David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




February 1, 2012

Privacy Commissioner explains problems with proposed lawful access law

— David Canton @ 10:54 am

That’s the title of my Slaw post for today.  It reads as follows.

With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

January 25, 2012

Privacy – 1 step forward, 1 step back

— David Canton @ 8:52 am

That’s the title of my Slaw post for today.  It reads as follows.

Getting the privacy balance right is not easy, from both theoretical and practical perspectives. As examples, here are some recent developments that go both ways.

Pro Privacy

  • Proposed Bill C-12 amendments to PIPEDA that would mandate privacy breach notification in certain circumstances.
  • The Ontario Court of Appeal decision in Jones v Tsige that created a tort of breach of privacy, or “intrusion upon seclusion” for intentional, offensive privacy invasions.
  • The US Supreme Court decision in US v Jones that decided police need to get a warrant before attaching a GPS tracking device to a vehicle.

Anti Privacy

  • Proposed Bill C-12 amendments to PIPEDA that encourage private entities to give personal information to law enforcement without warrants.
  • Proposed “Lawful Access” legislation that allows police to obtain a significant amount of information about our mobile phone and internet accounts without a warrant, and would require ISPs to retain certain information about us.
  • The Supreme Court of Canada’s refusal to hear the appeal of the Leon’s case where the Alberta Court of Appeal said that license plates are not personal information.

January 19, 2012

You can now be sued for invasion of privacy in Ontario

The Ontario Court of Appeal just released its decision in Jones v Tsige saying that there is a tort of invasion of privacy in Ontario.  Until this decision, it was generally felt that this right did not exist in Ontario.  The court also refers to the tort as intrusion upon seclusion.

The gist of the case is that a bank employee looked up banking information on someone she knew (another bank employee who was in a common-law relationship with the victim’s former husband) - at least 174 times over a 4 year period.  That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages for it.  The Court of Appeal decided she could, and awarded $10,000 in damages.

To be actionable:

  • the defendant’s conduct must be intentional, including recklessness;
  • the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
  • a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

It does not apply to intrusions into every private or personal matter. The decision says that it is only intrusions into matters such as:

  • financial or health records
  • sexual practices and orientation
  • employment
  • diary or private correspondence

For a more detailed analysis, see these posts by Omar Ha-Redeye on Slaw and David Fraser.

January 11, 2012

CES and privacy

— David Canton @ 2:29 pm

That’s the title of my Slaw post for today.  It reads as follows.

As Connie mentioned, the annual Consumer Electronics Show is now underway in Las Vegas. The tech press is full of commentary on the latest and greatest things at the show. One trend is that everything is becoming more intelligent and more connected, ranging from TVs to appliances.

That results in many great features and new capabilities. At the same time, a Washington Post article entitled Privacy rights activists worry about potential abuse of high-tech devices featured at CES event points out that we can’t forget about the privacy issues that come along with this technology.

The article starts off by saying:

The thousands of devices debuting Tuesday at the Consumer Electronics Show here demonstrate how tech companies are poised to gather unprecedented insights into consumers’ lives — how much they eat, whether they exercise, when they are home and who they count as friends.

Silicon Valley is in a gold rush for information, highlighted by Google’s announcement Tuesday that it would incorporate data posted by users on its social networking service into the results of its main search engine.

Many of the companies providing this technology are certainly cognizant of the privacy issues, and will do the right things regarding use, disclosure and consent. But we can’t forget that we don’t all have the same sensibilities or thresholds for privacy issues. Some of us may indeed care about who our washing machine tells that our laundry is done, or who knows what the temperature is in our house.

This is an issue that we can’t just brush aside.

January 9, 2012

Expect focus on virtual wallets in 2012

For the London Free Press – January 9, 2012 – Read this on Canoe

Here are some tech developments to look out for in 2012.

The proposed amendments to Pipeda, the Canadian federal-privacy legislation, will be passed. Several of the amendments are long overdue, and will give some practical relief to business, without any compromise to personal privacy.

The change with the most visible effect will be the requirement for a business that experiences certain privacy breaches to report the breach to the privacy commissioner or to the individuals whose information may have been compromised.

The federal anti-spam legislation expected to be in force in 2011 is still waiting for regulations to be passed before coming into force.

The draft regulations received a lot of criticism, and may be revised prior to the act coming into force. The act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of spam.

The act is intended to provide tools to stop what we all understand to be spam. But the act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

The smartphone and tablet revolution will continue. Whether you are a fan of Apple, Android, or Windows Phone 7 (yes, Microsoft is still in the phone game with a new operating system that has been favourably reviewed), there will be new choices to buy. This always-connected, location-aware, augmented-reality world will lead to challenges to privacy, advertising and business models.

We will start to hear more about digital wallets and near-field communications (NFC). Our smartphones will eventually become our wallets and credit cards, allowing us to pay at stores like a tap-and-go card.

