David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.



April 27, 2011

PIPEDA amendments in force April 1

David Canton @ 12:15 pm

That’s the title of my Slaw post for today.  It reads as follows.

We have mentioned before that the Anti-Spam act (Bill C-28) will not come into force until the fall. (It may potentially be delayed because the election has delayed the creation of the regulations that must be in place before it is in force.) Several sections of the act that amend PIPEDA (Personal Information Protection and Electronic Documents Act) were, however, proclaimed in force effective April 1.

The PIPEDA amendments from the Anti-Spam act are in force to the extent that they are administrative in nature. Those that interact with the anti-spam provisions are not yet in force, and presumably will come into force at the same time as the Anti-Spam act.

These are some of the noteworthy changes.

A new section 12 gives the Commissioner the ability to refuse to investigate a complaint in certain circumstances: essentially, if there is a better forum for the complaint, or if a complaint is not filed within a reasonable time.

Section 12.2 gives the Commissioner the ability to discontinue a complaint in certain circumstances, such as where there is insufficient evidence, the complaint is frivolous, the organization has given a fair and reasonable response, or where it has been addressed in another procedure.

A new section 23 expands the scope of permitted sharing of information by the Commissioner with provincial and international counterparts. The idea is to foster co-operation in investigations.

And of course the bill that proposed specific changes that arose from the 5 year PIPEDA review died with the election. It contained many housekeeping changes that were essentially shortcomings to the legislation raised by experience. It also contained new things like notice requirements for privacy breaches. We will have to wait for a while to see what happens to that draft bill.

April 6, 2011

privacy and driver’s licenses and license plates

David Canton @ 7:49 am

That is the title of my Slaw post for today.  It reads as follows:

Various Canadian Privacy Commissioners have taken the position that car license plate numbers are personal information, and thus subject to privacy legislation. That comes up, for example, in the context of Google street views, where Google has been told they must blur license plate numbers.

Various Privacy Commissioner decisions have also limited the use of driver’s license information. For example, a store may ask to see a driver’s license as identification for someone returning a purchase as a fraud prevention measure, but the store is only supposed to look at it, not record the information on it.

Those principles are now in question as a result of an Alberta Court of Appeal Decision. (Or at least as far as Alberta privacy legislation is concerned.)

In Leon’s Furniture v Alberta the Court of Appeal said that license plate numbers are not personal information. And that a business can record driver’s license numbers so long as there is a reasonable need, and appropriate safeguards are in place.

Given the impact of this decision it would not be surprising if it was appealed. The decision contains a dissent that Privacy Commissioners will no doubt find encouraging.

For more commentary and analysis about the case see All About Information and the Canadian Privacy Law Blog. The decision is here.

March 25, 2011

Two noteworthy Ontario privacy decisions

David Canton @ 10:12 am

The Ontario Superior Court of Justice just released a decision saying that there is no free-standing tort of invasion of privacy in Ontario.  For more detail see the Jones v Tsige decision (pdf), and commentary by David Fraser and All About Information.

The Ontario Court of Appeal in its decision in R v Cole talks about an employee’s expectation of privacy on a work computer.  For more detail see commentary by David Fraser and Dan Michaluk.   This decision was very fact driven, and found that there was an expectation of privacy for a work laptop for which the employee had permission to use for personal work, and to take home.  It tempered that expectation by an implied right of access by IT personnel to service and maintain the network.  And explicit company policies can counter that expectation.

So if your business does not have a technology use policy that addresses this issue, you should consider implementing one.

December 13, 2010

From spam to copyright, lots of new laws on the way

David Canton @ 8:13 am

For the London Free Press – December 13, 2010

Proposed legislation could have major implications for businesses, consumers

Development and innovation of technology inevitably breeds new laws to regulate that technology. For lawyers practising Information Technology law, there is a considerable amount of potential new law to digest.

For example, Bill C-28, the Fighting Internet and Wireless Spam Act, brings in several anti-spam measures. While this is welcome by most people, the language may take in things we may not consider to be spam and affect how typical businesses communicate. Since the penalties are significant, we need to take a close look at this act before it takes effect to understand what it will mean for a typical business or organization.

Bill C-29 would make several changes to the Personal Information Protection and Electronic Documents Act. Most of these were expected – and welcome – because they address issues arising from the current law.

