Teresa Scassa - Blog

The department formerly known as Industry Canada (now Innovation, Science and Economic Development or ISED) has just released a discussion paper that seeks public input on the regulations that will accompany the new data breach notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA).

The need to require private sector organizations in Canada to report data breaches was first formally identified in the initial review of PIPEDA carried out in 2007. The amendments to the statute were finally passed into law in June of 2015, but they will not take effect until regulations are enacted that provide additional structure to the notification requirements. The discussion paper seeks public input prior to drafting and publishing regulations for comment and feedback, so please stop holding your breath. It will still take a while before mandatory data breach notification requirements are in place in Canada.

The new amendments to the legislation make it mandatory for organizations to report data breaches to the Privacy Commissioner if those breaches pose “a real risk of significant harm to an individual”. (s. 10.1) An organization must also notify any individuals for whom the breach poses “a real risk of significant harm (s. 10.1(3). The form and contents of these notifications remain to be established by the regulations. A new s. 10.2 of PIPEDA will also require an organization that has suffered a reportable breach to notify any other organization or government institution of the breach if doing so may reduce the risk of harm. For example, such notifications might include ones to credit reporting agencies or law enforcement officials. The circumstances which trigger this secondary notification obligation remain to be fleshed out in the regulations. Finally, a new s. 10.3 of PIPEDA will require organizations to keep records of all data breaches not just those that reach the threshold for reporting to the Privacy Commissioner. In theory these records might enable organizations to detect flaws in their security practices. They may also be requested by the Commissioner, providing potential for oversight of data security at organizations. The content of these records remains to be determined by the new regulations.

From the above, it is clear that the regulations that will support these statutory data breach reporting requirements are fundamentally important in setting its parameters. The ISED discussion paper articulates a series of questions relating to the content of the regulations on which it seeks public input. The questions relate to how to determine when there is a “real risk of significant harm to an individual”; the form and content of the notification that is provided to the Commissioner by an organization that has experienced a breach; the form, manner and content of notification provided to individuals; the circumstances in which an organization that has experienced a breach must notify other organizations; and the form and content or records kept by organizations, as well as the period of time that these records must be retained.

There is certain that ISED will receive many submissions from organizations that are understandably concerned about the impact that these regulations may have on their operations and legal obligations. Consumer and public interest advocacy groups will undoubtedly make submissions from a consumer perspective. Individuals are also welcome contribute to the discussion. Some questions are particularly relevant to how individuals will experience data breach notification. For example, if an organization experiences a breach that affects your personal information and that poses a real risk of harm, how would you like to receive your notification? By telephone? By mail? By email? And what information would you like to receive in the notification? What level of detail about the breach would you like to have? Do you want to be notified of measures you can take to protect yourself? Do you want to know what steps the organization has taken and will take to protect you?

Anyone with an interest in this issue, whether personally or on behalf of a group or an organization has until May 31, 2016 to provide written submission to This e-mail address is being protected from spambots. You need JavaScript enabled to view it . The discussion paper and questions can be found here.

Published in Privacy

Technology has enabled the collection and sharing of personal information on a massive scale, and governments have been almost as quick as the private sector to hoover up as much of it as they can. They have also been as fallible as the private sector – Canada’s federal government, for example, has a substantial number of data breaches in the last few years.

What has not kept pace with technology has been the legislation in place to protect privacy. Canada’s federal Privacy Act, arguably a ground-breaking piece of legislation when it was first enacted in 1983, has remained relatively untouched throughout decades of dramatic technological change. Despite repeated calls for its reform, the federal government has been largely unwilling to update this statute that places limits on its collection, use and disclosure of personal information. This may be changing with the new government’s apparent openness to tackling the reform of both this statute and the equally antiquated Access to Information Act. This is good news for Canadians, as each of these statutes has an important role to play in holding a transparent government accountable for its activities.

On March 10, 2016 Federal Privacy Commissioner Daniel Therrien appeared before the Standing Committee on Access to Information, Privacy and Ethics, which is considering Privacy Act reform. The Commissioner’s statement identified some key gaps in the statute and set out his wish list of reforms.

As the Commissioner pointed out, technological changes have made it easier for government agencies and departments to share personal information – and they do so on what he describes as a “massive” scale. The Privacy Act currently has little to offer to address these practices. Commissioner Therrien is seeking amendments that would require information sharing within the government to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with legal obligations to protect privacy, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another.

The Commissioner is also recommending that government institutions be explicitly required under the law to safeguard the personal information in their custody, and to report data breaches to the Office of the Privacy Commissioner. It may come as a surprise to many Canadians that such a requirement is not already in the statute – its absence is a marker of how outdated the law has become. Since 2014, the Treasury Board of Canada, in its Directive on Privacy Practices has imposed mandatory breach reporting for all federal government institutions, but this is not a legislated requirement, nor is there recourse to the courts for non-compliance.

The Commissioner is also seeking more tools in his enforcement toolbox. Under the Privacy Act as it currently stands, the Commissioner may make recommendations to government institutions regarding their handling of personal information. These recommendations may then be ignored. While he notes that “in the vast majority of cases, government departments do eventually agree to implement our recommendations”, it is clear that this can be a long, drawn out process with mixed results. Currently, the only matters that can be taken to court for enforcement are denials by institutions to provide individuals with access to their personal information. The Commissioner is not seeking the power to directly compel institutions to comply with its recommendations; rather, he recommends that an institution that receives recommendations from the Office of the Privacy Commissioner have two choices. They may implement the recommendations or they may go to court for a declaration that they do not need to comply. On this model, relatively prompt compliance would presumably become the default.

