Data Fiduciaries and Privacy Protection in the Digital Age

August 27, 2021

by Isabelle Guevara, winner of the 2021 Privacy and Access Law Section Student Essay Contest

I. Introduction

In the Digital Age, a society and economy driven by information and technological advancement presents unique opportunities for firms to commodify and monetize massive amounts of data. Data mining and harvesting is a USD $138.9 billion industry, projected to grow to USD $229.4 billion by 2025.1 The global data industry will only continue to grow as the incursion of the coronavirus (COVID-19) pandemic thrusts an increasing portion of individuals’ lives deeper and deeper into the cybersphere.

With data now “the oil of the digital era”,2 entities that own or obtain access to data have the potential to influence society and the economy. While information and data are commodities in themselves, they derive most of their value from their “potential to be refined into an essential commodity.”3 Big Tech behemoths, such as Facebook, Apple, Amazon, Microsoft and Google – as well as other companies that harvest their users’ data – have mastered this craft. Not only do they collate and analyze raw data to create tools that can enhance efficiency, predict outcomes and influence consumer behaviour, but they also have the power to monetize their users’ personal data by sharing them with third parties.

Despite the immeasurable amount of data accrued by only a handful of players, Canadian privacy law does not adequately address digital companies’ use (or misuse) of their users’ personal data. Drawing on the writings of Professor Jack M. Balkin at Yale Law School, who coined the term “information fiduciary”, this paper argues that Canadian privacy law should adopt a fiduciary model for companies that collect users’ personal data (which I refer to simply as “digital companies”).4 For the purposes of this paper, a digital company that owes fiduciary obligations to its users will be referred to as a “data fiduciary”, which is interchangeable with Professor Balkin’s term “information fiduciary”. First, I provide a brief overview of the law of fiduciary obligations. Second, I explain the concept of data fiduciaries as articulated by Professor Balkin. Third, I argue that the relationship between digital companies and their users satisfies the common law requirements to recognize an ad hoc fiduciary relationship. Fourth, I explain the scope and content of a data fiduciary’s duty in relation to its users’ data, and briefly touch on the breach of the duty and potential remedies. Finally, I argue that Parliament should enact a federal statute codifying the data fiduciary concept and the requisite elements to establish an ad hoc data fiduciary. Although the concept of a data fiduciary may attract judicial and legislative reluctance, recognizing the fiduciary nature of the relationship between digital companies and their users is crucial to protecting the privacy of Canadians.

II. The Law of Fiduciary Obligations

Fiduciary obligations – dubbed “the highest duty known to law”5 – arise out of relationships of trust between two parties. The beneficiary reposes his or her trust and confidence in the fiduciary (also referred to as the “trustee”), who must act honestly and in utmost good faith in the best interests of the beneficiary.6 Fiduciary obligations traditionally arose from the “vesting of property in a trustee for the sole benefit of a beneficiary.”7 As a result of technological advancements in society, Canadian courts have broadened the scope of “property” to include information.8 Thus, fiduciaries must espouse “norms of exemplary behaviour” with respect to the property in question.9 The heightened degree of loyalty imposes a stringent standard on the fiduciary unlike most other areas of law10 – even a slight deviation from the standard constitutes a breach of the duty.

Traditional categories of fiduciaries arise from de facto fiduciary relationships. These relationships give rise to fiduciary obligations by virtue of their “inherent purpose or their presumed factual or legal incidents”.11 The law recognizes two classes of de facto fiduciary relationships: true-trust functionaries, such as trustees, agents, executors and family; and quasi-trustees, such as real estate agents, insurance agents, advisors and professionals.12 Although these relationships are presumed to be fiduciary in nature, whether a particular obligation is fiduciary in nature depends on the specific circumstances of the situation.13 A lawyer’s relationship with a client, for instance, automatically gives rise to a fiduciary relationship by virtue of the client reposing his or her trust in the lawyer. However, certain obligations may not be fiduciary in nature if the services performed for the client have no fiduciary element (for example, if the lawyer was merely a conduit to provide a piece of paper to the client).14

Canadian courts have also recognized non-traditional fiduciaries, which arise from ad hoc fiduciary relationships. The existence of an ad hoc fiduciary relationship turns on the specific factual circumstances of a particular relationship.15 These obligations are imposed on certain actors based on the nature of the specific relationship, and not whether they fall into one of the recognized fiduciary categories.16 For example, parties to a joint venture are not in a de facto fiduciary relationship because courts have held that “fiduciary duties will be implied only in exceptional circumstances in a commercial relationship”.17 However, the Supreme Court of Canada held that parties to a joint venture can be in a fiduciary relationship where the contract disclosed that one party signed an undertaking to act as an agent for the other party.18 Thus, courts have recognized fiduciary relationships in certain circumstances where the facts demonstrate that one party took on fiduciary responsibilities in relation to another party.

Although the recognition of new categories of fiduciary relationships tends to attract judicial reluctance,19 courts are driven by public policy considerations when determining whether a fiduciary relationship exists. Courts will generally impose a fiduciary obligation to “protect relationships of importance to the public”20 and “preserve the integrity of socially valuable or necessary relationships that arise as a result of human interdependency.”21 As technological developments continue to shape society in the Digital Age, the law should impose fiduciary duties on novel social and economic relationships where one party has the power to influence and affect the interests of the other.

III. Data Fiduciaries: A New Category of Fiduciary

This section advocates for the recognition of a new type of fiduciary: a data fiduciary. First, I introduce the concept of a data fiduciary by drawing on the writings of Professor Jack M. Balkin, a Knight Professor of Constitutional Law and the First Amendment at Yale Law School. Second, I argue that data fiduciaries can – and should – be incorporated into Canadian privacy law.

A. Professor Balkin’s “Information Fiduciary” Concept

In the Digital Age, individuals have become increasingly susceptible to the collection and use of their personal data by large digital companies. Professor Balkin argues that these companies should be recognized as “information fiduciaries”, which he defines as “a person or business who, because of their relationship with another, has taken on special duties with respect to the information they obtain in the course of the relationship.”22 By collecting and using their users’ personal information, digital companies take on fiduciary responsibilities with respect to the data (the “property” in question) much like doctors, lawyers, accountants and other professionals.23 Like these professionals, digital companies entice people to use their platforms by presenting themselves as trustworthy.24 Further, both professionals and digital companies typically require their patients, clients or users to disclose personal information.25 While the disclosure of information is intended to better provide services to patients, clients and users, the information asymmetry and power imbalance in these relationships can be exercised to their detriment.26

Digital companies have an even greater capacity to collect information than professionals and other traditional fiduciaries because data collection, use and sharing are fundamental aspects of their relationship with their users.27 These companies sit on a “gold mine” of personal information collected from their users that can be used to their detriment28 by manipulating their emotions and decisions, discriminating against them, and monetizing their data.29 For example, Uber Technologies Inc. (“Uber”), a company that offers a ride share platform comprising 94.9 million users as of December 2018,30 can analyze users’ data and extrapolate whether an individual is involved in an extramarital affair or attending secret or illegal meetings.31 Amazon.com, Inc. (“Amazon”), a multinational e-commerce company, can analyze users’ online shopping preferences and voice recordings from its own brand of virtual assistants32 to reveal private information, such as sexual preferences from purchasing sex toys and health issues from buying certain types of medication. Facebook, Inc. (“Facebook”), an American social media conglomerate with over 2.7 billion users,33 can collect data to influence users’ emotions and behaviour. Scholars have gone so far as to argue that Facebook has the power to decide an election through “digital gerrymandering”.34 This strategy involves Facebook analyzing users’ data to learn about their political views or party affiliation. Assuming Mark Zuckerberg supported one political party, he could use the data to manipulate the feed of users who have the same party affiliation and encourage them to vote, while the rest of the users would not receive a voting prompt on their feed.35 As a result, Facebook has the intellectual and technological capacity to engage in “information warfare” during elections.36

Due to their special power over their users’ personal information, digital companies have an obligation to prevent the misuse of personal data, placing them “in a different position from other businesses and people who obtain and use digital information.”37 Although digital companies may not fit squarely into the recognized categories of fiduciaries, Professor Balkin argues that “the greater the imbalance of power, the greater the asymmetries of information, the greater the degree of control over the [individual’s] environment, and the greater the [individual’s] vulnerability, the greater the need for fiduciary obligations becomes.”38 Accordingly, the law should impose a heightened responsibility on digital companies regarding their users’ personal data.

Recognizing digital companies as information fiduciaries would heighten protections for the privacy of Canadians by “[limiting] the rights the company would otherwise enjoy to collect, collate, use and sell personal information about the end user.”39 Although critics may argue that limiting their rights would stifle innovation, the fiduciary model merely sets boundaries on a company’s otherwise limitless power over users’ data. Adopting a fiduciary model in privacy law fosters innovation by protecting the users whose personal information is necessary to grow and innovate.40 Furthermore, regulating the privacy dimensions of digital companies’ conduct is not that different from regulating other aspects of their business. Competition law, for example, governs anti-competitive conduct that harms consumers and other businesses. Some anti-competitive practices may be “innovative” in the sense that they generate efficiencies and profit-maximizing returns. However, the law regulates certain behaviour that adversely affects consumers and other competitors. Similarly, the proposed fiduciary model of privacy is intended to regulate business practices that may potentially violate users’ privacy. The proposed fiduciary model is not intended to cease all data collection and stifle innovation; rather, it is intended to limit the collection and use of such data in a manner that better protects the privacy of individuals.

Critics of the information fiduciary model argue that recognizing a fiduciary relationship between digital companies and their users is unnecessary because this problem can be fixed by capitalism and the markets.41 The underlying assumption behind this argument is that tech giants such as Facebook and Google will cease to exist in the next decade because “[s]ocial trends change over time”.42 However, one of the hallmarks of modern digital companies is their ability to adapt to societal trends or acquire companies that do. Even if Facebook or Google ceases to exist in the next decade or so, the propensity for the next Big Tech behemoth to collect and monetize users’ data will continue to exist. Thus, the law should take both a reactive and preventative stance on data privacy issues that have public policy dimensions, particularly the collection and misuse of personal data.

B. Data Fiduciaries in Canadian Privacy Law

Despite the harrowing effects of data leakage or misuse, Canadian privacy law does not currently impose a fiduciary obligation on digital companies who misuse their users’ data. This section of the paper argues that the data fiduciary concept fits squarely into this area of Canadian law. First, I demonstrate that digital companies can be recognized as data fiduciaries because they satisfy the common law requirements for ad hoc fiduciary relationships. Second, I discuss the scope of the fiduciary obligation. Third, I illustrate the content of data fiduciaries’ obligations to their users, including the duty of confidentiality, duty of care, duty of loyalty and duty of disclosure. Finally, I briefly explain the breach of the duty and potential equitable remedies.

1. Ad Hoc Data Fiduciaries

Digital companies should be recognized as ad hoc fiduciaries, not de facto fiduciaries, because of the different factual circumstances surrounding each relationship. I am not arguing that the law should recognize all digital companies as data fiduciaries, thereby creating a new category of de facto fiduciaries; rather, I am arguing that the data fiduciary concept should be recognized in Canadian law, but whether a digital company is a data fiduciary depends on the specific factual matrix of the relationship. The primary rationale for this distinction is that not all digital companies have the same capacity to collect users’ data or engage in the same practices with respect to the data. Thus, the existence of a data fiduciary will turn on the specific facts and circumstances of the relationship.

The Supreme Court of Canada has identified four requirements for a court to recognize an ad hoc fiduciary relationship: (1) the alleged fiduciary has scope for the exercise of some discretion or power; (2) a person or class of persons vulnerable to the alleged fiduciary’s control; (3) the alleged fiduciary can exercise their power or discretion to affect the beneficiary’s legal or practical interests; and (4) a mutual understanding or the alleged fiduciary’s undertaking to act in the best interests of the alleged beneficiary.43 Drawing on uncovered practices by digital companies, I argue that these elements are present in the relationship between these companies and their users. While the establishment of an ad hoc fiduciary relationship is factually dependent, the presence of these elements in existing relationships opens the door for the recognition of the data fiduciary concept in Canadian privacy law.

