Several amendments were made last week to PIPEDA, the federal private sector privacy legislation. This has been sitting around in draft for a long time. Except for sections creating a new mandatory breach notification scheme, the amendments are now in force. The breach notification scheme requires some regulations before it comes into effect. More on that at the end of this post.
Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.
Here are some of the highlights that are in force now:
- The business contact exception from the definition of personal information has been broadened.
- Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors/purchasers, and their counsel should make sure they comply with the exact requirements.
- A new section says consent is only valid if the individual would understand what they are consenting to. This speaks to the clarity of the explanation, and is particularly important when dealing with children.
- Several new exceptions allowing the collection, use and disclosure of personal information without consent have been added. These include witness statements, communication with next of kin of ill or deceased persons, and fraud prevention.
- The Commissioner now has a compliance agreement remedy.
The breach notification sections that come into effect at a later date include:
- Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” That test is somewhat subjective, and will no doubt cause some consternation in practice. Guidance is included on relevant factors to consider and what constitutes “significant harm”.
- The report must contain certain information and be on a form that will be in the regulations yet to be released.
- Affected individuals must be similarly notified.
- Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold. This could pose a challenging compliance issue for large organizations.
- The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
- The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements. That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.
Cross-posted to Slaw
Bill C-51 (Anti-Terrorist Act, 2015) has been passed by the Senate despite massive opposition to its invasive, privacy-unfriendly powers. See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right”, and this post on Openmedia.ca.
Yet in the United States, the USA Freedom Act was just passed that pulled back a bit on the ability of the NSA to collect domestic data.
There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime. The cost is enormous – both in terms of the direct cost of collecting, storing and analyzing it – and the costs to the economy. A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.
And that’s not to mention the cost to civil liberties and privacy. As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.
Cross-posted to Slaw
Ontario Privacy Commissioner Brian Beamish just released his first annual report.
It is an interesting read for anyone interested in access and privacy issues.
Topics include details on some noteworthy access and privacy decisions, open government, police body cameras, sharing of CPIC information with US border officials, contents of police record checks, and comments on personal health privacy.
It also contains stats on complaints and appeals.
Cross-posted to Slaw
A common rebuke to self-driving cars is the thought of cars behaving like computers – freezing or rebooting while driving. Those make amusing sound bites or Twitter comments, but there is a grain of truth to them. Self-driving technology has come a long way, but while computers and software can follow programmed instructions, and can learn over time, humans are still better at many things.
An article in the New York Times entitled Why Robots Will Always Need Us does a good job of putting this in context, in part by the experience of aircraft.
Author Nicholas Carr points out that:
Pilots, physicians and other professionals routinely navigate unexpected dangers with great aplomb but little credit. Even in our daily routines, we perform feats of perception and skill that lie beyond the capacity of the sharpest computers. … Computers are wonderful at following instructions, but they’re terrible at improvisation. Their talents end at the limits of their programming.
In 2013, the Federal Aviation Administration noted that overreliance on automation has become a major factor in air disasters and urged airlines to give pilots more opportunities to fly manually.
That’s not to say that we should smugly dismiss automation or technology. Lawyers, for example, who dismiss the ability of software to replace certain things we do are in for a rude awakening.
In general, computer code is never bug free, is never perfect, and is not able to do certain things. (You can say the same for us humans, though.) For example, the aircraft industry spends huge amounts of time and money testing the software that operates aircraft. On the other hand, the range of things computers can do well is increasing, and will keep increasing. At some point there may be breakthroughs that make computers more reliable and better at the things we humans are more adept at. But we are not there yet.
Cross-posted to Slaw
Depending on how you define a self driving car – probably sooner than you think.
Sometimes new technology seems to come out of nowhere, but it often creeps up on us. The legal disruptions that new tech spawns often follow the same path – usually a combination of lagging behind new technology and getting in the way of new technology.
Current advances that come to mind include smart watches, drones, electric cars, and Tesla’s Powerwall.
Take self driving cars for example.
It’s not as if we will go directly from a totally human-driven car to a totally autonomous car. They will creep up on us. The Google self-driving car gets a lot of press, and understandably so, but mainstream auto makers are rolling out these features now. We already have cars with features such as self-parking, adaptive cruise control, cross-traffic alerts, and lane departure warnings. Over time these will morph from warning systems to taking control for a brief time to driving for longer periods of time. Self-driving will start on highways before it moves to city driving.
Actually, self driving trucks might become prevalent sooner than self driving cars.
Cross-posted to Slaw.
Is your website mobile friendly? As of yesterday, Google search ranks mobile friendly sites higher in search results.
This means that if someone does a google search from a mobile device, a site that is mobile friendly will appear higher in the search results than one that is not mobile friendly and would otherwise rank the same.
Given the high and rising share of search time spent on phones and tablets compared to PCs, it is increasingly important that web sites be mobile friendly.
You can test a URL for mobile friendliness on this google page. In case you are wondering, Slaw, my elegal blog, and the Harrison Pensa web site all pass the test.
So take the test for your web site, and if it doesn’t pass, talk to your web developer.
Cross posted to Slaw.
If you are an Apple fan, April 24 2015 marks the beginning of the smartwatch era – the date the Apple Watch is available. (Preorders start Apr 10th.) Smartwatches have been around for a while, but given the Apple reality distortion field, they will initially sell in large numbers, even though they are the most expensive ones available. The basic Apple watch is functionally the same as the most expensive gold watch edition that starts at $10,000. (Someone said that if you can afford a $10,000 watch, you probably don’t need to know what time it is.)
But there are alternatives, including several Android versions, the Pebble, and the Microsoft Band. Version 2 of several of these are expected soon.
Smartwatches are designed to be an interface to your smartphone. But if you want something that comes at this from a different approach, check out the Neptune – from a Canadian company that takes the intriguing approach of making the device on your wrist the main computer. There are still a few days left to take advantage of their indiegogo campaign.
Personally – as much as I want one – I’m waiting for the upcoming second gen Android versions. But then again that Neptune is rather cool…
Cross posted to Slaw
A favicon is the small image that you see beside a web address in a browser tab. Similar images are sometimes used with social media names. Slaw, for example, uses as a favicon “Sl” in a particular font, Harrison Pensa uses its “HP” design (which, by the way, is a registered trademark), and my own blog uses my initials.
Because they are so small, they must be simple. If someone has a simple logo to begin with, it might be usable as is. But more complex logos won’t work. They need to be simplified, or edited so only a portion is used.
If one’s logo has been registered as a trademark, the trademark protection may not be effective if the logo is modified in any significant way. It may be necessary to register the favicon on its own as a trademark.
Anyone designing a new logo should keep favicon use in mind. It will not always be practical to design a logo that can be used in its entirety as a favicon, but that is a laudable goal. At the very least some thought should be turned to what portion of it might be used, whether people will recognize it as the same brand as the full logo, and whether there is merit to registering it separately as a trademark.
Cross-posted to Slaw
Today is world backup day, a reminder of how important it is to back up our data – and to do it daily.
(I have not been able to figure out the origins of this day – Wikipedia doesn’t even have an entry for it – but the sentiment is a good one.)
For just one example, if your defenses are down and you get hit with a crypto virus that locks up all your files, you can restore your files from yesterday’s backup rather than paying the ransom.
For practical thoughts on some things to consider about how and why to back up all your data, take a look at this article by David Bilinsky.
Also take a look at this infographic by Cloudwards – a cloud storage promoter – that has some info about the causes of lost data, and issues to consider around backup solutions.
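The point above about restoring yesterday's backup instead of paying only works if the backup is separate from the live files, versioned by day, and checked for integrity before you rely on it. The script below is an added example, not part of the original post or the articles it links to: it keeps one archive per day with a SHA-256 manifest, verifies the archive before restoring, and walks through a constructed scenario where today's live copies are damaged and yesterday's archive is restored. The directory layout under `$WORK`, the sample files and the "yesterday" label are all assumptions made up for the demo; it uses only `tar` and GNU `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the original post): daily versioned backups with an
# integrity manifest and a verified restore. Everything lives under $WORK,
# a throwaway directory constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DATA="$WORK/data"          # the "live" working files
BACKUPS="$WORK/backups"    # one sub-directory per backup day

# make_backup DAY: archive the live files into $BACKUPS/DAY and record a
# SHA-256 manifest so later tampering or bit rot can be detected.
make_backup() {
    day="$1"
    mkdir -p "$BACKUPS/$day"
    tar -C "$DATA" -cf "$BACKUPS/$day/data.tar" .
    (cd "$BACKUPS/$day" && sha256sum data.tar > data.tar.sha256)
}

# verify_backup DAY: succeed only if the archive still matches its manifest.
verify_backup() {
    (cd "$BACKUPS/$1" && sha256sum -c --quiet data.tar.sha256)
}

# restore_backup DAY: refuse to restore an archive that fails verification,
# otherwise replace the live files with the contents of that day's archive.
restore_backup() {
    verify_backup "$1"
    rm -rf "$DATA"
    mkdir -p "$DATA"
    tar -C "$DATA" -xf "$BACKUPS/$1/data.tar"
}

# restored_ok: true when the live files match the constructed originals.
restored_ok() {
    [ "$(cat "$DATA/notes.txt")" = "client notes" ] &&
    [ "$(cat "$DATA/invoice.txt")" = "invoice 42" ]
}

# demo: constructed scenario. Yesterday's backup is taken, today the live
# copies are damaged (one overwritten, one deleted), and the restore brings
# them back from the verified archive.
demo() {
    rm -rf "$DATA" "$BACKUPS"
    mkdir -p "$DATA"
    printf 'client notes\n' > "$DATA/notes.txt"   # constructed sample file
    printf 'invoice 42\n' > "$DATA/invoice.txt"   # constructed sample file
    make_backup yesterday

    printf 'unreadable junk\n' > "$DATA/notes.txt"  # simulated damage
    rm -f "$DATA/invoice.txt"                       # simulated loss

    restore_backup yesterday
    restored_ok && echo "restore from yesterday verified: $DATA"
}

demo
```

Two design choices matter for the ransomware case the post mentions: the archives live in a separate tree that the live files never write to, and `restore_backup` runs `verify_backup` first so a damaged or altered archive is rejected rather than silently restored. In practice that separate tree should be on media or a host the workstation cannot write to after the backup completes.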
Courtesy of: Cloudwards.net
New TLDs (top level domains) continue to become live. There are hundreds to choose from. Gone is the day that there were only a handful, and a business could tie them all up for their corporate name and brands.
Also gone is the day that they are all inexpensive. Some of the new TLDs command a premium price. A .lawyer TLD, for example, costs US$6500. A .guru domain is a bargain at US$29.
This Yahoo article talks about the .sucks TLD, which will be in the sunrise period on March 30, and generally available 60 days later. Some think brands should pay the US$2500 to secure their brand.sucks domain name to keep it out of the hands of others, while some think that’s a waste of time and money.
Most of the new TLDs would be irrelevant to businesses that are not in the niche intended for the TLD, such as .vacations or .guitars. But others, such as .sucks or .help, are more generic and could be used by almost anyone. Businesses and celebrities have registered their own names under TLDs that could be used for derogatory purposes, or for purposes contrary to their image, simply to park them and prevent their use. And there might be merit in getting ones like brand.help for one’s own use.
But there is a limit to what makes sense and what is affordable.
Cross-posted to Slaw