The Great Canadian Personal Data Grab

The Royal Bank of Canada updated its mobile application for Android users earlier this month. Like many banking apps, the RBC version allows users to view account balances, pay bills, and find bank branches from their smartphone. Yet when users tried to install the app, they were advised that the bank would gain access to a wide range of personal data.

The long list of personal data – far longer than that found in comparable applications from banks such as TD Canada Trust or Bank of Montreal – included permission to use the device’s camera, to read the user’s call history, to access the user’s Internet browsing habits, and to even check out their browser bookmarks. After users took to Twitter and the Google app review section to complain, RBC advised that it would update the app and that users should “stay tuned” about the permission requirements.

My weekly technology law column (Toronto Star version, homepage version) notes that RBC is not alone in requiring users to disclose more personal information in order to access services. Aeroplan, the loyalty program linked to Air Canada, sent an email last week to hundreds of thousands of Canadians notifying them that it too was changing its data collection practices.

The company disclosed that holders of its popular financial credit cards (which can be used to earn Aeroplan points based on total spending) will soon be required to grant it access to detailed financial activity. Starting next year, Aeroplan will be privy to all cardholder transactions, including merchant names, transaction amounts, and dates of the transactions.

The personal data grab from two of Canada’s best-known companies is part of a disturbing privacy trend involving a seemingly insatiable desire for customer information. These demands stretch Canadian privacy law to its limits and risk exposing user data to security breaches.

Canadian privacy law requires organizations to obtain consent for the collection, use, and disclosure of personal information. The basic premise is that privacy is a negotiated bargain in which companies can ask for permission to do virtually anything with the personal information they collect so long as users grant their consent.  

The law does contain an important limitation, however, stating that “an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.” In other words, companies can ask for whatever information they believe is reasonable under the circumstances, but they cannot mandate the disclosure if it is not strictly necessary to supply the good or service.

Despite the legal limitations, the RBC and Aeroplan policies illustrate how companies have become increasingly aggressive in their personal information collection practices. Companies use data mining technologies (the same ones used by intelligence agencies to comb through the metadata of billions of telephone calls) to analyze customer habits and inform a wide range of business decisions.

Some uses may seem relatively innocuous, yet the practice of collecting as much data as possible raises serious concerns. The risk of a security breach increases as companies capture and retain more and more information. This is particularly true for sensitive financial data, which is now accessed by more than just a regulated financial institution.

Moreover, the collection practices push the legal envelope by requiring disclosures that are not strictly necessary to maintain a loyalty program or offer a mobile app. There have been relatively few complaints to the Privacy Commissioner of Canada on these issues, which may be a product of a public that has become increasingly cynical about the potential for privacy laws to stop invasive practices from both government and the private sector. Yet as companies seek mountains of customer data, it may be time for consumers to start saying no.



  1. Mobile browser
    It can be difficult to avoid these issues, and almost all mobile applications seem to require access to your location (fine grained), your phone id, number, contacts and call history. I have stopped installing mobile apps unless I really need them or they ask for reasonable permissions. Instead I use my mobile browser; it has a decent security model and leaves me in control of what I provide to service providers.

    Remember the mobile web, it is your privacy friend.


  2. The value of information
    The trade-off with any loyalty program is they get access to some information about you from their partners, and in exchange you get points which you can redeem for things that you value (gift cards, travel, discounts, etc.). So really my objection to Aeroplan’s move isn’t that they are making this data grab per se, but rather that they are making a BIG reach for additional valuable information without increasing the value they give members.

  3. Thank you, Professor Geist, for pointing this out. I will be writing to my bank regarding my Aeroplan card and the legal limitation on data collection for services. It seems doubtful that confronting giant corporate entities could have much effect, but I will mention the Privacy Commissioner in an attempt to add weight.

    This reminds me of an incident I had with RBC when I was a student, seeking a student loan. One of the checkboxes on the form at the bank gave permission to RBC to sell my financial records to anyone they saw fit. In small print on the back, they noted that law forbids them from refusing services should I not consent to that clause. So I did not consent to that clause. The immediate reaction of the bank manager processing my loan was to deny the loan. When I pointed out the noted exception on their own paperwork, hours of waiting ensued, as she made phone calls looking for a way to exclude me from their marketing program. They had no system in place to exempt those who didn’t agree. I got the loan, but I suspect my information was sold without my consent.

  4. BTW, CIBC also recently upgraded their Android app to require access to my on-phone Contacts. Creepy.

    Interestingly, Citibank in the States released an app update with similarly intrusive permission demands and, when challenged, said it was a mistake and backed out the change. Refreshing!

  5. Foreign Services
    Does PIPEDA apply to foreign companies offering services in Canada? That is, are the likes of Apple, Dropbox, Google, etc. bound to adhere to Canadian law while offering their services to Canadians?


  6. Justification is needed
    Thank you for another great article Prof. Geist. I have often wondered about the legality of these services which request personal information which is clearly above and beyond what is required in order for the software to function. When installing an app on my phone I am told what permissions the app is requesting but in a take it or leave it manner. Forced to either agree to the permissions or forgo the use of the service. This current situation seems to run contrary to the law as you quoted it in your article in cases where data is requested which is not “required to fulfil the explicitly specified, and legitimate purposes” of the app. In my mind this current situation needs to change. Companies should be required to provide information on why each permission is required in order to fulfil the purpose of the app and not just request any permissions they want.

  7. CSEC/NSA Orders?
    Makes me wonder….

  8. RBC’s app permissions
    I wonder how much of this is intentional and what’s just lazy application development? Easier to ask for all the permissions (which a lot of people don’t bother reading in full) than to pick out only the ones you need.