How Safe is our Information Online? One Email Changed how I share my data.

On Thanksgiving Monday, I received an email from CIPPIC’s Director, Professor David Fewer, asking me for an urgent favour. The name matched and the tone seemed professional, but something was off—the email had come to my personal email account, not my school account. I immediately realized that it was a phishing attempt.  

Within a short time, other CIPPIC student interns reported receiving similar messages. This raised a serious question about the source of the information—how did a stranger know where we worked and what emails to target? And most importantly: do Canadians have any legal protection when companies and individuals scrape and use information found online?  

The Hidden Reach of Our Digital Footprints  

Every time we post or peruse online, we leave traces of data behind. Publicly accessible platforms like LinkedIn, university websites, and company directories often reveal details such as our full names, workplaces, and even contact information.  

Individually, these pieces of data seem harmless. Together, they form a digital identity that scammers and large-scale data-harvesting companies can easily exploit. 

What the Law Says About Privacy and Personal Information  

Canada’s primary privacy legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. Federally regulated organizations that conduct business in Canada are always subject to PIPEDA and must also apply the act to their employees’ personal information.  

PIPEDA does not protect individuals from criminals. I received a phishing email from someone committing fraud, not a company that scraped my data. No privacy law can stop a scammer from gathering our public information and misuse it for illegal purposes. However, both scammers and data-scraping companies rely on the same raw material: “publicly available” information that we often post without thinking.  

Most of the data we share online may fall under different interpretations of “publicly available” as specified by the Office of the Privacy Commissioner of Canada (OPCC). While courts have interpreted the concept of “publicly available” in many landmark decisions throughout Canada, there is a consensus that by sharing information online, an individual does not automatically forfeit their control over their personal information.   

Organizations that collect, use, or disclose personal information must do so with knowledge and consent. This means that if a company shares or sells your information without consent, it is a violation of federal privacy law. However, the definition of “publicly available” information differs based on the platform. For instance, organizations and individuals may collect information from professional and business directories and disclose it without consent. LinkedIn, as a massive online network of businesses and professionals, may fall under this category. This enables organizations and individuals to scrape personal information that someone may have unintentionally exposed to the public.  

Personal Information and Legal Issues  

With the onset of the digital age and the rise of Artificial Intelligence, the OPCC and several provincial regulators have investigated multiple incidents involving unauthorized data scraping or the misuse of information collected from publicly accessible websites.  

In 2021 the OPCC investigated Clearview AI, a U.S.-based technology company with facial recognition software. The OPCC, along with the privacy commissioners of Alberta, British Columbia, and Quebec, found that Clearview AI had populated its facial recognition database by scraping billions of images from social media platforms and other public websites without consent. All four regulators ordered Clearview to stop collecting Canadians’ images and to delete the data it had already gathered.   

Clearview AI challenged the Alberta Commissioner’s order in the Court of King’s Bench of Alberta and won, opening the door to the legitimization of data scraping and AI model training. The Court found that the order infringed on Clearview AI’s freedom of expression rights as enshrined in the Charter of Rights and Freedoms.  

Justice Feasby of the Court of King’s Bench of Alberta noted that individuals who make the choice to share their images and information on search engines have the tools “in the form of privacy settings” to prevent the collection, use, and disclosure of their personal information. The Court’s decision sent a clear message to all Canadians: individuals bear increasing responsibility to shield their own information online.   

Takeaways: How Can we Protect Ourselves?  

We are living in an increasingly digital age. Our phones, computers, and tablets store credit card information, track our heart rates, and contain multitudes of passwords to various websites and accounts. We are responsible for protecting ourselves and our information.  

Here are how individuals can protect themselves and those around them:  

• Review your social media settings: LinkedIn may not seem like a major social media platform like Instagram or TikTok, but anyone with an account can access your email address, academic history, and current place of work. Limit who can see your email, workplace, and connections.  

• Educate others: (almost) everyone is online in today’s world. Remind your friends and family of their rights to access, correct, and withdraw consent for personal information under PIPEDA, as well as the importance of shielding information online.  

• Think before you post: every photo, biography, or update adds to a digital profile that is easy to scrape.  

Get Cyber Safe is a national campaign that aims to raise awareness about privacy and cybersecurity, as well as the steps Canadians can take to protect their information online. Visit the federal government’s website for step-by-step guides to protecting oneself online.  

My fellow interns and I received a wave of phishing emails. These individuals scraped information from public webpages, connected our names to CIPPIC, and found personal email addresses that were publicly visible. As law students and future lawyers, we must remind ourselves and others of our rights, and stay alert to how easily our digital footprints can expose us.    

The opinion is the author's, and does not necessarily reflect CIPPIC's policy position.