Teresa Scassa - Blog

Displaying items by tag: Privacy

In case there was any doubt, the Office of the Privacy Commissioner of Canada (OPC) produced a report this week that confirms that Canada’s private sector data protection legislation is simply not up to the task of adequately protecting the personal information of Canadians. The report is aptly titled: The Case for Reforming the Personal Information Protection and Electronic Documents Act.

The introduction to this report makes plain the frustration of those charged with administering the Personal Information Protection and Electronic Documents Act (PIPEDA). Enacted with much fanfare in 2001, this statute contains a provision that requires that it be reviewed every 5 years to ensure that it remains adequate for the task of protecting the personal information of Canadians in commercial contexts. As the introduction to the Report notes, the first 5-year review ended with a Bill to amend the statute – this Bill died on the order paper and in spite of attempts to resuscitate it, it has never been passed. The second 5-year review has simply stalled. In the meantime, as the report notes, the personal data landscape has been dramatically transformed with the rise of social networking, mobile communications, increased cross-border data collection and sharing, and the growing use of personal information for the profiling and targeting of consumers.

PIPEDA is a fairly tentative piece of legislation, giving only ombudsperson powers to the Privacy Commissioner, and favouring an approach that encourages compliance rather than mandating it. This new report issued by the Office of the Privacy Commissioner (OPC) makes it clear that this approach is no longer effective nor is it appropriate to the current data protection context. The Report notes that comparable jurisdictions have moved towards giving data commissioners more powers of enforcement, including order-making powers and the ability to impose fines or other administrative penalties on companies that play fast and loose with personal information. PIPEDA even lags behind the laws of those few provinces that have their own private sector data protection statutes: Commissioners in Quebec, B.C. and Alberta have order-making powers, and Alberta also has mandatory data breach notification requirements. The report observes that not only is the toothless PIPEDA a difficult tool to use to gain compliance from large web-based collectors of personal information that are based outside of Canada, it also relies too heavily upon the willingness of domestic companies to take the Commissioner’s findings or audit reports seriously.

The OPC report identifies four pressure points based on their 12 years of experience with the legislation, and makes four recommendations for legislative reform to address each of these. The first pressure point is enforcement. The report explains how the lack of enforcement powers has hindered the ability of the OPC to address data protection issues. It notes, for example, that there is “nothing in the law that provides enough incentive for organizations to invest in privacy in significant ways.” (at p. 6). It notes as well that even when complaints lead to investigation and recommendations, companies may renege on agreements to change practices because there is nothing to compel them to do so. The report laments that other jurisdictions have taken steps to enhance their enforcement powers while nothing is done in Canada. As a result, the report recommends that stronger enforcement powers be added to the legislation. It identifies as possibilities: adding statutory damages powers to enhance the damages available to complainants who ultimately take their issues to Federal Court; giving the Commissioner order-making powers; and giving the Commissioner the power to impose administrative monetary penalties. Ideally, all three should be added. I note in particular that while statutory damages will improve the individual recourse under the Act, this on its own will not greatly improve compliance under the legislation (see my earlier blog post on individual recourse in privacy cases).

The second pressure point identified in the report is the lack of mandatory reporting for data breaches. The Report notes that as things currently stand, organizations who voluntarily report a data breach face negative publicity, while those who cover up breaches are insulated from reproach. A mandatory data breach reporting provision (which is what the report recommends) would ensure that Canadians are made aware of data breaches, would give Canadians a much clearer picture of the state of personal data security, and would create strong incentives for organizations to improve their privacy practices.

The third pressure point identified is an interesting and important one. PIPEDA contains a provision which allows organizations to voluntarily share personal information with police or other authorities without the consent of the individuals to whom the information relates. Given the increasingly high volumes of personal data in the hands of private sector actors, and the fine grain of detail of much of this information (for example, it may include detailed location information about the movement of individuals over extended periods of time), this should be a matter of great concern. At present there is little or no transparency about the number of requests made by law enforcement for this type of information, nor is there any transparency about the number of times private sector organizations voluntarily share information without insisting upon a warrant. The report’s third recommendation is to require organizations “to publicly report on the number of disclosures they make to law enforcement. . . without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception.” (at p. 14)

The final pressure point identified in the report is that of demonstrating accountability. Although accountability of organizations for compliance with data protection laws is one of the privacy principles set out in PIPEDA, the report notes that the record of accountability of private sector actors is not all it should be. Not only does the OPC expend significant resources on investigations and audits, they are forced to invest additional resources in follow ups to ensure that there has been compliance with their recommendations. The report recommends that the accountability principle in PIPEDA be amended to require organizations to demonstrate, on the request of the OPC, that they are actually compliant with the law. Further, the report recommends that the law provide for “enforceable agreements” – in other words, undertakings by organizations to comply with the legislation that can be enforced by the OPC if compliance is not actually forthcoming.

