When a person deactivates, deletes or disengages with his or her profile on an online service, what happens to that person's personal information? When a person leaves, does personal information stay?
In 2015 Ashley Madison, an online dating website known for connecting users to explore or engage in extramarital affairs, was hacked and the personal information of 36 million users was publically exposed. The data breach prompted a joint investigation by the Canadian and Australian privacy regulators. While the investigation focused primarily on the adequacy of Ashley Madison's information security practices, it also considered the website's practice of retaining personal information of users whose profiles had been deactivated, deleted, or become inactive.
An Escape Route for Users
Before the data breach, if a user was no longer interested in using the Ashley Madison service, the website offered two formal options for cutting ties. A basic deactivation removed the user's profile from search results, but profile information and messages sent to other users prior to deactivation remained visible to those other users. A full delete, for a fee of C$19, removed all traces of the user's profile from the website. In the case of deactivation, Ashley Madison retained information associated with the account indefinitely, on the basis that many users return to the website, and when they do, they want their original profile to be available to them. Information associated with inactive accounts was also retained indefinitely, for the same reason. In the case of a full delete, Ashley Madison retained information associated with the account for 12 months, in order to protect against the possibility that departing users may fraudulently attempt to make a credit card 'chargeback'.
A Right to be Forgotten?
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), personal information may only be retained for as long as necessary to fulfil the purpose for which it was collected. Under the Australian Privacy Act, personal information may only be retained for so long as it may be used or disclosed for a purpose permitted by the Australian Privacy Principles. In both cases, the information must be retained as long as otherwise required by law. When it may no longer be retained, it must be destroyed or de-identified.
The joint investigation found that with respect to deactivated and inactive accounts, after a prolonged period of inactivity it becomes reasonable to infer that the user is unlikely to return, and therefore the personal information is no longer required for the purpose for which it was collected (to provide the online dating service). In fact, it was found that 99.9% of users who reactivated their accounts did so within just 29 days. Therefore, the indefinite retention of personal information was excessive in this case, and contravened Canadian and Australian privacy laws. The investigation also found that the prevention of fraud was a reasonable basis for retaining information for a limited period after a full delete.
When it comes to the retention of personal information about past users, the business needs of an organization must be balanced with the privacy rights of individual users. Online service providers should establish maximum retention periods for all personal information which they collect, but particularly for information that identifies past users. The Ashley Madison breach made it clear that in a particularly sensitive context, the public release of a user's name alone can have devastating consequences for his or her personal life. In general, a person who decides to log-out of an online service for the last time, should have the right to re-take control of his or her past. A person should have the right to be forgotten.
Contributors - Randeep Nijjar and Lisa Douglas