But there are new parts that could use clarification. Language that tries to clarify what constitutes “lawful authority” to release information to law enforcement when requested doesn’t make clear what proof or threshold of proof is required. It also contains language requiring that the privacy commissioner and affected individuals be notified of breaches in some circumstances. The language has threshold tests, which on the surface are not as clear as they might be. If this language stays, it may take a decision by the privacy commissioner and/or a court to clarify the threshold.

Bill C-32, the Copyright Modernization Act, is the latest of several attempts to amend the Copyright Act. Controversial elements include digital lock provisions that would let publishers trump user rights. Much has been written about this, including a book entitled From Radical Extremism to Balanced Copyright: Canadian Copyright and the Digital Agenda, written by several copyright experts.

Bill C-51, which would amend the Criminal Code, Competition Act and Mutual Legal Assistance in Criminal Matters Act a.k.a. Investigative Powers for the 21st Century Act, is the latest effort to give law enforcement more access to electronic communications.

But what proponents call “lawful access” bills, critics deride as “awful access” bills. They question whether making things easier for law enforcement is worth the significant erosion in privacy and extra costs to Internet service providers.

These bills may have far-reaching practical implications, not only for many businesses and organizations, but also for consumers.

November 3, 2010

Plethora of Pending IT Legislation

That’s the title of my Slaw post for today.  It reads as follows.

Those who practice in the IT area have a lot of potential new law to digest.  The Federal government has several bills in various stages that will affect many businesses and organizations, and all of us as consumers.  These bills have been mentioned on Slaw, but I thought it was worthwhile listing them all in one place. 

Bill C-28    Fighting Internet and Wireless Spam Act.  

This bill brings in several anti-spam measures.  While this is welcome by most people, the language has the possibility to affect how typical businesses communicate.  Things that we may not consider to be spam might get caught by the act.  Since the penalties are significant, we will have to take a close look at this before it is in force to understand what it means for a typical business or organization. 

Bill C-29     An Act to amend the Personal Information Protection and Electronic Documents Act

This would make several amendments to PIPEDA. Most of the amendments were expected, and are welcome as they address issues that have arisen from the current legislation. There are a couple of new parts that could use some clarity, though. Language that attempts to clarify what “lawful authority” is that allows one to release information to law enforcement doesn’t really seem to clarify what the threshold of proof is, or what to ask for. It also contains language that requires notification of breaches in certain circumstances to both the privacy commissioner and the affected individuals. The language has threshold tests – which on the surface are not as clear as they might be. If this language stays, it may take a privacy commissioner decision and/or court decision to clarify the threshold. The best source for more information is David Fraser’s blog.

Bill C-32     Copyright Modernization Act.

This is the latest of several attempts over the years to amend the Copyright Act.  Controversial elements include digital lock provisions that will allow publishers to trump user rights.  There has been a lot written about this, including a book entitled From “Radical Extremism” to “Balanced Copyright”: Canadian Copyright and the Digital Agenda written by several copyright experts. The best source for more information about the bill is Michael Geist’s blog.

Bill C-51     An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act. 

There also appears to be at least one companion bill, C-52. This is the latest incarnation of what has been dubbed a “lawful access” bill. The bill essentially tries to give law enforcement more access to electronic communications. Critics refer to the bills as “awful access”, and point to the erosion of privacy and the costs ISPs will need to spend. They also question the practical effectiveness of the measures. This bill is hot off the press, and I have not had time to look at it – but in general I fall into the “awful access” camp. Expect more commentary on this from both Michael and David.

October 20, 2010

Privacy Commissioner finds Google Street contravened privacy laws

David Canton @ 7:35 am

That’s the title of my Slaw post for today.  It reads as follows.

There has been a lot of press over the Privacy Commissioner’s decision that the Google Street View collection of information from unprotected wifi signals breached PIPEDA.  See the press release, and the decision.  See examples of press reports by the CBC and  CTV.   The CTV report says that Spanish regulators announced they were filing a lawsuit against Google for the incident, seeking millions in fines.

I know nothing more about this than I read in the press – but I think we need to put Google’s actions in perspective here. Yes, it should not have collected that data. And yes, PIPEDA and the privacy laws of other countries were violated. And yes, it should take steps to ensure something like this won’t happen again.