Exercise of Discretion or Power over Users

Digital companies have the ability to exercise a tremendous amount of discretion or power over their users. These companies can manipulate users’ behaviour, induce the disclosure of information and maximize the amount of data harvested because they design and build the technological infrastructure in which their users operate.44 They can even amass their users’ data when their users are operating off their platform. For example, Facebook has countless partnerships with third-party services where users can log in to the third-party website with their Facebook account.45 The system is designed for user convenience: instead of creating a new account on another website, users can link their Facebook account and automatically generate an account for that website. However, the data collected from other websites is linked back to the user’s Facebook account, allowing Facebook to maximize data collection from platforms it does not control.

Many digital companies also have broad discretion to share users’ personal information with third parties when monetizing their data. For example, Google monetizes users’ data by engaging in real-time bidding (“RTB”). RTB is a highly complex process whereby website and application publishers auction off ad space to advertisers by offering up a user’s personal information, including location, device identification, cookies and browsing history.46 Advertisers then bid on the ad space based on the personal data they received, and Google profits from the process. However, RTB compromises users’ personal data and subjects them to surveillance by third parties, including advertisers, data brokers, hedge funds, and government bodies such as the U.S. Immigration and Customs Enforcement.47

The ability of digital companies to exercise their discretion or power over their users is only magnified by network effects. A positive network effect refers to a phenomenon where the value of a product or service improves as the number of its users increases.48 Amazon, for example, requires large amounts of consumer purchasing data to predict consumer choice and behaviour. As Amazon attracts more and more users to its platform, it can collect more consumer data, develop algorithms based on the data and use those algorithms for targeted advertising or for predicting consumer behaviour to manage its inventory. In turn, even more users are drawn to its platform because of the convenience and choice it offers to its consumers. This vicious cycle permits companies like Amazon to collect massive amounts of data, which strengthens their power – and their ability to exercise that power – over their users.

Vulnerability

The first part of the vulnerability element requires the identification of a person or group of persons vulnerable to the alleged fiduciary’s control, which depends on the specific factual circumstances. Once the person or group of persons is identified, they must be vulnerable to the alleged fiduciary. The existence of vulnerability is neither a necessary condition49 nor a sufficient condition50 of a fiduciary relationship. However, it is an important consideration in determining whether the factual circumstances lend themselves to an ad hoc fiduciary relationship.51 While external factors may give rise to vulnerability prior to the parties entering into the relationship, the more important consideration is “the extent to which vulnerability arises from the relationship”.52

Vulnerability emerges from a combination of the beneficiary’s inability to “prevent the injurious exercise of the power or discretion” and the “grave inadequacy or absence of other legal or practical remedies to redress the wrongful exercise of the discretion or power.”53 In the context of data fiduciaries, users are unable to prevent digital companies’ exercise of power because these companies have the technological capacity to collect ample amounts of personal data and share them with others in a matter of seconds. Information asymmetry and power imbalance permit companies to exercise their power without the user’s knowledge, and major data breaches and privacy invasions are usually discovered by journalists years after the event has taken place.54 Thus, users are generally unable to prevent a digital company’s exercise of power or discretion.

Further, users do not have a remedy either in existing privacy laws or in other areas of law such as tort and contract law. Existing privacy laws do not provide the user with an individual cause of action. Under the Personal Information Protection and Electronic Documents Act55 (“PIPEDA”), which governs the collection, use and disclosure of personal information in the private sector commercial business context, individuals do not have the right to sue the alleged perpetrator for a breach of PIPEDA. Instead, individuals can file a complaint with the Privacy Commissioner, who will only initiate an investigation if there are reasonable grounds for one.56 Even where the Privacy Commissioner commences a proceeding in the Federal Court against the violating party, the orders sought are usually inadequate to redress the wrongful act. For example, on February 6, 2020, two years after the Privacy Commissioner received complaints about Facebook permitting third-party access to its users’ data, it commenced a proceeding against Facebook for violating Clauses 4.3, 4.3.2, and 4.7 of Schedule 1 and Section 6.1 of PIPEDA.57 While the Privacy Commissioner has sought an order for Facebook to correct its practices and prevent the further use or disclosure of users’ personal data,58 the victims do not have individual recourse to bring an application against Facebook under PIPEDA or to seek an appropriate remedy to redress the privacy breaches.

In addition, users cannot seek a remedy under tort and contract law if the digital company contracts out of its obligations. In those situations, a remedy will not be available to users whose privacy was violated. Alternatively, while there is some authority that a party can contract out of their fiduciary obligations in certain situations such as a joint venture,59 a better analysis is that courts will examine the parties’ conduct and evidentiary features to determine whether the relationship of the parties invokes a trust scenario.60 Thus, even in situations where the alleged data fiduciary attempts to contract out of its fiduciary obligations, courts will be more driven by a determination of whether the conduct of the parties gave rise to a fiduciary relationship.

Under tort law specifically, the misuse of personal data does not always satisfy the elements of three privacy-based torts: breach of confidence, intrusion upon seclusion and public disclosure of embarrassing private facts. These privacy-based torts are further discussed below.

Breach of confidence requires that (1) the information was confidential; (2) it was imparted in confidential circumstances; and (3) the plaintiff suffered a detriment due to the unauthorized use.61 In the context of a social media company, it would be difficult to establish all three elements of breach of confidence. The first two elements would not be made out because not all of a user’s personal data are confidential or were imparted under confidential circumstances. In the context of social media companies, users publish information about their personal lives or opinions about specific issues with a public audience in mind (or at least 1,000 of their Facebook friends). Nevertheless, social media companies can use this information to the detriment of the user. The third element would also not be made out because companies can bury a fine print clause in their privacy policy or terms and conditions that effectively obtains express authorization from the user for the use of their information, thereby precluding a finding by a court of unauthorized use. However, many users do not read the privacy policies or terms and conditions; even if they do, they may not fully comprehend the impact of the authorization on their privacy, vitiating adequate consent. Additionally, it may be difficult to prove the third element, which requires causation between the unauthorized use and the detriment suffered. Due to the surreptitious nature of many companies’ practices, users may not be able to attribute the detriment to the unauthorized use. For example, when Facebook manipulated its users’ news feed to influence their emotions as part of a psychological study,62 it was likely extremely difficult for users to attribute their emotions to the subtle differences in their news feed.

