this matter, please consult:
Office of the privacy commissioner of Canada: www.privcom.gc.ca
Culture, communications and women: www.mcccf.gouv.qc.ca
Ministry of government services - law on the legal framework for information technology: www.msg.gouv.qc.ca/en/enligne/loi_ti/index.asp
This bulletin is intended as a general information instrument and is not to be considered as a legal advice or opinion on any of the issues raised