Thursday, October 30, 2014

Annual Report to Parliament on the Privacy Act tabled for 2013-2014

The Office of the Privacy Commissioner of Canada has released its annual report on the Privacy Act, Canada's federal public sector privacy legislation, for 2013-2014. The report was tabled by our new Commissioner, Daniel Therrien, but relates to a period under the leadership of former Commissioner Jennifer Stoddart and Interim Commissioner Chantal Bernier.

Not surprisingly, the RCMP and surveillance of telecommunications customers loom large in the report. The summary provided in the accompanying press release gives a good overview:

News Release

Annual Report:

RCMP review highlights need for better record keeping

Privacy Commissioner’s latest annual report highlights a review which identified shortcomings in how the Royal Canadian Mounted Police (RCMP) monitors and reports on its collection of subscriber data from telecommunications companies without a warrant.

OTTAWA, October 30, 2014 – The results of a review of the RCMP’s warrantless access requests to telecommunications companies have prompted the Privacy Commissioner to call on federal institutions to ensure they properly document these types of requests.

The Office of the Privacy Commissioner of Canada (OPC) launched its review to determine whether the RCMP had appropriate controls in place to ensure its collection of this type of personal information from companies without a warrant was in compliance with the Privacy Act.

“We were disappointed to find that limitations in the RCMP’s information management systems meant we were unable to assess whether such controls were in place,” says Commissioner Therrien.

“It was not possible to determine how often the RCMP collected subscriber data without a warrant. Nor could we assess whether such requests were justified.”

The results of the review are included in the Commissioner’s 2013-2014 Annual Report on the Privacy Act tabled in Parliament today. The report also includes information related to other privacy and surveillance issues, including Beyond the Border initiatives and metadata; and discusses key investigations and complaint and data breach trends.

The review was closed after senior officials at the RCMP informed the OPC that, in the wake of a landmark Supreme Court of Canada decision, the organization would ensure its practices were in line with the ruling.

The OPC has recommended that the RCMP implement a means to monitor and report on warrantless requests for subscriber information.

“We are pleased that the RCMP has agreed to implement this recommendation,” says Commissioner Therrien. “While this review was focused on the RCMP, the recommendation calling for proper record keeping around such requests is one that other federal government organizations should also follow.

“Canadians understand that law enforcement and national security agencies have legitimate needs to collect personal information. Transparency is critical to accountability and will help to increase trust. Canadians want and deserve to have a clearer picture of how, when and why federal institutions are collecting personal information,” the Commissioner said.

“We would also encourage all federal departments and agencies not already doing so to take steps to ensure that all requests for subscriber data respect the Supreme Court of Canada’s recent decision in R. v. Spencer. The clear implication from this critically important decision for privacy is that government institutions must carefully evaluate their processes for obtaining information to ensure compliance with the Charter. The Supreme Court was clear in the Spencer decision that, absent exigent circumstances or a reasonable law providing lawful authority, government agencies must obtain prior judicial authorization in order to obtain subscriber data linked to anonymous online activities.”

Metadata Analysis

The annual report notes that the OPC has also completed a technical and legal primer on metadata – the data trail generated each time someone uses a mobile device, computer, telephone or other technologies.

Metadata and Privacy: a Technical and Legal Overview

The paper, made public today, concludes that organizations should not underestimate what metadata can reveal about an individual. Given the ubiquitous nature of metadata and the powerful inferences that can be drawn about specific individuals, government institutions and private-sector organizations will have to govern their collection and disclosure activities according to appropriate processes and standards that are commensurate with the potential level of sensitivity of metadata in any given set of circumstances.

Beyond the Border Initiatives

The annual report also notes that, over the last year, the OPC saw a trend towards an increased collection of personal information at borders and an expansion of the sharing and uses of such information. A large part stems from the entry/exit program – an initiative developed under the Canada-U.S. Beyond the Border perimeter security agreement. Initial phases have involved the exchange of entry information between Canada and the U.S. of third country nationals and permanent residents crossing land borders. The program will be expanded to include Canadian and U.S. citizens.

The OPC has already raised a number of questions with respect to the program.

Plans for the next phases of the entry/exit program contemplate not only collecting exit data from all travellers, but using that personal information for wider purposes. This includes sharing it with federal institutions. The OPC has recommended that each of these expanded uses be demonstrated as necessary and effective, be undertaken in the least privacy-invasive manner possible and be designed so any loss of privacy is in proportion to a substantial societal benefit.

The OPC expects to receive Privacy Impact Assessments (PIAs) for proposed new uses of personal information from the entry/exit program in the coming year. PIAs are an important tool and bring real value to organizations because they help to both identify and mitigate privacy risks.

Data Breaches

For the third consecutive year, the number of data breaches voluntarily reported to the OPC by federal institutions reached a record high. It is unclear whether there were actually more breaches or whether more departments and agencies chose to report them.

There were 228 reported data breaches in 2013-2014 across the federal government, more than double the 109 reported a year earlier.

