Friday, January 31, 2014

Nova Scotia FOIPOP Review Officer resigns after not being reappointed

Dulcie McCallum has resigned as Freedom of Information and Protection of Privacy Review Officer, effective next week. Here's the message from her, released today:

Message from Dulcie McCallum

Freedom of Information and Protection of Privacy Review Officer

January 31, 2014

On January 17, 2014, I was advised by the government of Nova Scotia that it had elected not to offer me reappointment for another term as the Nova Scotia Freedom of Information and Protection of Privacy [“FOIPOP”] Review Officer which was an option available to it under the statute. Therefore I am announcing my departure from my position as Nova Scotia’s FOIPOP Review Officer is effective Tuesday February 4, 2014.

I was honoured to be appointed in 2007 as the first female FOIPOP Review Officer for Nova Scotia and in 2009 as Nova Scotia's first Privacy Review Officer. During my term, the oversight role of FOIPOP Review Officer was significantly expanded to include privacy under the Privacy Review Officer Act and access and privacy under the Personal Health Information Act. I have thoroughly enjoyed my seven year tenure in this position particularly having the support and collaboration of my Federal/ Provincial/ Territorial Access and Privacy Commissioner colleagues and being part of the effective and vibrant team at the FOIPOP Review Office.

I am most proud of how much our small team of only six people has accomplished over the past seven years: tabled six Annual Reports with the House of Assembly to which the FOIPOP Review Officer reports, received over 8,500 inquiries, opened 716 Reviews, closed 521 investigations, 314 of which were informally resolved or mediated, issued 62 public and private Review Reports, built up a body of best practices and hosted the 2012 Annual Summit of the Canadian Access and Privacy Commissioners for the first time in Nova Scotia.

My Director Ms. Carmen Stuart will be appointed as Acting FOIPOP Review Officer effective February 5, 2014. I am confident she will meet this challenge while a search is conducted for the new FOIPOP Review Officer. I trust that my team and I were able to effectively serve the access and privacy interests of Nova Scotians during this seven year period. In particular, the applicants who entrusted us with their Requests for Review and the public bodies, municipalities and health custodians who worked with my office to diligently protect the rights of access and privacy. Thank you for being given the opportunity to make a contribution to Nova Scotia’s public service.

Tuesday, January 28, 2014

Interim Privacy Commissioner makes recommendations to Parliament for intelligence oversight

This Special Report to Parliament on surveillance oversight is important and will hopefully be carefully considered by the government of Canada:

News Release: Interim Privacy Commissioner provides recommendations to Parliament for the protection of privacy rights in national security efforts - January 28, 2014

Ottawa, January 28, 2014 — On the occasion of International Data Privacy Day, a special report to Parliament by the Office of the Privacy Commissioner of Canada, with specific recommendations to address current issues surrounding privacy and national security, was tabled in Parliament. Building from consultation with a range of experts and civil society, the Office’s report makes a series of recommendations for Parliament to consider in order to strengthen privacy protection. Specifically, it suggests ways to increase transparency, modernize privacy laws and bolster Parliament’s oversight role.

“Revelations surfacing over the past months have raised questions among many Canadians about privacy in the context of national security,” said Interim Privacy Commissioner of Canada Chantal Bernier. “While a certain level of secrecy is necessary within intelligence activities, so is accountability within a democracy. Given our mission to protect and promote privacy, and our responsibility to provide advice to Parliament, we are putting forward some recommendations and ideas for Parliamentarians to consider on these important issues.”

Increasing transparency

The report recommends measures to increase transparency when it comes to privacy protection to give Canadians a better understanding of the collection, use or disclosure of personal information in the context of federal intelligence activities.

For example, the Communication Security Establishment Canada (CSEC) could make public more detailed, current, statistical information about its operations regarding privacy protection, and submit an annual report on its work to Parliament, as does the Canadian Security Intelligence Service (CSIS).

Reforming federal privacy laws

The report also renews recommendations to amend privacy laws to increase the accountability of federal institutions collecting personal information, as well as businesses that share personal information with authorities.

The Privacy Act, which applies to federal institutions, should require organizations to demonstrate the necessity for collecting personal information and to better promote privacy when such data is exchanged with foreign governments. Changes should also be made to broaden the grounds for Federal Court review to cover institutions’ collection, use and disclosure of personal information.

The report however noted that while the Privacy Act applies to security agencies, CSIS and CSEC are subject to oversight by dedicated, specialised bodies in the form of the Security and Intelligence Review Committee and the Office of the CSE Commissioner. Parliament has entrusted these bodies to monitor the compliance of CSIS and CSEC with their respective enabling legislation and, among other things, privacy protection.

