Thursday, June 18, 2015

Digital Privacy Act (Bill S-4) now (partially) in force

Bill S-4, the Digital Privacy Act, which amends PIPEDA, has mostly been proclaimed into force by royal assent.

Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.

See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.

New Law to Protect the Personal Information of Canadians Online

Government of Canada's Digital Privacy Act comes into force

June 18, 2015 — Ottawa — Industry Canada

As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.

Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.

Under the Digital Privacy Act:

  • Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
  • Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
    Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
  • The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
Quick facts
  • Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
  • All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.

"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry

"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada

Friday, May 01, 2015

In the absence of actual harm, privacy cases are hardly worth pursuing

Continuing the theme of "don't bother unless you have actual losses ..."

In Albayate v. Bank of Montreal, 2015 BCSC 695, the plaintiff claimed against her bank for wrongly changing the address on their records and thus exposing her financial info to her former spouse. In short, the court found the bank mistakenly changed her address but the husband did not read her statement. He did not use them to her detriment. The bank apologized. End of story.

Her damages were assessed at a nominal $2000.

Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist

from Twitter

Tuesday, April 28, 2015

Ontario school bus association says Toronto crash records should be public | Toronto Star

from Twitter

RT @ricochet_en: This Friday! Privacy “Ask me anything” session on Reddit with @BCCLA, @cqwww, @PrivacyCDN and other Cdn experts:

from Twitter

RT @anitahovey: Cyber Liability Issues for SMB Lunch & Learn w @HR_Pros @OTCInsurance @PrivacyLawyer May 26

from Twitter

Monday, April 27, 2015

Canadian Privacy iAMA on Reddit

PrivaSecTech is hosting an AMA (“ Ask me anything “) on Reddit which will feature some of Canada’s top privacy professionals. On Friday May 1st from 17:00 - 20:00 AT / 15:00-19:00 ET / 12:00-16:00 PT, the team will be on hand to answer all of your privacy-related questions. Bring all of your interesting legal, policy, and technical questions as they apply to your organization or to yourself as a Canadian.

The team:

Micheal Vonn – The BCCLA’s own Policy Director, a specialist in privacy, national security, policing, surveillance and free speech.

Kris Constable – Senior Advisor & Consulting Privacy Officer at PrivaSecTech. Kris advises, trains, and audits organizations that prioritize the privacy of their users. Twitter: @cqwww

Andrew Clement – Professor in the faculty of Information, University of Toronto researching surveillance and privacy. He leads the internet surveillance mapping project and recently initiated the Snowden Surveillance Archive .

John Wunderlich – Independent privacy consultant and researcher. You can follow him on Twitter @PrivacyCDN or find him at .

Sara Levine – A specialist in privacy, freedom of information and health law, serving clients in the business, regulatory, non-profit, education and health sectors. Sara is committed to public education around privacy and freedom of information issues, and regularly speaks to groups interested in privacy rights and obligations in BC.

David T.S. Fraser – A Canadian privacy lawyer and partner with the firm of McInnes Cooper . He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

You will need an account on Reddit to participate. On the afternoon of May 1st, join the Canadian Privacy iAMA thread, and ask your question(s)! Visit PrivaSecTech’s event page for the link to the Reddit iAMA, which will be posted as soon as it is active!

In the interim, check out r/privacy and newly formed r/privacylaw .

Sunday, April 26, 2015

Tuesday, April 07, 2015

Why privilege matters in privacy advice

After a data breach, a company can easily find that the due diligence it exercised to avoid the breach in the first place can readily be turned against it. “Privacy impact assessments” and “threat risk assessments” are increasingly common, identifying privacy and security risks associated with new projects, new products and new processes. They should be a frank assessment highlighting all of the things that can go wrong to that the business can understand the steps to take to mitigate these risks. If they don’t identify all the risks, they are incomplete. But as most privacy professionals know, you can readily pay a million dollars to avoid a thousand dollars worth of risk. Mitigation steps need to be proportional to the risk, but only the worst case scenarios can instruct you on how badly things can go.

As important as these documents are, they can easily become the “smoking gun” that is front and centre in an investigation by regulators or a class action lawsuit. A privacy risk that is identified and unaddressed (or not fully addressed) will quickly be presented as negligence and recklessness.

I recently reviewed a “privacy risk assessment” prepared by a privacy consultant that was authored a few months before a significant breach involving tens of thousands of individuals. The report was the work of a privacy consultant and can readily be interpreted as a chronicle of previous privacy breaches (all of which could have been much worse), common carelessness on the part of employees, and budgetary constraints that led to cut corners. Many risks were identified and not all were ultimately addressed. The report can be seen to point in a direct line to negligent and reckless handling and safeguarding of sensitive personal information, while management was fully aware of systemic shortcomings. The report concludes that the organization should seek an “acceptable level” of privacy and security breaches. I expect that this document will be Exhibit “A” the class action lawsuit that has already been filed. The consultant's working notes will also be relevant evidence, along with any interviews he carried out. It may well be that the manager who commissioned it will soon regret making that decision.

The reason why this privacy risk assessment will be front and centre in a lawsuit is that the report was not prepared by a lawyer. It was prepared by a consultant who is not able to offer legal advice, despite the fact that it refers to compliance with privacy legislation. The only way to confidently keep anything out of court and off the record is to make sure that it is protected by legal advice privilege. If the report had been prepared by a lawyer or even by a consultant on a lawyer’s instructions in order to support the lawyer’s legal advice, it would never see the light of day unless the organization chooses to waive its privilege. The report would have served its purpose of allowing the organization to have a frank assessment of its vulnerabilities -- warts and all -- without the risk that it would be front and centre in court.

Note: I expect that this may be received as self-serving since I am a lawyer. I look forward to any debate or discussion that this raises.

Wednesday, March 25, 2015

Cyberbullying for family law practitioners (*not intended to be a how-to guide)

I was invited to speak with the Canadian Bar Association's Nova Scotia Family Law Section on cyberbullying law for family law practitioners. I was very happy to do so, given that many instances of cyberbullying arise from failed relationships and this will be a growing issue for family lawyers.

In case it is of interest, here is the presentation: