Friday, May 01, 2015

In the absence of actual harm, privacy cases are hardly worth pursuing

Continuing the theme of "don't bother unless you have actual losses ..."

In Albayate v. Bank of Montreal, 2015 BCSC 695, the plaintiff claimed against her bank for wrongly changing the address on their records and thus exposing her financial info to her former spouse. In short, the court found the bank mistakenly changed her address but the husband did not read her statement. He did not use them to her detriment. The bank apologized. End of story.

Her damages were assessed at a nominal $2000.

Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist

from Twitter

Tuesday, April 28, 2015

Ontario school bus association says Toronto crash records should be public | Toronto Star

from Twitter

RT @ricochet_en: This Friday! Privacy “Ask me anything” session on Reddit with @BCCLA, @cqwww, @PrivacyCDN and other Cdn experts:

from Twitter

RT @anitahovey: Cyber Liability Issues for SMB Lunch & Learn w @HR_Pros @OTCInsurance @PrivacyLawyer May 26

from Twitter

Monday, April 27, 2015

Canadian Privacy iAMA on Reddit

PrivaSecTech is hosting an AMA (“Ask me anything”) on Reddit which will feature some of Canada’s top privacy professionals. On Friday May 1st from 17:00 - 20:00 AT / 15:00-19:00 ET / 12:00-16:00 PT, the team will be on hand to answer all of your privacy-related questions. Bring all of your interesting legal, policy, and technical questions as they apply to your organization or to yourself as a Canadian.

The team:

Micheal Vonn – The BCCLA’s own Policy Director, a specialist in privacy, national security, policing, surveillance and free speech.

Kris Constable – Senior Advisor & Consulting Privacy Officer at PrivaSecTech. Kris advises, trains, and audits organizations that prioritize the privacy of their users. Twitter: @cqwww

Andrew Clement – Professor in the faculty of Information, University of Toronto, researching surveillance and privacy. He leads the internet surveillance mapping project and recently initiated the Snowden Surveillance Archive.

John Wunderlich – Independent privacy consultant and researcher. You can follow him on Twitter @PrivacyCDN or find him at .

Sara Levine – A specialist in privacy, freedom of information and health law, serving clients in the business, regulatory, non-profit, education and health sectors. Sara is committed to public education around privacy and freedom of information issues, and regularly speaks to groups interested in privacy rights and obligations in BC.

David T.S. Fraser – A Canadian privacy lawyer and partner with the firm of McInnes Cooper. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

You will need an account on Reddit to participate. On the afternoon of May 1st, join the Canadian Privacy iAMA thread, and ask your question(s)! Visit PrivaSecTech’s event page for the link to the Reddit iAMA, which will be posted as soon as it is active!

In the interim, check out r/privacy and the newly formed r/privacylaw.

Sunday, April 26, 2015

Tuesday, April 07, 2015

Why privilege matters in privacy advice

After a data breach, a company can easily find that the due diligence it exercised to avoid the breach in the first place can readily be turned against it. “Privacy impact assessments” and “threat risk assessments” are increasingly common, identifying privacy and security risks associated with new projects, new products and new processes. They should be a frank assessment highlighting all of the things that can go wrong so that the business can understand the steps to take to mitigate these risks. If they don’t identify all the risks, they are incomplete. But as most privacy professionals know, you can readily pay a million dollars to avoid a thousand dollars' worth of risk. Mitigation steps need to be proportional to the risk, but only the worst case scenarios can instruct you on how badly things can go.

As important as these documents are, they can easily become the “smoking gun” that is front and centre in an investigation by regulators or a class action lawsuit. A privacy risk that is identified and unaddressed (or not fully addressed) will quickly be presented as negligence and recklessness.

I recently reviewed a “privacy risk assessment” prepared by a privacy consultant that was authored a few months before a significant breach involving tens of thousands of individuals. The report was the work of a privacy consultant and can readily be interpreted as a chronicle of previous privacy breaches (all of which could have been much worse), common carelessness on the part of employees, and budgetary constraints that led to cut corners. Many risks were identified and not all were ultimately addressed. The report can be seen to point in a direct line to negligent and reckless handling and safeguarding of sensitive personal information, while management was fully aware of systemic shortcomings. The report concludes that the organization should seek an “acceptable level” of privacy and security breaches. I expect that this document will be Exhibit “A” in the class action lawsuit that has already been filed. The consultant's working notes will also be relevant evidence, along with any interviews he carried out. It may well be that the manager who commissioned it will soon regret making that decision.

The reason why this privacy risk assessment will be front and centre in a lawsuit is that the report was not prepared by a lawyer. It was prepared by a consultant who is not able to offer legal advice, despite the fact that it refers to compliance with privacy legislation. The only way to confidently keep anything out of court and off the record is to make sure that it is protected by legal advice privilege. If the report had been prepared by a lawyer or even by a consultant on a lawyer’s instructions in order to support the lawyer’s legal advice, it would never see the light of day unless the organization chooses to waive its privilege. The report would have served its purpose of allowing the organization to have a frank assessment of its vulnerabilities -- warts and all -- without the risk that it would be front and centre in court.

Note: I expect that this may be received as self-serving since I am a lawyer. I look forward to any debate or discussion that this raises.

Wednesday, March 25, 2015

Cyberbullying for family law practitioners (*not intended to be a how-to guide)

I was invited to speak with the Canadian Bar Association's Nova Scotia Family Law Section on cyberbullying law for family law practitioners. I was very happy to do so, given that many instances of cyberbullying arise from failed relationships and this will be a growing issue for family lawyers.

In case it is of interest, here is the presentation:

Wednesday, March 18, 2015

In Bill C-51, you can be ORDERED to help CSIS violate the Charter

Oh, there are so many things wrong with Bill C-51, the government's proposed Anti-Terrorism Act, 2015. But one aspect that I find particularly frightening has not received much attention. Under new amendments to the CSIS Act, you can be ordered to help CSIS violate the Charter rights of others.

Yup. Bill C-51 expands the sort of warrants that the Canadian Security Intelligence Service can obtain. It used to be that they could make secret applications, in secret, in front of a judge in a secret bunker for secret warrants to do things like wiretap, install bugs, etc. Now, CSIS is given a broader mandate to take measures to reduce "threats to the security of Canada". (Which is an incredibly vague term that should send chills up your spine.) And under C-51, CSIS can apply for a warrant permitting its agents to break laws, including the Charter, to reduce such threats:

21.1 (1) If the Director or any employee who is designated by the Minister for the purpose believes on reasonable grounds that a warrant under this section is required to enable the Service to take measures, within or outside Canada, to reduce a threat to the security of Canada, the Director or employee may, after having obtained the Minister’s approval, make an application in accordance with subsection (2) to a judge for a warrant under this section.

So such a warrant would allow CSIS to do things, inside or outside of Canada, that would otherwise violate our criminal law or the Charter. That's bad enough. But Bill C-51 also gives CSIS the ability to get an order requiring others to help them violate our criminal law or the Charter.

Assistance order

22.3 (1) A judge may order any person to provide assistance if the person’s assistance may reasonably be considered to be required to give effect to a warrant issued under section 21 or 21.1.

And to make it worse, the order can include a gag-order preventing you from complaining about it.


(2) The judge may include in the order any measure that the judge considers necessary in the public interest to ensure the confidentiality of the order, including the identity of any person who is required to provide assistance under the order and any other information concerning the provision of the assistance.

I don't think that this would survive Charter scrutiny, but it's very troubling that the government wants CSIS to be able to deputize anyone and to force them to help in CSIS's "kinetic activities".

That's incredibly troubling.