With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

For more details see the Privacy Commissioner’s website.

Getting the privacy balance right is not easy, from both theoretical and practical perspectives. As examples, here are some recent developments that go both ways.

Pro Privacy

• Proposed Bill C-12 amendments to PIPEDA that would mandate privacy breach notification in certain circumstances.
• The Ontario Court of Appeal decision in Jones v Tsige that created a tort of breach of privacy, or “intrusion upon seclusion” for intentional, offensive privacy invasions.
• The US Supreme court decision in US v Jones that decided police need to get a warrant before attaching a GPS tracking device to a vehicle.

Anti Privacy

• Proposed Bill C-12 amendments to PIPEDA that encourage private entities to give personal information to law enforcement without warrants.
• Proposed “Lawful Access” legislation that allows police to obtain a significant amount of information about our mobile phone and internet accounts without a warrant, and would require ISP’s to retain certain information about us.
• The Supreme Court of Canada’s refusal to hear the appeal of the Leon’s case where the Alberta Court of Appeal said that license plates are not personal information.

The Office of the Privacy Commissioner of Canada (OPC) recently tabled its Annual Report on the Privacy Act. The airport scanner issue receiving much of the press, however there are a number of other noteworthy items in the report. The Privacy Act is the legislation that applies to the Canadian federal government.

Regarding airport scanners, the major concern is whether the Canadian Air Transport Security Authority (CATSA) and the airport screeners it hires under contract are respecting the privacy rights of travellers. While some elements of good privacy management were found, an audit performed earlier in the year identified a number of areas for concern. Of particular note was the security over the images produced by the full-body scanners. Despite being strictly prohibited, a cellphone and closed-circuit television camera were found in the room where officers were viewing the images. These issues were discovered during the audit and were addressed by CATSA.

CATSA has also suggested a plan to observe passengers in the airport pre-boarding areas for suspicious behaviour. OPC expressed a number of concerns including the potential for inappropriate risk profiling based on characteristics such as race, ethnicity, age or gender.

The report also looked at various forms of biometric information such as fingerprints and facial images. Although the collection of biometric information can lead to highly reliable identification systems — certainly more reliable than paper systems — the collection and use of this information has also raised significant privacy concerns. While biometric information has the potential to bolster identification systems, it can also lead to privacy concerns regarding covert collection of data, cross-matching and unwanted secondary disclosure. To aid organizations looking to utilize biometric information, the OPC has prepared a primer that helps to identify the pros and cons of biometric data systems.

Also addressed in the report was a complaint made by an individual who was asked by Canada Post to provide identification in order to terminate the rental of a postal box. After review, OPC found that Canada Post has a statutory obligation to provide a secure postal service and that the collection of personal information was consistent with that mandate. The purpose of the data collection was to ensure that postal boxes were not being used or closed fraudulently and further to aid in the investigation of illegal goods shipments. OPC determined that the collection of data for these purposes was reasonable and that the complaint made was not well founded.

Privacy issues are often a balancing act between too much and too little. OPC’s annual report looks to identify areas of concern and make recommendations as to how to strike an appropriate balance. Governments require personal information to properly exercise their functions, however the question quickly becomes “how much collection and use is too much?” A complete copy of OPC’s Annual Report to Parliament is on OPC’s website at www.priv.gc.ca.

The Ontario Court of Appeal just released its decision in Jones v Tsige saying that there is a tort of invasion of privacy in Ontario.  Until this decision, it was generally felt that this right did not exist in Ontario.  The court also refers to the tort as intrusion upon seclusion.

The gist of the case is that a bank employee looked up banking information on someone she knew (another bank employee who was in a common-law relationship with the victim’s former husband) - at least 174 times over a 4 year period.  That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages for it.  The Court of Appeal decided she could, and awarded $10,000 in damages.

To be actionable:

• the defendant’s conduct must be intentional, including recklessness;
• the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
• a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

It does not apply to intrusions into every private or personal matter. The decision says that it is only intrusions into matters such as:

• financial or health records
• sexual practices and orientation
• employment
• diary or private correspondence

For a more detailed analysis, see these posts by Omar Ha-Redeye on Slaw and David Fraser

Here are some of the sites that are going dark today, or changing their home pages in protest over the proposed US legislation. For more information on why this legislation is so bad, check out these sites, or search for “SOPA” on Slaw or Techdirt.com, or just Google it.

Wikipedia:

Boing Boing

WordPress

EFF

This is Google’s US site. Google’s Canadian homepage does not seem to be affected.

Michael Geist

As Connie mentioned, the annual Consumer Electronics Show is now underway in Las Vegas. The tech press is full of commentary on the latest and greatest things at the show. One trend is that everything is becoming more intelligent and more connected, ranging from TV’s to appliances.