Public disclosure of embarrassing private facts is not an appropriate cause of action in most allegations of a digital company misusing their users’ data. Two elements of this tort that render it an unviable cause of action are that (1) private facts were disclosed to the public; and (2) the matter that was made public is offensive and objectionable to a reasonable man of ordinary sensibilities.63 Information published on a social media site will likely not be considered a private fact because it has been publicized to hundreds or even thousands of that user’s connections. In the context of other digital companies, they typically do not make private facts public, but rather sell information to third parties who have the potential to misuse the data. Additionally, many data breaches involve facts that would not be considered “offensive and objectionable to a reasonable man of ordinary sensibilities”, yet still have an adverse impact on the user. If Facebook engaged in digital gerrymandering to influence the outcome of an election and publicized information about its users’ political affiliation, the publicized information would likely not be offensive and objectionable. Nevertheless, analyzing users’ personal data for political strategies has a much larger adverse impact on society and democracy as a whole by deciding the outcome of an election.

Intrusion upon seclusion is similarly not a viable cause of action. One of the elements of the tort is that the defendant invaded the plaintiff’s private affairs.64 However, most of a user’s personal data are obtained consensually through privacy policies or terms and conditions, making it hard to argue that the company “invaded” the user’s private affairs. Furthermore, intrusion upon seclusion only provides a cause of action for intrusion upon a person’s privacy; it does not provide a cause of action for misuse of personal data.

Although the torts mentioned in this section may provide a cause of action in certain circumstances,65 the majority of potential privacy breaches leave individuals without redress for the wrong.

Affecting Users’ Legal and Practical Interests

Digital companies can leverage their power or discretion to affect their users’ legal or practical interests. These companies have the technological capacity to extrapolate their users’ information, such as political affiliation, personal habits, credit histories and previous work experiences.66 They can leverage their users’ cognitive thinking and emotions to influence users’ behaviour, which can adversely affect their practical interests.67 For example, Uber has the ability to collect data from its users – both drivers and riders – about pickup and drop-off points, ride times, length of the ride and much more. In an effort to induce drivers to work longer hours, which would then encourage more riders to use its app, Uber conducted experiments on its drivers using video game techniques and non-cash rewards.68 The psychological experiments induced drivers to work longer hours in locations that were less profitable for them.69 Although Uber argued that its drivers were still fully in control of their decisions to end their shift or continue working,70 the company’s understanding of its users’ behaviour combined with manipulative techniques affected its drivers’ practical interests.

Many digital companies can also exercise their discretion to share users’ data with third parties, which may have adverse impacts on users’ interests and society as a whole. In the early 2010s, for instance, Facebook’s privacy policy permitted third parties to access its users’ data. In 2015, a British political consulting firm, Cambridge Analytica, purchased Facebook users’ data in an attempt to influence American users to elect Donald Trump as president.71 Cambridge Analytica was a subsidiary of the SCL Group, a private research company that used psychological operations (“psyops”) in military and political operations all over the world.72 Two years before the 2016 U.S. election, Cambridge Analytica circulated a personality survey on Facebook and collected 5,000 data points73 from over 30 million participants74 to predict voters’ personalities and political affiliation.75 The firm primarily targeted “persuadables” – individuals who could vote either way during the election.76 Cambridge Analytica subsequently launched massive campaigns disparaging Hillary Clinton and targeted persuadable individuals to manipulate the outcome of the election. The Cambridge Analytica–Facebook scandal demonstrated the harrowing effect of data leakage and its ability to impact the legal and practical interests of the American people.

Mutual Understanding or Undertaking by the Fiduciary to Act in the Best Interests

An important element in recognizing the existence of an ad hoc fiduciary relationship is a mutual understanding or an undertaking by the fiduciary to act in the best interests of the beneficiary. A mutual understanding can be gleaned from evidence that “one party has relinquished its own self-interest and agreed to act solely on behalf of the other party.”77 In Norberg v Wynrib,78 Justice McLachlin (as she then was) asserted that “fiduciary relationships […] are more typically the product of the voluntary agreement of the parties that the beneficiary will cede to the fiduciary some power, and are always dependent on the fiduciary’s undertaking to act in the beneficiary’s interests.”79 In addition, Justice Cromwell in Perez v Galambos80 held that “a critical aspect of a fiduciary relationship is an undertaking of loyalty: the fiduciary undertakes to act in the interests of the other party.”81 He clarified that while vulnerability may be a relevant consideration, a power-dependency relationship is not a separate category of ad hoc fiduciary relationship.82 Instead, there must be a mutual understanding or an undertaking by the fiduciary to serve the best interests of the beneficiary.

While a mutual understanding can take many forms and depends on the specific facts, the alleged fiduciary’s undertaking can only be satisfied by virtue of the following: (1) the exercise of statutory powers; (2) express or implied terms of an agreement; or (3) an undertaking to act in this way.83 The exercise of statutory powers will be discussed further below in Section IV, where I explain the implementation of the data fiduciary concept into Canadian law through a federal statute. The rest of this section discusses the nature of a data fiduciary’s undertaking.

Since the nature of the undertaking will depend on the norms of the particular relationship,84 an express term of an agreement or an undertaking to act in a certain way would require digital companies to enter into separate agreements with each of their users by inserting an undertaking clause in their terms and conditions when a user signs up to use their platform. However, digital companies are unlikely to include an undertaking clause because the obligations would be onerous, barring them from using personal data to maximize their profit.

Courts are more likely to infer an undertaking from an implied term of an agreement. A relevant fact-based consideration is whether the alleged data fiduciary induced its users to rely on its loyalty.85 Digital companies typically use their privacy policies and terms and conditions to induce their users into relying on their loyalty by promising not to misuse their personal data. For example, Amazon’s Privacy Notice promises to use personal data for the purpose of improving its products and services for the benefit of its users.86 Further, it states that it does not sell users’ data to third parties, aside from those listed in its Privacy Notice.87 Amazon also makes the representation that its systems are designed to protect users’ privacy and security.88 A user who reads this policy will likely be persuaded that Amazon will not misuse their personal data. Thus, implied terms of a privacy policy or terms and conditions agreement can satisfy the final element to establish an ad hoc fiduciary relationship.