But when Google realized what it had done, it immediately stopped collecting it, isolated the information, saved it for the sole purpose of allowing investigators to look at it with a promise to destroy it once that was done, alerted the public and privacy authorities, and cooperated freely and frankly with privacy authorities. Personal information was not released to anyone or used for any improper purpose. No actual harm occurred to anyone. It was an error, not an intentional flouting of privacy laws.

So despite the fact that inappropriate collection occurred, its reaction was a model of cooperation consistent with its “Do no evil” mantra. 

In my view, attempts by regulators to collect massive fines are misguided.  It in essence punishes for making it public and cooperating, not for the improper collection.  Facing the spectre of fines would make companies want to keep such incidents to themselves – which is not what regulators want.

October 18, 2010

Privacy enforcement transcends all borders

David Canton @ 11:52 am

For the London Free Press – October 18, 2010

Global Privacy Enforcement Network aids cross-border co-operation to enforce privacy laws

In the age of Facebook and MySpace, privacy issues do not stop at national boundaries. More and more, business relies on a flow of personal information across both national and jurisdictional borders. As a result, privacy enforcers have begun to strengthen their capacity for cross-border co-operation.

Thirteen privacy enforcement authorities, including Canada’s Office of the Privacy Commissioner, recently formed the Global Privacy Enforcement Network (GPEN) to aid cross-border co-operation to enforce privacy laws. Other countries with privacy enforcement authorities include the U.S., France, New Zealand, Israel, Australia, Ireland, Spain, the United Kingdom, the Netherlands and Germany.

The global network will be responsible for enforcing laws and investigations to protect personal data. It will encourage its members to develop shared enforcement policies, and support joint enforcement initiatives.

The network does not create new legally binding obligations among the participants. Participation is voluntary, and all member authorities remain subject to domestic and international law. But though each country has unique privacy laws, the protections are similar.

The network has set out steps to further international privacy enforcement co-operation. This includes sharing information about effective investigative techniques and enforcement strategies. It will also organize training sessions on privacy and data security issues with non-governmental advisers from industry, academia, international organizations and professional associations.

The organization is supported by the Organization for Economic Co-operation and Development that, in 2007, adopted a recommendation of cross-border co-operation protecting privacy, calling for member countries to foster the establishment of an informal network of privacy enforcement authorities.

Cross-border privacy enforcement has come a long way over the past few years. As recently as 2007, the Canadian privacy commissioner declined to investigate an American website called Abika that was accused of collecting and disclosing personal information about Canadian citizens without their consent. For a fee, Abika would provide its customers with criminal record searches, e-mail traces, unlisted and cellphone numbers and licence plate details.

The privacy commissioner refused to investigate Abika, thinking it had no authority to do so. Because Abika refused to provide the names of its Canadian-based sources, there wasn’t any means of investigating those companies.

Instead, the privacy commissioner was forced to rely on the U.S. Federal Trade Commission for enforcement. The commission found Abika violated privacy laws, and placed an injunction on Abika prohibiting it from trading personal information without express written permission from the consumer.

Upon review of the matter, the Federal Court of Canada ordered the privacy commissioner to reinvestigate the issue. Although the privacy commissioner may not have effective enforcement mechanisms, the prevailing legislation – the Personal Information and Protection of Electronic Documents Act – still gave the commissioner the power to investigate complaints relating to the transborder flow of personal information.

That decision, the formation of the Global Privacy Enforcement Network, and the Canadian Privacy Commissioner’s investigations of companies such as Facebook, show that privacy enforcement will occur without national borders getting in the way.

August 9, 2010

PIPEDA governs how data is collected and used

David Canton @ 8:21 am

For the London Free Press – August 9, 2010

Case involves actions undertaken by insurer State Farm on behalf of a client

The Federal Court of Canada recently released an important decision on the parameters of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA): State Farm v Privacy Commissioner.

The act is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business.

The act defines commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

In State Farm v Privacy Commissioner, the State Farm Mutual Automobile Insurance Co. questioned the privacy commissioner’s jurisdiction to investigate a refusal to provide access to personal information and her power to compel the production of documents during the course of an investigation.

Specifically, it dealt with a situation where State Farm retained a private investigator on behalf of an insured person who had been sued by a motor-vehicle accident plaintiff. The private investigator conducted video surveillance on the plaintiff. The plaintiff sought access to the surveillance footage under the act.

