Teresa Scassa - Blog

Class action lawsuits for privacy breaches are becoming all the rage in Canada – this is perhaps unsurprising given the growing number of data breaches. However, a proceeding certified and settled in October 2019 stands out as significantly different from the majority of Canadian privacy class action suits.

Most privacy class action lawsuits involve data breaches. Essentially, an entity trusted with the personal information of large numbers of individuals is sued because they lost the data stored on an unsecured device, a rogue employee absconded with the data or repurposed it, a hacker circumvented their security measures, or they simply allowed information to be improperly disclosed due to lax practices or other failings. In each of these scenarios, the common factor is a data breach and improper disclosure of personal information. Haikola v. Personal Insurance Co. is a notably different. In Haikola, the alleged misconduct is the over collection of personal information in breach of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The legal issues in this case arose after the representative class plaintiff, Mr. Haikola, was involved in a car accident. In settling his claim, his insurance company asked him to consent to providing them access to his credit score with a credit reporting agency. Mr. Haikola agreed, although he felt that he had had no choice but to do so. He followed up with the insurance company on several occasions, seeking more information about why the information was required, but did not receive a satisfactory explanation. He filed a complaint with the Office of the Privacy Commissioner. The subsequent investigation led to a Report of Findings that concluded, in the words of Justice Glustein, that the insurance company’s “collection and use of credit scores during the auto insurance claim assessment process is not something that a reasonable person would consider to be appropriate.” (at para 13) The company eventually changed its practices.

Under PIPEDA, the Commissioner’s findings are not binding. Once a complainant has received a Report of Findings, they can choose to bring an application under s. 14 of PIPEDA to Federal Court for an order and/or an award of damages. After receiving his Report of Findings, Mr. Haikola took the unusual step of seeking to commence a class action lawsuit under s. 14 of PIPEDA. The defendants argued that the Federal Court had no jurisdiction under s. 14 to certify a class action lawsuit. There is no case law on this issue, and it is not at all clear that class action recourse is contemplated under s. 14.

The parties, in the meantime, negotiated a settlement agreement. However, quite apart from the issue of whether a class action suit could be certified under s. 14 of PIPEDA, it was unclear whether the Federal Court could “make an enforceable order in a PIPEDA class action against a non-governmental entity.” (at para 28) With advice from the Federal Court case management judge, the parties agreed that Mr. Haikola would commence an action in Ontario Superior Court, requesting certification of the class action lawsuit and approval of the settlement. The sole cause of action in the suit initiated in Ontario Superior Court was for breach of contract. The argument was that in the contract between the insurance company and its customers, the insurance company undertook to “”act as required or authorized by law” in the collection, use, and disclosure of the Class Members’ personal information – including information from credit reporting agencies.” (at para 56) This would include meeting its PIPEDA obligations.

The class included persons whose credit history was used as part of a claim settlement process. The insurance company identified 8,525 people who fell into this category. The settlement provided for the paying out of $2,250,000. The court estimated that if every member of the class filed a valid claim, each would receive approximately $150.

In considering whether a class action lawsuit was the preferable procedure, Justice Glustein noted that generally, for this type of privacy complaint, the normal recourse was under PIPEDA. The structure of PIPEDA is such that each affected individual would have to file a complaint; the filing of a complaint and the issuance of a report were both prerequisites to commencing an action in Federal Court. Justice Glustein considered this to be a barrier to access to justice, particularly since most individuals would have claims “of only a very modest value”. (at para 66) He found that “The common law claim proposed is preferable to each Class Member making a privacy complaint, waiting for the resolution of the complaint from the Privacy Commissioner with a formal report, and then commencing a Federal Court action.” (at para 67)

Justice Glustein certified the proceedings and approved the settlement agreement. He was certainly aware of the potential weaknesses of the plaintiff’s case – these were factors he took into account in assessing the reasonableness of the amount of the settlement. Not only were there real issues as to whether a class action lawsuit was a possible recourse for breach of PIPEDA, a proceeding under s. 14 is de novo, meaning the court would not be bound by the findings of the Privacy Commissioner. Further, the Federal Court has been parsimonious with damages under PIPEDA, awarding them only in the most “egregious” circumstances. It is, in fact, rare for a Federal Court judge to award damages unless there has been an improper disclosure of personal information. In this case, the insurance company was found to have collected too much information, but there had been no breach or loss of personal data.

This case is interesting because raises the possibility of class action lawsuits being used for privacy complaints other than data security breaches. This should put fear into the heart of any company whose general practices or policies have led them to collect too much personal information, obtain insufficient consent, or retain data for longer than necessary (to name just a few possible shortcomings). Perhaps the facts in Haikola are exceptional enough to avoid a landslide of litigation. Justice Glustein was clearly sympathetic towards a plaintiff who had doggedly pursued his privacy rights in the face of an insufficiently responsive company, and who had been vindicated by the OPC’s Report of Findings. Justice Glustein noted as well that it was the plaintiff who had sought to initiate the class action lawsuit – he had not been recruited by class counsel.

There is clearly also an element in this decision of frustration and dissatisfaction with the current state of Canadian data protection law. Justice Glustein observed: “If systemic PIPEDA breaches are not rectified by a class procedure, it is not clear what incentive large insurers and others will have to avoid overcollection of information.” (at para 88) Justice Glustein also observed that “While the Privacy Commissioner may encourage or require changes to future practices, it [sic] has very limited powers to enforce compliance through strong regulatory penalties.” (at para 88) This is certainly true, and many (including the Privacy Commissioner) have called for greater enforcement powers to strengthen PIPEDA. This comment, taken with Justice Glustein’s additional comment that the settlement imposes on the Defendants a “meaningful business cost” for the overcollection of personal information, are nothing short of a condemnation of Canada’s private sector data protection regime.

The government has heard such condemnations from the Commissioner himself, as well as from many other critics of PIPEDA. It is now hearing it from the courts. Hopefully it is paying attention. This is not just because PIPEDA obligations need stronger and more diverse enforcement options to provide meaningful privacy protection, but also because class action lawsuits are a blunt tool, ill-designed to serve carefully-tailored public policy objectives in this area.

 

 

Published in Privacy

The second discussion paper in Ontario’s lightning-quick consultation on a new data strategy for the province was released on September 20, 2019. Comments are due by October 9, 2019. If you blink, you will miss the consultation. But if you read the discussion paper, it will make you blink – in puzzlement. Although it is clear from its title that Ontario wants to “create economic benefits” through data, the discussion paper is coy, relying mainly on broad generalities with occasional hints at which might actually be in the works.