2. Scope of the Duty

As previously mentioned, fiduciary obligations concerning data would apply to digital companies that collect personal information from users on their online platforms. The data fiduciary’s obligations would pertain to the information collected on those platforms. The duty would extend to third parties who obtain users’ information from data fiduciaries, because many digital companies that collect data on their own websites also provide the data to others.89 Third parties include persons to whom the user consents to sharing their data, as well as persons who did not obtain the user’s consent. Professor Balkin argues that the fiduciary duty must “run with the data”, which means that the law should impose similar obligations on third parties who have obtained users’ personal data.90 The rationale for extending the duty to third parties is that users do not need a “separate contractual agreement” with each organization that obtains the data, which maintains certainty and consistency.91 Over time, as the data are collated and reused, it will be onerous for data brokers to distinguish which data come with fiduciary obligations and which do not.92 Thus, “running with the data” will encourage data brokers to “revolutionize their practices” and create a system that prioritizes users’ privacy,93 while incentivizing information fiduciaries to ensure that their partners and other third parties handle users’ personal information in a sensitive manner.

One problem with “running with the data” is that ad hoc fiduciary relationships require a mutual understanding or an undertaking, which implies that the beneficiary is aware that the third party is collecting their personal information. However, many users are “unaware of the existence of data brokers as well as the purposes for which they collect and use [their] data.”94 Consequently, third parties who collect personal data without the user’s knowledge may not be considered fiduciaries in this sense. Although this shortcoming may limit the effectiveness of the information fiduciary model, the practical implication is that digital companies will be incentivized to revisit their privacy policies, improve their cybersecurity, closely monitor third-party activity on their platforms and notify users when a third party is collecting their data.

3. Content of the Duty

Professor Balkin acknowledges that the nature of the fiduciary relationship between an information fiduciary and its users may not attract the same degree of care, loyalty and protection required by traditional fiduciary relationships.95 The content of a fiduciary duty depends on certain factors, including the “trust, confidence, complexity of subject matter, and community or industry standards.”96 This section discusses the main components of a data fiduciary’s obligations regarding personal information it collects from its users. The non-exhaustive duties discussed in this section are a combination of duties owed by traditional fiduciaries, which are tailored to the special relationship between data fiduciaries and their users.

Duty of Confidentiality and Duty of Care

The duty of confidentiality and the duty of care require data fiduciaries to keep their beneficiaries’ information confidential and secure. Inherent in these duties is the requirement that data fiduciaries create safeguards to ensure the security of their users’ data. Currently, many users’ personal data are stored on insecure servers, which creates the potential for massive privacy violations or leakage. For example, in 2019, the cybersecurity firm UpGuard discovered unprotected Facebook data on Amazon’s servers, which exposed “hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.”97 The duty of confidentiality and the duty of care would require digital companies such as Facebook to ensure that their users’ personal data are kept confidential and secure.

The duty of care would also require the data fiduciary to ensure that personal information is only used for the purpose for which it was collected. Many users originally consent to disclosing their personal data because they trust digital companies will use it for a certain purpose. However, many companies use it for other purposes in an attempt to monetize data as a commodity. The duty of care would limit the use of personal data to specified purposes and would require data fiduciaries to obtain consent if the data are to be used for another purpose.

Duty of Loyalty

The duty of loyalty requires the data fiduciary to use its users’ personal data in the best interests of the user. Traditional fiduciaries are barred from “[entering] into engagements or [assuming] functions in which he has or can have a personal interest conflicting or which possibly may conflict with the interests of those he is bound to protect”.98 In the case of data fiduciaries, the duty of loyalty would prohibit them from manipulating users’ emotions or behaviours for their own gain. While data fiduciaries may still use personal data for certain purposes, such as advertising and marketing, they must not do so in a way that conflicts with the interests of their users. For example, Facebook can still use personal data for targeted ads, but may not conduct psychological experiments on its users with that same data.

Duty of Disclosure

Data fiduciaries have a duty of disclosure in two main situations. First, they have a duty to promptly notify affected users in the event of a security or privacy breach.99 This allows the user or users to immediately take any necessary steps, such as changing passwords or deleting information, to prevent any further breaches. Second, data fiduciaries have a duty to disclose to their users any potential conflicts of interest. For example, if a data fiduciary is entering into a contract with a third party that involves users’ personal information, the fiduciary must disclose this conflict of interest and obtain consent when necessary.

Conflicting Duties

Directors of data fiduciaries owe a fiduciary duty to act in the best interests of the company, which may conflict with their duties to their users. In particular, acting in the best interests of the company typically involves maximizing profits for its shareholders. Since digital companies such as Facebook and Google are, first and foremost, advertising companies, a significant portion of their revenue is generated by selling targeted advertising space to third parties.100 As such, they have a strong economic incentive to attract users to their platforms and to maximize data collection and analysis in order to improve their algorithms.101 Directors’ fiduciary duties to the company may therefore cause friction with their duties to users regarding personal data. However, directors can perform both duties concurrently without contention by maximizing profits for the company within the confines of respect for their users’ privacy. Professor Balkin notes that directors have other duties to consumers, the environment and competitors that may conflict with their fiduciary duty to the company.102 Nevertheless, management is bound by other areas of law to carry out these duties concurrently. Similarly, directors of digital companies can still maximize profits without engaging in business practices that harm users’ privacy interests.

C. Breach of Fiduciary Duty and Remedy

The law would hold data fiduciaries to a strict standard of conduct, and any departure from that standard, however slight, constitutes a breach of the duty. Manipulating users’ behaviour, emotions and political views, or selling data to third parties without users’ consent, will obviously violate the fiduciary obligation; however, other conduct may not be as clear. The plaintiff must demonstrate that the data fiduciary acted inconsistently with its duty to act in utmost good faith. In the event of a privacy violation, the data fiduciary can rebut the de facto breach by showing that it acted consistently with its duties. For example, if a user’s personal data were stolen by a third-party hacker, the data fiduciary will not be held liable if it can demonstrate that adequate technological safeguards were in place prior to the breach.