Future annual reports should provide better information about the extent of serious federal government data breaches thanks to a recent change to the Treasury Board’s Directive on Privacy Practices. Federal institutions are now required to report all material data breaches.

Complaints

Year over year, complaints to the OPC have grown in both volume and complexity.

In 2013-2014, the Office accepted 1,777 complaints under the Privacy Act. This was lower than the previous year, which was unusually high due to more than 1,000 complaints related to two major data breaches at Employment and Social Development Canada (ESDC). If complaints associated with those breaches are not counted, there would be a year-over-year increase of approximately 700 complaints. That figure includes 339 complaints relating to a single issue at Health Canada.

ESDC Investigation

In March 2014, the OPC tabled in Parliament a special report on an investigation into ESDC’s loss of an external hard drive containing the personal information of almost 600,000 student loan recipients.

Our annual report summarizes the results of an investigation into another breach involving the disappearance of a USB key containing the personal information of more than 5,000 Canada Pension Plan Disability appellants. The USB key, which was being used by a Justice Department employee, disappeared from an ESDC office. It was neither password-protected nor encrypted, nor was it ever found. As in the breach involving the loss of a hard drive, the investigation found weaknesses in key privacy management controls.

Annual Report to Parliament 2013-14 - Transparency and Privacy in the Digital Age - Report on the Privacy Act

Wednesday, October 29, 2014

Privacy regulators call for measured response to terrorism attacks

In anticipation of new federal regulations to expand police surveillance powers and in connection with their annual meeting, Canadian federal, provincial and territorial privacy regulators, in a media release, have called upon the Federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

The media release is here: News Release: Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures - October 29, 2014.

Friday, October 17, 2014

Presentation: Wearables under Canadian law

I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My second panel presentation was emerging issues and I focused on wearables.

My presentation is here:

Presentation: Right to be forgotten in Canada? Not so fast ...

I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My first panel presentation was on the collision between privacy and freedom of expression in the form of the "Right to be Forgotten". Spoiler alert: it would be unconstitutional in Canada.

Here's my presentation:

Tuesday, October 14, 2014

Two weeks until the Canadian Bar Association 5th Annual Privacy and Access Law Symposium

Only a short time until the Canadian Bar Association's 5th Annual Privacy and Access Law Symposium in Ottawa at the end of the month. The conference is uniformly excellent with great speakers.

Topics include:

  • Implementing Canada's new Anti-Spam Legislation (CASL) under existing privacy frameworks
  • Key developments in international law which will affect Canadian compliance
  • Mobile tracking, consumer online scoring and user-generated health data
  • Records management and challenges to access
  • Significant provincial changes regarding police information checks, PIPEDA, Ontario's FIPPA “advice and recommendations” exemption, and IPC Ontario's “Crossing the Line” investigation report
  • Trends in access including shared services arrangements which include NGOs
  • Privacy in public places – protectable personal information

You can get the agenda [PDF] here and register here.

Friday, October 10, 2014

Cyberbullying and lawful access Bill C-13 in the home stretch

The Protecting Canadians from Online Crime Act, also known as the controversial cyberbullying and lawful access ("law adjacent" access?) bill is in the home stretch, about to be passed by the House of Commons. From the CBC: Cyberbullying bill inches closer to law despite privacy concerns - Politics - CBC News.

I have had a lot to say about it, so for background, please check out the Bill C-13 Tag.

Monday, October 06, 2014

The 18th annual Canadian IT Law Association Conference

The 18th annual conference of the Canadian Information Technology Law Association is coming up in Montreal, October 20-21, 2014.

I have not missed an IT-Can conference since I started practicing law and have been honoured to be a regular speaker. (In fact, I liked the association so much, I was the president of the Association for a while. :) I'm moderating a panel on privacy, big data and data governance. There are other excellent plenary sessions and round-tables for anyone with an interest in tech or privacy law. A veritable buffet:

The Annual Update on IP Issues • Cybersecurity: Mitigating Business Risk • Evolution of IT Licensing: From Software Licensing to Software as a Service • Privacy and Information Governance Challenges in the Age of Big Data • IT and the Practice of Law: Whatever Happened to the Paperless Office? • Développements récents 2013-2014 en TI en droit québécois • Canada's New Anti-Spam Legislation: Compliance Challenges and Risk Mitigation Strategies • Mobile Payment Technology Issues • Hot Topics in IT Law 2014 • A Checklist of Issues for Doing Business in Quebec • Strategic Use of Outsourcing Arrangements • Global Practice Issues: The Intersection of Anti-Corruption and Technology • Mobile and Telecommunications Contracting • The Current State of Net Neutrality

Check out the brochure [PDF], which has all the registration details. If you have any questions about the program please contact Lisa Ptack, IT.CAN Executive Director at lisa.ptack@rogers.com.

