Friday, May 28, 2010

Privacy and the cloud

I was invited to give a presentation to the International Association of Privacy Professionals' annual Canadian Symposium on the topic of privacy in the cloud.

For anyone else who may be interested, here is the presentation I gave:

Privacy and law enforcement access to information

I had the great pleasure today of giving a presentation at the Canadian IT Law Association's annual Spring Training event on law enforcement access to personal information.

Here is the presentation, though I caution that the new proposed amendments to PIPEDA will tweak some of it.

Thursday, May 27, 2010

New anti-spam bill introduced

My head has been spinning with the proposed new amendments to PIPEDA introduced this week so that I haven't really had a chance to focus on Bill C-28 (Fighting Internet and Wireless Spam Act). David Canton has a good summary and introduction over at Slaw: FISA – new anti-spam bill introduced — Slaw.

Wednesday, May 26, 2010

Markup of Bill C-28 and Bill C-29 Amendments to PIPEDA

Due to popular demand, here's a markup of PIPEDA showing the proposed amendments made by both Bill C-28 (Fighting Internet and Wireless Spam Act) and Bill C-29 (An Act to amend the Personal Information Protection and Electronic Documents Act), via Google Docs.

Facebook revamps privacy controls

Facebook's Mark Zuckerberg has just wrapped up a press conference, responding the massive criticism of Facebook's privacy practices. He has unveiled a simplified framework for controlling the "sharing" of personal information on the site.

Here's the official Facebook blog: Making Control Simple | Facebook.

CNet's Declan McCullagh live blogged the press conference here: Facebook event will outline 'simpler' privacy controls | Politics and Law - CNET News.

So did Business Insider's Nicholas Carlson: LIVE: Facebook Rolls Out New Privacy Options.

Overview of proposed PIPEDA amendments

I've just posted an overview of the PIPEDA amendments over at slaw.ca

Overview of proposed PIPEDA amendments — Slaw

On Tuesday, May 25, the Minister of Industry introduced in Parliament Bill C29, also known as an Act to amend the Personal Information Protection and Electronic Documents Act.

Bill C-29 is the long-awaited government response to the five year mandatory review of PIPEDA and contains a number of very significant amendments that, if passed, will alter the landscape of privacy law compliance in Canada. At a very high level, it provides mandatory breach notification for security breaches related to personal information, attempts to clarify the confusing “lawful authority” provisions in Section 7 and also facilitates the disclosure of customer and employee information in connection with business transactions. This post will attempt to summarize the significant amendments, but since the ink is barely dry on the bill readers should check out the amendments for themselves either at the parliamentary website or on the marked up version that I have created and have posted to the Canadian Privacy Law Blog.

Business Contact Information

The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. "Business Contact Information" refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual so that, in the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if business contact information is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent

Bill C-29 raises the bar, or at least clarified, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent” clarifies that the consent that is required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product

In Section 7, which allows the collection, use or disclosure of personal information without consent a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as “work product” exception to consent.

Lawful Authority

Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of "lawful authority" has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process. Though I have strong opinions on what it should mean, I was looking for clarification on what Parliament thinks it means. I was disappointed. Lawful authority is "defined" in the new Section 7(3)(c.1):

(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)

(a) lawful authority refers to lawful authority other than

(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or

(ii) rules of court relating to the production of records; and

(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

Also in Section 7(3)(c.1), the government has added to the circumstances where information could be disclosed without consent, provided there is lawful authority of course, for the purpose of performing policing services that are not otherwise referred to in Section 7(3)(c.1). Sub paragraph (iv) permits a disclosure for the purpose of notifying next of kin of an injured, ill or deceased individual.

Gag Order

A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner.

This above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.

Removing Investigative Bodies

Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or Province or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions

The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. This section 7.1, parties to a perspective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use the information and disclose it solely for the purposes related to the transaction, to protect that information with appropriate safe guard and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. It is also a condition that personal information be necessary to determine whether to proceed with the transaction and is necessary to complete the transaction. Once the transaction is completed, Subsection (2) permits the parties to the transaction to use and disclose the personal information without consent, provided they have entered into an agreement that requires them to reach only used information for the purposes for which it was originally collected, to protect that information and to give effect any withdrawal with consent as is already provided for under Principle 3 of the CSA Model Code. It is an overriding condition that the personal information be necessary for carrying on the business or the activity that was the object of the transaction and that the individuals are notified within a reasonable time after the transaction has completed of the transaction and that their personal information has been disclosed.

This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information

The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect use and disclose employee personal information if that collection use or disclosure is necessary to establish, manage, or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, user disclosed for these purposes.

Breach Notification - Notification of the Commissioner

Perhaps the most notable addition to PIPEDA in Bill C29 is the addition of Division 1.1, which deals with breaches of security safe guards. The new section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification - Notification of the Individual

The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a “real risk”, which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that they are required to give notice occasionally under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people though the mass media where it is not feasible to give individual notice.

This new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach or to mitigate that harm.