Commissioner Jennifer Stoddart is approaching the end of the second term of her appointment. Her leadership of the OPC has been exemplary; she has taken it from a beleaguered and unstable agency to one that has proven its expertise and effectiveness. It has worked with great effectiveness with federal departments and agencies, it has developed effective strategies for public outreach and education, and it has worked tirelessly to improve data protection in the private sector. The Commissioner has also maintained a high level of communication and collaboration with other data commissioners in Canada and abroad. In short, she has done as much – perhaps more – than one could expect to address the privacy of Canadians in both the public and private sectors under two neglected and outdated privacy statutes. This report is notable for the frank and direct way it publicly addresses the deficiencies in Canada’s private sector data protection legislation. Since the mandated legislative review process set out in PIPEDA has proven utterly ineffective in doing so, the Commissioner has taken the initiative, addressing Canadians directly to explain in plain and direct terms what the problems are and how they might be fixed. Let us hope that the government is listening.

Published in Privacy

Privacy is big news these days, particularly when it comes to online activity. Internet users are increasingly being tracked by websites they visit, by advertisers on those sites, and by their mobile apps. Profiling practices are ubiquitous. Information and activities on social networking sites are mined by “big data” for purposes that are hardly transparent to users. It is in this context that the Standing Committee on Access to Information, Privacy and Ethics has just released its report on Privacy and Social Media in the Age of Big Data.

The report outlines many of the challenges and issues facing individuals and regulators in the social media context. There are significant issues around how consumer consent is obtained to the collection, use and disclosure of their personal information, the unlimited nature of information collected, the uses to which harvested information is put, and the length of time information is retained. Some testimony before the Committee specifically addressed the added challenges raised by the collection of the personal information of children. Issues of accountability, transparency and security are also considered in the report, and the Committee heard testimony regarding the practices of specific social media companies, and the measures being adopted by the Federal Trade Commission in the US.

Given the broad scope of the inquiry and the importance of the issues, the Committee’s recommendations are a letdown. The first three recommendations consist largely of statements urging the Privacy Commissioner of Canada to develop new guidelines to address privacy challenges with social media. The recommendations which follow encourage both government and social media companies to support education, to promote safe online activities and to support digital literacy. While guidelines and education clearly have a role to play, the recommendations do not go far enough, and in particular, they ignore the sorry state of Canada's private sector data protection law.

During the course of its inquiry, the committee heard plenty of evidence about the lack of movement on long overdue legislative reform to the Personal Information Protection and Electronic Documents Act (PIPEDA), and about how the proposed amendments to this law in Bill C-12, which has languished for some time now, may already be out of date. The Committee also heard evidence about the need for enhanced powers of enforcement for the federal Privacy Commissioner, who managed to do her job admirably well with largely only the power to cajole and encourage compliance. That the recommendations of the Committee are entirely silent on the need to amend PIPEDA to add data breach notification requirements, the power to levy fines, order-making powers or other enforcement measures is simply stunning.

One can be grateful, at least, for the recommendations contained in the Supplemental Report of the New Democratic Party of Canada. The NDP members of the Committee clearly took away a different message from these hearings than did the other members. The NDP makes a number of recommendations for legislative amendments that would enhance the enforcement power of the Privacy Commissioner. These include recommendations for legislative change to require companies to notify the Privacy Commissioner in cases of serious breaches of data security, to enhance the enforcement powers of the Commissioner, and to implement “do not track” functions. Indeed, earlier this year, the NDP’s Charmaine Borg (who sits on the Standing Committee) introduced a private member’s bill (Bill C-475) that would amend PIPEDA so as to implement some of these recommendations around data breach notification and enforcement powers.

The soft approach to privacy protection has not proven adequate to deal with the pervasive, intensive and ubiquitous data collection practices which have become the norm in our digitized society. The almost daily accounts of data breaches and their negative impacts on individuals are evidence of the failure of gentle encouragement to achieve regulatory compliance with even the most basic privacy norms. It is past time to update and upgrade Canada’s data protection legislation. It is most disappointing to see a Standing Committee report that can study these issues and conclude only that gentle encouragement is still the path to follow.

Published in Privacy
Thursday, 14 March 2013 14:33

The Failure of Privacy Law

Recently, the decision of the Ontario Court of Appeal in Jones v. Tsige was celebrated by privacy advocates for recognizing a new privacy tort in Ontario. The plaintiff/appellant Jones received an award of $10,000 in damages for harm suffered as a result of the defendant’s unauthorized access to her bank records over a period of time.

An even more recent dispute between Jones and her lawyer has highlighted a chronic problem with privacy law in Canada: the lack of meaningful recourse. Last week, a judge ordered Jones to pay her lawyer the balance of the legal fees she incurred in her ground-breaking lawsuit. These fees were in excess of $125,000 – more than 12 times Jones’ damage award. The judge made it clear that the lawyer had provided first rate representation for his client. The lesson here is that legal services are expensive, and frankly, the majority of Canadians cannot afford to go to court.

The new tort that resulted from Jones v. Tsige is similar to statutory torts in provinces such as British Columbia, Manitoba, Saskatchewan and Newfoundland and Labrador. They are fairly narrowly framed; these torts require a wilful violation of privacy. They are meant to apply in cases of stalking, voyeurism, and other deliberate privacy intrusions. The high cost of litigation combined with the fact that courts give relatively small damage awards for the difficult-to-quantify harms that flow from privacy invasion mean that these torts are of little practical use to most Canadians.

