Digital Privacy Act amends PIPEDA

Several amendments were made last week to PIPEDA, the federal private sector privacy legislation. The bill had been sitting around in draft for a long time. Except for the sections creating a new mandatory breach notification scheme, the amendments are now in force. The breach notification scheme requires regulations before it comes into effect. More on that at the end of this post.

Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.

Here are some of the highlights that are in force now:

  • The business contact exception from the definition of personal information has been broadened.
  • Provisions have been added to allow the transfer of personal information to an acquiring business for both due diligence and closing purposes. Most practitioners have been approaching this in a similar way already, but vendors, purchasers and their counsel should make sure they comply with the exact statutory requirements.
  • A new section says consent is only valid if the individual would understand what they are consenting to.  This speaks to the clarity of the explanation, and is particularly important when dealing with children.
  • Several new exceptions allowing the collection, use and disclosure of personal information without consent have been added, such as for witness statements, communications to next of kin of ill or deceased persons, and fraud prevention.
  • The Commissioner now has a compliance agreement remedy.

The breach notification sections that come into effect at a later date include:

  • Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”  That test is somewhat subjective, and will no doubt cause some consternation in practice.  The Act includes guidance on the relevant factors to consider and on what constitutes “significant harm”.
  • The report must contain certain information and be on a form that will be in the regulations yet to be released.
  • Affected individuals must be similarly notified.
  • Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold.  This could pose a challenging compliance issue for large organizations.
  • The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
  • The section carrying the $100,000 fine for interfering with an investigation has been amended to make it an offence to knowingly contravene the reporting and record-keeping requirements.  That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.

Cross-posted to Slaw

Bill C-51 (Anti-terrorism Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-terrorism Act, 2015) has been passed by the Senate despite massive opposition to its invasive, privacy-unfriendly powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right“, and this post on .

Yet in the United States, the USA FREEDOM Act was just passed, pulling back somewhat on the NSA’s ability to collect domestic data.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous, both in terms of the direct cost of collecting, storing and analyzing the data, and the cost to the economy.  A new report from the Information Technology and Innovation Foundation estimates that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.


Cross-posted to Slaw

Happy Data Privacy Day

From the Privacy Commissioner of Canada: “On January 28, Canada, along with many countries around the world, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.”

Privacy becomes increasingly challenging with new technology such as big data, the internet of things, wearable computers, drones, and government agencies recording massive amounts of data in the name of security.  Sober thought needs to go into balancing the advantages of such things against privacy rights, building them in a privacy-sensitive way, and giving people informed choices.


Cross-posted to Slaw


Here’s how changes to PIPEDA would work

For the London Free Press – July 8, 2013 – Read this at

The Office of the Privacy Commissioner of Canada (OPC) recently released a report recommending reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the legislation that governs private-sector privacy generally in Ontario and most other provinces.

The report noted that, “Ninety per cent of the data that exists in the world today has been created in the last two years,” and PIPEDA needs to evolve.

The report highlighted four recommendations.

1: Strengthen enforcement and encourage greater compliance

Statutory damages (meaning damages in a set amount, without any requirement to prove actual loss) for certain contraventions of PIPEDA. The report cites the Copyright Act as a successful example of a statutory-damages regime.

Order-making powers to give the Commissioner the ability to issue a binding order either requiring an action or prohibiting one. At present, the Commissioner can only recommend such action.

Administrative monetary penalties (AMPs) are suggested as a means of bringing organizations into compliance with PIPEDA. AMPs are similar to fines, but would be assessed directly by the Commissioner.

Why the OPC wants this: “It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.”

2: Shine a light on privacy breaches

Require organizations to report breaches of personal information to the Commissioner and to affected individuals.

Why the OPC wants this: Some organizations voluntarily report and inform individuals of privacy breaches. Some organizations do not. Those that do voluntarily report may face negative financial and reputational consequences while those that do not report may escape any form of recourse. This “creates an uneven playing field for organizations.”

3: Lift the veil on authorized disclosures

PIPEDA allows disclosure of personal information to a government institution, on request, without the knowledge or consent of the affected individual. Organizations may, but don’t always, challenge or refuse these requests. The OPC would require organizations to maintain a record of disclosures to government and make it publicly available.

Why the OPC wants this: Canadians seeking access to their personal information would be able to find out if their information had been disclosed. There is no transparency or clear rules about what information can and should be provided to government institutions without a court order.

4: Walk the talk

Enforceable agreements would require an organization, at the end of a privacy investigation, to agree to the Commissioner’s recommendations and to comply with them within a set time period.

