A courier arrived at my apartment door, handed me a heavy cardboard envelope and asked me to sign for it. This was serious business, and Toronto-Dominion Bank was not messing around.
Weeks earlier, I’d sent a formal request to see all my personal information held by my bank. It’s the only bank I’ve ever had, going all the way back to when my mom helped a six-year-old me start a savings account at the Canada Trust branch at the end of our street.
The actual contents of the envelope were a bit disappointing. According to TD, all the personal information it holds on me fits comfortably on six pages, with the last page mostly blank. Along with those six pages was a letter that was a total of four paragraphs long.
“As outlined in your letter, you have requested copies of your personal information held at TD. Please find enclosed our response to this information request,*” the letter said in part. “If you require further details, please ensure to visit the nearest branch, providing all details necessary to complete the request.”
The asterisk referred to a five-paragraph note under the customer relations manager’s signature, and hinted at all the information TD was declining to provide: “Access request packages will not include any information already available through normal business processes; information on non-Canadian operations; TD Ombudsman files; or audio/video tapes (unless details of date, time and location are provided.) Any material that may reveal confidential commercial information or is proprietary to TD has been omitted or severed where possible.”
I received six pages worth of basic account notes and biographical information, but, ultimately, the bank had decided what information it wanted to provide. If I wanted anything more, I’d need to fight them for it.
This is how it goes when you start sending letters to corporations requesting to see all the personal information they have on you. If you dig through the terms and conditions to find the right email address, and jump through various complicated and arbitrary bureaucratic hoops, companies almost always send you something, but it’s usually less than you expect, and you’re left with a feeling that they’re holding back on the good stuff.
In theory, it should be easy for any Canadian to find out how much personal information companies hold on them.
Under Canada’s data privacy law — the Personal Information and Protection of Electronic Documents Act (PIPEDA) — anyone can send an email to a company asking for a copy of their personal information, and the company is required to send you everything it has within 30 days.
But if you do take on this quest for all the personal data corporations have on you, the inescapable conclusion is that Canada’s data privacy law hasn’t kept pace with 21st century technology, and legal compliance is half-hearted at best.
My barrage of requests met with a wide range of responses, mostly unsatisfactory.
The hunt for my data started in October 2019 when my phone alerted me that the Tim Hortons app I had installed had been logging my location in the background. Curious, I sent a request to Restaurant Brands International Inc. (RBI), the owner of Tim Hortons, to see exactly what it knew about me.
About a month later, I received a trove of data that indicated Tim Hortons had quite detailed knowledge of my whereabouts at all hours of the day.
But part of what allowed me to understand the Tim Hortons data was that RBI gave me the data in a format that offered a huge amount of information in a way I could search and analyze. That’s not always the case when making data requests.
For example, Telus Communications Inc., my cellphone carrier for more than a decade, sent me a barrage of PDF files, and, as if to impress upon me the volume and the sensitivity of my personal information, insisted on locking each file with a four-digit passcode we set up in advance.
Some of the files might have been very interesting to decipher — for example, the 285-page file that logged my mobile data usage down to the byte for a period of about four months — but since the data was all provided in a locked-down PDF, all I could do was scroll through it and observe that on Dec. 4, 2019, at 5:40 p.m. I uploaded 367,894 bytes of data and downloaded 1,880,002 bytes on my phone.
Telus also gave me a seven-page list of cell tower sites that my phone had connected to during the past year, although not with any corresponding dates or times.
Big tech companies such as Twitter Inc., Facebook Inc. and Google LLC already provide formal mechanisms to allow users to download their data, but smaller, less technology-focused companies can be much less informal.
I sent a request for all my data collected by Pizza Pizza Ltd.’s ordering app by emailing privacy@pizzapizza.ca. The reply came directly from Curt Feltner, the company’s chief financial officer.
On location data specifically, Feltner wrote, “I can confirm that the Pizza Pizza ordering app determines a customer’s location but does not track and store the customer’s location data movements after the order is delivered.”
Paige Backman, a partner at Toronto-based law firm Aird and Berlis LLP, and chair of its privacy and data security group, said the companies she deals with want to comply with data privacy and disclosure regulations, but requests for information don’t generally get a lot of attention.
“Access requests are actually a very small part of what organizations see. Now, we’re seeing more of them, but we don’t see a significant amount of them,” she said. “The response to access requests varies significantly among businesses.”
For example, I requested my data from McDonald’s Restaurants of Canada Ltd., whose ordering app had the same access as Tim Hortons in logging my phone’s location, and what I got back was much sparser than what the coffee chain provided.
The spreadsheet contained dates, restaurant locations, how much I paid for an order and precious little else. Another sheet contained a log of every time the company emailed me — mostly receipts from my mobile orders, as far as I can tell.
But if people don’t think a company is giving them everything it’s got, or want that data in a readable format, their only recourse is to file a complaint with the Office of the Privacy Commissioner (OPC). That seems like a lot of fuss to get, say, Telus to provide my data in a more useful format than PDF files.
The privacy commissioner received just 110 complaints last year from people trying to access their personal information under PIPEDA, according to the OPC’s most recent annual report.
It’s also particularly difficult to complain if you think a company might not be showing you the full picture. It’s almost impossible to prove that a company is collecting more data than what it’s provided, so it’s hard to justify an appeal, given that it would be based on just a hunch that somebody might be holding back more data.
That said, I will likely be sending a formal appeal to the OPC soon.
On the same day the Financial Post published my original piece on Tim Hortons’ location tracking efforts, I filed a follow-up PIPEDA request to Radar Labs Inc., the New York company that Tim Hortons was using to analyze the raw Global Positioning System (GPS) data from my phone. Based on how the technology worked, I suspected Radar might be holding even more information about me than what Tim Hortons had.
Radar has not acknowledged my request at all, despite repeated emails, but on Friday, July 10 at 6 p.m., just before the 30-day PIPEDA timeline was about to expire, I received a follow-up email from RBI that said it will be sending me some more information in another month.
“Your access request relates to personal information collected through the Tim Hortons app and, accordingly, RBI will provide you with a response,” the email said.
“We are in the process of consulting with Radar to respond to your request and it will be impracticable to provide you with the response by July 12. We will have a written response to your request by no later than August 11th.”
Wading through this whole process, I’m left with two inescapable conclusions…