Arguably, the most pervasive threats to personal privacy come from routine over-collection of personal information, and poor information handling practices. The tort of invasion of privacy does not apply in such cases. Instead, private sector data protection legislation is meant to provide recourse to individuals when their personal information is inappropriately collected, used or disclosed by private sector organizations. Yet the Personal Information Protection and Electronic Documents Act (PIPEDA) has its own substantial defects. This law applies to activities in the federally regulated private sector, and to the private sector more broadly in those provinces without their own legislation (all provinces and territories except B.C., Alberta, and Quebec fall under PIPEDA). Individuals may make complaints under PIPEDA; the outcome of any such complaint is a report by the Office of the Privacy Commissioner (OPC). This report may contain recommendations as to how an organization should correct deficiencies in its practices, but these recommendations are not binding. Once a report has been issued, an individual may choose to take the matter to Federal Court to get an order requiring the organization to change its practices. The individual may also seek compensation for any harm they have suffered. Once again, it costs money to go to court, and those few individuals who have exercised this option have had little success. Nammo v. Transunion of Canada Inc. has become the benchmark for awards of damages in such cases; Mr. Nammo was awarded a whopping $5000 after a credit reporting agency failed to collect accurate information about him, and shared the incorrect (and negative) credit information with a bank. It is no surprise that the majority (if not all) of those who have pursued their PIPEDA claims before the Federal Court have represented themselves. The cost of legal representation would far outstrip any likely award of damages.

The OPC does excellent work within the limits of its mandate, and it has no doubt had some success in improving how (receptive) businesses handle personal information. There is, however, little in the legislation to seriously motivate compliance. PIPEDA is a relatively toothless statute: the Privacy Commissioner has no order-making power, there is no mandatory breach disclosure provision, and there is little in the way of economic consequences for those who flout privacy principles. Yet PIPEDA has passed its first five-year review without much-needed legislative amendment (the Conservative government’s Bill C-12 died on the order paper and has yet to be revived), and it is now well overdue for its second five-year review. It is into this context that Charmaine Borg of the NDP has introduced a private member’s Bill C-475, which would impose a mandatory data breach disclosure requirement on organizations, would provide the Privacy Commissioner with order-making powers, and would create the potential for significant financial penalties for those who refuse to comply with orders.

Measures of this kind could provide a real incentive for organizations to take data protection more seriously. And let’s face it, for the vast majority of Canadians, it is not the right to go to court to sue for invasion of privacy or to seek damages for violations of PIPEDA that will make any kind of difference. These rights are rendered meaningless by both the cost of litigation and by the resultant lack of deterrent effect on bad behaviour. The best protection for individuals is a regime that gives organizations clear reasons to improve their practices and systems.

Published in Privacy
Friday, 08 February 2013 13:27

More on Privacy and Public Gun Permit Data

Recently I have blogged about the controversial interactive map created by the New York Journal News which showed the names and addresses of gun permit holders in two New York counties. I then followed this up with another posting about how the data on the map was substantially inaccurate. Both the map and its aftermath raise interesting issues about public data, open government and privacy rights.

This week, a New York court has given us more to think about on the issue of public government information and privacy. The New York Times sought access to an electronic copy of a database of the names and addresses of all residents of New York City who hold handgun licences. In Matter of New York Times Co. v. City of New York Police Dept., the appellate division of the New York State Supreme Court denied disclosure of the database notwithstanding that the information it contains is a matter of public record. The court stated: “The fact that Penal Law §400.00(5) makes the name and address of a handgun license holder ‘a public record’ is not dispositive of whether respondent can assert the privacy and safety exemptions to FOIL [Freedom of Information Law] disclosure.” The court went further, noting that this was so “especially when petitioners seek the names and addresses in electronic form.” It also indicated that other case law supported the view that the disclosure of a person’s home address “implicates a heightened privacy concern.”

This decision is an interesting one in that it tackles head on the thorny problem of what to do with public record information that includes the personal information (names and addresses) of individuals. When made available in electronic form, this information can be used to create all manner of information maps (among other things) that might generate far greater privacy concerns than the original government record. The infamous gun permit map is an example of this. Consider also the Proposition 8 map – a map that plotted the names, addresses and donation amounts of all contributors to a campaign to ban gay marriage in California.

Open government and open data principles favour the disclosure of government information in digital “re-usable” formats to serve a variety of public purposes which include promoting transparency and accountability. While access to information legislation generally permits a government department or agency to refuse disclosure of third party personal information in response to an access request, this limitation does not apply to information that is already part of a public record. In Canada, the Personal Information Protection and Electronic Documents Act (which governs the private sector use of personal information) creates exemptions to rules around the collection, use and disclosure of “publicly available information”. According to the regulations, this category of information expressly includes “personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law”. While it is true that the exemption is limited to instances “where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry”, given that the information appears in the registry for purposes of transparency and accountability, republishing the information would likely fit within those purposes. In any event, newspapers are largely exempt from the application of this law where personal information is collected, used or disclosed for journalistic purposes. The result is a significant gap in Canadian privacy law when it comes to public registry data.

The Office of the Privacy Commissioner of Canada is already aware of the problems that open government and open courts principles may raise when it comes to the electronic dissemination of “public record” information. For example, the Commissioner has issued guidelines to administrative tribunals to assist them in their decision-making around the online publication of decisions that might contain detailed personal information. Clearly the OPC is of the view that open online access can change the privacy equation.