Make accountability provisions subject to review by the Federal Court.

Why the OPC wants this: Monitoring and analyzing a company’s follow-up actions is just as time-consuming as the Commissioner’s investigations.

Holistic strategy is better for privacy laws

For the London Free Press – May 6, 2013 – Read this at

There has been controversy in the United States in the last few weeks about their patchwork of privacy laws in contrast to the holistic approach favoured by Canada and the European Union. This matters as commerce and cloud services become more borderless.

The U.S. approach to privacy has been to enact laws that apply to narrow areas as problems are perceived, rather than to look at privacy as a broader subject to regulate.

For example, in 1988 the United States Congress passed the Video Privacy Protection Act to prevent wrongful disclosure of videotape rental or sale records. Though such laws may be effective in the short term, they have a narrow focus, fail to address future technology and leave gaps. And the process to change existing laws is typically glacially slow.

Some privacy regulation in the U.S. isn’t based on privacy laws at all, but on regulatory action and class-action lawsuits based on notions such as the breach of a company’s own privacy policy. In other words, the wrong was a breach of a privacy promise, not a breach of a legal privacy requirement.

In contrast, the Canadian and European model deals with privacy on a holistic basis. The holistic approach allows for existing privacy laws to adapt to new technologies rather than having to create new privacy laws in response to new technologies.

In any given Canadian province there are likely no more than two privacy statutes that apply to the private sector.

One applies to personal information generally, and there’s often a separate one that applies to medical records. This is a far more stable, all-encompassing and technology-neutral approach to privacy issues than the U.S. model.

Peter Fleischer, global privacy counsel at Google, recently commented on this issue and his desire to see the United States enact better privacy laws. He notes not a single country has followed the U.S. model.

Fleischer praises European privacy laws for their simplicity and warns if changes aren’t made to the U.S. approach “privacy will prove a serious roadblock to any such future trade back (with the European Union), as long as some people in Europe can argue that the U.S. has not-effective privacy laws.”

Fleischer provides the example of Uruguay, which looked to Spain, rather than the U.S., when drafting its recent privacy laws.

In the long run, the holistic approach is a far better and more effective model to protect privacy interests. The holistic approach makes it easier for businesses to understand their obligations and comply, easier for individuals to know where they stand, has less risk of leaving privacy gaps, and makes it easier to deal internationally when other countries require privacy protection as a condition of personal information crossing borders.

As the world continues to emerge from the global economic crisis and the trend toward global integration continues, Canada’s holistic privacy framework will help us take advantage of global opportunities while a less-effective framework could damage U.S. efforts.

Perspective is an important element of Privacy

Today’s Slaw post:

One thing I find consistent about privacy issues is the inconsistency of approach and viewpoint.  What is and is not deemed acceptable seems to change dramatically based on several factors, including geographic location (which I suppose is really more of a cultural issue than a geographic one), whether it is one’s own information or one is doing something with someone else’s information, and whether the party holding the information is government or business.

Many times it comes down to issues of trust, understanding, surprise, and how public one wants their life to be.

An example is in this article entitled Eric Schmidt is using the same argument against drones that others use against Google Glass.

One of the most common concerns raised about Google Glass (other than looking like a nerd) is the potential for privacy invasion.  The more of these there are around, the more likely each one of us is to be captured on the video they can take, whether we like it or not. And where is all this video going to end up?  That issue has also been raised about drones.  Google’s Eric Schmidt has apparently stated that drones should be strictly regulated for privacy reasons, which seems inconsistent with Google’s approach to Google Glass.

Perhaps one explanation for this is that privacy in the United States is viewed differently than in Canada and other parts of the world.  In the US, privacy is not approached as a holistic, discrete topic to be regulated by general principles.  Instead, it is regulated on a piecemeal basis, such as by a privacy law that applies only to video rentals.

Privacy Abuses and Leaks

Today’s Slaw post

Two current privacy stories are worth mentioning. First, see this CBC news article entitled Political parties operate outside Canada’s privacy laws. The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.

Also see this article entitled Websites leaking customers’ personal info, says privacy watchdog and the Privacy Commissioner’s news release. The issue here is the revelation by the Canadian Privacy Commissioner, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third-party advertising and marketing firms without user consent.

Here is an infographic on web leakage provided by the Commissioner.

While on the surface privacy issues can appear simple, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face the fact that they may not be able to use personal information to their advantage without permission.