The Commissioner is also seeking an amendment that would require government institutions to conduct privacy impact assessments before the launch of a new program or where existing programs are substantially modified. Again, you would think this would be standard practice by now. It does happen, but the Commissioner diplomatically describes current PIAs as being “sometimes uneven” in both their quality and timeliness. The Commissioner would also like to see a legislated requirement that government bills that will have an impact on privacy be sent to the OPC for review before being tabled in Parliament.

The Commissioner seeks additional amendments to improve transparency in relation to the government’s handling of personal information. Currently, the Commissioner files an annual report to Parliament. He may also issue special reports. The Commissioner recommends that he be empowered under the legislation “to report proactively on the practices of government”. He also recommends extending the Privacy Act to all government institutions. Some are currently excluded, including the Prime Minister’s Office and the offices of Ministers. He also recommends allowing all individuals whose personal information is in the hands of a federal government institution to have a right of access to that information (subject, of course, to the usual exceptions). Currently on Canadian citizens and those present in Canada have access rights.

This suite of recommendations is so reasonable that most Canadians would be forgiven for assuming these measures were already in place. Given the new government’s pre- and post-election commitments to greater transparency and accountability, there may be reason to hope we will finally see the long-overdue reform of the Privacy Act.

 

Published in Privacy

I was at the United Nations last week for an Expert Group Meeting on Moving from commitments to results in building effective, accountable and inclusive institutions at all levels. On February 18, 2016, I gave a presentation on balancing privacy with transparency in open government. This is a challenging issue, and one that is made even more so by digitization, information communication technologies and the big data environment.

Openness access to government information and data serve the goals of greater transparency and greater public trust in government. They are essential in fighting corruption, but they are also important in holding governments to account for their decision-making and for their spending of public funds. However, transparency must also be balanced against other considerations, including privacy. Privacy is a human right, and it protects the dignity, autonomy and integrity of individuals. Beyond this, however, the protection of privacy of personal information in the hands of governments also enhances public trust in governments and can contribute to citizen engagement.

How, then, does one balance privacy with transparency when it comes to information in the hands of government? There are no easy answers. My slides from my presentation can be found here, and these slides contain some links to some other publicly available work on this topic.

Published in Privacy

A recent decision of the Ontario Superior Court of Justice has expanded the scope of the tort of invasion of privacy in Ontario. This is an important development, given that the tort was only recognized for the first time by the Ontario Court of Appeal in 2012. The rapid expansion of private recourses for invasion of privacy is not surprising. Technology has amplified privacy risks, and highly publicized incidents of data breaches, snooping, shaming, and identity theft have dramatically increased public awareness of the risks and harms of privacy invasive activity.

Doe 464533 v. D. involved a defendant who posted an intimate video of the plaintiff on a pornography website without her knowledge or consent. The two had been in a relationship which began when they were in high school and ended shortly afterwards. The plaintiff moved away to attend university and remained in regular contact with the defendant. He began pressuring her to send him an intimate video of herself. She refused to do so for a time, but eventually gave in to repeated requests. The defendant had assured her that no one else would see the video. As it turns out, he posted the video to a porn site on the same day he received it. He also showed it to other young men from the high school he had attended with the plaintiff.

The posting of the video and its aftermath were devastating to the plaintiff who suffered from depression and anguish. Justice Stinson observed that at the time of the hearing, 4 years after the incident, she was still “emotionally fragile and worried that the video may someday resurface and have an adverse impact on her employment, her career or her future relationships.” (at para 14)

There are two significant aspects to the court’s decision in this case. The first is that it expands the privacy tort recognized by the Ontario Court of Appeal in Jones v. Tsige. In that case, a bank employee had improperly accessed customer information for her own purposes. The Court of Appeal was prepared to recognize at least one aspect of the broad tort of invasion of privacy – that of “intrusion upon seclusion”. In other words, one who snoops or hacks their way into the personal information of another can be held liable for this invasion. The facts of Doe 464533 did not fit within the boundaries of ‘intrusion upon seclusion’. The defendant did not improperly access the plaintiff’s personal information. She sent it to him directly. However, she did so on the understanding that the material would remain strictly private. In breach of this understanding, the defendant posted the information online and shared it with common acquaintances. Justice Stinson characterized this as another branch of the broad tort of invasion of privacy – the “public disclosure of embarrassing private facts about the plaintiff”. Justice Stinson observed that “[i]n the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection.” (at para 44) He adopted a slightly modified version of the American Restatement (second) of Torts’ formulation of this branch of the tort:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of the other’s privacy, if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. (at para 46)

The recognition of this branch of the tort is an important development given that it now clearly provides recourse for those who are harmed by the publication of private facts about themselves. There are limits – the tort will only be available where the material published “would be highly offensive to a reasonable person”. Further, if the facts are ones that there is a public interest in knowing (for example, the publication of information about a person’s involvement in corrupt or illegal activity), there will be no liability. However in an era in which “revenge porn” is a known phenomenon, the tort may provide a deterrent effect in some instances, and a basis for recourse in others.