Tuesday, May 25, 2010

Markup of Bill C-29 PIPEDA Amendments

For anyone who may be interested, I've created a markup of PIPEDA showing the changes proposed by Bill C-29 (first reading). Additions are shown as underlined and deletions are struck out. Here it is.

Clarifying lawful authority in PIPEDA? Really?

The proposed amendments in Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act are pretty broad-reaching. One of the provisions I've been anticipating is cleaning up the messy "lawful authority" term used in Section 7(3).

I am suprised by how this was proposed in the Bill (the underlined bits are added by Bill C-29):

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

(iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual, or

(v) the disclosure is requested for the purpose of performing policing services that are not referred to in subparagraph (i), (ii) or (iv);

But wait ... there's more. Section 7(3.1) clarifies "lawful authority" by saying what it isn't. (Which is already what you could clearly infer by reading the legislation as originally passed.)

(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)

(a) lawful authority refers to lawful authority other than

(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or

(ii) rules of court relating to the production of records; and

(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

For greater certainty? Really? Just to be clear, lawful authority is lawful authority. Crystal clear. Thanks.

PIPEDA amendments will expand private sector "collaboration" with police, permit disclosure of personal information

With today's proposed amendments to the federal private sector privacy law, most of the attention has been focused at "breach notification". But there's another very important amendment that seems to be a little below the radar.

On this blog, I've had a lot to say about cooperation between the private sector and law enforcement/national security agencies. One of the problems that telcos in particular have been struggling with is how to deal with warrantless demands for customer information. Section 7 of PIPEDA allows limited disclosure without consent to law enforcement/national security agencies where they have "lawful authority" to request the information. Courts have ruled that an active police investigation is not "lawful authority", so a disclosure would be unlawful.

It appears that the bill introduced today to amend PIPEDA will expand the ability for organizations to provide customer information to authorities without a warrant. (I haven't seen the text of the bill yet.)

Here's the official word from the Industry Canada media release

Industry Canada Site - Government of Canada Moves to Enhance Safety and Security in the Online Marketplace

Supporting Effective Law Enforcement

Another key thrust of the Bill is supporting effective law enforcement. The Government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order. To avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

I expect that the amendments will be permissive, in that they will allow a custodian of information to pass personal information to the police rather than require it. But for many, that's a distinction without a difference as I've often seen police take the position that if privacy legislation would permit it, it's almost obligatory.

Update: Here is the First Reading text of Bill C-29.

Breach notification amendments to PIPEDA introduced in Parliament

Industry Minister Tony Clement has tabled legislation to amend PIPEDA, requiring data breach notification. (I haven't seen the text of the bill yet, but will provide a link as soon as I get my hands on it).

From the preliminary coverage (Firms not required to inform victims of privacy breach under new rules), it appears the new rules will be the same as Alberta's only requiring notice to affected individuals if the company determines there exists a "real risk of significant harm". Critics suggest that this threshold is too low or leaves too much discretion in the hands of companies.

Here's the press release, which outlines other amendments being made to PIPEDA:
Government of Canada Moves to Enhance Safety and Security in the Online Marketplace


OTTAWA, ONTARIO--(Marketwire - May 25, 2010) - The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

"Canadian shoppers should feel just as confident in the electronic marketplace as they do at the corner store," said Minister Clement. "With today's two pieces of legislation, we are working toward a safer and more secure online environment for both consumers and businesses — essential in positioning Canada as a leader in the digital economy."

"Our government believes that personal information should be no less secure when shared online than anywhere else. That is why we are taking steps to ensure it is better protected," said Minister of State Lebel. "These measures will empower and better protect consumers while ensuring that Canadian businesses can continue to compete in the global marketplace."

To address public concerns about the increasing number of data breaches involving personal information, PIPEDA proposes a new requirement for organizations to report material data breaches to the Privacy Commissioner of Canada and to notify individuals where there is a risk of harm. This requirement will complement the government's recently enacted identity theft legislation and encourage better information security practices on the part of organizations.

PIPEDA also proposes amendments related to protecting the privacy of minors and other vulnerable individuals online. Other amendments are designed to clarify and streamline rules for business and support effective investigations by law enforcement and security agencies.

The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.

The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.

Backgrounder

Government of Canada Introduces Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA)

The Government of Canada has introduced enhancements to private sector privacy legislation in a bill seeking to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). In doing so, the Government is implementing the Government Response to the first statutory review of PIPEDA and is delivering on a commitment made by the Minister of Industry at the June 22, 2009, forum entitled Canada's Digital Economy: Moving Forward.

In a modern, information-based economy, or "digital economy", a solid, efficient regime for the protection of personal information is vitally important for both consumers and businesses.

To ensure that PIPEDA continues to keep pace with rapid marketplace and technological changes, and their societal impacts, the proposed amendments in this Bill are designed to:

protect and empower consumers;

clarify and streamline rules for business;

enable effective investigations by law enforcement and security agencies; and,

make linguistic and other technical drafting corrections.

