Teresa Scassa - Blog

“Consumer Privacy and Radio Frequency Identification Technology” (with Theodore Chiasson, Michael Deturbide and Anne Uteck, (2005-2006) 37 University of Ottawa Law Review 215-248

Radio Frequency ID tags are poised to replace the UPC barcode as a mechanism for inventory control in the wholesale and retail contexts.  Yet the tiny chips offer a range of potential uses that go beyond the bar code.  In this paper we define RFID technology and its applications.  We explore the privacy implications of this technology and consider recent attempts in the U.S. and European Union to grapple with the privacy issues raised by the deployment of RFIDs at the retail level.  We then consider the extent to which Canada’s Personal Information Protection and Electronic Documents Act  will apply to RFID technology, before making recommendations for initiatives to proactively address the privacy issues that RFIDs will raise.

“Global Reach, Local Grasp: Constructing Extraterritorial Jurisdiction in the Age of Globalization” (2007) 6 Canadian Journal of Law and Technology 29-60. (With Stephen Coughlan, Robert Currie and Hugh Kindred) PDF Available here.

The reach of national law is often greater than its grasp. Canada, like other countries, has effective legal power over its territory and all within it. However, one consequence of the current process of globalization, for good or ill, is that Canadian interests are no longer contained exclusively within Canadian borders. Canada thus finds it increasingly necessary to consider asserting its legal jurisdiction beyond its frontiers. In this we consider issues of jurisdiction, distinguishing between territorial and extraterritorial jurisdiction, and defining and discussing legislative/prescriptive jurisdiction, executive/enforcement jurisdiction, investigative jurisdiction and judicial/adjudicative jurisdiction. We discuss the mechanics of extraterritorial action, and  the means by which extraterritorial action is taken.  We also consider the policy justifications which have primarily motivated Canada to act extraterritorially in the past. In the second part of the paper, we consider whether the lessons of the past are applicable to the future. Primarily we will do this by pursuing four “case studies” of areas of law which raise new and challenging issues. These include i) the internet; ii) personal data protection, iii) human rights and iv) competition in the marketplace.

“Information Privacy in Public Space:  Location Data, Data Protection and the Reasonable Expectation of Privacy”, (2009) 7:2 Canadian Journal of Law and Technology 193-220. PDF available here.

The sheer volume of location data that is now being collected by private sector companies in relation to a wide range of products and services poses serious challenges for privacy and data protection law.  This paper considers a central challenge to privacy posed by the collection and compilation of location data  -- the accessibility of this data to law enforcement agents through exceptions to the general principles of consent for disclosure that exist under private sector data protection legislation in Canada.  Recent court interpretations of these exceptions – primarily in the internet context – paint a muddled picture of their relationship to the right to be free from unreasonable search and seizure under the Canadian Charter of Rights and Freedoms.  This paper considers whether the permissive disclosure provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and its substantially similar counterparts mean that law enforcement agents have ready access to information about our movements and activities, or whether s. 8 of the Charter plays a role in limiting the circumstances in which disclosure without notice or consent may take place.

“The Inadvertent Disclosure of Personal Health Information through Peer-to-peer File Sharing Programs”, in JAMIA 2010 17: 148-158 ( Journal of the American Medical Informatics Association) (with K. El Emam, E. Neri, E. Jonker, M. Sokolova, L. Peyton, & A. Neisa)

There has been a consistent concern about the inadvertent disclosure of personal information on peer-to-peer file sharing networks. Examples of personal health and financial information being exposed have been published. This paper estimates the extent to which personal health information (PHI) is leaking in this way, and compare that to the extent of leakage of personal financial information (PFI). The paper concludes that there is a real risk of PHI leakage on peer-to-peer file sharing networks, although the risk is not as large as for PFI. Custodians of PHI should not install file sharing applications on their computers, and individuals need to be educated about the proper use of file sharing tools to avoid inadvertent disclosure of their, their family’s, their clients’, or patients’ PHI.