The remedies for a breach of fiduciary obligation are non-exhaustive.103 The appropriate remedy will depend on the factual circumstances of the case, and courts have discretion to grant the plaintiff an appropriate equitable remedy. Courts may order an injunction to prohibit a privacy-violating practice, a mandatory order to compel the information fiduciary to perform a rightful act, or redress of the loss or improper gain through rescission, restitution or damages.

IV. Implementation into Canadian Law

As discussed in the previous section, digital companies in certain situations will satisfy the requirements to be considered an ad hoc data fiduciary. It is incumbent on Parliament to enact legislation codifying the concept of a data fiduciary, as well as the specific requirements to establish an ad hoc data fiduciary. The statute would not operate to automatically impose fiduciary obligations on all digital companies. Rather, a federal statute would expressly provide that digital companies can be data fiduciaries under certain circumstances and codify the elements for establishing a data fiduciary relationship.

Implementation through a federal statute has two main benefits. First, it promotes consistency and certainty regarding the requirements to establish a data fiduciary relationship and the content of the duty. Digital companies will be aware of the circumscribed limits of their conduct and will modify their business practices to comply with the statute. Second, the enactment of legislation can include a statutory undertaking, satisfying the “undertaking” requirement for establishing an ad hoc fiduciary relationship. As an “exercise of statutory powers” is one acceptable form of an undertaking,104 the proposed statute could identify instances where the alleged fiduciary will be deemed to undertake to act in the best interests of the user.

The Canadian statute could be modelled after the proposed New York Privacy Act (“NYPA”),105 which was introduced in May 2019 by New York Senator Kevin Thomas and is currently being heard in the New York Senate Committee. The NYPA proposes to impose a fiduciary duty on controllers, data brokers, and every entity (or affiliate of any entity) that “collects, sells or licenses personal information of consumers,” which it calls “data fiduciaries”.106 These fiduciaries must “exercise the duty of care, loyalty, and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”.107 Further, the NYPA proposes that the fiduciary’s duty with respect to the data supersedes its duties to shareholders and other parties108 and creates a private right of action for individuals whose privacy is violated. Although not all aspects of the NYPA may be desirable in the Canadian privacy law context, the main features to be adopted from the NYPA are the codification of the data fiduciary concept, the requirements to establish a data fiduciary relationship and the content of the duty.

V. Conclusion

Although digital companies have not traditionally been recognized as fiduciaries, the Digital Age creates novel social and economic relationships that warrant protection for users whose interests may be affected. The proposed data fiduciary model of privacy law addresses many of the concerns surrounding the collection and misuse of individuals’ personal data. In this paper, I have argued that the data fiduciary concept should be incorporated into Canadian law because digital companies have the capacity to collect and misuse personal data to the detriment of their users. Rather than creating a new category of fiduciary, data fiduciaries should be recognized on an ad hoc basis depending on the relevant factual circumstances of the relationship. Furthermore, data fiduciaries owe a duty of confidentiality, a duty of care, a duty of loyalty and a duty of disclosure to their users when dealing with personal, sensitive information. Parliament should pass legislation implementing this concept into Canadian privacy law, which could be modelled after the proposed New York Privacy Act. Recognizing data fiduciaries in Canadian privacy law strikes a balance between companies’ digital kleptocracy to maximize profits and the protection of individual privacy rights.

BIBLIOGRAPHY

LEGISLATION

Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

BILLS: UNITED STATES

US, S5642, “An Act to Amend the General Business Law, In Relation to the Management and Oversight of Personal Data”, 2019-2020, Reg Sess, NY.

JURISPRUDENCE

Davis v Kerr, 17 SCR 235, 1890 CarswellQue 25.

Elder Advocates of Alberta Society v Alberta, 2011 SCC 24.

Frame v Smith, [1987] 2 SCR 99, 42 DLR (4th) 81.

Guerin v R, [1984] 2 SCR 335, 13 DLR (4th) 321.

Harris v Lindeborg, [1931] SCR 235, [1931] 1 DLR 945.

Hodgkinson v Simms, [1994] 3 SCR 377, 117 DLR (4th) 161.

International Corona Resources Ltd v LAC Minerals Ltd, 1987 CarswellOnt 655, 44 DLR (4th) 592.

Jane Doe 464533 v D (N), 2016 ONSC 541.

Jones v Tsige, 2012 ONCA 32.

Lac Minerals Ltd v International Corona Resources Ltd, [1989] 2 SCR 574, 61 DLR (4th) 14.

McInerney v MacDonald, [1992] 2 SCR 138, 93 DLR (4th) 415.

Midcon Oil & Gas Co v New British Dominion Oil Co, [1958] SCR 314, 12 DLR (2d) 705.

Norberg v Wynrib, [1992] 2 SCR 22, 92 DLR (4th) 449.

Perez v Galambos, 2009 SCC 48.

R v Neil, 2002 SCC 70.

Seaspan International Ltd v British Columbia Railway, 2005 BCSC 256.

SECONDARY MATERIAL: BOOKS

Ellis, Mark, “Fiduciary Duties in Canada” (Toronto: Carswell) (loose-leaf).

Gillen, Mark & Woodman, Faye, eds, “The Law of Trusts: A Contextual Approach” (Toronto: Edmond Publishing, 2000).

SECONDARY MATERIAL: JOURNAL ARTICLES

Balkin, Jack M., “Information Fiduciaries and the First Amendment” (2016) 49:4 UC Davis L Rev 1183.

Balkin, Jack M., “The Fiduciary Model of Privacy” (2020) 134:1 Harv L Rev 11.

Dobkin, Ariel, “Information Fiduciaries in Practice: Data Privacy and User Expectations” (2018) 33:1 BTLJ 1.

Katz, Michael L. & Shapiro, Carl, “Systems Competition and Network Effects” (1994) 8:2 Journal of Economic Perspectives 93.

Khan, Lina M. & Pozen, David E., “A Skeptical View of Information Fiduciaries” (2019) 133:2 Harv L Rev 497.

SECONDARY MATERIAL: LECTURES

Ellis, Mark, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 10 September 2020).

Ellis, Mark, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 17 September 2020).

Ellis, Mark, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 22 October 2020).

OTHER MATERIALS

Amazon, “Privacy Notice” (last visited 20 December 2020), online: Amazon.ca.

