With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

For more details see the Privacy Commissioner’s website.

Getting the privacy balance right is not easy, from both theoretical and practical perspectives. As examples, here are some recent developments that go both ways.

Pro Privacy

• Proposed Bill C-12 amendments to PIPEDA that would mandate privacy breach notification in certain circumstances.
• The Ontario Court of Appeal decision in Jones v Tsige that created a tort of breach of privacy, or “intrusion upon seclusion” for intentional, offensive privacy invasions.
• The US Supreme court decision in US v Jones that decided police need to get a warrant before attaching a GPS tracking device to a vehicle.

Anti Privacy

• Proposed Bill C-12 amendments to PIPEDA that encourage private entities to give personal information to law enforcement without warrants.
• Proposed “Lawful Access” legislation that allows police to obtain a significant amount of information about our mobile phone and internet accounts without a warrant, and would require ISP’s to retain certain information about us.
• The Supreme Court of Canada’s refusal to hear the appeal of the Leon’s case where the Alberta Court of Appeal said that license plates are not personal information.

The Office of the Privacy Commissioner of Canada (OPC) recently tabled its Annual Report on the Privacy Act. The airport scanner issue receiving much of the press, however there are a number of other noteworthy items in the report. The Privacy Act is the legislation that applies to the Canadian federal government.

Regarding airport scanners, the major concern is whether the Canadian Air Transport Security Authority (CATSA) and the airport screeners it hires under contract are respecting the privacy rights of travellers. While some elements of good privacy management were found, an audit performed earlier in the year identified a number of areas for concern. Of particular note was the security over the images produced by the full-body scanners. Despite being strictly prohibited, a cellphone and closed-circuit television camera were found in the room where officers were viewing the images. These issues were discovered during the audit and were addressed by CATSA.

CATSA has also suggested a plan to observe passengers in the airport pre-boarding areas for suspicious behaviour. OPC expressed a number of concerns including the potential for inappropriate risk profiling based on characteristics such as race, ethnicity, age or gender.

The report also looked at various forms of biometric information such as fingerprints and facial images. Although the collection of biometric information can lead to highly reliable identification systems — certainly more reliable than paper systems — the collection and use of this information has also raised significant privacy concerns. While biometric information has the potential to bolster identification systems, it can also lead to privacy concerns regarding covert collection of data, cross-matching and unwanted secondary disclosure. To aid organizations looking to utilize biometric information, the OPC has prepared a primer that helps to identify the pros and cons of biometric data systems.

Also addressed in the report was a complaint made by an individual who was asked by Canada Post to provide identification in order to terminate the rental of a postal box. After review, OPC found that Canada Post has a statutory obligation to provide a secure postal service and that the collection of personal information was consistent with that mandate. The purpose of the data collection was to ensure that postal boxes were not being used or closed fraudulently and further to aid in the investigation of illegal goods shipments. OPC determined that the collection of data for these purposes was reasonable and that the complaint made was not well founded.

Privacy issues are often a balancing act between too much and too little. OPC’s annual report looks to identify areas of concern and make recommendations as to how to strike an appropriate balance. Governments require personal information to properly exercise their functions, however the question quickly becomes “how much collection and use is too much?” A complete copy of OPC’s Annual Report to Parliament is on OPC’s website at www.priv.gc.ca.

The Ontario Court of Appeal just released its decision in Jones v Tsige saying that there is a tort of invasion of privacy in Ontario.  Until this decision, it was generally felt that this right did not exist in Ontario.  The court also refers to the tort as intrusion upon seclusion.

The gist of the case is that a bank employee looked up banking information on someone she knew (another bank employee who was in a common-law relationship with the victim’s former husband) - at least 174 times over a 4 year period.  That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages for it.  The Court of Appeal decided she could, and awarded $10,000 in damages.

To be actionable:

• the defendant’s conduct must be intentional, including recklessness;
• the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
• a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

It does not apply to intrusions into every private or personal matter. The decision says that it is only intrusions into matters such as:

• financial or health records
• sexual practices and orientation
• employment
• diary or private correspondence

For a more detailed analysis, see these posts by Omar Ha-Redeye on Slaw and David Fraser

Ann Cavoukian – the Ontario Privacy Commissioner – has written an excellent op-ed in the Financial Post entitled Beware of ‘Surveillance by Design’.

It starts off with:

I feel the need to raise a growing concern regarding the lack of understanding of a key privacy issue – the ease of data linkages in an ever-increasing online world.

In this day and age of 24/7 online expanded connectivity and immediate access to digitized information, new analytic tools and algorithms now make it possible, not only to link a number with a name, but also to combine information from multiple sources, ultimately creating an accurate profile of a personally identifiable individual.

The Commissioner weighs in on the controversial Alberta Leon’s case that decided license plates are not personal information – which differs from other provinces.

She also expresses her concerns about the pending federal “lawful access” laws, saying that:

In my view, this represents a looming system of “surveillance by design,” that should concern us all in a free and democratic society.

To call a smart-phone a phone is really a misnomer. We need to think of them as computers with internet connections that we carry around in our pockets.

Why is this an important distinction? From a legal perspective, that changes the perspective tremendously. Consider Connie Crosby’s Slaw post “Digital Wallets on Their Way” , and the comment on the post musing about privacy and the warrant-less search of cellphones that is being debated in various jurisdictions.