Balancing the interests of open government and privacy is a significant challenge – and not an easy one. I doubt we have heard the last on this issue.


Published in Privacy
Friday, 01 February 2013 13:21

Update on Gun Permit Holder Information Map

In a recent blog post I wrote about the issues raised by the mapping of public information. The issue that prompted this blog post was the creation, by the Journal News of New York State, of a map featuring the names and addresses of all gun permit holders in two counties. The map prompted outrage although it merely represented data made available to the newspaper on an access to information request.

A recent development in the story highlights another issue both with open data and with the mapping of public information. The Journal News reports that a substantial amount of the posted information was inaccurate. Apparently this was attributable to the fact that one of the two counties at issue did not require permit renewals, and thus contained a significant amount of outdated information. In fact, the data for this county was only about 25% accurate. The other county required renewals every five years, which made the data more current, though not entirely up-to-date.

The open data movement promises significant social and economic benefits. Making government data freely available in appropriate formats for reuse is meant to increase government transparency and accountability, and to provide individuals and the private sector with raw data for research or innovation. Many already use such information to create useful apps, or to develop information maps that place government data in an interactive and accessible geographic context.

One of the challenges, however, is ensuring that the data sets provided by government are accurate, complete and fit for the purpose to which they are put. Not only must governments ensure that they are providing current data and appropriate updates, they must also include the meta data necessary for users to understand the scope and limitations of the data set.

Where the data includes personal information (including home addresses) it would seem that the onus should be even higher on governments to ensure that the information being provided is current, or that the limitations of the data set are clearly identified. Of course, there is also an onus on the party using the information to ensure that they understand the limits of the data set.

Voltage Pictures LLC has brought a motion in Federal Court seeking a court order that would compel Internet Service Provider Teksavvy Solutions Inc. to disclose the identities of customers using certain IP addresses that have been linked to Internet file-sharing of works in which Voltage owns the copyright. If the court were to order the disclosure, the identified individuals could be sued for copyright infringement by Voltage.

The University of Ottawa’s Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) has brought a motion to intervene in the proceedings. CIPPIC has an established track record in representing the public interest in cases of this kind; they have argued for a balance between individuals’ privacy interests in their online activities and copyright holders’ interests in previous litigation. The Federal Court has adjourned its hearing of Voltage’s motion in order to consider the issue of CIPPIC’s intervention.

Published in Privacy

A New York newspaper created a furore by publishing, in the wake of the tragic school shooting in Newtown, Connecticut, an interactive online map that displayed the names and addresses of residents holding permits for guns. The newspaper obtained the data through an access to information request. The map was accompanied by an article with the title: “The gun owner next door: What you don't know about the weapons in your neighborhood.” The map and article provoked outrage. Gun owners were concerned about their privacy, and one news agency ran an interview with a retired burglar who suggested that the map would make burglars’ work much easier. A blogger responded to the map by creating another map which featured the names and addresses of the staff of the newspaper. The newspaper has reportedly had to hire armed guards to protect its main office.

This is, of course, not the first time that controversial information maps have been created by news agencies or by others. In California, for example, information about election donors is a matter of public record. Someone used this information to publish a map detailing the names, addresses and contribution amounts of individuals who had donated to a campaign to amend the State’s constitution to prohibit gay marriage.

Widely available Web 2.0 tools and resources have made it easy for almost anyone to create online maps. The ability to present information in a geographical context is an attractive option. Information maps are visually appealing, and can reveal patterns and permit connections that might not be evident from data presented in the form of lists or plain text. For example, Patrick Cain, a Canadian journalist, has been creating innovative and fascinating information maps for many years. Perhaps one of his most useful maps is his annual map of busted grow-ops in Toronto. There are real risks associated with purchasing a house which was once used for a grow op, and there is no obligation on sellers to disclose this information. The grow-op maps provide important and easily accessible information for those searching for a new home.


While there is no doubt that information maps can be useful and important, there are also potential risks. There is a great deal of publicly available information collected by different levels of government. For example, many registers of public documents, and decisions of administrative tribunals are already accessible to the public. The Privacy Commissioner of Canada has expressed concerns about the consequences of placing this sort of information online; in the past, public access was available only to those who took the trouble to show up at specific sites to view the entries in the register. This implicitly limited access to this information. While some of this public information might be very usefully presented to the public in map form (see, for example, the maps of crime reports in Ottawa) other information may have serious privacy or security consequences if disclosed online and in map form.


Privacy and data protection laws in Canada do not offer a great deal of protection in this regard. While governments are bound by privacy legislation that protects against the disclosure of personal information in the context of access to information requests, a great deal of other government information is part of public registers. Individuals who disclose information on maps for personal, non-commercial purposes may be exempt from the application of national or provincial private sector data protection laws, and these laws also create exceptions for information that is collected, used or disclosed for “artistic, literary or journalistic purposes”. (I recently published a law journal article on this issue.) Thus, for example, a news outlet in Canada that did something comparable to the New York-based newspaper described above might well be insulated from recourse under data protection laws because of their “journalistic purposes” in doing so.