The other interesting aspect of this decision is the damage award. The plaintiff had decided to commence her action under the Court’s Simplified Procedure. This meant that the maximum she could ask for in damages was $100,000. Justice Stinson ordered the maximum amount with little hesitation – which suggests that he might have awarded even more extensive damages had there been no cap. This is surely interesting, as damage awards for breach of privacy (either the tort or recourses under private sector data protection laws in Canada) have been generally quite small. In Jones v. Tsige, the Court had awarded only $10,000 in damages and had indicated that the normal range for such damages would be up to a maximum of $20,000 where no direct financial losses could be shown. In Doe 464533, Justice Stinson found the harm suffered by the plaintiff by the publication of the video to be analogous to the harm suffered in cases of sexual assault and battery. He fixed an amount of $50,000 in general damages for the past and ongoing effects of the defendant’s actions. He also awarded $25,000 in aggravated damages relating to the particularly offensive behavior of the defendant. According to Justice Stinson, the defendant’s breach of trust was “an affront to their relationship that made the impact of his actions even more hurtful and painful for the plaintiff.”(at para 59). He also awarded $25,000 in punitive damages for the defendant’s reckless disregard for the plaintiff. He noted that the defendant had not apologized, nor had he shown any remorse. He noted as well the highly blameworthy nature of the defendant’s conduct, the vulnerability of the plaintiff, and the significant harm the plaintiff had suffered. Justice Stinson also expressed the view that the punitive damage award was meant to have a deterrent effect. He stated: “it should serve as a precedent to dissuade others from engaging in similar harmful conduct.” (at para 62) In addition to the total award of $100,000 in damages, the judge ordered a further $5,500 in prejudgment interest and $36,208.73 in legal costs.

The recognition of the new tort, combined with the court’s approach to quantifying the harm suffered from this form of privacy invasive activity, should sound a warning to those who seek to use the internet as a means to expose or humiliate others.

Published in Privacy

Recent debates about enhanced police and national security surveillance powers in Canada have drawn attention to the vulnerability of Canadians’ privacy rights in the absence of proper safeguards and oversight. This problem is particularly acute in our big data economy, where participation in the economy – simply by being consumers of products and services – leaves a detailed trail of data in the hands of private sector actors. The Criminal Code provides for extensive access by police to personal information in the hands of third parties through its warrant system. Laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) also allow private sector companies to provide law enforcement and other government entities with personal information, without the knowledge and consent of the individual. This is often done in response to a court order or search warrant; however, PIPEDA also permits voluntary sharing even without a warrant in some circumstances.

The courts have had to play an important role in placing limits on the extent of access by state authorities to Canadians’ personal information. Just this week, in another significant decision, Justice Sproat of the Ontario Superior Court, issued a long-awaited decision in R. v. Rogers Communication (2016 ONSC 70) on the constitutional limitations on “tower dump” warrants.

The original tower dump warrants in this case were issued to police who were investigating a jewellery store robbery in Toronto. The police believed that the unidentified suspects had used cell phones during or just after the robbery. They asked the court for an order requiring the relevant cell phone service providers (in this case Rogers and Telus) to provide a dump of all of the data from cell phone towers that might have picked up and transmitted these calls within a window of time surrounding the robbery. On Telus’ estimate, compliance with the original order would have required it to provide data relating to at least 9,000 customers. Rogers estimated that it would need to provide the records of 34,000 subscribers. In addition to the data regarding all of the customers who had placed calls through those towers, the police also sought their name and address information, the names and contact information of all of the individuals who these people called, and credit card and bank information on file for the callers. The police subsequently revised their request, seeking a much more limited amount of data. However, Rogers and Telus pursued their Charter case, arguing that a court ruling on the constitutional legitimacy of this type of data request was necessary to protect not just their own interests but those of their customers.

The Court agreed that the customers of telecommunications companies had a reasonable expectation of privacy in their cell phone data and that if Rogers and Telus could not proceed with the Charter claims, it would be difficult for these issues to be effectively litigated. It agreed to hear and rule on the Charter arguments notwithstanding that the police had withdrawn their initial request for the data and notwithstanding the fact that the Charter rights in question belonged to thousands of private citizens and not to the Telcos directly.

Justice Sproat did not hesitate in ruling that the original production orders sought in this case were overly broad and that they infringed the Charter rights of the individuals whose data would have been captured by them. He found that the orders “went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation” (at para 42). He then went on to formulate a set of guidelines for police seeking tower dump warrants. He premised his guidelines on the “fundamental principles of incrementalism and minimal intrusion” (at para 63). He emphasized as well the requirement for police who seek such a warrant to explain “clearly in the information to obtain how requested data relates or does not relate to the investigation.” (at para 64)

The guidelines and their more detailed articulation can be found at paragraph 63 of the decision. In summary though, they are that the police must provide:

1. A statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind;

2. An explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters are relevant to the investigation;

3. An explanation as to why all of the types of records sought are relevant;

4. Any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records;

5. A request for a report based on specified data instead of a request for the underlying data itself;

6. If there is a request for the underlying data there should be a justification for that request

7. Confirmation that the types and amounts of data that are requested can be meaningfully reviewed

These are important guidelines that seek to limit the reach of state authorities into the private lives of Canadians to only that information which is genuinely necessary to investigate criminal activity.

