Happy Data Privacy Day

From the Privacy Commissioner of Canada: “On January 28, Canada, along with many countries around the world, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.”

Privacy becomes increasingly challenging with new tech such as big data, the internet of things, wearable computers, drones, and government agencies recording massive amounts of data in the name of security.  Sober thought needs to go into balancing the advantages of such things with privacy rights, creating them in a privacy sensitive way, and giving people informed choices.

dpd_englishprivacy sample

Cross-posted to Slaw 



Here’s how changes to PIPEDA would work

For the London Free Press – July 8, 2013 – Read this at lfpress.com

The Privacy Commissioner of Canada (OPC) recently released a report recommending reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the privacy legislation that governs private-sector privacy generally in Ontario and many other provinces.

The report noted that, “Ninety per cent of the data that exists in the world today has been created in the last two years,” and PIPEDA needs to evolve.

The report highlighted four recommendations.

1: Strengthen enforcement and encourage greater compliance

Statutory damages (meaning set damages without any requirement of proof) for certain contraventions of PIPEDA. The report cites the Copyright Act as a successful example of a statutory-damages regime.

Order-making powers to give the Commissioner the ability to issue a binding order to either enforce an action or prevent one from being committed. At present, the Commissioner can only recommend this type of action.

Administrative monetary penalties (AMPs) are suggested as a means of bringing organizations into compliance with PIPEDA. AMPs are similar to fines, but would be assessed directly by the Commissioner.

Why the OPC wants this: “It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.”

2: Shine a light on privacy breaches

Require organizations to report breaches of personal information to the Commissioner and to affected individuals.

Why the OPC wants this: Some organizations voluntarily report and inform individuals of privacy breaches. Some organizations do not. Those that do voluntarily report may face negative financial and reputational consequences while those that do not report may escape any form of recourse. This “creates an uneven playing field for organizations.”

3: Lift the veil on authorized disclosures

PIPEDA allows disclosure of personal information to a government institution without the knowledge or consent of the affected individual, upon request. Organizations may, but don’t always, challenge or refuse these requests. The OPC would require organizations to maintain a record of disclosures to government and make it publically available.

Why the OPC wants this: Canadians seeking access to their personal information would be able to find out if their information had been disclosed. There is no transparency or clear rules about what information can and should be provided to government institutions without a court order.

4: Walk the talk

Enforceable agreements would force an organization, at the end of a privacy investigation, to agree with the Commissioner’s recommendations and to comply within a set time period.

Make accountability provisions subject to review by the Federal Court.

Why the OPC wants this: Monitoring and analyzing a company’s actions are just as time-consuming as the Commissioner’s investigations.


Holistic strategy is better for privacy laws

For the London Free Press – May 6, 2013 – Read this at lfpress.com

There has been controversy in the United States in the last few weeks about their patchwork of privacy laws in contrast to the holistic approach favoured by Canada and the European Union. This matters as commerce and cloud services become more borderless.

The U.S. approach to privacy has been to enact laws that apply to narrow areas as problems are perceived, rather than to look at privacy as a broader subject to regulate.

For example, in 1988 the United States Congress passed the Video Privacy and Protection Act to prevent wrongful disclosure of videotape rental or sale records. Though such laws may be effective in the short term, they have a narrow focus, fail to address future technology and leave gaps. And the process to change existing laws is typically glacier slow.

Some privacy regulation is the U.S, isn’t based on privacy laws at all, but on regulatory action and class-action lawsuits based on notions such as the breach of a company’s privacy policy. In other words, the wrong was a breach of a privacy promise, not a breach of a legal privacy requirement.

In contrast, the Canadian and European model deals with privacy on a holistic basis. The holistic approach allows for existing privacy laws to adapt to new technologies rather than having to create new privacy laws in response to new technologies.

In any given Canadian province there are likely no more than two privacy statutes that apply to the private sector.

One applies to personal information generally, and there’s often a separate one that applies to medical records. This is a far more stable, all-encompassing and technology-neutral approach to privacy issues than the U.S. model.

Peter Fleischer, global privacy counsel at Google, recently commented on this issue and his desire to see the United States enact better privacy laws. He notes not a single country has followed the U.S. model.