There is, of course, a tricky balance to be struck. Personal privacy and individual security are important values, but so are those served by open government (transparency, accountability) and by the freedom of expression. Indeed, the Supreme Court of Canada is expected to rule sometime in the coming year on the constitutionality of the exception for journalistic purposes in Alberta’s private sector data protection legislation. That decision may give us some guidance on the tricky balance between freedom of expression and the protection of privacy. In the meantime governments must continue to examine how best to achieve the goals of openness while at the same time protecting individual privacy and security.

Note: this piece was first published by me at: http://www.bloggingforequality.ca/2013/01/information-maps-freedom-of-expression.html

Wednesday, 06 June 2012 09:39

Location-Based Services and Privacy

“Location-Based Services and Privacy”, (T. Scassa & Anca Sattler) (2011) 9:2 Canadian Journal of Law and Technology 99-134

The last decade has seen a rapid growth in the number and variety of location-based services that are available to consumers. While some of the older location-based services are tools such as GPS and other navigation systems, more recent innovations include applications that permit users to call up a variety of different information about their current locations, such as the nearest Italian restaurant, or the best deals at a favourite store. Location-based services (LBS) also allow individuals to share their location with friends in a wide range of social networking contexts. Location-based services are already shifting from pull to push applications. Information can now be pushed automatically to users based on their location. The options for such services are virtually limitless, and include mobile-marketing, public transportation applications, information about local points of interest, health care applications connected to remote treatment systems, or tools to find the closest election-day polling booth.

There is no doubt that many location-based services offer real benefits to users. Yet location-based services raise inevitable user privacy concerns. These concerns operate on multiple levels and involve many players. In some applications, privacy issues will arise between individual users, where, for example, applications permit the tracking of movements of family members, co-workers or “friends”. Location-based services may also result in the collection of a new layer of personal information about consumers by private sector companies. Information about individuals and their movements has meaningful commercial value, and the potential for the collection, use and disclosure of this information is significant. Location-based services also raise the spectre of state surveillance of individual activity – either concurrent with an individual’s movements (tracking), or retrospectively, through searching records of individual patterns of movement. These are just some of the contexts in which privacy issues are raised.

In this paper we describe location-based services, their evolution and their future directions. We then outline privacy issues raised by such services. We consider how current Canadian data protection laws apply to location-based services, and indicate where such laws fall short of addressing the full range of issues raised by location-based services. We also explore some technological methods to address the privacy challenges raised by location-based services. The paper concludes with a series of recommendations.

Published in Refereed Articles

The recent Alberta Court of Appeal decision in United Food and Commercial Workers, Local 401 v. Alberta (Attorney General) raises interesting issues regarding the relationship of data protection legislation to the constitutionally guaranteed freedom of expression.

The dispute arose after a union representing striking casino workers set up a picket line at the mall entrance to the casino. As part of the picketing activity, the Union videotaped the picket line and also took still photographs of persons crossing the line to enter the casino. Signs posted nearby indicated that photographs and videos might be featured on a strike-related website. Different things were done with the images; some were posted online on the union’s website, and a still photo of the Casino Vice-President was used in unflattering ways in the Union newsletter and on leaflets. Following a complaint by some of the filmed individuals, an adjudicator under Alberta’s Personal Information Protection Act (PIPA) found that the photos and videos constituted personal information and that it had been collected, used and disclosed without notice or consent, as required by the Act. She also found that the exception to the application of PIPA for personal information that is collected, used or disclosed for “journalistic purposes and no other purpose” did not apply because the Union had multiple purposes for its actions, most of which were not journalistic. She found that the Union could argue that the information was collected, used or disclosed for the purposes of a possible investigation or legal proceeding, as disputes often broke out on picket lines. However, she ruled that the relevant exception would only be available if notice had been given of this purpose for collection. According to the adjudicator, the scope of this exception, if it had been available, would not have extended to the publication of the materials on the website, or the use of the still photos in the newsletter and elsewhere.

The Union sought judicial review of the decision, arguing in particular that their Charter right to freedom of expression had been infringed. Justice Goss of the Alberta Court of Queen’s Bench agreed, and she ordered that the regulation defining “publicly available information” be struck down for being underinclusive, and that the words “and for no other purpose” found in the exception to the Act for journalistic purposes should also be struck down. She also ordered a temporary suspension of invalidity to permit the Alberta legislature to address the defects in the legislation.

The Attorney-General of Alberta appealed this decision to the Alberta Court of Appeal. Although the Court of Appeal agreed with Justice Goss that PIPA posed certain constitutional issues, it disagreed with her as to the source of these issues and the appropriate remedies. It rejected the conclusion that the regulations defining “publicly available information” were relevant, observing correctly that “[u]nder the Act, “personal” information is not the same as “private” information” (at para 10). It spent more time on the s. 4(3)(c) exception to the application of the Act where information is collected, used or disclosed “for journalistic purposes and for no other purpose.” The Union had argued that posting the information on its website or in its pamphlets or newsletters served journalistic purposes, and that the consent of the photographed individuals should not have been required.