EMPOWERING CONSUMERS

The proposed amendments will make a significant contribution to the government's efforts to ensure a safe and secure Internet for Canadians. A key proposed amendment would require organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the organization deems the breach to pose a real risk of significant harm, such as identity theft or fraud, or damage to reputation. This amendment will not only provide consumers with the information they need to mitigate harm resulting from a breach of their personal information, it will also encourage better information security practices in organizations. This proposed amendment will complement the government's new identity theft law, An Act to amend the Criminal Code (identity theft and related misconduct).

Acknowledging the increasing Internet usage rates of children, Canada is working with a number of international organizations to develop strategies to better protect children online. The Bill proposes an amendment to PIPEDA's consent regime that will provide further protection for children online by requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information.

The Bill also proposes additional exceptions to allow for the release of personal information to help protect victims of financial abuse, to help locate missing persons and to identify injured, ill or deceased individuals.

STREAMLINING RULES FOR BUSINESS

In its October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics, the Government committed to supporting business by providing greater clarity and certainty with respect to key provisions of PIPEDA. The Bill proposes exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes ("work product"), and information used for due diligence in business transactions. Organizations will also be able to share and use business contact information that is required to conduct day-to-day business.

In addition, a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.

SUPPORTING EFFECTIVE LAW ENFORCEMENT

Another key thrust of the Bill is supporting effective law enforcement. The Government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order. To avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

COMPLETING A PARLIAMENTARY PROCESS

Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in the course of commercial activity. It has been in force since January 1, 2001, and is mandated to be reviewed by Parliament every five years.

This Bill acts on the Government's October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics arising from the first Parliamentary review of the Act. The Government Response addressed each of the 25 recommendations contained in the Committee's report and committed to amending the Act in agreement with many of the Committee's recommendations.

In its report, the Committee recognized that the Act is working well and does not require major changes at this time. The Committee recommended the "fine-tuning" of some of the Act's provisions and encouraged increased harmonization with provincial privacy laws.

Industry Canada, which administers the Act, conducted formal consultations with stakeholders in order to further develop and define options for implementing the Government Response to the Committee report. The Government received 76 written submissions, and officials held more than 25 meetings involving a wide range of stakeholders including business, consumer and privacy advocates, the Privacy Commissioner of Canada, provincial governments and law enforcement authorities.

Where possible, the proposed amendments take into consideration approaches taken in provincial privacy laws.

Update: Here is the First Reading text of Bill C-29.

Monday, May 24, 2010

Anti-Spam and data breach notification bills expected next week

According to Michael Geist, the conservative government has given notice that it will table two bills next week. The first is the reintroduction of the Anti-Spam Act, also known as the Electronic Commerce Protection Act. The second, an Act to amend PIPEDA, is expected to add data breach notification.

Thursday, May 20, 2010

New UK government to scale back surveillance

According to the CBC, the new UK government plans to scale back many of the grossly intrusive surveillance measures adopted and planned by the previous government. This includes more closely regulating CCTV, abandoning the national identity card programme and limiting the retention of DNA samples.

All welcome news.

See: CBC News - Technology & Science - U.K. surveillance systems scaled back.

Sunday, May 09, 2010

TSA employee arrested for assault after being teased about what body scanner revealed

With all the fuss over full body scanners in airports, I did not expect this.

According to The Smoking Gun, an airport security officer has been arrested after assaulting a co-worker. The spat arose because the accused was imaged in the scanner during a training exercise, exposing all his bits and pieces to his colleagues. As a result, the accused was allegedly teased mercilessly about what the image revealed.

Pretty grim.

See a summary and a copy of the arrest report here: For Airport Security, Size Matters - May 6, 2010.

Saturday, May 08, 2010

Google responds to international Privacy Commissioners

Yesterday, Google responded by letter to the international group of Privacy Commissioners who criticized the company and its information practices. Here's the post from the Google Public Policy Blog, Our letter to data protection commissioners on privacy, and the letter itself.

Elizabeth Denham appointed BC Commissioner

Elizabeth Denham has just been appointed as the Information and Privacy Commissioner for British Columbia, replacing David Loukidelis who has assumed the role of Deputy Attorney General for BC.

Currently the Assistant Privacy Commissioner of Canada, responsible for the administration of PIPEDA, Liz has previously worked in the Information and Privacy Commissioner of Alberta's office. She is well regarded among privacy professionals in Canada and has been very vocal recently, particularly in high-profile investigations of Facebook.

The Vancouver Sun has more info here: New privacy watchdog has clashed with Facebook.

Her official bio from the OPCC is here: Biography of Elizabeth Denham - Assistant Privacy Commissioner of Canada.

This is a significant change in the federal office, as Jennifer Stoddart is scheduled to end her term this fall.

Sunday, May 02, 2010

The (d)evolution of Facebook's privacy policy

The Electronic Frontier Foundation has an ineresting review of key changes to Facebook's privacy statement, ending with this conclusion:
Facebook's Eroding Privacy Policy: A Timeline Electronic Frontier Foundation
...Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it's slowly but surely helped itself — and its advertising and business partners — to more and more of its users' information, while limiting the users' options to control their own information.