Seeking information
It takes work to retrieve data that corporations have on you
TORONTO — A courier at my apartment door handed me a heavy cardboard envelope and asked me to sign for it. This was serious business, and Toronto-Dominion Bank was not messing around.
Weeks earlier, I’d sent a formal request to see all my personal information held by my bank. It’s the only bank I’ve had, going back to when my mom helped a six-year-old me start a savings account at the Canada Trust branch at the end of our street.
The contents of the envelope were disappointing. According to TD, all the personal information it holds on me fits comfortably on six pages, with the last page mostly blank. Along with those six pages was a letter that was a total of four paragraphs long.
“As outlined in your letter, you have requested copies of your personal information held at TD. Please find enclosed our response to this information request,*” the letter said in part. “If you require further details, please ensure to visit the nearest branch, providing all details necessary to complete the request.”
The asterisk referred to a five-paragraph note under the customer relations manager’s signature, and hinted at all the information TD was declining to provide: “Access request packages will not include any information already available through normal business processes; information on non-Canadian operations; TD Ombudsman files; or audio/video tapes (unless details of date, time and location are provided.) Any material that may reveal confidential commercial information or is proprietary to TD has been omitted or severed where possible.”
I received basic account notes and biographical information, but, ultimately, the bank had decided what information it wanted to provide. If I wanted anything more, I’d need to fight them for it.
This is how it goes when you start sending letters to corporations requesting to see all the personal information they have on you. If you dig through the terms and conditions to find the right email address, and jump through various hoops, companies almost always send you something, but it’s usually less than you expect, and you’re left with a feeling that they’re holding back on the good stuff.
In theory, it should be easy for any Canadian to find out how much personal information companies hold on them.
Under Canada’s data privacy law — the Personal Information and Protection of Electronic Documents Act (PIPEDA) — anyone can send an email to a company asking for a copy of their personal information, and the company is required to send you everything it has within 30 days.
But if you do take on this quest for all the personal data corporations have on you, the inescapable conclusion is that Canada’s data privacy law hasn’t kept pace with 21st-century technology, and legal compliance is half-hearted at best.
UNSATISFACTORY RESPONSES
My barrage of requests met with a wide range of responses, mostly unsatisfactory.
The hunt for my data started in October 2019 when my phone alerted me that the Tim Hortons app I had installed had been logging my location in the background. Curious, I sent a request to Restaurant Brands International Inc. (RBI), the owner of Tim Hortons, to see exactly what it knew about me.
About a month later, I received a trove of data that indicated Tim Hortons had quite detailed knowledge of my whereabouts at all hours of the day.
But part of what allowed me to understand the Tim Hortons data was that RBI gave me the data in a format that offered a huge amount of information in a way I could search and analyze. That’s not always the case when making data requests.
For example, Telus Communications Inc., my cellphone carrier for more than a decade, sent me a barrage of PDF files, and, as if to impress upon me the volume and the sensitivity of my personal information, insisted on locking each file with a four-digit passcode we set up in advance.
Some of the files might have been very interesting to decipher — for example, the 285-page file that logged my mobile data usage down to the byte for a period of about four months — but since the data was all provided in a locked-down PDF, all I could do was scroll through it and observe that on Dec. 4, 2019, at 5:40 p.m. I uploaded 367,894 bytes of data and downloaded 1,880,002 bytes on my phone.
Telus also gave me a seven-page list of cell tower sites that my phone had connected to during the past year, but not with corresponding dates or times.
Big tech companies such as Twitter Inc., Facebook Inc. and Google LLC already provide formal mechanisms to allow users to download their data, but smaller, less technology-focused companies can be much less formal.
I sent a request for all my data collected by Pizza Pizza Ltd.’s ordering app by emailing privacy@pizzapizza.ca. The reply came directly from Curt Feltner, the company’s chief financial officer.
On location data specifically, Feltner wrote, “I can confirm that the Pizza Pizza ordering app determines a customer’s location but does not track and store the customer’s location data movements after the order is delivered.”
Paige Backman, a partner at Toronto-based law firm Aird and Berlis LLP, and chair of its privacy and data security group, said the companies she deals with want to comply with data privacy and disclosure regulations, but requests for information don’t generally get a lot of attention.
“Access requests are actually a very small part of what organizations see. Now, we’re seeing more of them, but we don’t see a significant amount of them,” she said. “The response to access requests varies significantly among businesses.”
But if people don’t think a company is giving them everything it’s got, or want that data in a readable format, their only recourse is to file a complaint with the Office of the Privacy Commissioner (OPC). That seems like a lot of fuss to get, say, Telus to provide my data in a more useful format than PDF files.
The privacy commissioner received just 110 complaints last year from people trying to access their personal information under PIPEDA, according to the OPC’s most recent annual report.
It’s also particularly difficult to complain if you think a company might not be showing you the full picture. It’s almost impossible to prove that a company is collecting more data than what it’s provided, so it’s hard to justify an appeal, given that it would be based on just a hunch that somebody might be holding back more data.
That said, I will likely be sending a formal appeal to the OPC soon.
On the same day the Financial Post published my original piece on Tim Hortons’ location tracking efforts, I filed a follow-up PIPEDA request to Radar Labs Inc., the New York company that Tim Hortons was using to analyze the raw Global Positioning System (GPS) data from my phone. Based on how the technology worked, I suspected Radar might be holding even more information about me than what Tim Hortons had.
Radar has not acknowledged my request at all, despite repeated emails, but on Friday, July 10 at 6 p.m., just before the 30-day PIPEDA timeline was about to expire, I received a follow-up email from RBI that said it will send me more information in another month.
“Your access request relates to personal information collected through the Tim Hortons app and, accordingly, RBI will provide you with a response,” the email said.
“We are in the process of consulting with Radar to respond to your request and it will be impracticable to provide you with the response by July 12. We will have a written response to your request by no later than August 11th.”