UPDATE: Sept 27 And see this article about an MP’s email exposing 1500 addresses.

Children and website privacy

Today’s Slaw post:

Last week Jennifer Stoddart, the Privacy Commissioner of Canada, spoke at an IT.Can teleconference about online behavioural advertising. Online behavioural advertising means tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests. One point she made that I found interesting was about children.

Some countries have laws that specify how children under a certain age are to be treated online including what can be directed to them, and when parental consent is needed. That does not exist here.

The Commissioner’s approach is that if sites are aimed at children, then privacy disclosures and consents must be simple, clear and understandable by children. Which of course means that one should not be doing things with their personal information that require consent if they are incapable of understanding and giving an informed consent. This approach is somewhat consistent with the approach to consent to health care treatment, where children are able to consent to many types of treatment on their own, provided they are capable of giving an informed consent.

The Commissioner also made it clear that children should not be tracked online, and thus that behavioural advertising should not be directed at children.

Busy privacy week – Two privacy reports and a Supreme Court of Canada appeal

My latest Slaw post:

This has been a busy week for privacy news.

Anne Cavoukian, the Ontario Privacy Commissioner, released her annual report entitled “2011 Access & Privacy – Ever Vigilant”. Topics discussed in the report include privacy by design, biometrics, mobile devices, lawful access legislation, and open data. From the report:

The theme of my 2011 Annual Report — Ever Vigilant — was chosen in large part because this year Ontarians faced what I consider to be one of the most invasive threats to our privacy and freedom that I have encountered in 25 years of safeguarding citizens’ rights and championing openness and transparency in government.

That threat presented itself as lawful access legislation proposed by the federal government. The legislation was designed to provide police with much greater ability to access and track information about identifiable individuals via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, and at times, without a warrant or any judicial authorization. Telecommunications service providers would also be required to build and maintain intercept capabilities in their networks for use by police.

In my view, it is highly misleading to simply call such legislation “lawful access” or to champion it as a child protection measure. The broad powers proposed represent much more — they represent a looming system of “Surveillance by Design.”

The Alberta Privacy Commissioner, Jill Clayton, announced that she is applying to the Supreme Court of Canada for leave to appeal an Alberta Court of Appeal ruling that held that parts of the Alberta privacy legislation violate the Charter of Rights and Freedoms.

Jennifer Stoddart, the Privacy Commissioner of Canada, released her annual report on PIPEDA entitled “Privacy for Everyone”. Topics discussed in her report include children and youth privacy, biometrics, big data, online privacy, lawful access, and updating PIPEDA. From the report:

Young Canadians are the most open to adopting new communications technologies which can, in some cases, invade their privacy. This holds true, not surprisingly, for those aged 18 to 34, as confirmed by a national opinion survey carried out this year for the OPC. (See section 3.3)

But the true adoption age for digital media is much, much younger.

We know, for example, that thousands of apps targeted at babies and toddlers are now available to teach little ones the alphabet and to entertain them with nursery rhymes.

The evidence may still be mostly anecdotal, but one recent study found that a third of North American Gen-Y moms (those aged 18 to 27) have let their children use a laptop by age two.

By the time the kids are three, those laptops and tablets are connected to the Internet daily for about a quarter of U.S. kids, according to the Joan Ganz Center in New York. By age five, the proportion online has soared to half.

We are giving our children unprecedented access to the Internet, but what are we doing to teach them about how to protect their privacy in the online environment?

We often hear the claim that young people growing up in this digital era do not care about privacy. This is not true.

While concepts of privacy are evolving, and young people tend to think about privacy differently than their parents, study after study shows that young people do care about their privacy.

Do Privacy Laws Need More Teeth?

Today’s Slaw post.

Canada’s Privacy Commissioner, Jennifer Stoddart, appeared yesterday before the House of Commons access to information, privacy and ethics committee.

The Commissioner would like PIPEDA to include stronger penalties for privacy violations as an incentive to comply. PIPEDA currently has no financial sanctions. If a violator does not comply with a finding of the Commissioner, the recourse is for the Commissioner to take the matter to the Federal Court, which has the power to order compliance and award damages.

In part this seems to be driven by “…the apparent disregard that some of these social media companies have shown for Canadian privacy laws.”

I’m wondering what readers think about this.

Would the ability to collect financial penalties for PIPEDA violations make a difference?

Does the complexity and newness of social media products make it inherently difficult to get privacy right and to create clear and simple privacy policies, or do these companies simply not put enough effort into it up front?