Thursday, May 26, 2011

Search Engine on Lawful Access

Episode 87 of Jesse Brown's "Search Engine" on TVO is all about lawful access and includes an interview with Micheal Vonn of the British Columbia Civil Liberties Association. Check it out here: Search Engine - Search Engine Blog.

Monday, May 23, 2011

Why Privacy Matters Even if You Have 'Nothing to Hide'

Daniel J. Solove, a leading American privacy scholar, has written an extensive article in the Chronicle of Higher Education (based on his upcoming book) that addresses the often-quoted cliche: Why Privacy Matters Even if You Have 'Nothing to Hide' - The Chronicle Review - The Chronicle of Higher Education.

Thursday, May 19, 2011

Tories plan to ram internet surveillance law through Parliament

I've ranted about this many times before, but it appears that the newly-elected Conservative government will include the so-called "lawful access" provisions in the omnibus crime bill they plan to shepherd quickly through parliament.

I couldn't agree more with Michael Geist (see below) that doing so is extremely problematic. The proposed provisions would give police and national security agents vastly expanded access to information about customers of telecommunications companies and internet service providers (that's everyone in Canada) even in the absence of any sort of investigation. This needs serious debate and should not be tucked into and camouflaged by other legislative initiatives.

Check out Michael's most recent op-ed on this topic: Tories aim to heighten web-surveillance powers.

Tuesday, May 17, 2011

Senator Leahy introduces much-needed update to Electronic Communications Privacy Act

Today, May 17, 2011, Patrick Leahy introduced a bill to amend and substantially fix the Electronic Communications Privacy Act (ECPA). The bill made sense at the time it was first authored by Leahy a quarter century ago, but it has needed a substantial re-write in this cloud computing age. The most problematic provision allows obtaining stored communications that are more than 180 days old with just a subpoena, rather than a warrant based on probable cause. Twenty-five years ago, you might consider an un-downloaded e-mail message to have been abandoned, but that is no longer the case when millions of users are keeping all of their e-mails and documents in the cloud.

The Digital Due Process Coalition has been heavily lobbying for this change for some time.

For more info: Patrick Leahy introduces update to electronic privacy law - Post Tech - The Washington Post

Ontario Information and Privacy Commissioner tables annual report for 2010

The Information and Privacy Commissioner of Ontario, Anne Cavoukian, has tabled her annual report for 2010 with the Ontario legislature. The report is here and below is her press release:

OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO | We must Be Proactive in our pursuit of Access and Privacy: Commissioner Cavoukian

We must Be Proactive in our pursuit of Access and Privacy: Commissioner Cavoukian 2010 Annual Report cites benchmark ruling to lower costs for Ontarians to access their own health records

TORONTO, May 17 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today issued a challenge for public organizations to "Be Proactive" with access and privacy initiatives, as she released her 2010 Annual Report.

Her call to action follows a year in which more Freedom of Information (FOI) requests were filed with government organizations in Ontario than ever before. In 2010, the Commissioner's office (IPC) also posted a new record for the number of privacy complaints closed.

The Commissioner's core concepts of Privacy by Design (PbD) and Access by Design (AbD) provide guiding principles for embedding default privacy and access within processes and technologies from the outset - avoiding many of the inefficiencies, costs and "harm" related to privacy breaches and requests for government-held information.

Rolling back fees for access to Ontarians' health records

Within her Annual Report, the Commissioner also stressed the importance of a benchmark ruling from her office in 2010. Following an Ontario citizen's complaint, a medical professional was ordered to significantly reduce a charge for access to health records. This followed an IPC review of fee structures in order to determine "reasonable cost recovery" - the amount that health care providers are permitted to charge.

"We have consistently urged the government to bring in a regulation that would set specific fees that health care providers can charge individuals," says Commissioner Cavoukian. "The fees vary dramatically across the health sector, and my office has received numerous complaints about excessive fees. This health order will now serve as a solid benchmark for decisions from my Office, until a regulation is officially introduced."