The privacy aspects of a phone that just makes phone calls without retaining any information, and the consideration of whether law enforcement needs a warrant to look at it – are much different than for the devices we have now. Legislators and courts need to consider that looking at a person’s phone may be the equivalent of walking into their house and looking at their bank statements, credit card bills, reading material, photo albums, and mail, and while they are there, nosing around on their computer to see all the files, email and whatever else is there including the sites they visit.

Considerering just the phone aspect for the moment, they track and save data on not only what calls you made, to who, and for how long – but also where you were when you made the call.

Other information that might reside on our cell phones include personal and confidential information such as banking information, health information, where we have been and when, and records of communications on various platforms that are meant to be private. Also consider that for many it is not only personal use, but also business use that will contain personal and confidential information of others.

And while you can make phone calls on smartphones, consider the other devices that they replace, and other things that they do:

Digital wallet, GPS, map, tracking device, camera, video camera, email client, social media client, phone directory, calendar, note pad, to do list, grocery list, book reader, magazine reader, newspaper reader, web browser, clock, alarm clock, file storage, dictation device, music player, video player, video game player, radio, video-phone, TV, dictionary, encyclopedia, research assistant, comparison shopper, calculator, wi-fi hot spot, bar code scanner, ephemeris, music composer, video / music editor, cookbook, translator, metronome, flashlight, level, … and the list goes on.

The trend to more invasive surveillance and control by North American governments (indeed, by many countries that we consider civilized democracies), or their granting of too much control to others is disturbing. Too many things are making creeping (and sometimes creepy) inroads into privacy rights, along with the usual specious “if you’ve got nothing to hide… ” argument. Too many things are tending towards shoot first, ask questions later. And governments are too eager to look to ISP’s and others who run the internet pipes to control what flows through.

Some examples:

The proposed US SOPA (Stop Online Piracy Act) that is being loudly opposed. It has been characterised as net censorship, an attempt to regulate the internet, and breaking the internet as we know it. It could result in entire web sites being taken down based merely on an allegation that one post or comment infringes copyright.

The proposed Canadian Lawful Access legislation that would allow much more invasive internet information to be given to authorities without warrants. This resulted in a lengthy letter by the Privacy Commissioner to the Ministers responsible.

The increasing use of license plate cameras by police, such as in the Washington DC area. In its simplest, most privacy friendly form, car mounted or fixed cameras read car license plates and flag any that are contained in a database of stolen or suspect vehicles. No record is kept of any plates other than those of interest. But it has come to light that some of the systems store the details of every single plate that they capture, and retain that for long periods of time.

The Canadian government recently introduced Bill C-12 (the Safeguarding Canadians’ Personal Information Act) that contains amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The PIPEDA privacy legislation charted new territory when it was enacted a few years ago. Most of these amendments are a result of things learned since then, and have been contemplated for some time.

For example, the new bill amends the “business card exemption” to make it clear that one’s business e-mail address is not personal information.

It was a glaring error when a person’s business telephone number and physical address was deemed not to be personal information, but their business e-mail address was considered personal information.

Provisions are included to govern privacy issues when personal information is transferred during corporate mergers and acquisitions. That includes things such as customer information. This was another glaring error that needed to be corrected.

One of the controversial sections of PIPEDA was the ability (but not the obligation) to provide personal information to government authorities if they provide the custodian of the information with proof of its “lawful authority.”

The meaning of “lawful authority” has been debated over the years. Out of an abundance of caution, many organizations simply required a subpoena or court order before they would turn personal information over to police.

The proposed amendments contain a provision saying that lawful authority means something other than a subpoena or court order. But this addition is not helpful in describing what lawful authority is.

The amendments contain lengthy provisions that will, for the first time, require disclosure of privacy breaches. When enacted, these provisions will require certain breaches to be reported to either the privacy commissioner, to individuals who may be affected, or both.

Not all privacy breaches must be disclosed. The amendments list various factors to determine whether a breach is material and thus must be disclosed to the commissioner.

Factors include the sensitivity of the personal information, the number of individuals affected, and whether the breach indicates there is a systemic problem.

The test to determine whether a breach must be disclosed to individuals is slightly different, being whether “the breach creates a real risk of significant harm to the individual.”

The tests to determine when the thresholds have been reached to require disclosure to the commissioner or the public are somewhat subjective. No doubt the privacy commissioner will interpret the thresholds to be lower than some entities facing a breach would interpret it.

It will be interesting to see how the breach disclosure sections work in practice. Some entities have been very forthright about disclosing privacy breaches. They may consider it the right thing to do, or fear the headline risk if the fact there was a breach is disclosed by another source.

Of course, we may not know how many privacy breaches have not been disclosed that these sections will now require to be disclosed.

It is a combination of things like mobile access, handheld computing power, inexpensive apps, cloud computing, location awareness, and social media.

Consider this: mobile devices are outselling PC’s, and digital media is equal to television in importance amongst ad executives. 

The explosion of smartphones and tablets enables us to get information about almost anything immediately wherever we are.  And to provide information to others just as quickly.  Tools like Google Goggles and Siri can do that by simply taking a picture of something, or speaking into our phones. (And really, the “phone” part of our phones is dwindling in importance to the rest of their features.)

All businesses and organizations should be thinking about how this is now affecting  them, and how it will affect them in the future – both in how it will challenge their current business models, and how they can use it to their advantage. 

And don’t forget to think about who your competitors will be.  For example, who is going to own the mobile payment space?  It might be the banks and credit card companies – but it could be telcos or Google.

It also raises interesting legal issues – like who owns the movie rights to a crowdsourced story, and how do privacy rights tie in with location aware services?

The one certain thing is that we ignore this revolution at our peril.