North America lags behind other parts of the world in near-field communications, but expect to see more phones with this ability on the market this year. There is some speculation there could be some near-field communications wallet promotion around the Olympic Summer Games in London, England.

The players in this field may extend beyond the traditional banks and credit-card companies. Companies such as Google and cellphone carriers are trying to get a part of this business. If we have choices, we need to watch to ensure we get the same protections for lost or compromised phones as we now get for lost cards.

Another buzzphrase we will hear more is “the Internet of things.” Sensor technology, and electronics in general, are becoming more pervasive and cheaper. So in addition to connecting to people and websites on the Internet, we will increasingly be able to connect to things such as our home thermostats and appliances. At the same time, voice control and gesture control will lead to new ways to interact with our devices.

December 7, 2011

Upcoming PIPEDA Amendments

— David Canton @ 1:10 pm

That’s the title of my Slaw post for today.  It reads as follows.

Several amendments are proposed to PIPEDA, (Bill C-12) the federal private sector privacy legislation. It is sitting now at first reading stage, and we are not yet sure how long it will be before it is passed.

This post summarizes an IT.Can teleconference on the subject presented today by David Fraser of McInnes Cooper and Lisa Lifshitz of Gowling Lafleur Henderson LLP.

The definition of personal information has been changed slightly. It is now simply defined as: “information about an identifiable individual”. Along with that comes a new definition of “business contact information”, which expands the “business card” exception that does not now include e-mail address. It also adds a requirement that the reason for the use or disclosure of business contact information be “in relation to their employment, business or profession”.

A new section 6.1 clarifies “valid consent” in terms of the need for the individual to understand what they are consenting to – including the nature, purpose and consequences. This may lead to some practical challenges in how to communicate that effectively – particularly “consequences”.

It will add mandatory breach notifications in certain situations, the provisions for which are very detailed.

Material breaches of “security safeguards” must be reported to the Privacy Commissioner.

Notifications must be made to individuals involved if the breach could lead to a “real risk of significant harm to the individual”.

There is also a 3rd possible notification to a third party organization if that organization could reduce the risk of harm. It is unclear who that might be.

It adds a business transactions exemption, which is long overdue. Most practitioners have proceeded as if these amendments were already there.

It includes a broad definition of “business transaction” (business sale, merger, financing…), and allows personal information to be transferred without consent, provided that certain safeguards are complied with. These rules do not apply if the primary purpose of the transaction is the disposition of the personal information. If that is the case (such as the sale of a customer list), then the basic PIPEDA requirements come into play.

PIPEDA has the concept that information can be given to “investigative bodies” as approved by regulation. That concept will be removed, and replaced with a more flexible arrangement that allows disclosure to another organization if “necessary” to investigate a breach of an agreement or law, or to prevent, detect or suppress fraud.

November 7, 2011

Changes clean up privacy laws

— David Canton @ 9:38 am

For the London Free Press – November 7, 2011 – Read this on Canoe

The Canadian government recently introduced Bill C-12 (the Safeguarding Canadians’ Personal Information Act) that contains amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The PIPEDA privacy legislation charted new territory when it was enacted a few years ago. Most of these amendments are a result of things learned since then, and have been contemplated for some time.

For example, the new bill amends the “business card exemption” to make it clear that one’s business e-mail address is not personal information.

It was a glaring error when a person’s business telephone number and physical address were deemed not to be personal information, but their business e-mail address was considered personal information.

Provisions are included to govern privacy issues when personal information is transferred during corporate mergers and acquisitions. That includes things such as customer information. This was another glaring error that needed to be corrected.

One of the controversial sections of PIPEDA was the ability (but not the obligation) to provide personal information to government authorities if they provide the custodian of the information with proof of its “lawful authority.”

The meaning of “lawful authority” has been debated over the years. Out of an abundance of caution, many organizations simply required a subpoena or court order before they would turn personal information over to police.

The proposed amendments contain a provision saying that lawful authority means something other than a subpoena or court order. But this addition is not helpful in describing what lawful authority is.

The amendments contain lengthy provisions that will, for the first time, require disclosure of privacy breaches. When enacted, these provisions will require certain breaches to be reported to either the privacy commissioner, to individuals who may be affected, or both.

Not all privacy breaches must be disclosed. The amendments list various factors to determine whether a breach is material and thus must be disclosed to the commissioner.

Factors include the sensitivity of the personal information, the number of individuals affected, and whether the breach indicates there is a systemic problem.

The test to determine whether a breach must be disclosed to individuals is slightly different, being whether “the breach creates a real risk of significant harm to the individual.”

The tests to determine when the thresholds have been reached to require disclosure to the commissioner or the public are somewhat subjective. No doubt the privacy commissioner will interpret the thresholds to be lower than some entities facing a breach would interpret it.

