Top News

Want the personal data corporations have on you? Good luck, it's not nearly as simple as it sounds

Privacy law experts say the only real risk for those companies is harm to their reputations because the law doesn’t have meaningful enforcement teeth

A courier arrived at my apartment door, handed me a heavy cardboard envelope and asked me to sign for it. This was serious business, and Toronto-Dominion Bank was not messing around.

Weeks earlier, I’d sent a formal request to see all my personal information held by my bank. It’s the only bank I’ve ever had, going all the way back to when my mom helped a six-year-old me start a savings account at the Canada Trust branch at the end of our street.

The actual contents of the envelope were a bit disappointing. According to TD, all the personal information it holds on me fits comfortably on six pages, with the last page mostly blank. Along with those six pages was a letter that was a total of four paragraphs long.

In theory, it should be easy for any Canadian to find out how much personal information companies hold on them... But if you do take on this quest for all the personal data corporations have on you, the inescapable conclusion is that Canada’s data privacy law hasn’t kept pace with 21st century technology, and legal compliance is half-hearted at best.

“As outlined in your letter, you have requested copies of your personal information held at TD. Please find enclosed our response to this information request,*” the letter said in part. “If you require further details, please ensure to visit the nearest branch, providing all details necessary to complete the request.”

The asterisk referred to a five-paragraph note under the customer relations manager’s signature, and hinted at all the information TD was declining to provide: “Access request packages will not include any information already available through normal business processes; information on non-Canadian operations; TD Ombudsman files; or audio/video tapes (unless details of date, time and location are provided.) Any material that may reveal confidential commercial information or is proprietary to TD has been omitted or severed where possible.”


I received six pages worth of basic account notes and biographical information, but, ultimately, the bank had decided what information it wanted to provide. If I wanted anything more, I’d need to fight them for it.

This is how it goes when you start sending letters to corporations requesting to see all the personal information they have on you. If you dig through the terms and conditions to find the right email address, and jump through various complicated and arbitrary bureaucratic hoops, companies almost always send you something, but it’s usually less than you expect, and you’re left with a feeling that they’re holding back on the good stuff.

In theory, it should be easy for any Canadian to find out how much personal information companies hold on them.

Under Canada’s data privacy law — the Personal Information and Protection of Electronic Documents Act (PIPEDA) — anyone can send an email to a company asking for a copy of their personal information, and the company is required to send you everything it has within 30 days.

But if you do take on this quest for all the personal data corporations have on you, the inescapable conclusion is that Canada’s data privacy law hasn’t kept pace with 21st century technology, and legal compliance is half-hearted at best.

My barrage of requests met with a wide range of responses, mostly unsatisfactory.

The hunt for my data started in October 2019 when my phone alerted me that the Tim Hortons app I had installed had been logging my location in the background. Curious, I sent a request to Restaurant Brands International Inc. (RBI) the owner of Tim Hortons, to see exactly what it knew about me.

About a month later, I received a trove of data that indicated Tim Hortons had quite detailed knowledge of my whereabouts at all hours of the day.

But part of what allowed me to understand the Tim Hortons data was that RBI gave me the data in a format that offered a huge amount of information in a way I could search and analyze. That’s not always the case when making data requests.

For example, Telus Communications Inc. , my cellphone carrier for more than a decade, sent me a barrage of PDF files, and, as if to impress upon me the volume and the sensitivity of my personal information, insisted on locking each file with a four-digit passcode we set up in advance.

Some of the files might have been very interesting to decipher — for example, the 285-page file that logged my mobile data usage down to the byte for a period of about four months — but since the data was all provided in a locked-down PDF, all I could do was scroll through it and observe that on Dec. 4, 2019, at 5:40 p.m. I uploaded 367,894 bytes of data and downloaded 1,880,002 bytes on my phone.

Telus also gave me a seven-page list of cell tower sites that my phone had connected to during the past year, although not with any corresponding dates or times.

Big tech companies such as Twitter Inc., Facebook Inc. and Google LLC already provide formal mechanisms to allow users to download their data, but s maller, less technology-focused companies can be much less informal.

I sent a request for all my data collected by Pizza Pizza Ltd.’s ordering app by emailing . The reply came directly from Curt Feltner, the company’s chief financial officer.

On location data specifically, Feltner wrote, “I can confirm that the Pizza Pizza ordering app determines a customer’s location but does not track and store the customer’s location data movements after the order is delivered.”

Paige Backman, a partner at Toronto-based law firm Aird and Berlis LLP, and chair of its privacy and data security group, said the companies she deals with want to comply with data privacy and disclosure regulations, but requests for information don’t generally get a lot of attention.

“Access requests are actually a very small part of what organizations see. Now, we’re seeing more of them, but we don’t see a significant amount of them,” she said. “The response to access requests varies significantly among businesses.”

For example, I requested my data from McDonald’s Restaurants of Canada Ltd., whose ordering app had the same access as Tim Hortons in logging my phone’s location, and what I got back was much sparser than what the coffee chain provided.