It is worth noting that Justice Sproat declined to consider post-seizure safeguards in relation to tower dump data. Where a production order legitimately allows police to seek tower dump data, nothing in the Criminal Code provides any guidance as to what safeguards should govern the security and retention of this data. These are important issues – we are all painfully aware of the rising number of public and private sector data security breaches, and of cases of excessive retention and careless destruction of no-longer useful personal information. According to Justice Sproat, issues regarding retention of this data are best left to the legislator. Given the vast amount of personal information now capable of collection from the private sector through the host of different production orders available under the Criminal Code, Parliament should be strongly encouraged to address this issue. In the meantime, it would be good to see police forces develop policies regarding the retention and destruction of personal information obtained under warrants that is no longer necessary for its original purpose.

 

 

 

Published in Privacy

The rise of big data analytics, combined with a movement at all levels of government in Canada towards open data and the proactive disclosure of government information have created a context in which privacy interests are increasingly likely to conflict with the goals of transparency and accountability. In some cases these conflicts may be small and easily reconciled, but in other cases they may be more substantial. In addition, some means of reconciling the conflict must be found; where privacy and transparency conflict, for example, which value should prevail and under what conditions?

Conflicts between transparency and privacy have been seen recently in, for example, concerns expressed over the amount of personal information that might be found in court and tribunal decisions that are published online. Sunshine lists – lists of salaries of public employees that are over a certain amount – also raise issues. Provinces that publish such lists have tended to do so using file formats that do not lend themselves to easy digital manipulation. But of course these modest technological barriers are routinely overcome, and individual name and salary information is absorbed into the big data universe for purposes quite distinct from meeting a government’s transparency objectives. Open municipal data files may include information about specific individuals: for example, a database of all home renovation permit applications would have privacy implications for those individuals who applied for such permits. Even with names were redacted, it is easy enough to identify the owners of any homes for which renovation permits were obtained. In some cases, the level of connection may be less direct. For example, a public restaurant inspection record that cited kitchen staff at a small local restaurant for failure to wash their hands on a specific inspection date might indirectly reveal the identity of the persons who did not wash their hands, particularly if the staff of the restaurant is quite small. And, of course, in the big data context, even anonymized data, or data that is not personal information on its face, can be matched with other available data to identify specific individuals.

The point is not that the disclosure of such information must be avoided at all costs – rather, the issue is how to determine where to draw the line between privacy and transparency, and what steps might be taken to protect privacy while still ensuring transparency. No new legislative framework has been created to specifically guide the move towards open government in Canada, notwithstanding the fact that government data is fuel for the engines of big data.

In a paper that has just been published by the Alberta Law Review, my co-author Amy Conroy and I explore these issues, using a recent Supreme Court of Canada decision as a departure point for our analysis. Although the Court’s decision in Ministry of Community Safety and Correctional Services v Information and Privacy Commissioner (Ontario) (Ministry of Community Safety) does not specifically address either open data or proactive disclosure, the case nevertheless offers important insights into the gaps in both legislation and case law in this area.

In our paper we consider the challenges inherent in the release of government data and information either through pro-active disclosure or as open data. A key factor in striking the balance between transparency and privacy is the definition of personal information – information that is not personal information has no privacy implications. Another factor is, of course, the meaning given to the concept of transparency. Our paper considers how courts and adjudicators understand transparency in the face of competing claims to privacy. We challenge the simple equation of the release of information with transparency and argue that the coincidence of open government with big data requires new approaches that are informed by the developing relationship between privacy and transparency.

“Promoting Transparency While Protecting Privacy in Open Government in Canada” by Amy Conroy and Teresa Scassa is published in (2015) 53:1 Alberta Law Review 175-206. A pre-print version is available here.

Published in Privacy
Thursday, 06 August 2015 09:57

Data Security and the Rogue Employee

Data security breaches are frequently in the news, contributing to a growing anxiety regarding the security of the vast stores of personal information held by so many public and private sector organizations in Canada (and abroad). The recent passage of Bill S-4 (The Digital Privacy Act) will impose a data security breach notification requirement on private sector organizations covered by Canada’s Personal Information Protection and Privacy Act. This requirement has yet to come into effect; it awaits the drafting of regulations that will set out the manner and form of breach notifications.

Data security breaches occur in many different ways. While the paradigmatic breach is the malicious intruder who hacks his or her way past corporate firewalls to steal data, this is not the only (or even the most common) form of breach. In many cases, data breaches occur when devices such as USB keys or laptops that contain (often unencrypted) personal data go missing. Whether lost or stolen, it is often impossible to tell whether the data was or will ever be accessed or used. The laptop thief, for example, may have been seeking a laptop rather than the data it contains. Carelessness may take other forms as well; repeatedly faxing sensitive customer information to the wrong fax number is just one example.

The type of breach that perhaps causes the most anxiety for organizations comes from the ‘rogue employee’. Employees of organizations often, of necessity, have a great deal of access to sensitive customer information as a normal part of their duties. Organizations put in place policies regarding access and privacy, and may have other checks and balances within the institution to guard against (or to detect) unauthorized access. Unfortunately, an increasing number of security breaches seem to arise precisely because an employee has accessed personal information in contravention of these policies. This may be done for personal reasons (complicated interpersonal relations following the breakdown of relationships, for example), for financial gain, or for reasons that are not entirely clear. The breaches may affect only one or two individuals, or may be with respect to a significant number of people. Rogue employees are a security weak spot; they already have regular access to the data – all they require is motivation, whether it be personal or financial.