The court concluded it would not be commercial activity for a defendant, herself, to collect evidence for the defence of a tort claim. There is no “commercial character” associated with that particular activity. The court then concluded that, because the primary characterization of the activity is not commercial, using a third party (such as an insurer, a law firm or a private investigator) to carry it out does not render it commercial.

“I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand – in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action — is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties.”

In this case, the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence by the defendant . . . in order to defend herself in the civil tort action brought against her.

In other words, the decision essentially says that if the act does not apply to something that X does, the fact that X hires someone else to do it (which is a commercial activity) does not turn that something into commercial activity for X, and thus does not make it subject to the Personal Information Protection and Electronic Documents Act.

June 28, 2010

Changes to privacy laws vague

David Canton @ 1:04 pm

For the London Free Press – June 28, 2010

PERSONAL INFORMATION: The language pertaining to ‘lawful authority’ and breach notification is open to interpretation

Bill C-29 was recently introduced to amend the Personal Information Protection and Electronic Documents Act. The bill is an attempt to address a number of shortcomings in the legislation that governs private-sector privacy in Ontario and other provinces.

Most of the changes are welcome. Two changes are controversial: the definition of “lawful authority” and privacy breach notification.

“Lawful authority” determines when an entity can release information to the police without a warrant.

The act permits disclosure of information to government bodies where it has identified its “lawful authority” to obtain the information. Much debate has arisen as to what constitutes “lawful authority.” As a result, some entities won’t release personal information to police without a warrant.

Bill C-29 has attempted to clarify “lawful authority” as follows:

(a) lawful authority refers to lawful authority other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and (b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

So it tells us what “lawful authority” is not, but not how to know when it exists. It really isn’t very helpful.

The second issue deals with breach notification.

The Personal Information Protection and Electronic Documents Act does not require any notification to either customers or the privacy commissioner if personal information has been lost or stolen. The proposed amendments add requirements to notify the privacy commissioner and/or affected individuals in certain circumstances.

That language has threshold tests that are not as clear as they might be. If this language stays, it may take a privacy commissioner or court decision to clarify.

For example, the privacy commissioner must be notified where a “material” breach has occurred. Since “material” remains a subjective test, it is somewhat at the discretion of the entity to determine whether the breach is “material.”

Individuals must be notified only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Again, this requirement is somewhat at the discretion of the entity that would have to notify the individual.

Some will argue that the discretionary component of the notification requirements is valuable as it is not mandatory to disclose minor breaches. That may be a good thing, but it will take some time to figure out how to apply the tests in practice. The difficult part is knowing where the threshold actually is.

The wording of the breach notification provisions leaves the possibility that entities may abuse the discretion provided to them and choose not to report breaches that many would argue are major. That’s especially true since there is no fine or penalty for not doing so.

On the other hand, when it comes to privacy, the “headline risk” of not abiding by the legislation, or being perceived to not be doing the right thing, is perhaps as big a motivator as anything.

May 27, 2010

PIPEDA amendments tabled – bill C29

David Canton @ 7:02 am

PIPEDA, or the Personal Information & Electronic Documents Act is the Canadian privacy law that covers federally regulated entities, and provincially regulated entities in provinces like Ontario that don’t have their own privacy laws.

Bill C29 was introduced in Parliament this week that will make several amendments to PIPEDA.  Most of these amendments have been expected, and are welcome as they address issues that have arisen from the current legislation. 

The press release is here, and the bill here.

For example, expanding the business contact exemption to include an email address, and explicit provisions that deal with the diligence of and transfer of personal information for the sale, merger, etc of a business.

There are a couple of new parts that could use some clarity, though. 

Language that attempts to clarify what “lawful authority” is that allows one to release information to law enforcement doesn’t really seem to clarify what the threshold of proof is, or what to ask for.

It also contains language that requires notification of breaches in certain circumstances to both the privacy commissioner and the affected individuals.  The language has threshold tests – which on the surface are not as clear as they might be.   If this language stays, it may take a privacy commissioner decision and/or court decision to clarify the threshold.

A more complete discussion of the PIPEDA amendments is on David Fraser’s blog. See his overview, and his markup showing the changes.