Governments around the world are clearly struggling to position their countries/regions to compete in a burgeoning data economy. Canada is (until the election period cooled things off) in the middle of developing its own digital and data strategy. Ontario launched its data strategy consultation in February 2019. The AI industry (in which Canada and Ontario both aspire to compete) is thirsty for data, and governments are contemplating the use of AI to improve governance and to automate decision-making. It is not surprising, therefore, that this document tackles the important issue of how to support the data economy in Ontario.

The document identifies a number of challenges faced by Ontario. These include skill and knowledge deficits in existing industries and businesses; the high cost of importing new technologies, limited digital infrastructure outside urban core areas, and international competition for highly qualified talent for the data economy. The consultation paper makes clear that the data strategy will need to address technology transfer, training/education, recruitment, and support for small businesses. Beyond this, a key theme of the document is enhancing access to data for businesses.

It is with respect to data that the consultation paper becomes troublingly murky. It begins its consideration of data issues with a discussion of open government data. Ontario has had an open data portal for a number of years and has been steadily developing it. A new law, pushed through in the omnibus budget bill that followed the Ford government’s election is the first in Canada to entrench open government data in law. The consultation document seems to suggest that the government will put more resources into open data. This is good. However, the extent of the open data ambitions gives pause. The consultation document notes, “it is important for governments to ensure that the right level of detailed data is released while protecting government security and personal privacy.” Keep in mind that up until now, the approach to open data has been to simply not release as open data datasets that contain personal information. This includes data sets that could lead to the reidentification of individuals when combined with other available data. The consultation paper states “Ontario’s government holds vast amounts of data that can help businesses develop new products and services that make Ontarian’s lives easier, while ensuring that their privacy is protected.” These references to open data and privacy protection are indications that the government is contemplating that it will make personal data in some form or another available for sharing. Alarmingly, businesses may be invited to drive decision-making around what data should be shared. The document states, “New collaboration with businesses can help us determine which data assets have the greatest potential to drive growth.” An out-of-the-blue example provided in the consultation paper is even more disturbing. At a point where the document discusses classic categories of important open data such as geospatial reference and weather data, it suddenly states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered a high-value dataset that may present various opportunities for Ontario.”

If personal data is on the table (and the extent to which this is the case should be a matter of serious public consultation and not lightning-round Q & A), then governance becomes all the more important. The consultation paper acknowledges the importance of governance – of a sort. It suggests new guidelines (the choice of words here is interesting – as guidelines are not laws and are usually non-binding) to help govern how data is shared. The language of standards, guidance and best practices is used. Words such as law, regulation and enforcement are not. While “soft law” instruments can have a role to play in a rapidly changing technological environment, Canadians should be justifiably wary of a self-regulating private sector – particularly where there is so much financially at stake for participating companies. It should also be wary of norms and standards developed by ‘stakeholder’ groups that only marginally represent civil society, consumer and privacy interests.

If there is one thing that governments in Canada should have learned from the Sidewalk Toronto adventure, it is that governments and the private sector require social licence to collect and share a populations’ personal data. What this consultation does instead is say to the public, “the data we collect about you will be very valuable to businesses and it is in the broader public interest that we share it with them. Don’t worry, we’re thinking about how to do it right.” That is an illustration of paternalism, not consultation or engagement. It is certainly not how you gain social licence.

The Ontario government’s first Consultation Paper, which I discuss here was about “promoting trust and confidence”, and it ostensibly dealt with privacy, security and related issues. However, the type of data sharing that is strongly hinted at in the second discussion paper is not discussed in that first paper and the consultation questions in that document do not address it either.

There is a great deal of non-personal government data that can be valuable for businesses and that might be used to drive innovation. There is already knowledge and experience around open data in Ontario, and building upon this is a fine objective. Sharing of personal and human behavioural data may also be acceptable in some circumstances and under some conditions. There are experiments in Canada and in other countries with frameworks for doing this that are worth studying. But this consultation document seems to reflect a desire to put all government data up for grabs, without social licence, with only the vaguest plans for protection, and with a clear inclination towards norms and standards developed outside the usual democratic processes. Yes, there is a need to move quickly – and to be “agile” in response to technological change. But speed is not the only value. There is a difference between a graceful dive and a resounding belly flop – both are fast, only one is agile.

 

Published in Privacy

A ruling under B.C.’s Personal Information Protection Act (PIPA) will add new fuel to the fires burning around the issue of whether Canada’s federal political parties should have to comply with data protection laws. In Order P19-02, B.C. Privacy Commissioner Michael McEvoy rejected constitutional challenges and ruled that B.C.’s data protection law applied not just to provincial political parties (something it indisputably does), but also to electoral district associations in B.C. established under the Canada Elections Act. The decision means that the hearing into a complaint against the Courtenay-Alberni Riding Association of the New Democratic Party of Canada will now proceed. The riding association will still have the opportunity to argue, within the factual context of the complaint, that the application of specific provisions of PIPA place unacceptable limits on the right to vote and the freedom of expression under the Canadian Charter of Rights and Freedoms (the Charter).

There has been considerable attention paid to the relatively unregulated information handling practices of Canadian political parties in the last few years. A 2012 report commissioned by the Office of the Privacy Commissioner of Canada laid out the legal landscape. In the fall of 2018, federal, provincial and territorial privacy commissioners issued a joint call for meaningful privacy regulation of political parties in Canada. In late 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics issued its report titled Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly in which it recommended, among other things, that Canadian political parties be made subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Instead, the federal government chose to amend the Canada Elections Act to add some fairly tepid requirements for parties to have and make available privacy policies. Meaningful oversight and enforcement mechanisms are notably absent. In April 2019, Office of the Privacy Commissioner of Canada issued guidance for political parties on how to protect privacy. On August 7, Open Media conducted a review of the privacy policies of Canada’s federal political parties, measuring them against the guidelines issued by the OPC. The review reveals a fairly dismal level of privacy protection. As noted above, B.C.’s PIPA applies to B.C.’s provincial political parties. A review of those parties’ privacy practices earlier this year resulted in an investigation report that makes interesting reading.