“Journalistic Purposes and Private Sector Data Protection Legislation: Blogs, Tweets, and Information Maps” (2010) 35 Queen’s Law J. 733-781

This paper explores how changes in the ways in which information is consumed and disseminated by myriad individuals in myriad forms may impact data protection law in Canada. The author uses examples of blogs, Twitter and information maps to illustrate the problems which will inevitably arise when trying to discern which individuals and which information will properly fit into the journalistic purposes exception in Canadian data protection statutes. She suggests that exceptions for the collection, use or disclosure of personal information for journalistic purposes raise vital questions pertaining to the purpose and scope of these exceptions. Recent case law serves to illustrate the difficulties faced by decision-makers in defining the scope of these exceptions, particularly given the need to balance the public right to be informed with individual privacy rights. The author considers the journalistic purposes exceptions in light of the role of journalists by analyzing how reporters’ privilege cases, defamation law (“responsible journalism”) and ethical codes of conduct might affect and inform current Canadian case law. She compares how journalistic purpose exceptions are configured and applied in Australia and the United Kingdom. In the conclusion, the author considers the direction that data protection law in Canada should take. She suggests that a reasonableness test, which attempts to balance the various conflicting interests, should govern decisions on whether information is being provided for a journalistic purpose or for some “other” purpose.

This paper explores how changes in the ways in which information is consumed and disseminated by myriad individuals in myriad forms may impact data protection law in Canada. The author uses examples of blogs, Twitter and information maps to illustrate the problems which will inevitably arise when trying to discern which individuals and which information will properly fit into the journalistic purposes exception in Canadian data protection statutes. She suggests that exceptions for the collection, use or disclosure of personal information for journalistic purposes raise vital questions pertaining to the purpose and scope of these exceptions. Recent case law serves to illustrate the difficulties faced by decision-makers in defining the scope of these exceptions, particularly given the need to balance the public right to be informed with individual privacy rights. The author considers the journalistic purposes exceptions in light of the role of journalists by analyzing how reporters’ privilege cases, defamation law (“responsible journalism”) and ethical codes of conduct might affect and inform current Canadian case law. She compares how journalistic purpose exceptions are configured and applied in Australia and the United Kingdom. In the conclusion, the author considers the direction that data protection law in Canada should take. She suggests that a reasonableness test, which attempts to balance the various conflicting interests, should govern decisions on whether information is being provided for a journalistic purpose or for some “other” purpose.

“Geographic Information as Personal Information”, (2010) 10:2 Oxford University Commonwealth Law Journal 185-214

The rapid proliferation of applications using geographical information combined with the growing accessibility of vast quantities of data of all kinds has given rise to the mapping of information on an unprecedented scale. Information maps are created by governments, private sector actors, and even by individuals; they may be sole-authored or crowd-sourced. These maps are frequently made available over the internet. Information maps have a serious potential to impact on personal privacy. This paper gives an overview of developments in the mapping of information. It then explores a key question in the data protection context: when is geographical information personal information? Particular challenges in answering this question include the way in which geographical information may be a key to re-identifying de-identified data, and how it can be used to link aggregate geodemographic data to specific individuals.

“Privacy by the Wayside: The New Information Superhighway, Data Privacy, and the Deployment of Intelligent Transportation Systems”, (2011) 74 University of Saskatchewan Law Review 117-164 (with Jennifer Chandler and Elizabeth F. Judge)

Intelligent Transport Systems (ITS) integrate vehicles and surface transportation infrastructure with information, communication, and sensory technologies to improve the safety, efficiency, security, service, accessibility, environmental responsibility, and reliability of the transportation system. The term ITS covers a very broad range of transport-related activities involving federal, provincial, and municipal governments as well as private sector actors. In its broadest sense, ITS enables an integrated and intelligent network of services for both public and private transportation systems. In this article, we discuss the data protection and privacy issues raised by the use of ITS in Canada.  We begin with an overview identifying the central privacy issues that arise with ITS. We then provide an introduction to the legal and institutional privacy framework in Canada. This is followed by a closer analysis of Canada’s data protection regimes and their application to ITS. 

“Data Protection, Privacy and Spatial Data”, in R. Devillers & H. Goodchild, eds. Proceedings of the 6^th International Symposium on Spatial Data Quality, Taylor & Francis, 2009, pp. 211-220 (with Lisa Campbell)

In this paper, we explore the extent to which spatial data may be considered personal information for the purposes of data protection and privacy law. While data quality is an important objective in the creation of spatial data applications, we demonstrate that even relatively low quality spatial data may attract the application of data protection or privacy law, particularly when it is matched or combined with other data sets. The rapid development of a variety of applications and tools that incorporate spatial data pose significant privacy law challenges both for individuals and for the developers and users of these tools.