The Court of Appeal noted that it was possible to give this provision effect in two ways. The first would be to find that any information that was collected for journalistic purposes as well as other purposes was entirely tainted by those other purposes, and thus could not qualify for the exception. The second would be to find that the information could be collected, used or disclosed without consent for journalistic purposes, but consent would have to be obtained for any other purposes. The Court preferred the latter interpretation, noting that organizations may have many different objectives and purposes. It wrote: “even though the union’s purpose is not primarily journalistic, to the extent that it does engage in journalistic activities it is entitled to rely on the exemption in the Act for that purpose.” (at para 52) Because this approach was adopted, the Court found it unnecessary to rule (as had Justice Goss) that the terms “and for no other purpose” in s. 4(3)(c) were unconstitutional.

The Court next considered the scope of the exception for journalistic purposes in order to determine whether the Union’s activities were captured by it. It opted for a relatively narrow interpretation. It found that the Union’s activities in filming the picket line were not primarily journalistic, but rather focused on “labour relations, collective bargaining, and the economic dynamics of a strike.” (at para 57). It noted: “Just because the union might have to communicate with its members and the public about the strike in order to accomplish its labour relations objectives does not turn the whole exercise into journalism.” (at para 57). The Court was of the view that it was not appropriate to cram the union’s activities into “journalism” in order to conduct a constitutional assessment. Rather, the issue should be whether PIPA, by creating barriers to the Union’s expression in the context of a strike, struck an appropriate balance between the goals of protecting personal information and the freedom of expression.

The jurisprudence is clear that picketing is an expressive activity that is also linked to the freedom of association. The Court of Appeal acknowledged that the decision of the adjudicator in this case did not impact on the right to picket. However, it did place limits on what could be done with photos and recordings made of the picket line activities. According to the Court, recording and distributing images and videos is an activity directly related to the purposes of picketing, which has both an informational and a dissuasive component. Because recordings of people crossing the picket line “spreads news of the picket line to a wider audience . . . [and] tends to increase the pressure on those who might be tempted to cross the picket line” (at para 64), it constitutes expressive activity. Although there is a coercive element to this type of expression, the Court observed that unpleasant speech is protected by the constitution. It stated: “so long as there is no promotion of violence or other illegal activity, a reasonable amount of psychological pressure may be brought to bear on all those involved.” (at para 66)

Because the recording and dissemination of images of people crossing the picket line is expressive conduct, the Court of Appeal concluded that the adjudicator’s decision that the images could not be collected, used or disclosed without consent, violated the Union’s freedom of expression rights. The Court accepted that PIPA served a pressing and substantial objective (protecting against the misuse of personal information), and that placing limits on the collection, use and disclosure of personal information was rationally connected to that objective. However, it found that there was no proportionality in the legislation because it was not drafted “in a manner that is adequately sensitive to Charter rights.” (at para 73). The Court’s comments on the elements of overbreadth of PIPA are interesting.

In the first place, the Court suggests that PIPA is overbroad for having “no functional definition” of the term “personal information”. Yet the core of the definition (“information about an identifiable individual”) is essentially shared by private and public data protection statutes across Canada. According to the Court, it is necessary for the Commissioner to narrow this definition in order to make it compliant with Charter values. However, the structure of the legislation is such that, although the definition is broad, the Act contains many exceptions to its application or to the requirements of consent for collection, use or disclosure of personal information in particular contexts or circumstances. It is not at all clear that the definition is the problem. The court may be looking for a definition that would exclude information about people in public places, yet such an exception to the application of the law (as inadvisable as it might be) could be created without changing the definition. It should be noted that shrinking the scope of the definition might also mean that the legislation would no longer qualify as “substantially similar” to PIPEDA.

The objection to the definition of personal information is thus closely linked to the Court’s second objection, which is that PIPA does not contain a general exception for information “that is personal, but not at all private”. Without citing any examples, the Court claims that “the comparative statutes in some provinces exempt activity that occurs in some public places.” (at para 73). It is not clear to what the court is referring, as the only other provinces with private sector data protection statutes are B.C. and Quebec, and neither statute has the kind of exemption described. The court is most likely referring to statutes in some provinces which create torts of invasion of privacy, and which set certain contextual boundaries for the torts. The situations are not at all equivalent. It is entirely appropriate that an individual’s ability to allege an invasion of their privacy be considered in light of circumstances that include whether they were engaged in activity in a public place. However, the data protection context is different. Data protection laws protect individuals against the collection, use and disclosure of their personal information by private sector actors. There is no obvious reason why an exception to the law should be carved out to permit companies to cull personal information about individuals from multiple sources regarding their movements in public spaces. It is important to note that video surveillance cameras and cell phone location information could both fall within this category of information.

The Court also objects to the “artificially narrow” definition of “publicly available information”. This objection is also problematic. The publicly available information exception is narrowly crafted, and is limited to things such as public telephone directory listings, public government registries, court and tribunal records, and the like. The exception is only available where the information is used for the purposes for which it was made publicly available, and where the collection, use or disclosure being made is for purposes which a reasonable person would consider appropriate in the circumstances. In all cases, the categories of publicly available information are ones where it could be said that the individual has either consented to the information becoming public (for example, directory listings only constitute publicly available information where the individual has been given an option to delist their number), or where the government has mandated by law that such information is to be public (in the case of registries, or court decisions). Information published in a newspaper, magazine or other publication is only publicly available information if “it is reasonable to assume that the individual that the information is about provided that information” (PIPA Regulation, s. 7(e)(ii).) Here again, one finds the notion of consent to a specific use of the information. The exceptions are crafted narrowly because to do otherwise would substantially disrupt the balance in the Act, making all manner of personal information open to collection, use or disclosure without consent. Expanding the definition of publicly available information to include activities in public lacks both the consent element and the specific purpose as a limiting condition.