It is within this context that a B.C. couple filed a complaint with the B.C. Office of the Information and Privacy Commissioner after each received and email from the NDP’s Courtenay-Alberni Riding Association inviting them to attend a meet and greet with the federal party’s leader. The couple wrote a letter to the local NDP seeking to know what information the party had on them, from whom it had been sourced, with whom it had been shared, and how the information had been and would be used. When they did not receive a satisfactory response, they filed a complaint with the OIPC. Since the NDP objected to the jurisdiction of the OIPC in the matter, the OIPC issued a notice of hearing to determine the preliminary issue of whether BC’s PIPA applied to the Courtney-Alberni Riding Association (the Organization).

The Organization made three constitutional arguments objecting to the jurisdiction of the OIPC. The first is that PIPA cannot apply to federally registered political entities because s. 41 of the Constitution Act, 1867 gives the federal government sole jurisdiction over the conduct of federal elections. The second is that PIPA cannot apply because other federal laws, including the Canada Elections Act and PIPEDA are paramount. The third argument was that, if PIPA were found to apply, to the extent that it did so, it would place unjustified limits on the right to vote and the freedom of expression guaranteed under the Charter. As noted above, on this third issue, the adjudicator ruled that there was an insufficient factual context to make a determination. Because Commissioner McAvoy ultimately decided that PIPA applies, the third question will be considered in the context of the hearing into the actual complaint.

Commisioner McAvoy noted that PIPA applies to every “organization” in BC. “Organization” is defined broadly to include: “a person, an unincorporated association, a trade union, a trust or a not for profit organization.” The Riding Association, as an unincorporated association, falls within this definition. He ruled that it made no difference that the organization was established under the constitution of a federal political party or that it is involved in federal politics. He rejected the Organization’s rather convoluted argument that since PIPEDA also applied to ‘organizations’, it precluded the application of BC’s statute. The Commissioner noted that because there is no commercial activity, PIPEDA did not apply to the collection, use or disclosure of personal information by the organization, and thus did not preclude the application of PIPA.

Commissioner McAvoy rejected the first constitutional argument on the basis that PIPA does not attempt to regulate the conduct of federal elections. PIPA’s purpose relates to “the regulation of the collection, use and disclosure of personal information by organizations.” (at para 45) It has nothing to do with any election-related issues such as the establishment of political parties, voting processes, or campaign financing. PIPA itself falls within provincial jurisdiction over “property and civil rights” in B.C. The Organization argued that by applying to federal riding associations in the province, it attempted to affect matters outside the province, but the adjudicator disagreed. He stated: “Analysis of incidental effects should be kept distinct from assessment of whether a provincial statute is validly enacted under the Constitution Act, 1867” (at para 52). He noted that in any event, incidental effects do not necessarily render a statute unconstitutional.

The Commissioner also rejected the paramountcy argument. The Organization argued that PIPA’s provisions conflicted with the Canada Elections Act, as well as the Telecommunications Act and Canada’s Anti-Spam Legislation (CASL) and frustrated a federal purpose and therefore could not apply to federal riding associations in B.C. Commissioner McEvoy found that there was no actual conflict between the federal and provincial laws. The Canada Elections Act imposes no substantive obligations around, for example, consent to the collection of personal information. It is not a situation where one statute says consent is not required and another says that it is. The Canada Elections Act is simply more permissive when it comes to personal information. Because the do-not-call list established under the Telecommunications Act does not address email communications, which is the subject matter of the actual complaint, there is no conflict with that law. Similarly, he found no conflict with the CASL. Although the CASL permits political parties or organizations to send emails with out consent to solicit donations, the email that was the subject of the complaint before the OIPC did not solicit a donation, but was rather an invitation to an event. As a result there is no conflict between the laws. Further, case law does not support the view that a conflict is found simply because a provincial law has more restrictive elements than a federal law. The Commissioner stated: “the fact that the Canada Elections Act and the two other federal laws take a permissive approach to use of certain personal information of electors does not of itself establish a conflict with PIPA’s requirements (even if one assumes, for discussion purposes only, that PIPA actually prohibits that which federal law permits.) . . . It is possible to comply with both PIPA and the federal laws [. . .]” (at para 79).

Commissioner McAvoy also rejected the argument that the application of PIPA would frustrate the federal purpose pursued under the Canada Elections Act. He found that the Organization had not adequately established the federal purpose nor had it managed to demonstrate how PIPA frustrated it.

Clearly this particular skirmish is far from complete. It is entirely possible that the Organization will challenge the Commissioner’s decision, and the matter may head to court. Nevertheless, the decision is an important one, as it raises the clear possibility that riding associations of federal political parties in BC might be held to a far stricter standard of data protection that that required of political parties elsewhere in Canada. This will increase the growing pressure on the federal government to take real, concrete steps to ensure that political parties are held to the same standards as private sector organizations when it comes to collecting, using and disclosing personal information. Given vast amounts of data available, the potential for intrusive and inappropriate uses, the controversies around profiling and targeting, and the growing risks of harm from data breaches, this is an unacceptable legislative gap.

 

Published in Privacy

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

Published in Privacy

On May 21, 2019, Canada’s federal government launched its Digital Charter, along with several other supporting documents, including its action plan for the Charter and proposals for modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA). Together, the documents discuss the outcomes of the recent federal digital strategy consultation and chart a path forward for federal policy in this area. The documents reflect areas where the government is already forging ahead, and they touch on a number of issues that have been at the centre of media attention, as well as public and private sector engagement.

As a strategy document (which, launched less than six months away from an election, it essentially is) the Digital Charter hits many of the right notes, and its accompanying documentation reveals enough work already underway to give shape to its vision and future directions. Navdeep Bains, the Minister of Innovation, Science and Economic Development, describes the Digital Charter as articulating principles that “are the foundation for a made in Canada digital approach that will guide our policy thinking and actions and will help to build an innovative, people-centred and inclusive digital and data economy.”

The Digital Charter features 10 basic principles. Three relate to digital infrastructure: universal access to digital services; safety and security; and open and modern digital government. Another three touch on human rights issues: data and digital for good; strong democracy; and freedom from hate and violent extremism. Two principles address data protection concerns: control and consent; and transparency, portability and interoperability — although the latter principle blends into the marketplace and competition concerns that are also reflected in the principle of ensuring a level playing field. Perhaps the most significant principle in terms of impact is the tenth, an overarching commitment to strong enforcement and real accountability. Weak enforcement has undermined many of our existing laws that apply in the digital context, and without enforcement or accountability, there is little hope for a credible strategy. Taken together, the 10 principles reflect a careful and thorough synthesis of some of the issues confronting Canada’s digital future.

Yet, this digital charter might more accurately be described as a digital chart. In essence, it is an action plan, and while it is both credible and ambitious, it is not a true charter. A charter is a document that creates legal rights and entitlements. The Digital Charter does not. Its principles are framed in terms of open-ended goals: “Canadians will have control over what data they are sharing,” “All Canadians will have equal opportunity to participate in the digital world,” or “Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.” Some of the principles reflect government commitments: “The Government of Canada will ensure the ethical use of data.” But saying that some can “expect” something is different from saying they have a right to it.

The goals and commitments in the Digital Charter are far from concrete. That is fair enough — these are complex issues — but concepts such as universal digital access and PIPEDA reform have been under discussion for a long time now with no real movement. A chart shows us the way, but it does not guarantee we’ll arrive at the destination.

It is interesting to note as well that privacy as a right is not squarely a part of the Digital Charter. Although privacy has (deservedly) been a high-profile issue in the wake of the Cambridge Analytica scandal and the controversies over Sidewalk Labs’ proposed smart city development in Toronto, this Digital Charter does not proclaim a right to privacy. A right to be free from unjustified surveillance (by public or private sector actors) would be a strong statement of principle. An affirmation of the importance of privacy in supporting human autonomy and dignity would also acknowledge the fundamental importance of privacy, particularly as our digital economy plows forward. The Digital Charter does address data protection, stating that Canadians will have control over the data they share and will “know that their privacy is protected.” They will also have “clear and manageable access to their personal data.” While these are important data protection goals, they are process-related commitments and are aimed at fostering trust for the purpose of data sharing.

Indeed, trust is at the the core of the government strategy. Minister Bains makes it clear that, in his view, “innovation is not possible without trust.” Further, “trust and privacy are key to ensuring a strong, competitive economy and building a more inclusive, prosperous Canada.”

Privacy, however, is the human right; trust is how data protection measures are made palatable to the commercial sector. Trust is about relationships — in this case, between individuals and businesses and, to some extent, between individuals and governments. In these relationships, there is a disparity of power that leaves individuals vulnerable to exploitation and abuse. A trust-oriented framework encourages individuals to interact with businesses and government — to share their data in order to fuel the data economy. This is perhaps the core conundrum in creating digital policy in a rapidly shifting and evolving global digital economy: the perceived tension between protecting human rights and values on the one hand, and fostering a competitive and innovative business sector on the other. In a context of enormous imbalance of power, trust that is not backed up by strong, enforceable measures grounded in human rights principles is a flimsy thing indeed.

And this, in a nutshell, is the central flaw in an otherwise promising Digital Charter. As a road map for future government action, it is ambitious and interesting. It builds on policies and actions that are already underway, and sets a clear direction for tackling the many challenges faced by Canada and Canadians in the digital age. It presents a pre-election digital strategy that is in tune with many of the current concerns of both citizens and businesses. As a charter, however, it falls short of grounding the commitments in basic rights and enshrining values for our digital future. That, perhaps, is a tall order and it may be that a transparent set of principles designed to guide government law and policy making is as much as we can expect at this stage. But calling it a Charter misleads, and creates the impression that we have done the hard work of articulating and framing the core human rights values that should set the foundational rules for the digital society we are building.

Published in Privacy

On April 25 the federal Privacy Commissioner and the Privacy Commissioner of British Columbia released a joint Report of Findings in an investigation into Facebook’s handling of personal information in relation to the Cambridge Analytica scandal. Not surprisingly, the report found that Facebook was in breach of a number of different obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Somewhat more surprisingly, the Report also finds that the corresponding obligations under BC’s Personal Information Protection Act (PIPA) were also breached. The Report criticizes Facebook for being less than fully cooperative in the investigation. It also notes that Facebook has disputed the Commissioners’ findings and many of their recommendations. The Report concludes by stating that each Commissioner will “proceed to address the unresolved issues in accordance with our authorities” under their respective statutes. Since the federal Commissioner has no order-making powers, the next step for him will be the Federal Court seeking a court order to compel changes. This will be a hearing de novo – meaning that the same territory will be covered before the Court, and Facebook will be free to introduce new evidence and argument to support its position. The court will owe no deference to the findings of the Privacy Commissioner. Further, while the Federal Trade Commission in the US contemplates fines to impose on Facebook in relation to its role in this scandal, Canada’s Commissioner does not have such a power, nor does the Federal Court. This is the data protection law we have – it is not the one that we need. Just as the Cambridge Analytica scandal drew attention to the dynamics and scale of personal data use and misuse, this investigation and its outcomes highlight the weaknesses of Canada’s current federal data protection regime.

As for the BC Commissioner – he does have order making powers under PIPA, and in theory he could order Facebook to change its practices in accordance with the findings in the Report. What the BC Commissioner lacks, however, with all due respect, is jurisdiction, as I will discuss below.

While the substantive issues raised in the complaint are important and interesting ones, this post will focus on slightly less well-travelled territory. (For comment on these other issues see, for example, this op-ed by Michael Geist). My focus is on the issue of jurisdiction. In this case, the two Commissioners make joint findings about the same facts, concluding that both statutes are breached. Although Facebook challenges their jurisdiction, the response, in the case of the BC Commissioner’s jurisdiction is brief and unsatisfactory. In my view, there is no advantage to Canadians in having two different data protection laws apply to the same facts, and there is no benefit in a lack of clarity as to the basis for a Commissioner’s jurisdiction.

This investigation was carried out jointly between the federal and the BC Privacy Commissioner. There is somewhat of a BC nexus, although this is not mentioned in the findings. One of the companies involved in processing data from Facebook is Aggregate IQ, a BC-based analytics company. There is an ongoing joint investigation between the BC and federal Privacy Commissioners into the actions of Aggregate IQ. However, this particular report of findings is in relation to the activities of Facebook, and not Aggregate IQ. While that other joint investigation will raise similar jurisdictional questions, this one deals with Facebook, a company over whose activities the federal Privacy Commissioner has asserted jurisdiction in the past.

There is precedent for a joint investigation of a privacy complaint. The federal privacy commissioners of Australia and Canada carried out a joint investigation into Ashley Madison. But I that case each Commissioner clearly had jurisdiction under their own legislation. This, I will argue, is not such a case. Within Canada, only one privacy Commissioner will have jurisdiction over a complaint arising from a particular set of facts. In this case, it is the federal Privacy Commissioner.