In March 2015, the BC Court of Appeal handed down an interesting decision in a case (Steel v. Coast Capital Savings Credit Union) involving an employee who had wrongfully accessed the personal folder of another employee. The folder was on the company’s server. The case was not a suit for invasion of privacy; the Credit Union for which the employee had worked had fired her following the detection of the breach. The employee had sued for wrongful dismissal, arguing that the penalty of dismissal was too severe given her 21 years of faultless service to the company. The employee worked in the IT department of the Credit Union, and had a high level of access to the company’s systems. She had accessed the personal folder of a manager at the credit union in order to see where she stood on a list setting out priority entitlement to parking. The breach was detected when the manager tried unsuccessfully to access the file at the same time that the employee was looking at the list.

The judge at first instance had upheld the dismissal of the employee, and she had appealed that decision to the Court of Appeal. What the case came down to, in essence, was whether a long-time employee with an excellent record could be dismissed for a one-time accessing of a file in a personal folder of another employee to view a list regarding the assignment of parking spots. The majority of the Court of Appeal ruled that dismissal was an acceptable response. Writing for the majority, Justice Goepel observed that the Supreme Court of Canada made it clear that “dishonesty going to the core of the employment relationship carries the potential to warrant dismissal for just cause.”(McKinley v. BC Tel, at para 57). Such conduct is that which “violates an essential condition of the employment contract, breaches the faith inherent to the work relationship, or is fundamentally or directly inconsistent with the employee’s obligations to his or her employer.”(McKinley at para 48). While other factors (such as length and quality of service) may be relevant, the key issue is whether there has been a fundamental breakdown in the employment relationship. In this case, the Court of Appeal accepted the assessment of the trial judge that the clear breach of internal privacy policies by someone in the position of the appellant employee (whose level of system access created a relationship of trust) led to a “fundamental breakdown of the employment relationship”. (at para 34).

The dissenting justice would have given more weight to the long service of the employee and to the non-critical nature of the information she accessed. Justice Donald also noted that the company policies did not require dismissal for breach of the policies on privacy and access. Disciplinary action could be “up to and including termination of employment”, based on a range of contextual factors which included “the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s).” (at para 15) He would have found that termination was an excessive consequence on the facts of this case. That this approach was not accepted by the majority of the Court may be an indication that courts are beginning to recognize the broader concerns over the risks posed by “rogue employees” to both their employers (in terms of their potential liability) and to the public.

Published in Privacy

Bill S-4, the Digital Privacy Act has received royal assent and is now law. This bill amends Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA, Canada’s private sector data protection statute has been badly in need of updating for some time now. Although it only came into being in 2001, the technologies impacting personal information and the growing private sector thirst for such data have changed dramatically, rapidly outstripping the effectiveness of the legislation. There have been many calls for the reform of PIPEDA (perhaps most notably from successive Privacy Commissioners). The Digital Privacy Act addresses a handful of issues – some quite important, but leaves much more to be done. In this post I consider three of the changes: new data sharing powers for private sector organizations, data breach notification requirements, and a new definition of consent.

At least one of the amendments is considered a step backwards by privacy advocates. A new s. 7(3)(d.1) allows private sector organizations to share personal information between themselves without the knowledge or consent of the individuals to whom the information pertains for the purposes of investigating breaches of “agreements” or laws. Originally seen as a measure that would make it easier for organizations such as banks to investigate complex fraud schemes that might involve a fraudster dealing with multiple organizations, the growing awareness of the vulnerability of individuals to snooping and information sharing of all kinds, has made this provision the target of significant criticism by privacy advocates. Keep in mind that an “agreement” can be a user agreement with an ISP, the terms of use of a web site or other online service, or any other contract between an individual and an organization. The provision means that any company that suspects that one of the terms of an agreement to which it is party has been breached can ask other companies to share information – without the knowledge or consent of the individual or without a court order – in order to investigate this potential breach. There is a profound lack of transparency and accountability in the data sharing enabled by this provision. True, such sharing is not mandatory – an organization can refuse to share the information requested under this provision. This amendment places an onus on individuals to pressure organizations to give them clearer and more robust assurances regarding whether and how their personal information will be shared.

The amendments will also add to PIPEDA data breach notification requirements. This is a change long sought by privacy advocates. Essentially, the law will require an organization that has experienced a data security breach to report the breach to the Privacy Commissioner “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” (s. 10.1) Affected individuals must also be notified in the same circumstances. “Significant harm” is defined in the legislation as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” A determination of whether there is a “real risk” of these types of harms can be determined by considering two factors spelled out in the legislation: the sensitivity of the information at issue, and the likelihood that it is being misused or may be misused in the future. Any other “prescribed factor” must also be taken into account, leaving room to include other considerations in the regulations that will be required to implement these provisions. The real impact of these data breach notification provisions will largely turn on how “real risk” and “significant harm” are interpreted and applied. It is important to note as well that these provisions are the one part of the new law that is not yet in force. The data breach notification provisions are peppered throughout with references to “prescribed” information or requirements. This means that to come into effect, regulations are required. It is not clear what the timeline is for any such regulations. Those who have been holding their breath waiting for data breach notification requirements may just have to give in and inhale now in order to avoid asphyxiation.