That results in many great features and new capabilities. At the same time, a Washington Post article entitled Privacy rights activists worry about potential abuse of high-tech devices featured at CES event points out that we can’t forget about the privacy issues that comes along with this technology.

The article starts off by saying:

The thousands of devices debuting Tuesday at the Consumer Electronics Show here demonstrate how tech companies are poised to gather unprecedented insights into consumers’ lives — how much they eat, whether they exercise, when they are home and who they count as friends.

Silicon Valley is in a gold rush for information, highlighted by Google’s announcement Tuesday that it would incorporate data posted by users on its social networking service into the results of its main search engine.

Many of the companies providing this technology are certainly cognizant of the privacy issues, and will do the right things regarding use, disclosure and consent. But we can’t forget that we don’t all have the same sensibilities or thresholds for privacy issues. Some of us may indeed care about who our washing machine tells that our laundry is done, or who knows what the temperature is in our house.

This is an issue that we can’t just brush aside.

Here are some tech developments to look out for in 2012.

The proposed amendments to Pipeda, the Canadian federal-privacy legislation, will be passed. Several of the amendments are long overdue, and will give some practical relief to business, without any compromise to personal privacy.

The change with the most visible effect will be the requirement for a business that experiences certain privacy breaches to report the breach to the privacy commissioner or to the individuals whose information may have been compromised.

The federal anti-spam legislation expected to be in force in 2011 is still waiting for regulations to be passed before coming into force.

The draft regulations received a lot of criticism, and may be revised prior to the act coming into force. The act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of spam.

The act is intended to provide tools to stop what we all understand to be spam. But the act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

The smartphone and tablet revolution will continue. Whether you are a fan of Apple, Android, or Windows Phone 7 (yes, Microsoft is still in the phone game with a new operating system that has been favourably reviewed), there will be new choices to buy. This always-connected, location-aware, augmented-reality world will lead to challenges to privacy, advertising and business models.

We will start to hear more about digital wallets and near-field communications (NFC). Our smartphones will eventually become our wallets and credit cards, allowing us to pay at stores like a tap-and-go card.

North America lags behind other parts of the world in near-field communications, but expect to see more phones with this ability on the market this year. There is some speculation there could be some near-field communications wallet promotion around the Olympic Summer Games in London, England.

The players in this field may extend beyond the traditional banks and credit-card companies. Companies such as Google and cellphone carriers are trying to get a part of this business. If we have choices, we need to watch to ensure we get the same protections for lost or compromised phones as we now get for lost cards.

Another buzzphrase we will hear more is “the Internet of things.” Sensor technology, and electronics in general, are becoming more pervasive and cheaper. So in addition to connecting to people and websites on the Internet, we will increasingly be able to connect to things such as our home thermostats and appliances. At the same time, voice control and gesture control will lead to new ways to interact with our devices.

Pending legislation always makes good fodder for lawyers to comment on in annual predictions articles. The pending anti-spam legislation has resulted in several such comments.

In my predictions article scheduled for publication next week, I comment that:

The Federal anti-spam legislation that was expected to be in force in 2011 is still waiting for regulations to be passed before coming into force. The draft regulations received a lot of criticism, and may be revised prior to the Act coming into force. The Act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of Spam. The Act is intended to provide tools to stop what we all understand to be spam. But the Act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

Michael Geist predicts that in July:

Nearly one year after proposing anti-spam regulations, the government unveils modified regulations and seeks further public comment before the law takes effect. The new regulations establish a series of new exceptions to the law consistent with the demands of several marketing groups.

Barry Sookman has written a detailed analysis entitled Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)? in which he suggests that the legislation may indeed be that overreaching. It is worth a read to get a flavour for how complex this can get, and what the unintended consequences may be.

This legislation and its pending regulations merit a close watch this year. While its intentions are good, I believe it has the potential to waste far more time, money and effort for businesses and charities attempting to comply, than it will save by the amount of real spam it might reduce. And I’m not sure whether appropriate regulations can temper it sufficiently.

Another wrinkle is that the Supreme Court of Canada’s December decision that said the proposed Canadian Securities Act was not within the legislative authority of Parliament has some wondering if the same fate might be in store for parts of the anti-spam legislation.

The Act requires those providing an “Internet Service” to report to either the police, or to Cybertip.ca depending on the circumstances, any child pornography they become aware of on the net, or if anyone is using their service to commit child pornography offences under the Criminal Code. 

They don’t have to look for it, but if they become aware of it, and don’t report it, it is an offense subject to significant fines.

It is noteworthy that the law applies to more than just what we would consider ISP’s.  It applies to anyone “providing Internet access, Internet content hosting or electronic mail” to the public.

So that would include anyone providing open wi-fi to the public, such as a coffee shop or municipality.  If you provide any kind of public access to the internet, you need to understand your obligations under this law.