Unsurprisingly, Facebook raised jurisdictional issues. It challenged the jurisdiction of both commissioners. The challenge to the federal Commissioner’s jurisdiction was appropriately dismissed – there is a sufficient nexus between Facebook and Canada to support the investigation under PIPEDA. However, the challenge to the jurisdiction of the BC Commissioner was more serious. Nevertheless, it was summarily dismissed in the findings.

Uneasiness about the constitutional reach of PIPEDA in a federal state has meant that the law, which relies on the federal trade and commerce power for its constitutional legitimacy, applies only in the context of commercial activity. It applies across Canada, but it carves out space for those provinces that want to enact their own data protection laws to assert jurisdiction over the intra-provincial collection, use and disclosure of personal information. To oust PIPEDA in this sphere, these laws have to be considered “substantially similar” to PIPEDA (s. 26(2)(b)). Three provinces – BC, Alberta and Quebec, have substantially similar private sector data protection laws. Even within those provinces, PIPEDA will apply to the collection, use or disclosure by federally-regulated businesses (such as banks or airline companies). It will also apply to cross-border activities by private sector actors (whether international or inter-provincial). This split in jurisdiction over privacy can be complicated for individuals who may not know where to direct complaints, although the different commissioners’ offices will provide assistance. This does not mean there is no room for collaboration. The federal and provincial Commissioners have taken common positions on many issues in the past. These instances are conveniently listed on the website of Alberta’s privacy commissioner.

What has happened in this case is quite different. This is described as a joint investigation between the two Commissioners, and it has resulted in a joint set of recommendations and findings. Both PIPEDA and BC’s PIPA are cited as being applicable laws. In response to the challenge to the BC Privacy Commissioner’s jurisdiction, the Report tersely states that “PIPA (Personal Information Protection Act (British Columbia)) applies to Facebook’s activities occurring within the province of BC”. Yet no information is given as to what specific activities of Facebook were exclusively within the province of BC. No distinction is made at any point in the report between those activities subject to PIPA and those falling under PIPEDA. In this respect, it seems to me that Facebook is entirely correct in challenging the BC Privacy Commissioner’s jurisdiction. Facebook collects, uses and discloses personal information across borders, and its activities with respect to Canadians are almost certainly covered by PIPEDA. If that is the case, then they are not also subject to PIPA. The Exemption Order that finds PIPA BC to be substantially similar to PIPEDA provides:

1. An organization, other than a federal work, undertaking or business, to which the Personal Information Protection Act, S.B.C. 2003, c. 63, of the Province of British Columbia, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act, in respect of the collection, use and disclosure of personal information that occurs within the Province of British Columbia.

Section 3(2) of the Personal Information Protection Act provides:

(2) This Act does not apply to the following:

(c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

The “federal Act” is defined in s. 1 of PIPA to mean PIPEDA. The scheme is quite simple: if PIPEDA applies then PIPA does not. If the federal Commissioner has jurisdiction over the activities described in the Report, the provincial Commissioner does not. The only way in which the BC Commissioner would have jurisdiction is if there are purely local, provincial activities of Facebook that would not be covered by PIPEDA. Nothing in the Findings suggests that there are. At a minimum, if there are separate spheres of legislative application, these should be made explicit in the Findings.

Jurisdictional issues matter. We already have a complex mosaic of different data protection laws (federal, provincial, public sector, private sector, health sector) in Canada. Individuals must muddle through them to understand their rights and recourses; while organizations and entities must likewise understand which laws apply to which of their activities. Each statute has its own distinct sphere of operation. We do not need the duplication that would result from the adjudication of the same complaint under two (or more) different statutes; or the confusion that might result from different results flowing from different complaint resolutions. If there are separate sets of facts giving rise to separate breaches under different statutes, this has to be spelled out.

Federal-provincial cooperation on data protection is important; it is also valuable for the different privacy commissioners to reach consensus on certain principles or approaches. But creating overlapping jurisdiction over complaints flies in the face of the law and creates more problems than it solves. We have enough data protection challenges to deal with already.

Published in Privacy

Schedule 31 and Schedule 41 of Ontario’s new omnibus Budget Bill amend the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) respectively. One change to both statutes will expand the ability of public sector bodies to share personal information with law enforcement without consent. A more extensive set of amendments to FIPPA constitute another piece of the government’s digital and data strategy, which is further developed in the Simpler, Faster, Better Services Act, another piece of the budget bill discussed in my post here.

FIPPA and MFIPPA set the rules for the collection, use and disclosure of personal information by the public sector. MFIPPA applies specifically to municipalities, and FIPPA to the broader public sector. Both statutes prohibit the disclosure of personal information under the custody or control of a public body unless such a disclosure falls under an exception. Currently, both statutes have an exception related to investigations which reads:

(g) if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

The Budget Bill will amend this exception by replacing it with:

(g)  to an institution or a law enforcement agency in Canada if,

(i)  the disclosure is to aid in an investigation undertaken by the institution or the agency with a view to a law enforcement proceeding, or

(ii)  there is a reasonable basis to believe that an offence may have been committed and the disclosure is to enable the institution or the agency to determine whether to conduct such an investigation;

Paragraph (g)(i) is essentially the same as the original provision. What is new is paragraph (g)(ii). It broadens the circumstances in which personal information can be shared with law enforcement. Not only that, it does so in the squishiest of terms. There must be a reasonable basis to believe that an offence may have been committed. This is different from a reasonable basis to believe that an offence has been committed. Not only does it lower the threshold in the case of individuals, it may also open the door to the sharing of personal information for law enforcement fishing expeditions. After all, if enough people file for certain benefits, it might be reasonable to believe that an offence may have been committed (there’s always someone who tries to cheat the system, right?). The exception could enable the sharing of a quantity of personal information to permit the use of analytics to look for anomalies that might suggest the commission of on offence. The presence of this amendment in an omnibus budget bill that will receive very little scrutiny or debate contradicts the government’s own statement, in its announcement of its data strategy consultation, that “Data privacy and protection is paramount.” This is not a privacy-friendly amendment.