One amendment that I find particularly interesting is a brand new definition of consent. PIPEDA is a consent-based data protection regime. That is, it is premised on the idea that individuals make free and informed choices about who gets to use their personal information and for what purposes. Consent is, of course, becoming somewhat of a joke. There are too many privacy policies, they are too long and too convoluted for people either to have the time to read them all or be capable of understanding them. It doesn’t help that they are often framed in very open-ended terms which do not give a clear indication of how personal information will be used by the organization seeking consent. In this context, the new definition is particularly intriguing. Section 6.1 of the statute now reads:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

This is a rather astonishing threshold for consent – and one that is very consumer-friendly. It requires that the individual understand “the nature, purpose and consequences” of the use of their personal information to which they consent. In our networked, conglomerated and big-data dominated economy, I am not sure how anyone can fully understand the consequences of the collection, use or disclosure of much of their personal information. Given a fulsome interpretation this provision could prove a powerful tool for protecting consumer privacy. Organizations should take note. At the very least it places a much greater onus on them to formulate clear, accessible and precise privacy policies.

Published in Privacy

The Privacy Commissioner of Canada has issued his findings in relation to the investigation of multiple complaints by Canadians regarding the collection, use and disclosure of their personal information by a company based in Romania. The company, Globe24h operates a website which it describes as a “global database of public records”. This global database contains a substantial number of decisions from Canadian courts and administrative tribunals. Some of this content was acquired by scraping court or tribunal websites, or websites such as CanLII. (I wrote about this situation earlier here.)

The problem, from a privacy point of view is that many court and tribunal decisions contain a great deal of personal information. For example, a decision from a divorce case might provide considerable detail about personal assets. Immigration or refugee determination hearings similarly might reveal sensitive personal information. As Commissioner Therrien noted in his findings, the “highly detailed, highly sensitive personal information” found in the decisions that were the focus of the complaints in this case “could have negative reputation impacts (including financial information, health information, and information about children)” (at para 27). Globe24h offers a fee-based service for removal of personal information. A number of the complainants in this case had paid up to 200 euros to have their information removed from decisions in the database.

The Romanian company responded to the investigation by arguing that the Office of the Privacy Commissioner of Canada had no jurisdiction over its activities; and that if it did, Canada’s Personal Information Protection and Electronic Documents Act did not apply because it was engaged in journalistic activities. Alternatively, they argued that they were making use of publicly available information, for which consent is not required under PIPEDA. In this admittedly long blog post, I look at a number of different issues raised in the Commissioner’s findings. You can jump ahead if you like to: Open courts principle and privacy; Extended territorial jurisdiction; Journalism exception; Publicly available personal information; or Crown copyright – the unspoken issue.

 

Open courts principle and privacy

The open courts principle – which provides transparency for the justice system in Canada – dictates that decision-makers provide reasons for their decisions and that these decisions be publicly accessible. In the old days, decisions were published in law reports or made available for consultation at court offices. Either way, anyone interested in a particular case had to make some effort to track it down. Decisions were indexed according to subject matter, but were not easily searchable by individual names. The capacity to make court decisions publicly available on the Internet has dramatically increased the ability of the public to access court decisions (and, given the high cost of legal services and the growing number of self-represented litigants, it is not a moment too soon). However, public availability of court decisions on the Internet can raise significant privacy issues for individuals involved in litigation. There is a big difference between accepting that a court decision in one’s case will be published in the interests of transparency and having one’s personal information sucked up and spit out by search engines as part of search results unrelated to the administration of justice.

The main response to this problem to date (from the Canadian Judicial Council’s 2005 Model Policy for Access to Court Records) has been for courts to require the use of technological measures on court websites (and on websites such as CanLII) to prevent search engines from indexing the full text of court decisions. This means that those searching online using a particular individual’s name would not find personal details from court proceedings caught up in the search results. However, these licence terms are only imposed on entities such as CanLII. The general copyright licences on court websites place no such restrictions on the reproduction and use of court decisions. Of course, placing restrictions on the searchability/usability of published decisions can also be a barrier to their innovative reuse. A better approach – or at least a complementary one – might be to be more restrained in the sharing of personal information in published decisions. This latter approach is one recommended by the Office of the Privacy Commissioner of Canada for administrative tribunals. It is unevenly adopted by courts and tribunals in Canada.

While the open courts principle and how Canadian courts and tribunals implement it are relevant to the problem in this case, the Commissioner’s decision does not address these issues. The complaints focussed on the activities of the Romanian company and not on how courts and tribunals manage personal information. Nevertheless, this issue is, to a large extent, at the heart of the problem in this case.