Celebrating Innovation in Privacy and Access

The Commissioner's Privacy by Design approach was officially centre-stage in 2010, as her made-in-Ontario solution was adopted as an "essential component of fundamental privacy protection" by International Data Protection Commissioners. Now an International Privacy Standard, Privacy by Design has been embraced by The U.S. Federal Trade Commission and European Union. The international acclaim in 2010 paved the way for continued innovation closer to home, to ensure that citizens' personal information is protected - by default.

The Commissioner praised Ontario organizations that stood out in their commitment to proactive privacy in 2010. They include Hydro One and Toronto Hydro for their work to embed privacy into Ontario's emerging Smart Grid, and The Ontario Lottery and Gaming Corporation, for a new privacy-protective biometric facial recognition system to support its voluntary self-exclusion program, for patrons who want to be kept out of gambling sites.

On the issue of access to information, the cities of Toronto and Ottawa earned special recognition for their leading open government initiatives - the proactive release of pertinent government-held information in open, usable formats.

Key Statistics: New records set for Privacy Complaints and FOI requests

  • Overall, the IPC closed 267 privacy complaints in 2010 under the two public sector information and privacy Acts, the highest number ever. The disclosure of personal information was the most cited reason for filing a privacy complaint;
  • The number of FOI requests filed across Ontario in 2010 climbed to 38,903, breaking the record of 38,584 set in 2007.
  • The total number of privacy complaints filed with the IPC (under the two public sector Acts and the Personal Health Information Protection Act) climbed to 440 in 2010
  • In 2010, 977 appeals (of decisions issued by individual government organizations related to FOI requests) were submitted to the IPC, the second highest number in 15 years.

Get Your Local Perspective - In-depth Statistics Available

A more detailed look at FOI compliance rates, requests, appeals and privacy statistics is available in the online section of the Commissioner's Annual Report. This lists specific 2010 statistics for Ontario's ministries, agencies and local government institutions covered under the Acts, such as municipalities, universities, health units and police services. Find it all at www.ipc.on.ca

Saturday, May 14, 2011

Alberta Commissioner steps down

According to the Edmonton Journal, Frank Work is stepping down as the information and Privacy Commissioner of Alberta. He has held the office for sixteen years, since its establishment.

See: http:// www.calgaryherald.com/health/Alberta+privacy+commissioner+stepping+down/ 4769094/story.html.

Friday, May 06, 2011

Canadian Privacy Commissioner releases consultation report on cloud computing and online profiling

The Privacy Commissioner of Canada has just today released her report that resulted from last year's consumer consultations, which focused on cloud computing, online tracking/profiling. The report is here: Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing.

The summary is:

In the spring of 2010, the Office of the Privacy Commissioner of Canada (OPC) held consultations on online tracking, profiling and targeting, and cloud computing. The OPC received in total 32 written submissions and held public events in Toronto, Montreal and Calgary, attended by representatives of other privacy commissioner offices and industry, as well as academics, advocates and members of the public. On October 25, 2010, the OPC released a draft report on the consultations, seeking further comments on a range of issues, from the public/private divide to cloud computing. Twelve responses were received, addressing some of these issues.

With respect to online tracking, profiling and targeting, we heard primarily about the privacy issues related to behavioural advertising: what it is, what the benefits are, what risks to privacy exist, and what self-regulatory measures are in place. In terms of general privacy concerns, the blurring of the public/private divide and its effects on reputation was seen as a significant issue that arises from online tracking, profiling and targeting. Children's activities online and the need to incorporate privacy into digital citizenship programs were also items that were raised.

The consultations were an opportunity to examine the practices of online tracking, profiling and targeting through the lens of the Personal Information Protection and Electronic Documents Act (PIPEDA). While most industry participants were of the view that PIPEDA can handle the evolving technological environment, certain challenges with respect to applying the law were raised by many respondents and participants. Defining what is (or is not) personal information, determining the appropriate form of consent, limiting the use of personal information, implementing reasonable safeguards, providing access and correction to online information, and ensuring accountability were cited as PIPEDA-related issues that need careful attention. Online tracking, profiling and targeting are still largely invisible to most individuals, and most respondents and participants agreed that greater transparency is needed for the benefit of individuals and to ensure innovation.