The other set of amendments to FIPPA contained in the budget bill are aimed at something labelled “data integration”. This is a process meant to allow government to derive greater value from its stores of data, by allowing it to generate useful data, including statistical data, to government and its departments and agencies. It allows for the intra-governmental sharing of data for preparing statistics for the purposes of resource management or allocation, as well as the planning and evaluation of the delivery of government funded programs and services, whether they are funded “in whole or in part, directly or indirectly” (s. 49.2(b)).

Because these amendments contemplate the use of personal information, there are measures specifically designed to protect privacy. For example, under s. 49.3, personal information is not to be used for data integration unless other data will not serve the purpose, and no more personal information shall be used than is reasonably necessary to meet the purpose. Public notice of the indirect (i.e. not directly from the individual) collection of personal information must be provided under s. 49.4. Any collection of personal information can only take place after data standards provided for in s. 49.14 have been approved by the Privacy Commissioner (s. 49.5). Once collected, steps must be taken to deidentify the personal information. The amendments include a definition of deidentification, which involves the removal of direct identifiers as well as any information “that could be used, either alone or with other information, to identify an individual based on what is reasonably foreseeable in the circumstances” (s. 49.1). Section 49.8 specifically prohibits anyone from using or attempting to use “information that has been identified under this Part, either alone or with other information, to identify an individual”.

Provision is made for the disclosure of personal information collected through the data integration scheme in limited circumstances – this includes the unfortunately worded exception discussed above where “there is a reasonable basis to believe that an offence may have been committed”. (s. 49.9(c)(ii)).

In terms of transparency, a new s. 49.10 provides for notice to be published on a website setting out information about any collection of personal information by a ministry engaged in data integration. The information provided must include the legal authority for the collection; the type of personal information that may be collected; and the information sources, the purpose of any collection, use or disclosure, as well as the nature of any linkages that will be made. Contact information must also be provided for someone who can answer any questions about the collection, use or disclosure of the personal information. Contact information must also be provided for the Privacy Commissioner. Data standards developed in relation to data integration must also be published (s. 49.14(2)), and any data integration unit that collections personal information must publish an annual report setting out prescribed information (s. 49.13).

Section 49.11 mandates the safe storage and disposal of any personal information, and sets retention limits. It also provides for data breach notification to be made to affected individuals as well as to the Commissioner. The Commissioner has the power, under s. 49.12 to review the practices and procedures of any data integration unit if the Commissioner “has reason to believe that the requirements of this Part are not being complied with”. The Commissioner has power to make orders regarding the discontinuance or the modification of practices or procedures, and can also order the destruction of personal information or require the adoption of a new practice or procedure.

The amendments regarding data integration are clearly designed to facilitate a better use of government data for the development and delivery of programs and services and for their evaluation. These are important measures and seem to have received some careful attention in the amendments. Once again, however, these seem to be important pieces of the data strategy for which the government has recently launched a consultation process that seems to be becoming more irrelevant by the day. Further, as part of an omnibus budget bill, these measures will not receive much in the way of discussion or debate. This is particularly unfortunate for two reasons. First, as the furore over Statistics Canada’s foray into using personal information to generate statistical data shows, transparency, public input and good process are important. Second, the expansion of bases on which personal information shared with government can be passed along to law enforcement merits public scrutiny, debate and discussion. Encroachments on privacy slipped by on the sly should be particularly suspect.

Published in Privacy
Thursday, 04 April 2019 12:54

Open Banking & Data Ownership

On April 4, 2019 I appeared before the Senate Standing Committee on Banking, Trade and Commerce (BANC) which has been holding hearings on Open Banking, following the launch of a public consultation on Open Banking by the federal government. Open banking is an interesting digital innovation initiative with both potential and risks. I wrote earlier about open banking and some of the privacy issues it raises here. I was invited by the BANC Committee to discuss ‘data ownership’ in relation to open banking. The text of my open remarks to the committee is below. My longer paper on Data Ownership is here.

_______________

Thank you for this invitation and opportunity to meet with you on the very interesting subject of Open Banking, and in particular on data ownership questions in relation to open banking.

I think it is important to think about open banking as the tip of a data iceberg. In other words, if Canada moves forward with open banking, this will become a test case for rendering standardized data portable in the hands of consumers with the goal of providing them with more opportunities and choices while at the same time stimulating innovation.

The question of data ownership is an interesting one, and it is one that has become of growing importance in an economy that is increasingly dependent upon vast quantities of data. However, the legal concept of ‘ownership’ is not a good fit with data. There is no data ownership right per se in Canadian law (or in law elsewhere in comparable jurisdictions, although in the EU the idea has recently been mooted). Instead, we have a patchwork of laws that protect certain interests in data. I will give you a very brief overview before circling back to data portability and open banking.

The law of confidential information exists to protect interests in information/data that is kept confidential. Individuals or corporations are often said to ‘own’ confidential information. But the value of this information lies in its confidentiality, and this is what the law protects. Once confidentiality is lost, so is exclusivity – the information is in the public domain.

The Supreme Court of Canada in 1988 also weighed in on the issue of data ownership – albeit in the criminal law context. They ruled in R. v. Stewart that information could not be stolen for the purposes of the crime of theft, largely because of its intangible nature. Someone could memorize a confidential list of names without removing the list from the possession of its ‘owner’. The owner would be deprived of nothing but the confidentiality of and control over the information.

It is a basic principle of copyright law that facts are in the public domain. There is good reason for this. Facts are seen as the building blocks of expression, and no one should have a monopoly over them. Copyright protects only the original expression of facts. Under copyright law, it is possible to have protection for a compilation of facts – the original expression will lie in the way in which the facts are selected or arranged. It is only that selection or arrangement that is protected – not the underlying facts. This means that those who create compilations of fact may face some uncertainty as to their existence and scope of any copyright. The Federal Court of Appeal, for example, recently ruled that there was no copyright in the Ontario Real Estate Board’s real estate listing data.

Of course, the growing value of data is driving some interesting arguments – and decisions – in copyright law. A recent Canadian case raises the possibility that facts are not the same as data under copyright law. This issue has also arisen in the US. Some data are arguably ‘authored’, in the sense that they would not exist without efforts to create them. Predictive data generated by algorithms are an example, or data that require skill, judgment and interpretation to generate. Not that many years ago, Canada Post advanced the argument that they had copyright in a postal code. In the US, a handful of cases have recognized certain data as being ‘authored’, but even in those cases, copyright protection has been denied on other grounds. According ownership rights over data – and copyright law provides a very extended period of protection – would create significant issues for expression, creation and innovation.