The Court also objects to the fact that there is “no special exemption for information collected and used for free expression”. In an article critical of the wording of the journalistic purposes exception, I consider a number of problems with the journalistic purposes exception. I have argued that indeed the formulation in Quebec’s private sector data protection legislation is broader than that used in PIPA or PIPEDA, as it refers to journalistic information that is communicated for “the legitimate information of the public”, rather than for the more obscure “journalistic purposes”. This gives somewhat more scope to the exception. However, I note that the effect of the Quebec exception is to permit the Commissioner to consider whether a communication was for “the legitimate information of the public”. In other words, it does not function as an outright exception to the application of the Act (as does the journalistic purposes exception). Rather, it allows the Commissioner to consider the scope and manner of the communication in order to determine whether the balance between freedom of expression and privacy has been appropriately struck. Given the significant developments in the new media, it may well be time to revisit the journalistic purposes exception in data protection laws; this must be done, however, in a thoughtful and considered manner.

Finally, the Court objects to the fact that “there is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their business.” (at para 73). This is puzzling since this seems to be a central purpose of data protection legislation. The statute as a whole is a scheme designed to permit just that – while at the same time giving individuals some right to control how their personal information is collected, used and disclosed.

Ultimately the Court wisely chose to simply quash the decision of the adjudicator, rather than to declare any portion of the statute unconstitutional. According to the Court, it is up to the legislature “to decide what amendments are required to the Act in order to bring it in line with the Charter.” (at para 81). Any such reform initiative by the legislature should be one that gives a much more careful consideration to the structure of the Act as a whole, and the complex web of interests that are already finely balanced.


Published in Privacy

Below is the statement I made to the House of Commons Standing Committee on Access to Information, Privacy and Ethics on May 31, 2012. The Standing Committee had convened hearings on the following motion:

Be it Resolved: That the Committee study the efforts and the measures taken by Google, Facebook and other social media to protect the personal information of Canadians, and that the Committee report its findings back to the House.

I would like to begin by saying that I think it is very important that more attention be given to data protection and privacy in relation to the activities of social media companies. I do find it somewhat ironic, however, that the Committee’s mandate has been framed in terms of studying the efforts and measures taken by social media companies to protect the personal information of Canadians. It is a bit like studying the efforts made by foxes to protect the lives of the chickens.

I note that to the extent that Google, Facebook and other social media companies attempt to protect the personal information of Canadians, these efforts are shaped by data protection law. The adequacy of our data protection legislation must therefore be a focus of attention. The amendments from the first five year review of 2006 have yet to make it through Parliament; the second five year review is already late in getting underway. These should be matters for concern, particularly since the data protection environment has changed substantially since the law was first enacted. The current law is particularly weak with respect to enforcement. The Commissioner has no order making powers and lacks the ability to impose fines or other penalties in the case of particularly egregious conduct.

The focus on social media and privacy has two broad aspects. The first relates to how individuals use these tools to communicate amongst themselves. In this regard we hear concerns about employers accessing Facebook pages, people posting the personal information of other people online, criminals exploiting Facebook information, and so on. These are concerns about information that individuals choose to share, the consequences of that sharing, and the norms that should govern this new mode of interpersonal exchange. The second aspect, and the one on which I will focus my attention is on the role of these companies in harvesting – or in facilitating the harvesting – of massive amounts of information about us in order to track our online activity, consumption habits, and even patterns of movement. In this respect, attention given to large corporations such as Facebook and Google is important, but there are also many other players in the digital environment who are engaging in these practices.

The business models of social media companies are generally highly dependent upon the personal data of their users. In fact, social networking, search engines, email and many other services are offered to us for free. By hosting our content and tracking our activities, these services are able to extract a significant volume of personal data. The nature and quality of this data is enhanced by new innovations. For example, information about the location and movements of individuals is highly coveted. More and more individuals carry with them location enabled smart phones and they use these devices for social networking and other online activities. Even computer browsers are now location-enabled, and thus information about our location is routinely gathered in the course of ordinary internet activities.

The point is that more and more data of increasingly varied kinds are being sought, collected, used and disclosed. This data is compiled, matched and mined in order to profile consumers for various purposes including targeted behavioural marketing. In some cases, this data may be shared with third party advertisers, with application developers or with related companies. Even where the data is de-identified, its fine-textured nature may still leave individuals identifiable, as companies such as AOL and Netflix have learned the hard way. Individuals may also still be identifiable from detailed profile information, and the substantial volumes of information gathered about us make us highly vulnerable to data security breaches of all kinds.

