Canadian Official Alleges Aylo Broke Privacy Laws; Aylo Responds

OTTAWA—A report released by the office of the Canadian Privacy Commissioner alleges that Aylo, the parent company of Pornhub, has violated the country's Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA regulates how private sector organizations, like Aylo or really any technology company, can use or disclose personal data.

“The inadequate privacy protection measures on Pornhub and other Aylo sites have led to devastating consequences for the complainant and other victims of non-consensual disclosure of intimate images,” said Philippe Dufresne, the commissioner.

“Privacy is a fundamental right...Given the enormous risks involved, Aylo must take steps to ensure that it only posts intimate images and videos with the direct knowledge and consent of everyone appearing in the content.”

Aylo sued the office to prevent the release of the report in a federal court in May 2023.

Litigation prevented Dufresne from releasing the report until February 2024. 

An Ontario woman initially filed a complaint with the privacy commissioner who was victimized by revenge porn uploaded to the site in 2015. She reached out to Aylo, known as MindGeek at the time, to remove the material, and it did. But it kept circulating.

Since Pornhub had download functions at the time, the woman's video of her victimization was downloaded and re-uploaded several times and was eventually found 700 times on 80 other websites — the vast majority of these sites aren't owned by Aylo. 

Findings in the report indicate that the woman hired a professional takedown service at a significant personal cost. It is worth noting that the download feature was problematic for content that was actually produced consensually and legally.

The report documents what Dufresne considers shortcomings in Aylo's trust and safety overhaul since December 2020. 

Dufresne proposed changes in Aylo's trust and safety protocols that are non-binding. Despite this, Aylo has openly confirmed major overhauls and, in the eyes of the United States federal government, in contrast, engagement with law enforcement and regulators.

"We are proud to have instituted Trust and Safety policies that rely heavily on not only our internal policies and moderation team, but also on our array of external partnerships and technologies, that surpass those of any other major user-generated platform on the internet," says Sarah Bain, vice president of public engagement for Ethical Capital Partners, in an email to AVN.

Ethical Capital Partners, a private equity firm, is the ownership group that purchased Aylo in the summer of 2023.

"We take harm to anyone very seriously," explains Bain. "Day in and day out, Aylo’s Trust & Safety and engineering teams work collaboratively with law enforcement, advocacy groups, and other stakeholders to prevent online abuse and to hold those abusers to account."

Dufresne's report alleges that Aylo has shown no indication of collaboration with law enforcement. Evidence suggests otherwise.

Barring the fact that Aylo's ownership group includes attorneys and former law enforcement executives, this notion is outdated.

Aylo collaborates with Crime Stoppers International and has voluntarily reported to the National Center for Missing and Exploited Children (NCMEC), based in the United States and affiliated with law enforcement agencies like the Federal Bureau of Investigation.

The company also reached a Deferred Prosecution Agreement with the U.S. Attorney's Office for the Eastern District of New York.

Federal prosecutors and law enforcement agents conducted a 30-month investigation related to Aylo's indirect relationship with the Girls Do Porn sex trafficking ring that used the imagery of a supposed legal operation to cover up its organized illegal activities.

The majority of Dufresne's report features information gathered well before the trust and safety overhauls after Aylo's acquisition.

Canada's privacy commissioner is not the only national government official to accuse Aylo of violating data and personal privacy laws.

European Union regulators have received campaigns from groups in the Euro bloc alleging violations of GDPR and the Digital Services Act that requires large internet platforms to report on trust and safety and user data to the European Commission.