It will be interesting to see how the breach disclosure sections work in practice. Some entities have been very forthright about disclosing privacy breaches. They may consider it the right thing to do, or fear the headline risk if the fact there was a breach is disclosed by another source.

Of course, we may not know how many privacy breaches have not been disclosed that these sections will now require to be disclosed.

July 18, 2011

Privacy Laws need constant updating

— David Canton @ 6:57 am

For the London Free Press – July 18, 2011 – Read this on Canoe

The Canadian privacy commissioner, in her 2010 annual report to Parliament, commented on what she believes to be the future of privacy law in Canada.

Jennifer Stoddart mentions three things that need to happen for Canadians to secure a future that is private. They are enforcing privacy laws and ensuring they remain modern and relevant, increasing co-operation between privacy authorities and ensuring that privacy literacy matches our online literacy.

With respect to modern legislation, the privacy commissioner posed the following question: “laws designed for a bricks-and-mortar world up to the task of protecting privacy in the online context?”

The privacy commissioner views it as crucial to the future of Canadians that privacy laws are constantly updated to meet current and future challenges. The drafters of the Personal Information Protection and Electronic Documents Act (PIPEDA) – which is the cornerstone of Canadian privacy law – created the legislation in a way that mandated a review of the act by Parliament every five years. The first review occurred in 2006. The next review is scheduled to begin in 2011.

Perhaps the most interesting recommendation arising from the report is not something from the commissioner herself, but rather from two legal scholars involved in the preparation of the latest PIPEDA review.

The scholars – Sossin, dean of Hall law school, and Prof. France Houle of the of Montreal – recommended the office of the privacy commissioner should acquire limited power to make orders, including the ability to impose penalties such as fines. They also proposed explicit guideline-making power to assist with the fair and transparent implementation of new order-making powers. This controversial suggestion would significantly increase the power and authority of the privacy commissioner and will no doubt be the subject of debate during the 2011 review.

The increased popularity of the commissioner over the years is remarkable.

The commissioner opened a second office in 2010 in Toronto. The office is targeted at the business, industrial and academic sector located in the GTA. The office of the privacy commissioner determined that almost 44.5% of respondent organizations were located in Toronto or in the GTA.

The privacy commissioner’s office received 200 requests to present speeches and attended and delivered 150 speeches and presentations in 2010. The commissioner also received more than 250 media requests; launched a blog, youth website and youth blog; sent out 700 tweets and attracted almost 2,000 followers on Twitter.

It is ironic to note the privacy commissioner uses various types of social media – such as Facebook and Twitter – to warn Canadians of the privacy dangers of using social media.

Even in the digital age, the paper publications of the privacy commissioner have remained quite popular. The office distributed almost 15,500 publications in 2010 – including pamphlets, guidance documents, fact sheets, guides for businesses and individuals and annual reports.

June 6, 2011

Leons Privacy case may go to Supreme Court

— David Canton @ 11:06 am

Last April the Alberta Court of Appeal overturned an Alberta Privacy Commissioner ruling and decided that Leons furniture store was justified in collecting driver’s license and license plate information from customers picking up furniture. The decision and some of its reasoning were counter to that typically espoused by various privacy commissioners.

The Alberta Privacy Commissioner has asked for leave to appeal the decision to the Supreme Court of Canada. Having the SCC weigh in here might lead to some clarity on this issue.

More detail and links to background material is in this post by David Fraser.

April 27, 2011

PIPEDA amendments in force April 1

— David Canton @ 12:15 pm

That’s the title of my Slaw post for today.  It reads as follows.

We have mentioned before that the Anti-Spam act (Bill C-28) will not come into force until the fall. (It may potentially be delayed because the election has delayed the creation of the regulations that must be in place before it is in force.) Several sections of the act that amend PIPEDA (Personal Information Protection and Electronic Documents Act) were however proclaimed in force effective April 1.

The PIPEDA amendments from the Anti-Spam act are in force to the extent that they are administrative in nature. Those that interact with the anti-spam provisions are not yet in force, and presumably will come into force at the same time as the Anti-Spam act.

These are some of the noteworthy changes.

A new section 12 gives the Commissioner the ability to refuse to investigate a complaint in certain circumstances. Essentially if there is a better forum for the complaint, or if a complaint is not filed within a reasonable time.

Section 12.2 gives the Commissioner the ability to discontinue a complaint in certain circumstances, such as where there is insufficient evidence, the complaint is frivolous, the organization has given a fair and reasonable response, or where it has been addressed in another procedure.

A new section 23 expands the scope of permitted sharing of information by the Commissioner with provincial and international counterparts. The idea is to foster co-operation in investigations.

And of course the bill that proposed specific changes that arose from the 5 year PIPEDA review died with the election. It contained many housekeeping changes that were essentially shortcomings to the legislation raised by experience. It also contained new things like notice requirements for privacy breaches. We will have to wait for a while to see what happens to that draft bill.