Extended territorial jurisdiction

Under basic international law principles, countries cannot apply their laws outside of their own borders. So how could Canadian law apply to a Romanian company’s activities? The answer lies in what some co-authors of mine and I call extended territorial jurisdiction. This arises where activities outside a country’s borders are nonetheless closely connected to that country. After receiving over 20 complaints from Canadians regarding the hosting of their personal information on the Globe24h website, the Privacy Commissioner chose to apply Canada’s PIPEDA to the Romanian company. He did so on the basis that the company was collecting, using and disclosing personal information in the course of commercial activities (key triggers for PIPEDA’s application) and that its activities had a “real and substantial connection” to Canada. This connection was found in the fact that the company chose to include Canadian court and tribunal decisions in its database; that it sourced this material from websites located in Canada; that it accepted requests from Canadians to remove their personal information from its databases; and that it charged Canadians a fee to perform this service. While the company would be subject to Romanian data protection law in general, the Commissioner did not see this as an impediment to applying Canadian law in the specific circumstances. He noted that “It is commonplace in today’s global environment that organizations with an online presence may be subject to data protection laws in multiple jurisdictions depending on the nature of their activities.” (at para 100)

This approach is consistent with that taken by the Office of the Privacy Commissioner of Canada since the Federal Court handed down its decision on this point in Lawson v. Accusearch Inc. Of course, taking jurisdiction over a party in another country and being able to enforce outcomes in accordance with Canadian law are separate matters. In any event, the Privacy Commissioner is relatively toothless even within Canada; in the case of offshore companies any positive results depend largely upon a respondent’s willingness to cooperate with investigations and to change their practices with some gentle nudging. In this case, there seems to be a change of practice on the part of Globe24h, although the extent and durability of this change remain to be seen.

Journalism exception

I have previously written about the rather broad and open-ended exception to the application of PIPEDA to the collection, use or disclosure of personal information for “journalistic purposes”. Journalism is capable of a fairly broad interpretation, and in an era of disintermediated information and commentary, a broad approach to this exception is warranted. This may be even more so the case given the Supreme Court of Canada’s recent admonition that privacy laws must be balanced with the freedom of expression. However, an overly broad approach could exclude large swaths of activity from the scope of PIPEDA.

In this case, Globe24h argued that by providing a database of legal information it was entitled to benefit from the journalistic purposes exception. The Commissioner adopted a definition of “journalism” put forward by the Canadian Association of Journalism (CAJ). According to this definition journalism is an activity that has as its goal the communication of information, in a format that has “an element of original production” and that “provides clear evidence of a self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.” (at para 52). The definition is interesting, but it may be under inclusive when it comes to balancing freedom of expression and privacy. This remains an open question. Using this definition, the Commissioner found that the database of public records compiled by Globe24h was not journalism. In particular, he was of the view that the purpose of the database was to generate revenue from different means, including charging individuals who wish to have their personal information removed. He also found that the database did not embody the “original production” required in the CAJ’s definition, and concluded that “Globe24h is republishing information already available online through Canadian court and tribunal websites in a manner that enables the information to be located by search engines, which would not otherwise be possible, so as to profit from individuals’ desire to have this practice stop.” (at para 66).

While there may be an argument that this website does not serve journalistic purposes, the analysis here relies heavily upon the Commissioner’s conclusion that the site’s primary motivation is to derive revenue from individuals who are concerned about their privacy. It is not clear whether, without that element, he would have found that the journalism exception applied. The importance of this poorly worded exception – and the potential of narrow interpretations to conflict with the freedom of expression – leaves one wishing for clearer guidance.

Publicly available personal information

Globe24h also argued that it made use of publicly available personal information. PIPEDA expressly permits the collection, use and disclosure of such information without consent so long as it is used for the purposes for which it was collected and made publicly available. According to the Commissioner, the purpose for which the court decisions were made publicly available was “to promote transparency in the judicial system” (at para 93). He also went on to state that “the purpose for publishing court findings online does not include the association of such findings with individuals’ names in online search results.” (at para 92). The point here, I think, is that the search engine indexing shifts uses of this information away from transparency and towards data mining or snooping; the latter are not consistent with the purposes for which the information was made publicly available.

However, it should be noted that in this case, the assessment of purpose drifts into how the information might be accessed or manipulated by third parties –not by the respondent. This is rather tricky territory. It is a kind of secondary liability in the data protection context: court decisions are made publicly available to anyone around the world; the respondent creates a database that aggregates court decisions from multiple jurisdictions and makes them available. In doing so it enhances the searchability of the decisions by freeing them from technological restrictions. Has it done anything to take it outside the exception? Is the possibility that this new searchability might lead to improper uses of the information by others enough to find that the use does not fall within the exception? My point here is that the problem of excessive personal information in published court decisions seems to be pushed onto those who publish this information (and who thus facilitate the open courts principle), rather than resting with the courts who perhaps should be more careful in deciding what personal information is required to serve the open courts principle and what information is not.

Crown copyright – the unspoken issue

In Canada, court and tribunal decisions are covered by Crown copyright. This lies behind the courts’ ability to dictate licence terms to those who publish these decisions. Recent amendments to the Copyright Act also make it an infringement to circumvent technological protection measures on copyright protected works. Had the Romanian website been publishing court decisions in contravention of the user licence provided by court websites or circumventing court-mandated technological protection measures that blocked the indexing of the court decisions by search engines, then the courts themselves might have sought takedown of these materials or insisted upon compliance with their licence terms. These terms, however, do not appear in the licence for federal court decisions, for decisions of Ontario superior courts, or for decisions of the BC Supreme Court – and this is just a sample. Whether courts should use copyright restrictions to protect privacy values is an interesting question, particularly in an era of increasingly open government. Whether it is realistic or feasible to do so is another good question – if it is not then the privacy issues must be addressed at source. In any event, it may be time for the CJC to revisit its digitally archaic 2005 policy.