Balkin, Jack M., “Information Fiduciaries in the Digital Age” (2 March 2014), online: Balkinization.

Balkin, Jack M. & Zittrain, Jonathan, “A Grand Bargain to Make Tech Companies Trustworthy” (3 October 2016), online: The Atlantic.

Clement, J., “Facebook: number of monthly active users worldwide 2008-2020” (24 November 2020), online: Statista.

Concordia, “Cambridge Analytica – The Power of Big Data and Psychographics” (27 September 2016) at 00h:03m:05s, online: YouTube.

Cyphers, Bennett, “Google Says It Doesn’t ‘Sell’ Your Data. Here’s How the Company Shares, Monetizes, and Exploits It.” (19 March 2020), online: Electronic Frontier Foundation.

Fauerbach, Therese, “More Valuable than Oil, Data Reigns in Today’s Data Economy” (last visited 20 December 2020), online: The Northridge Group.

Federal Trade Commission, Press Release, P125404, “FTC to Study Data Broker Industry’s Collection and Use of Consumer Data” (18 December 2012), online: Federal Trade Commission.

Goel, Vindu, “Facebook Tinkers With Users’ Emotions in News Feed Experiment, Stirring Outcry” (29 June 2014), online: The New York Times.

Lapowsky, Issie, “How Cambridge Analytica Sparked the Great Privacy Awakening” (17 March 2019), online: Wired.

Lapowsky, Issie, “In Latest Facebook Data Exposure, History Repeats Itself” (3 April 2019), online: Wired.

MarketsandMarkets, “Big Data Market” (March 2020), online: MarketsandMarkets.

Nemeth, Mitchell, “Information Fiduciary Theory and the Market” (20 July 2019), online: Towards Data Science.

Nield, David, “All the Ways Facebook Tracks You—and How to Limit It” (12 January 2020), online: Wired.

Notice of Application with the Federal Court against Facebook, Inc., (6 February 2020), T-190-20, online: Office of the Privacy Commissioner of Canada.

Scheiber, Noam, “How Uber Uses Psychological Tricks to Push Its Drivers’ Buttons” (2 April 2017), online: The New York Times.

Schwartz, Adam & Cohn, Cindy, “‘Information Fiduciaries’ Must Protect Your Data Privacy” (25 October 2018), online: Electronic Frontier Foundation.

Schwartz, Mattathias, “Facebook Failed to Protect 30 Million Users From Having Their Data Harvested by Trump Campaign Affiliate” (30 March 2017), online: The Intercept.

The Economist, “The world’s most valuable resource is no longer oil, but data” (6 May 2017), online: The Economist.

The Great Hack, 2019, Documentary (Los Gatos, California: Netflix, 2019).

Uber, “Company info” (last visited 20 December 2020), online: Uber Newsroom.

Wills, Jennifer, “6 Ways Amazon Uses Big Data To Stalk You” (5 October 2020), online: Investopedia.

Wu, Tim, “An American Alternative to Europe’s Privacy Law” (20 May 2018), online: The New York Times.

Zittrain, Jonathan, “Facebook Could Decide an Election Without Anyone Ever Finding Out” (1 June 2014), online: The New Republic.