Fleischer praises European privacy laws for their simplicity and warns if changes aren’t made to the U.S. approach “privacy will prove a serious roadblock to any such future trade back (with the European Union), as long as some people in Europe can argue that the U.S. has not-effective privacy laws.”

Fleischer provides the example of Uruguay that has looked to Spain. as opposed to the U.S., when drafting its recent privacy laws.

In the long run, the holistic approach is a far better and more effective model to protect privacy interests. The holistic approach makes it easier for businesses to understand their obligations and comply, easier for individuals to know where they stand, has less risk of leaving privacy gaps, and makes it easier to deal internationally when other countries require privacy protection as a condition of personal information crossing borders.

As the world continues to emerge from the global economic crisis and the trend toward global integration continues, Canada’s holistic privacy framework will help us take advantage of global opportunities while a less-effective framework could damage U.S. efforts.


Perspective is an important element of Privacy

Todays Slaw post:

One thing I find consistent about privacy issues is an inconsistency in approach and viewpoint.  What is and is not deemed acceptable seems to change dramatically based on several factors, including geographic location (which I suppose is really more of a cultural issue than a geographic one), whether it is about one’s own information or you are doing something with someone else’s information, and whether the party with the information is government or business.

Many times it comes down to issues of trust, understanding, surprise, and how public one wants their life to be.

An example is in this article entitled Eric Schmidt is using the same argument against drones that others use against Google Glass.

One of the most common concerns raised about Google Glass (other than looking like a nerd) is the potential for privacy invasion.  The more of these there are around, the more likely each one of us is going to be captured on the video they can take whether we like it or not. And where is all this video going to end up?  That issue has also been raised about drones.  Google’s Eric Schmidt has apparently stated that drones should be strictly regulated for privacy reasons, which seems inconsistent with their approach to Google Glass.

Perhaps one explanation for this could be that privacy in the United States is viewed differently than in Canada and other parts of the world.  In the US, privacy is not approached as a holistic discrete topic to be regulated by general principles.  Instead, it is regulated on a piecemeal basis, such as a privacy law that applies only to movie rentals.


Privacy Abuses and Leaks

Today’s Slaw post

Two current privacy stories are worth mentioning. First, see this CBC news article entitled Political parties operate outside Canada’s privacy laws. The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.

Also see this article entitled Websites leaking customers’ personal info, says privacy watchdog and the PrivacyCommissioner’s news release. The issue here is the revelation by the Canadian Privacy Commissioner, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third party advertising and marketing firms without user consent.

Here is an infographic on web leakage provided by the Commissioner.

While on the surface, privacy issues can appear to be simple, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face that they may not be able to use personal information to their advantage without permission.

UPDATE: Sept 27 And see this article about an MP’s email exposing 1500 addresses.


Children and website privacy

Today’s Slaw post:

Last week Jennifer Stoddart, the Privacy Commissioner of Canada, spoke at an IT.Can teleconference about online behavioural advertising. Online behavioural advertising means tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests. One point she made that I found interesting was about children.

Some countries have laws that specify how children under a certain age are to be treated online including what can be directed to them, and when parental consent is needed. That does not exist here.

The Commisioner’s approach is that if sites are aimed at children, then privacy disclosures and consents must be simple and clear and understandable by children. Which of course means that one should not be doing things with their personal information that requires consent if they are incapable of understanding and giving an informed consent. This approach is somewhat consistent with the approach to consent to health care treatment where children are able to give consent to many types of treatment on their own, provided they are capable of giving an informed consent.

The Commissioner also made it clear that children should not be tracked online, and thus behavioral advertising should not be directed to children.

Busy privacy week – Two privacy reports and a Supreme Court of Canada appeal

My latest Slaw post:

This has been a busy week for privacy news.

Anne Cavoukian, the Ontario Privacy Commissioner, released her annual report entitled “2011 Access & Privacy – Ever Vigilant”. Topics discussed in the report include privacy by design, biometrics, mobile devices, lawful access legislation, and open data. From the report:

The theme of my 2011 Annual Report — Ever Vigilant — was chosen in large part because this year Ontarians faced what I consider to be one of the most invasive threats to our privacy and freedom that I have encountered in 25 years of safeguarding citizens’ rights and championing openness and transparency in government.