The other context in which the concept of data ownership arises is in relation to personal information. Increasingly we hear broad statements about how individuals ‘own’ their personal information. These are not statements grounded in law. There is no legal basis for individuals to be owners of their personal information. Individuals do have interests in their personal information. These interests are defined and protected by privacy and data protection laws (as well as by other laws relating to confidentiality, fiduciary duties, and so on). The GDPR in Europe was a significant expansion/enhancement of these interests, and reform of PIPEDA in Canada – if it ever happens – could similarly enhance the interests that individuals have in their personal data.

Before I speak more directly of these interests – and in particular of data portability – I want to just mention why it is that it is difficult to conceive of interests in personal data in terms of ownership.

What personal data could you be said to own, and what would it mean? Some personal data is observable in public contexts. Do you own your name and address? Can you prevent someone from observing you at work every day and deciding you are regularly late and have no dress sense? Is that conclusion your personal information or their opinion? Or both? If your parents’ DNA might reveal your own susceptibility to particular diseases, is their DNA your personal information? If an online bookstore profiles you as someone who likes to read Young Adult Literature – particularly vampire themed – is that your personal information or is it the bookstore’s? Or is it both? Data is complex and there may be multiple interests implicated in the creation, retention and use of various types of data – whether it is personal or otherwise. Ownership – a right to exclusive possession – is a poor fit in this context. And the determination of ownership on the basis of the ‘personal’ nature of the data will overlook the fact that there may be multiple interests entangled in any single datum.

What data protection laws do is define the nature and scope of a person’s interest in their personal information in particular contexts. In Canada, we have data protection laws that apply with respect to the public sector, the private sector, and the health sector. In all cases, individuals have an interest in their personal information which is accompanied by a number of rights. One of these is consent – individuals generally have a right to consent to the collection, use or disclosure of their personal information. But consent for collection is not required in the public sector context. And PIPEDA has an ever-growing list of exceptions to the requirements for consent to collection, use or disclosure. This shows how the interest is a qualified one. Fair information principles reflected in our data protection laws place a limit on the retention of personal information – when an organization that has collected personal information that is now no longer required for the purpose for which it is collected, their obligation is to securely dispose of it – not to return it to the individual. The individual has an interest in their personal information, but they do not own it. And, as data protection laws make clear, the organizations that collect, use and disclose personal information also have an interest in it – and they may also assert some form of ownership rights over their stores of personal information.

As I mentioned earlier, the GDPR has raised the bar for data protection world-wide. One of the features of the GDPR is that it greatly enhances the nature and quality of the data subject’s interest in their personal information. The right to erasure, for example, limited though it might be, gives individuals control over personal information that they may have, at one time, shared publicly. The right of data portability – a right that is reflected to some degree in the concept of open banking – is another enhancement of the control exercised by individuals over their personal information.

What portability means in the open banking context is that individuals will have the right to provide access to their personal financial data to a third party of their choice (presumably from an approved list). While technically they can do that now, it is complicated and not without risk. In open banking, the standard data formats will make portability simple, and will enhance the ability to bring the data together for analysis and to provide new tools and services. Although individuals will still not own their data, they will have a further degree of control over it. Thus, open banking will enhance the interest that individuals have in their personal financial information. This is not to say that it is not without risks or challenges.

 

Published in Privacy
Thursday, 07 February 2019 08:09

Ontario Launches Data Strategy Consultation

On February 5, 2019 the Ontario Government launched a Data Strategy Consultation. This comes after a year of public debate and discussion about data governance issues raised by the proposed Quayside smart cities development in Toronto. It also comes at a time when the data-thirsty artificial intelligence industry in Canada is booming – and hoping very much to be able to continue to compete at the international level. Add to the mix the view that greater data sharing between government departments and agencies could make government ‘smarter’, more efficient, and more user-friendly. The context might be summed up in these terms: the public is increasingly concerned about the massive and widespread collection of data by governments and the private sector; at the same time, both governments and the private sector want easier access to more and better data.

Consultation is a good thing – particularly with as much at stake as there is here. This consultation began with a press release that links to a short text about the data strategy, and then a link to a survey which allows the public to provide feedback in the form of answers to specific questions. The survey is open until March 7, 2019. It seems that the government will then create a “Minister’s Task Force on Data” and that this body will be charged with developing a draft data strategy that will be opened for further consultation. The overall timeline seems remarkably short, with the process targeted to wrap up by Fall 2019.

The press release telegraphs the government’s views on what the outcome of this process must address. It notes that 55% of Canada’s Big data vendors are located in Ontario, and that government plans “to make life easier for Ontarians by delivering simpler, faster and better digital services.” The goal is clearly to develop a data strategy that harnesses the power of data for use in both the private and public sectors.

If the Quayside project has taught anyone anything, it is that people do care about their data in the hands of both public and private sector actors. The press release acknowledges this by referencing the need for “ensuring that data privacy and protection is paramount, and that data will be kept safe and secure.” Yet perhaps the Ontario government has not been listening to all of the discussions around Quayside. While the press release and the introduction to the survey talk about privacy and security, neither document addresses the broader concerns that have been raised in the context of Quayside, nor those that are raised in relation to artificial intelligence more generally. There are concerns about bias and discrimination, transparency in algorithmic decision-making, profiling, targeting, and behavioural modification. Seamless sharing of data within government also raises concerns about mass surveillance. There is also a need to consider innovative solutions to data governance and the role the government might play in fostering or supporting these.

There is no doubt that the issues underlying this consultation are important ones. It is clear that the government intends to take steps to facilitate intra-governmental sharing of data as well as greater sharing of data between government and the private sector. It is also clear that much of that data will ultimately be about Ontarians. How this will happen, and what rights and values must be protected, are fundamental questions.

As is the case at the provincial and federal level across the country, the laws which govern data in Ontario were written for a different era. Not only are access to information and protection of privacy laws out of date, data-driven practices increasingly impact areas such as consumer protection, competition, credit reporting, and human rights. An effective data strategy might need to reach out across these different areas of law and policy.