The individuals affected by Globe24h turned to the Privacy Commissioner for help when they experienced privacy invasions as a result of the company’s activities. They found a sympathetic ear, and the Commissioner may have achieved some results for them. One can ask, though, where the courts and tribunals have been in all of this. As noted earlier, they should take the lead in addressing privacy issues in their decisions. In addition, while Crown copyright may be an anachronism with the potential to limit free speech, as long as the government clings to it in the face of calls for reform it might consider using it on occasion in circumstances such as these, where inadequate measures designed to protect privacy have failed Canadians and something more is required.

 

Published in Privacy

Canada’s Information Commissioner has tabled a report in Parliament that has deeply troubling implications.

The scandal-in-the-making is a product of three pretty well-known characteristics of the current government – first, they have been utterly committed to dismantling and destroying every trace of the Long-Gun Registry established under the former Liberal government; second, their commitment to transparency and accountability is situational at best; and third, they have a tendency to bury important and sometimes controversial amendments in omnibus budget implementation bills.

Here’s what happened: The Conservative government was determined to do away with the long gun registry. It introduced a bill on October 25, 2011 which was eventually passed into law as the Ending the Long-Gun Registry Act (ELGRA) . This statute came into effect on April 5, 2012. However, no doubt anticipating the demise of the registry, an unnamed individual filed an access to information request on March 27, 2012. This applicant sought an electronic copy of all records in the Canadian Fire Arms Registry relating to firearms that were neither prohibited nor restricted. These were the specific records slated to be destroyed under s. 29 of the ELGRA.

Shortly after the coming into force of the ELGRA, the Information Commissioner wrote to the Minister of Public Safety and Emergency Preparedness to remind him that records relating to the Long-gun Registry that were the subject of requests under the Access to Information Act that were filed before the coming into effect of the ELGRA would have to be retained until the access requests had been dealt with (including any court proceedings flowing from these requests). The Minister responded, giving the Commissioner assurances that the RCMP would “abide by the right of access.”

The applicant eventually received a response to his request for records, but he was not satisfied with the response. He was of the opinion that the information provided was incomplete and was also concerned that the RCMP had gone ahead and destroyed responsive records. The Information Commissioner investigated and agreed that the response was incomplete. She also concluded that responsive records had been destroyed by the RCMP, notwithstanding the fact that they knew that the records were subject to a right of access. The destruction by government entities of records subject to a right of access is an offence under 67.1 of the Access to Information Act.

On March 26, 2015, the Information Commissioner informed the Attorney General of Canada, the Hon. Peter MacKay, of the possible commission of this offence. She also notified the Minister of Public Safety that in her view the complaint was well-founded. She recommended that any responsive records still in the possession of the RCMP be provided to the applicant. The Minister responded, indicating that he had no intention of following this recommendation.

Up to this point, the situation reveals a government committed to destroying all traces of the long-gun registry, and, as a result, unwilling to respond to an access request that would provide an applicant with data from the registry prior to its destruction. The Prime Minister’s response as reported by the CBC was: “[T]o be perfectly clear, the government is clarifying the information act to make sure it is in full conformity with Parliament's already expressed wishes on the long-gun registry that the RCMP has executed as they were required to do according to the law.”

It is clear that the access request slipped through the cracks between the introduction of the bill in October 2011 and its passage into law. It is also clear that granting access to the records would go against the intent expressed in the legislation to destroy the registry. The merits or demerits of the long-gun registry have already been the subject of much heated debate, but the battle over its continued existence is at an end. What is troubling is that the “loophole” existed, that a perfectly legitimate access to information request was filed, that the Minister of Public Safety committed to preserve records until outstanding access requests had been dealt with, and that the information was nonetheless destroyed.

What the government should have done was to address the access issue in the ELGRA in the first place. The wisdom of backdating the law to suspend access to information requests retroactively to the date the Bill was introduced in Parliament could have been debated as part of the legislation to put an end to the long-gun registry. Having omitted to do this, what the government has done instead is add to its budget implementation bill (Bill C-59) a series of provisions that retroactively remove the right of access to the long-gun registry data. The right of access is terminated on the date the long-gun Bill was introduced into Parliament (October 25, 2011). It effectively also removes any obligation to retain records, and makes their destruction legitimate. It also removes any liability of the Crown or its agents or employees with respect to the destruction of records.

It is true that these provisions will “fix” the oversight in the original long-gun Bill. However, as the Information Commissioner points out, they also retroactively absolve the RCMP of having destroyed records when it was clearly illegal to do so, and when the Minister of Public Safety had committed to the preservation of the records pending the resolution of outstanding access requests. The actions appear to have been illegal under the law as it stood at the time. Any pot smoker with a conviction for possession will tell you that it doesn’t matter what you think the law SHOULD be; what matters is what the law actually says when you carry out the transgressive act. Unless, of course, you have a legislative time machine that you can use to change the law at the time of your transgression. The Conservative government has such a legislative time machine. It is yet another one of those distasteful omnibus bills that offer a convenient sidestep to democratic debate and accountability.

This, ultimately, is the real problem and central matter for concern. The long-gun registry is – well – long gone. There was indeed a legislative loophole that created a problematic gap for a government that had committed to the total destruction of the registry records. But the ability to use omnibus bills to rewrite history and to absolve conduct that was both illegal and contrary to government assurances is ugly. And, as the Information Commissioner suggests, it is perhaps also a very dangerous precedent.

Published in Privacy
<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Page 3 of 10

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law