The spreadsheet contained dates, restaurant locations, how much I paid for an order and precious little else. Another sheet contained a log of every time the company emailed me — mostly receipts from my mobile orders, as far as I can tell.

But if people don’t think a company is giving them everything it’s got, or want that data in a readable format, their only recourse is to file a complaint with the Office of the Privacy Commissioner (OPC). That seems like a lot of fuss to get, say, Telus to provide my data in a more useful format than PDF files.

The privacy commissioner received just 110 complaints last year from people trying to access their personal information under PIPEDA, according to the OPC’s most recent annual report.

It’s also particularly difficult to complain if you think a company might not be showing you the full picture. It’s almost impossible to prove that a company is collecting more data than what it’s provided, so it’s hard to justify an appeal, given that it would be based on just a hunch that somebody might be holding back more data.

That said, I will likely be sending a formal appeal to the OPC soon.

On the same day the Financial Post published my original piece on Tim Hortons’ location tracking efforts, I filed a follow-up PIPEDA request to Radar Labs Inc., the New York company that Tim Hortons was using to analyze the raw Global Positioning System (GPS) data from my phone. Based on how the technology worked, I suspected Radar might be holding even more information about me than what Tim Hortons had.

Radar has not acknowledged my request at all, despite repeated emails, but on Friday, July 10 at 6 p.m., just before the 30-day PIPEDA timeline was about to expire, I received a follow-up email from RBI that said it will be sending me some more information in another month.

“Your access request relates to personal information collected through the Tim Hortons app and, accordingly, RBI will provide you with a response,” the email said.

“We are in the process of consulting with Radar to respond to your request and it will be impracticable to provide you with the response by July 12. We will have a written response to your request by no later than August 11th.”

Wading through this whole process, I’m left with two inescapable conclusions.

The first is that modern digital technology is built in complicated ways that are difficult to understand, and, in many cases, companies use that complexity and confusion to prevent users from fully understanding what they’re doing.

Nothing tells you what data is actually being collected when you agree to install an app on your phone, nor does it indicate which third-party service providers are processing and analyzing that data. You can only ask to see your personal information if you know who’s got it, and, right now, that can be impossible to figure out.

Privacy experts have come to the same conclusion: companies don’t really want users to understand how their technology works.

“The data market has not been built on transparency,” said Neil Sweeney, chief executive of Killi Inc., a Toronto-based company that aims to pay consumers to monetize their data.

“The reality was that in the past, the consumer never had to be included. Consent was never a requirement. Ultimately, all the systems that were built were to amalgamate and collect data unbeknownst to the consumer.”

Ultimately, all the systems that were built were to amalgamate and collect data unbeknownst to the consumer

Neil Sweeney, chief executive of Killi Inc.

The second inescapable conclusion for me was that most of the data I received isn’t useful at all.

One of the fundamental ideas behind PIPEDA is that people should give informed, meaningful consent when their personal information is being collected and used. As part of that, you have to see what personal information a company might be using, thus the right to request access to it.

But in 2020, data is used for complicated analytics, artificial intelligence algorithms and, when combined with other third-party data, to enable powerful software tools.

McDonald’s may send you a list of transactions, but privacy law doesn’t allow you to see the mechanisms behind the scenes that might analyze your behaviour so that the fast-food chain can hit you with customized discounts to keep you coming back more often.

Can you meaningfully understand how a system works if you can only see your little portion of the data, but you can’t see how all of the data is being used?

In Canada, many experts say that companies have an enormous amount of latitude in how they choose to abide by PIPEDA, because there are really no consequences if they break the law.

In response to my information requests, several companies broke the letter of the law by sending indecipherable ID numbers and codes that are mere gibberish to an average person.

Can you meaningfully understand how a system works if you can only see your little portion of the data, but you can't see how all of the data is being used?

“The requested information shall be provided or made available in a form that is generally understandable,” PIPEDA states. “For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.”

But privacy law experts say the only real risk for those companies is harm to their reputations, because the law doesn’t have meaningful enforcement teeth.

“Historically in Canada, the penalty has been loss of reputation,” Backman, the lawyer at Aird and Berlis, said.

PIPEDA gives Canadians the right to have informed consent over how their data is used, and by allowing people to see the personal information that a company has about them, the law should provide transparency into a company’s data collection practices.

But I found that the law is just words on paper when I tried to use my rights under PIPEDA.

“I think the law has failed to keep pace with some of the privacy challenges, many of them driven by advances in technology,” said Michael Geist, a professor at the University of Ottawa, and Canada Research Chair in internet and e-commerce law.

“You can’t establish a system where your primary mechanism for enforcing the law is leaving it to individuals to go out and file requests and complaints. That’s a recipe for what we have now, which is this patchwork for largely ineffective enforcement.”

Financial Post

• Email: | Twitter:

Copyright Postmedia Network Inc., 2020

Did this story inform or enhance your perspective on this subject?
1 being least likely, and 10 being most likely

Recent Stories