It has become very difficult to protect our personal data, particularly in contexts where privacy preferences are set once (and often by default) and the service is one which we use daily or even multiple times each day. It is often difficult to determine what information is being collected, how it is being shared and with whom. Privacy policies are often too long, unclear, and remote for anyone to actually read and understand. We now enter into a myriad of transactions each day and there simply isn’t time or energy to properly “manage” our data. It is a bit like walking through a swamp and being surrounded by a cloud of mosquitoes. To avoid being bitten we can swat away; we can even use insect repellents or other devices, but in the end we are inevitably going to be bitten, often multiple times.

It is also becoming increasingly difficult to avoid entering this swamp. People use social media to keep family and friends close, regardless of how far apart they live, or because the social network communities have become a part of how their own peer groups communicate and interact. Increasingly businesses, schools, and even governments are developing presences in social media, which give even more impetus to individuals to participate in these environments. Traditional information content providers are also moving to the Internet and to Facebook and Twitter, and are encouraging their readers/viewers/listeners to access their news and other information online and in interactive formats. These tools are rapidly replacing traditional modes of communication.

To date, our main protection from the exploitation of our personal information in these contexts has been data protection law. Data protection laws are premised on the need to balance the privacy interests of consumers with the needs of businesses to collect and use personal data. But in the time since PIPEDA was enacted, this need has become a voracious hunger for more and more data, retained for longer and longer periods of time. The need for data has shifted from information required to complete transactions or to maintain client relationships to a demand for data as a resource to be exploited. This shift risks gutting the consent model on which the legislation is based. This new paradigm deserves special attention and may require different legal norms and approaches.

Under the traditional data protection model, the goal was to enable consumers to make informed choices about their personal data. In the big data context, informed choices are virtually impossible to make. Beyond this, there is an element of servitude that is deeply disturbing. Nancy Obermeyer uses the term “volunteered geoslavery” to describe a context where location-enabled devices report on our movements to any number of companies without us necessarily being aware of this constant stream of data. She makes the point that equipping individuals with sensors that report on their activities leaves them vulnerable to dominance and exploitation; yet this is a growing reality in our everyday lives. Going beyond the simple collection of data, social networking services encourage users to make these sites the hub of their daily activities and communications.

Our personal data is a resource that businesses large and small regularly exploit. The data is used to profile us so as to define our consumption habits, to determine our suitability for insurance or other services, or to apply price discrimination in the delivery of wares or services. We become data “subjects” in the fullest sense of the word. There are few transactions or activities that do not leave a data trail.

As noted earlier, many so-called “free” services such as social networking sites, document sharing sites, cool applications, and even internet searching, are actually premised upon the ability to extract user data. In the 2011 decision of the Quebec Superior Court in St. Arnaud c. Facebook a judge refused to certify a class action lawsuit against Facebook. To do so would have required classifying the terms of use for the site as a consumer contract so that Quebec law could override the clause that provided that all disputes would be settled under the laws of California and adjudicated by California courts. The Quebec Court found that there was no consumer contract because the Facebook service is entirely free, whereas a consumer contract “is premised on payment and consideration.” The judge found that there was no obligation placed on users that could be regarded as a form of consideration.

This case demonstrates how the provision of personal data is overlooked as an element of the contract between the company and the individual. It is treated as a matter governed by the tangential privacy policies. This lack of transparency regarding the quid pro quo makes it the consumer’s sole responsibility to manage their personal information. Concerns that excessive amounts of personal information are being collected can then be met by assertions that people just don’t care about privacy. To regard the sharing of personal data as part of a consumer contract for services, by contrast, places both competition law and consumer protection concerns much more squarely in the forefront. In my view, it is time to explicitly address these concerns.

Another social harm potentially posed by big data is of course, discrimination. Oscar Gandy has written about this in his most recent book. We understand how racial profiling leads to injustice in the application of criminal laws. Profiling, whether based on race, sex, sexual orientation, religion, ethnicity, socio-economic status or other grounds, is a growing concern in how we are offered goods or services. Through big data, corporations develop profiles of our tastes and consumption habits; they channel these back to us in targeted advertising, recommendations and special promotions. When we search for goods or services, we are presented first with those things which we are believed to want. We are told that profiling is good because it means we don’t have to be inundated with marketing material for products or services that are of little interest. Yet there is also a flip side to profiling. It can be used to characterize individuals as unworthy of special discounts or promotional prices; unsuitable for credit or insurance; uninteresting as a market for particular kinds of products and services. Profiling can and will exclude some and privilege others.

I have argued that big data alters the data protection paradigm, and that social networking services, along with many other “free” internet services are major players in this regard. To conclude my remarks, I would like to focus on the following key points.

1) The collection, use and disclosure of personal information is no longer simply an issue of privacy, but raises issues of consumer protection, competition law, and human rights;

2) The nature and volume of personal information collected from social media sites and other “free” internet services goes well beyond transaction information and relates to the activities, relationships, preferences, interests and location of individuals;

3) Data protection law reform is overdue, and may now require a reconsideration or modification of the consent-based approach, particularly in contexts where personal data is treated as a resource and personal data collection extends to movements, activities and interests;

4) Changes to PIPEDA should include greater powers of enforcement for data protection norms, which might include order-making powers, and the power to levy fines or impose penalties in the case of egregious or repeated transgressions.

Published in Privacy