Endnotes

1 MarketsandMarkets, “Big Data Market” (March 2020), online: MarketsandMarkets.
2 The Economist, “The world’s most valuable resource is no longer oil, but data” (6 May 2017), online: The Economist.
3 Therese Fauerbach, “More Valuable than Oil, Data Reigns in Today’s Data Economy” (last visited 26 April 2021), online: The Northridge Group.
4 I use the term “digital companies” because these businesses are in a unique position to leverage digital technology to generate value in their business models, users’ experience and internal operations. Digital companies include the Big Tech companies (Amazon, Apple, Google, Facebook and Microsoft) and other similar companies that collect and use their users’ personal data.
5 Mark Ellis, “Fiduciary Duties in Canada” (Toronto: Carswell) (loose-leaf), ch 1, s 2 [Fiduciary Duties in Canada].
6 Hodgkinson v Simms, [1994] 3 SCR 377 at para 31, 117 DLR (4th) 161 [Hodgkinson].
7 International Corona Resources Ltd v LAC Minerals Ltd, 1987 CarswellOnt 655 at para 151, 44 DLR (4th) 592.
8 Mark Ellis, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 10 September 2020) [Law 552 September 10].
9 Fiduciary Duties in Canada, supra note 5 at ch 1, s 21.
10 Ibid at ch 1, s 5.
11 Perez v Galambos, 2009 SCC 48 at para 36 [Perez].
12 Law 552 September 10, supra note 8.
13 McInerney v MacDonald, [1992] 2 SCR 138 at para 20, 93 DLR (4th) 415.
14 Mark Ellis, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 17 September 2020).
15 Perez, supra note 11.
16 Guerin v R, [1984] 2 SCR 335 at para 99, 13 DLR (4th) 321.
17 Seaspan International Ltd v British Columbia Railway, 2005 BCSC 256 at para 106.
18 Harris v Lindeborg, [1931] SCR 235 at para 17, [1931] 1 DLR 945.
19 Frame v Smith, [1987] 2 SCR 99, 42 DLR (4th) 81 [Frame].
20 R v Neil, 2002 SCC 70 at para 16.
21 Mark Gillen & Faye Woodman, eds, “The Law of Trusts: A Contextual Approach” (Toronto: Edmond Publishing, 2000) at 742.
22 Jack M. Balkin, “Information Fiduciaries and the First Amendment” (2016) 49:4 UC Davis L Rev 1183 at 1209 [Information Fiduciaries].
23 Ibid.
24 Tim Wu, “An American Alternative to Europe’s Privacy Law” (20 May 2018), online: The New York Times.
25 Jack M. Balkin & Jonathan Zittrain, “A Grand Bargain to Make Tech Companies Trustworthy” (3 October 2016), online: The Atlantic.
26 Ibid.
27 Ariel Dobkin, “Information Fiduciaries in Practice: Data Privacy and User Expectations” (2018) 33:1 BTLJ 1 at 15 [Information Fiduciaries in Practice].
28 Information Fiduciaries, supra note 22 at 1187.
29 Information Fiduciaries in Practice, supra note 27.
30 Uber, “Company info” (last visited 26 April 2021), online: Uber Newsroom.
31 Information Fiduciaries, supra note 22 at 1188.
32 Jennifer Wills, “6 Ways Amazon Uses Big Data To Stalk You” (5 October 2020), online: Investopedia.
33 J. Clement, “Facebook: number of monthly active users worldwide 2008-2020” (24 November 2020), online: Statista.
34 Jonathan Zittrain, “Facebook Could Decide an Election Without Anyone Ever Finding Out” (1 June 2014), online: The New Republic.
35 Ibid.
36 The Great Hack, 2019, Documentary (Los Gatos, California: Netflix, 2019) [The Great Hack].
37 Information Fiduciaries, supra note 22 at 1186.
38 Jack M. Balkin, “The Fiduciary Model of Privacy” (2020) 134:1 Harv L Rev 11 at 24 [Fiduciary Model].
39 Jack M. Balkin, “Information Fiduciaries in the Digital Age” (2 March 2014), online: Balkinization.
40 Information Fiduciaries in Practice, supra note 27 at 7.
41 Mitchell Nemeth, “Information Fiduciary Theory and the Market” (20 July 2019), online: Towards Data Science.
42 Ibid.
43 Frame, supra note 19; Lac Minerals Ltd v International Corona Resources Ltd, [1989] 2 SCR 574 at para 26, 61 DLR (4th) 14 [Lac Minerals]; Perez, supra note 11; Elder Advocates of Alberta Society v Alberta, 2011 SCC 24 at para 36.
44 Fiduciary Model, supra note 38 at 12.
45 David Nield, “All the Ways Facebook Tracks You—and How to Limit It” (12 January 2020), online: Wired.
46 Bennett Cyphers, “Google Says It Doesn’t ‘Sell’ Your Data. Here’s How the Company Shares, Monetizes, and Exploits It.” (19 March 2020), online: Electronic Frontier Foundation.
47 Ibid.
48 Michael L. Katz & Carl Shapiro, “Systems Competition and Network Effects” (1994) 8:2 Journal of Economic Perspectives 93 at 94.
49 Lac Minerals, supra note 43 at para 50.
50 Perez, supra note 11 at para 74.
51 Lac Minerals, supra note 43 at para 50.
52 Perez, supra note 11 at para 68.
53 Frame, supra note 19 at para 45.
54 Lina M. Khan & David E. Pozen, “A Skeptical View of Information Fiduciaries” (2019) 133:2 Harv L Rev 497 at 525 [A Skeptical View].
55 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
56 Ibid, ss 11(1), 11(2).
57 Notice of Application with the Federal Court against Facebook, Inc. (6 February 2020), T-190-20, online: Office of the Privacy Commissioner of Canada.
58 Ibid.
59 Midcon Oil & Gas Co v New British Dominion Oil Co, [1958] SCR 314, 12 DLR (2d) 705.
60 Mark Ellis, Fiduciary Obligations Law 552, Lecture (Faculty of Law, Queen’s University, 22 October 2020).
61 Lac Minerals, supra note 43 at para 10.
62 Vindu Goel, “Facebook Tinkers With Users’ Emotions in News Feed Experiment, Stirring Outcry” (29 June 2014), online: The New York Times.
63 Jane Doe 464533 v D (N), 2016 ONSC 541 at para 43.
64 Jones v Tsige, 2012 ONCA 32 at para 71.
65 For example, the elements of public disclosure of private facts may be made out in the case of Uber publicly disclosing a user’s secret meetings.
66 Information Fiduciaries in Practice, supra note 27 at 13.
67 Fiduciary Model, supra note 38 at 16.
68 Noam Scheiber, “How Uber Uses Psychological Tricks to Push Its Drivers’ Buttons” (2 April 2017), online: The New York Times.
69 Ibid.
70 Ibid.
71 Issie Lapowsky, “How Cambridge Analytica Sparked the Great Privacy Awakening” (17 March 2019), online: Wired.
72 The Great Hack, supra note 36.
73 Ibid.
75 Concordia, “Cambridge Analytica - The Power of Big Data and Psychographics” (27 September 2016) at 00h:03m:05s, online: YouTube.
76 The Great Hack, supra note 36.
77 Hodgkinson, supra note 6 at para 33.
78 Norberg v Wynrib, [1992] 2 SCR 22, 92 DLR (4th) 449 [Norberg].
79 Ibid at para 67.
80 Perez, supra note 11 at para 69.
81 Ibid.
82 Ibid at para 73.
83 Ibid at para 77.
84 Ibid.
85 Ibid at para 79.
86 Amazon, “Privacy Notice” (last visited 26 April 2021), online: Amazon.ca.
87 Ibid.
88 Ibid.
89 Information Fiduciaries in Practice, supra note 27.
90 Information Fiduciaries, supra note 22 at 1220.
91 Information Fiduciaries, supra note 22 at 1220.
92 Fiduciary Model, supra note 38 at 17.
93 Fiduciary Model, supra note 38 at 17.
94 Federal Trade Commission, Press Release, P125404, “FTC to Study Data Broker Industry’s Collection and Use of Consumer Data” (18 December 2012), online: Federal Trade Commission.
95 Information Fiduciaries, supra note 22 at 1221.
96 Hodgkinson, supra note 6 at para 35.
97 Issie Lapowsky, “In Latest Facebook Data Exposure, History Repeats Itself” (3 April 2019), online: Wired.
98 Davis v Kerr, 17 SCR 235 at para 11, 1890 CarswellQue 25.
99 Adam Schwartz & Cindy Cohn, “‘Information Fiduciaries’ Must Protect Your Data Privacy” (25 October 2018), online: Electronic Frontier Foundation.
100 A Skeptical View, supra note 54 at 505.
101 Ibid.
102 Fiduciary Model, supra note 38 at 23.
103 Norberg, supra note 78.
104 Perez, supra note 11 at para 77.
105 US, S5642, “An Act to Amend the General Business Law, In Relation to the Management and Oversight of Personal Data”, 2019-2020, Reg Sess, NY.
106 Ibid, s 1102(1).
107 Ibid.
108 Ibid, s 1102(3).