That threat presented itself as lawful access legislation proposed by the federal government. The legislation was designed to provide police with much greater ability to access and track information about identifiable individuals via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, and at times, without a warrant or any judicial authorization. Telecommunications service providers would also be required to build and maintain intercept capabilities in their networks for use by police.

It my view, it is highly misleading to simply call such legislation “lawful access” or to champion it as a child protection measure. The broad powers proposed represent much more — they represent a looming system of “Surveillance by Design.”

The Alberta Privacy Commissioner, Jill Clayton, announced that she is applying to the Supreme Court of Canada for leave to appeal an Alberta Court of Appeal ruling that said parts of the Alberta privacy legislation violates the Charter of Rights and Freedoms.

Jennifer Stoddart, the Privacy Commissioner of Canada, released her annual report on PIPEDA entitled “Privacy for Everyone”. Topics discussed in her report include children and youth privacy, biometrics, big data, online privacy, lawful access, and updating PIPEDA. From the report:

Young Canadians are the most open to adopting new communications technologies which can, in some cases, invade their privacy. This holds true, not surprisingly, for those aged 18 to 34, as confirmed by a national opinion survey carried out this year for the OPC. (See section 3.3)

But the true adoption age for digital media is much, much younger.

We know, for example, that thousands of apps targeted at babies and toddlers are now available to teach little ones the alphabet and to entertain them with nursery rhymes.

The evidence may still be mostly anecdotal, but one recent study found that a third of North American Gen-Y moms (those aged 18 to 27) have let their children use a laptop by age two.

By the time the kids are three, those laptops and tablets are connected to the Internet daily for about a quarter of U.S. kids, according to the Joan Ganz Center in New York. By age five, the proportion online has soared to half.

We are giving our children unprecedented access to the Internet, but what are we doing to teach them about how to protect their privacy in the online environment?

We often hear the claim that young people growing up in this digital era do not care about privacy. This is not true.

While concepts of privacy are evolving, and young people tend to think about privacy differently than their parents, study after study shows that young people do care about their privacy.


Do Privacy Laws Need More Teeth?

Today’s Slaw post.

Canada’s Privacy Commissioner, Jennifer Stoddart, appeared yesterday before the House of Commons access to information, privacy and ethics committee.

The Commissioner would like PIPEDA to include stronger penalties for privacy violations as an incentive to comply. PIPEDA currently has no financial sanctions. If a violator does not conform to a decision of the Commissioner, the recourse is for the Commissioner to take it to the Federal court, which has powers to order compliance and grant damages.

In part this seems to be driven by “…the apparent disregard that some of these social media companies have shown for Canadian privacy laws.”

I’m wondering what readers think about this.

Would the ability to collect financial penalties for PIPEDA violations make a difference?

Does the complexity and newness of social media products make it inherently difficult to get privacy right and create clear and simple privacy policies – or do they just not put enough effort into it upfront?


Privacy rights getting clearer – Tort recognized for first time

For the London Free Press – March 5, 2012 – Read this on Canoe

The Ontario Court of Appeal just released its decision in Jones v Tsige, recognizing for the first time there is a tort of invasion of privacy in Ontario.

The gist of the facts in Jones was a bank employee looked up banking information about another bank employee who was in a common-law relationship with the defendant’s former husband. She looked at the information at least 170 times over four years, but didn’t publish, distribute or record it.

That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages. The Court of Appeal decided she could, awarding $10,000 in damages.

Until this decision, it was generally felt one couldn’t sue or collect damages for breach of privacy in Ontario.

Previous Ontario trial-level decisions concerning the existence of a tort of invasion of privacy were at best conflicting with the historic, if not conventional, view the tort of invasion of privacy did not exist.

The Jones decision stated that:

It is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

“Intrusion upon seclusion” happens when one intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, in a situation where the invasion would be highly offensive to a reasonable person.

Leading up to this decision, a number of judges at the trial level had refused to strike out claims made under the tort of invasion of privacy at the pleadings stage, as they were unsure if the tort existed.

Privacy Commissioner explains problems with proposed lawful access law

That’s the title of my Slaw post for today.  It reads as follows.

With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.