With respect to cloud computing, the OPC learned about the different characteristics and models of cloud computing. We heard about its benefits and risks to enterprises and consumers. Again, most respondents and participants were of the view that PIPEDA can address issues that arise from cloud computing while others suggested that more should be done. Most of the PIPEDA-related issues concerned jurisdiction and availability of personal information to third parties; safeguards; new uses for the personal information and retention; and access.

The OPC is proposing to undertake specific activities in relation to online tracking, profiling and targeting, specifically in terms of research and outreach activities, as well as policy development. The OPC also intends to reach out to individuals and small and medium-sized enterprises with respect to privacy issues related to cloud computing. The comments related to PIPEDA compliance will also be considered in any review of the legislation.

Wednesday, May 04, 2011

Comment on Privacy Commissioner's suggestion about levying fines

Earlier today, I posted about a very interesting development: the Privacy Commissioner of Canada is looking to have PIPEDA amended to permit the imposition of significant fines for privacy breaches (see: Canadian Privacy Law Blog: Canadian Privacy Commissioner calls for power to levy fines against corporations).

We're now hearing interesting statements from the OPC suggesting that the ombudsman model is no longer satisfactory. It began with the release of the report prepared by France Houle and Lorne Sossin entitled Powers and Functions of the Ombudsman in the Personal Information Protection and Electronic Documents Act: An Effectiveness Study, which called for a re-examination of whether the Commissioner should have order-making powers. Now, the Commissioner herself is suggesting that she should be able to levy fines to ensure compliance.

This is a very significant change in tone and one that needs very, very careful consideration. As said in the Commissioner's release, "The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada." The Commissioner is -- quite rightly -- an advocate for privacy, an educator about privacy and an officer of parliament with a mandate to resolve privacy issues.

If the Commissioner were granted order making powers or the ability to levy fines against organizations, her many roles would need to be closely examined in light of basic principles of procedural fairness and natural justice. One should not lightly give one person or officer (however well-intentioned he or she may be) the powers of an educational authority, an investigator, a prosecutor and a judge. These functions are generally separated and are separated for a reason. It's an inherent conflict of interest to have the same person identify the bad guys, prosecute them and then punish them. Currently, if an aggrieved party wants a remedy or an order against a company to stop doing something, they complain to the Commissioner and then go to the Federal Court, where an impartial and disinterested judge hears the whole matter from the beginning and makes a decision.

Before we abandon the current model and consolidate the roles of privacy police, prosecutor and judge, we need to have a thorough debate. I agree wholeheartedly with the Commissioner's final comments:

As you can see, the information and communications revolution is giving us plenty to think about in terms of how to ensure that Canada maintains its tradition of leadership in privacy protection.

The next few years promise to be extremely interesting.

Thank you – I am looking forward to a thought-provoking dialogue on these and other issues.

Canadian Privacy Commissioner calls for power to levy fines against corporations

This just in: The Privacy Commissioner of Canada is calling for privacy laws to be "beefed up" to allow for fine against large corporations:

News Release: Fines needed to help stem growing data breaches, Privacy Commissioner says - May 4, 2011

Trends suggest it’s time for Parliament to pass legislation that would impose fines on companies when poor privacy and security measures lead to significant data breaches.

STRATFORD, Ontario, May 4, 2011 – An alarming trend of ever-bigger data breaches is prompting Privacy Commissioner Jennifer Stoddart to call for substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.

“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,’’ says Commissioner Stoddart.

During a speech today at the Canada 3.0 forum in Stratford, Ontario, the Commissioner stated: “Too many companies are collecting more personal information than they are able to effectively protect…. It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.’’

Before the federal election campaign, the Canadian Parliament was considering legislation to create a requirement for private-sector organizations to report significant data breaches to the Privacy Commissioner and affected individuals.

Commissioner Stoddart said the new session of Parliament creates the opportunity to strengthen the legislation to give the Privacy Commissioner the power to impose substantial fines in appropriate cases.

“I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance,’’ she said, noting that her counterparts in a number of other countries, including the United Kingdom, France and Spain, have already moved to impose hefty fines following breaches.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.