Canadians deserve to participate in an informed conversation about privacy and surveillance


I was invited to contribute to the Hill Times Policy Briefing on Information Technology that was released today. Here's what I had to say:

Canadians deserve to participate in an informed conversation about privacy and surveillance

A multi-year conversation about privacy and surveillance is finally coming to a head, and it may be one of the defining issues of our time. This is a pivotal aspect of the relationship between citizens and the state, and Canadians have a right to sufficient information about the government’s activities to contribute to an intelligent conversation.

The topic of privacy and government surveillance has been making headlines in Canada for the last several years. Huge numbers – MILLIONS OF REQUESTS! – grab attention, but there is little understanding of the circumstances under which information is requested and disclosed from telecommunications service providers, the extent to which law enforcement seeks information, or even the nature of the information. Canadian law enforcement and security agencies have many of the same powers as their US counterparts. Canada has an equivalent of the USA Patriot Act: this is little-known and the import is little-understood. Few Canadians are aware that laws, including the Customs Act, the Excise Tax Act and the Environment Act, authorize warrantless access to personal information without judicial oversight or notice to the affected persons. Nobody outside government knows how often or how these powers are used.

Ever since the first efforts at legislating “lawful access” years ago, civil society groups have attempted to engage law enforcement and government in a dialogue to understand privacy and warrantless access to information about citizens. Their efforts have reached a crescendo as leaks from Mr. Snowden, furor over Bill C-13 and the Supreme Court of Canada decision in R. v. Spencer draw further attention to the issue. More recently, it has been reported that Rogers and Telus are challenging an order that they turn over call records of more than forty-thousand customers in one “tower dump”.

Law enforcement’s participation in that dialogue can be summed up in the following: “trust us, but it’s not private information anyway so don’t worry about it.” Government and national security agencies stonewall, telling us: “we don’t talk about national security.” Or cabinet ministers state that questioning such powers puts one in league with child pornographers. The credibility of assertions that Canadians are not targeted for mass warrantless surveillance has been dramatically undermined by documents from Mr. Snowden’s cache. Speculation that members of the “Five Eyes” - Canada included - spy on each other’s citizens is left largely uncontradicted.

The result is an informational vacuum in which hard facts are rare, leading to dire and Orwellian speculation.

Until recently, the only visibility into the Canadian government’s demands for information about its citizens had to be coerced from either the telcos or government. Thankfully, a small handful of telcos followed the lead of Google, Twitter and Facebook by releasing “transparency reports” earlier this year. But even here, the information is sparse, incomplete and likely misleading.

The reported data does not tell us, for example, how many requests are related to call records (so-called metadata) or unlisted numbers, in comparison to looking up the owner of a particular phone number? How many requests sought customer info based on IP addresses, which was the focus of the Spencer decision? How many customer accounts are affected?

Canadians have a Charter-guaranteed right to privacy, which can be limited “subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” This is a critical balancing act, recognizing that the state has a compelling interest in protecting society and the national security. At the same time, widespread, warrantless surveillance of a population is one of the hallmarks of a police state and the antithesis of how most Canadians imagine their country.

To what extent are we a free and democratic society? The only way this conversation can take place is when law enforcement agencies and national security organizations are transparent about the use of these powers. We already have similar information about the use of wiretap powers under the Criminal Code, tabled in Parliament annually. Providing statistics cannot conceivably undermine security or the effectiveness of investigative techniques.

Canadians have a right to express informed opinions about where the line should be drawn and where the balance between privacy and security should rest. This conversation is one of the most important for our society, and Canadians have a right to an informed discussion. It may well be that Canadians will be satisfied where the lines are drawn and where the balance lies; but without transparency, we can only speculate.

David TS Fraser practices internet and privacy law with the firm McInnes Cooper. He is the author of the Canadian Privacy Law Blog (blog.privacylawyer.ca) and can also be found on Twitter at @privacylawyer. The views expressed are the author’s alone and should not be attributed to his firm or its clients.

Friday, October 03, 2014

Presentation: Canada's Anti-spam Law and School Boards

Later today, I'll be giving a presentation to the Nova Scotia School Boards Association on Canada's Anti-Spam Law (CASL) and how it affects their operations. There has been a huge amount of confusion about the impact of this law on organizations like school boards, which are generally not engaged in commercial activity and can't really take advantage of some of the implied consent provisions are are available to other organizations.

Here's the presentation, in case it is of interest or useful:

Wednesday, October 01, 2014

SaskTel issues its first "Transparency Report" on government data demands

Hot on the heels of Telus' transparency report, SaskTel has also released its very first transparency report [PDF] on government data demands.

It's worth giving the report a look, and noting that SaskTel is the only telco in Canada that is also subject to a public sector privacy law that has very broad latitude for data disclosure to law enforcement.

Here are the numbers:

General – Listed Customer Name and Address 1,582

Court order 4,139

Freedom of Information and Protection of Privacy (excluding child sexual exploitation) 896

Federal/provincial government formal demands 233

Emergency requests 718

Emergency requests - after-hours by operator services 3,993

Child sexual exploitation 49

Requests denied 247


It's also worth noting that SaskTel says they have changed their practices in response to the R. v. Spencer case.