Privacy and security – the issues singled out in the government’s documents – are important, but privacy must mean more than the narrow view of protecting identifiable individuals from identity theft. We need robust safeguards against undue surveillance, assurances that our data will not be used to profile or target us or our communities in ways that create or reinforce exclusion or disadvantage; we need to know how privacy and autonomy will be weighed in the balance against the stimulation of the economy and the encouragement of innovation. We also need to consider whether there are uses to which our data should simply not be put. Should some data be required to be stored in Canada, and if so in what circumstances? These and a host of other questions need to be part of the data strategy consultation. Perhaps a broader question might be why we are talking only about a data strategy and not a digital strategy. The approach of the government seems to focus on the narrow question of data as both an input and output – but not on the host of other questions around the digital technologies fueled by data. Such questions might include how governments should go about procuring digital technologies, the place of open source in government, the role and implication of technology standards – to name just a few.

With all of these important issues at stake, it is hard not to be disappointed by the form and substance of at least this initial phase of the government's consultation. It is difficult to say what value will be derived from the survey which is the vehicle for initial input. Some of the questions are frankly vapid. Consider question 2:

2. I’m interested in exploring the role of data in:

creating economic benefits

increasing public trust and confidence

better, smarter government

other

There is no box in which to write in what the “other” might be. And questions 9 to 11 provide sterling examples of leading questions:

9. Currently, the provincial government is unable to share information among ministries requiring individuals and businesses to submit the same information each time they interact with different parts of government. Do you agree that the government should be able to securely share data among ministries?

Yes

No

I’m not sure

10. Do you believe that allowing government to securely share data among ministries will streamline and improve interactions between citizens and government?

Yes

No

I’m not sure

11. If government made more of its own data available to businesses, this data could help those firms launch new services, products, and jobs for the people of Ontario. For example, government transport data could be used by startups and larger companies to help people find quicker routes home from work. Would you be in favour of the government responsibly sharing more of its own data with businesses, to help them create new jobs, products and services for Ontarians?

Yes

No

I’m not sure

In fairness, there are a few places in the survey where respondents can enter their own answers, including questions about what issues should be put to the task force and what skills and experience members should have. Those interested in data strategy should be sure to provide their input – both now and in the later phases to come.

Published in Privacy
Tuesday, 22 January 2019 16:56

Canada's Shifting Privacy Landscape

Note: This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

In early January 2019, Bell Canada caught the media spotlight over its “tailored marketing program”. The program will collect massive amounts of personal information, including “Internet browsing, streaming, TV viewing, location information, wireless and household calling patterns, app usage and the account information”. Bell’s background materials explain that “advertising is a reality” and that customers who opt into the program will see ads that are more relevant to their needs or interests. Bell promises that the information will not be shared with third party advertisers; instead it will enable Bell to offer those advertisers the ability to target ads to finely tuned categories of consumers. Once consumers opt in, their consent is presumed for any new services that they add to their account.

This is not the first time Bell has sought to collect vast amounts of data for targeted advertising purposes. In 2015, it terminated its short-lived and controversial “Relevant Ads” program after an investigation initiated by the Privacy Commissioner of Canada found that the “opt out” consent model chosen by Bell was inappropriate given the nature, volume and sensitivity of the information collected. Nevertheless, the Commissioner’s findings acknowledged that “Bell’s objective of maximizing advertising revenue while improving the online experience of customers was a legitimate business objective.”

Bell’s new tailored marketing program is based on “opt in” consent, meaning that consumers must choose to participate and are not automatically enrolled. This change and the OPC’s apparent acceptance of the legitimacy of targeted advertising programs in 2015 suggest that Bell may have brought its scheme within the parameters of PIPEDA. Yet media coverage of the new tailored ads program generated public pushback, suggesting that the privacy ground has shifted since 2015.

The rise of big data analytics and the stunning recent growth of artificial intelligence have sharply changed the commercial value of data, its potential uses, and the risks it may pose to individuals and communities. After the Cambridge Analytica scandal, there is also much greater awareness of the harms that can flow from consumer profiling and targeting. While conventional privacy risks of massive personal data collection remain (including the risk of data breaches, and enhanced surveillance), there are new risks that impact not just privacy but consumer choice, autonomy, and equality. Data misuse may also have broader impacts than just on individuals; such impacts may include group-based discrimination, and the kind of societal manipulation and disruption evidenced by the Cambridge Analytica scandal. It is not surprising, then, that both the goals and potential harms of targeted advertising may need rethinking; along with the nature and scope of data on which they rely.

The growth of digital and online services has also led to individuals effectively losing control over their personal information. There are too many privacy policies, they are too long and often obscure, products and services are needed on the fly and with little time to reflect, and most policies are ‘take-it-or-leave-it”. A growing number of voices are suggesting that consumers should have more control over their personal information, including the ability to benefit from its growing commercial value. They argue that companies that offer paid services (such as Bell) should offer rebates in exchange for the collection or use of personal data that goes beyond what is needed for basic service provision. No doubt, such advocates would be dismayed by Bell’s quid pro quo for its collection of massive amounts of detailed and often sensitive personal information: “more relevant ads”. Yet money-for-data schemes raise troubling issues, including the possibility that they could make privacy something that only the well-heeled can afford.

Another approach has been to call for reform of the sadly outdated Personal Information Protection and Electronic Documents Act. Proposals include giving the Privacy Commissioner enhanced enforcement powers, and creating ‘no go zones’ for certain types of information collection or uses. There is also interest in creating new rights such as the right to erasure, data portability, and rights to explanations of automated processing. PIPEDA reform, however, remains a mirage shimmering on the legislative horizon.

Meanwhile, the Privacy Commissioner has been working hard to squeeze the most out of PIPEDA. Among other measures, he has released new Guidelines for Obtaining Meaningful Consent, which took effect on January 1, 2019. These guidelines include a list of “must dos” and “should dos” to guide companies in obtaining adequate consent

While Bell checks off many of the ‘must do’ boxes with its new program, the Guidelines indicate that “risks of harm and other consequences” of data collection must be made clear to consumers. These risks – which are not detailed in the FAQs related to the program – obviously include the risk of data breach. The collected data may also be of interest to law enforcement, and presumably it would be handed over to police with a warrant. A more complex risk relates to the fact that internet, phone and viewing services are often shared within a household (families or roommates) and targeted ads based on viewing/surfing/location could result in the disclosure of sensitive personal information to other members of the household.

Massive data collection, profiling and targeting clearly raise issues that go well beyond simple debates over opt-in or opt-out consent. The privacy landscape is changing – both in terms of risks and responses. Those engaged in data collection would be well advised to be attentive to these changes.

Published in Privacy
<< Start < Prev 1 2 3 4 Next > End >>
Page 1 of 4

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law