While oversight for privacy protection in the national security context is divided among multiple bodies, the Privacy Act does not allow the OPC to cooperate with the others. As a result, the report recommends the Act should be amended to enable cooperation.

The report also recommends amending the Personal Information Protection and Electronic Documents Act, the federal private sector privacy law, to require private sector companies to publicly report on the use of disclosure provisions that permit organizations to share personal information with authorities without individuals’ consent or court oversight.

Focusing on Parliament’s oversight role

The report recommends as well that a Committee could undertake a specific study of Canada’s intelligence activities and oversight involving academic, civil society, legal, technology and intelligence experts.

“By submitting this report to Parliament, our goal is to contribute to a constructive debate about accountability for the protection of individuals’ privacy in this new age of national security threats,” added Interim Commissioner Bernier. “In striving to protect public safety, it must not be forgotten that the right to privacy is fundamental in our democracy.”

See also: Special Report to Parliament – Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance

Monday, January 27, 2014

Canadian privacy commissioner to table special report on recommendations on the protection of privacy rights in national security efforts

This is interesting ...

Office of the Privacy Commissioner of Canada | Media Advisory - Special report expected to be tabled in Parliament: Interim Privacy Commissioner to provide recommendations on the protection of privacy rights in national security efforts

OTTAWA, Jan. 27, 2014 /CNW/ - A special report from the Interim Privacy Commissioner of Canada regarding privacy protection in an era of cyber-surveillance is expected to be tabled in Parliament on Tuesday, January 28, 2013 at approximately 10 a.m. ET. The report will include comprehensive recommendations for improving oversight of national security activities.

Following the tabling, the report will be available online at www.priv.gc.ca.

SOURCE Office of the Privacy Commissioner of Canada

Wednesday, January 22, 2014

Microsoft to agree to local storage of foreign users' data

Crossposted from Canadian Cloud Law Blog: Microsoft to agree to local storage of foreign users' data:

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data - FT.com

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...


This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...


While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

Citizen Lab calls for transparency by Canadian telcos

The smart folks a the Citizen Lab at the University of Toronto are calling for Canadian telecommunications companies to come clean about the extent to which they provide customer information and law enforcement agencies and under what circumstances.

We have seen a number of the large US internet-based companies, led by Google, provide detailed statistics about government requests for customer information. So far, no Canadian companies have followed this example so we continue to be in the dark. This is particularly important because PIPEDA has been consistently interpreted by Canadian telcos to have a massive backdoor to allow warrantless access to customer data.

Check out the details on this project from the Citizen Lab: Towards Transparency in Canadian Telecommunications - The Citizen Lab.

Tuesday, January 14, 2014

International Privacy Day Symposium on surveillance and privacy

On January 29, 2014 I'll be in Toronto with a great group of privacy advocates and privacy experts at the invitaion of Ontario's Information and Privacy Commissioner Ann Cavoukian for a symposium entitled Big Surveillance Demands Big Privacy - Enter Privacy-Protective Surveillance - Real Privacy. All the details are on the site, but before you get your hopes up you should know the event is now full. But you can register for the webcast.

Thursday, January 09, 2014

Global Networking Initiative assesses Google, Microsoft, and Yahoo on compliance with privacy and freedom of expression principles

This is very cool. As someone who believes very strongly in the rights to privacy and freedom of expression, I am very impressed that Microsoft, Google and Yahoo have not only founded an organization like the Global Network Initiative, but have all been subject to an assessment of their compliance with these important principles to see if they practice what they preach.

Yesterday, the GNI released the Public Report on the Independent Assessment Process for Google, Microsoft and Yahoo, all of which were found to be generally in compliance with the GNI's principles. Of concern was the exclusion of Skype China from Microsoft's assessment, but hopefully that will be remedied in future reports.

For more info, check out: GNI Report Finds Google, Microsoft, and Yahoo Compliant with Free Expression and Privacy Principles | Global Network Initiative.

Tuesday, January 07, 2014

CSEC spies on Canadians 'incidentally' to its mandate (but deliberately when helping other agencies)

The Communications Security Establishment of Canada (CSEC) has said, in a new informational website meant to be more transparent, that it sometimes "incidentally" intercepts the communications of Canada when fulfilling its mandate, though it often deliberately does so when assisting other agencies.

However, in the course of targeting foreign entities outside Canada in an interconnected and highly networked world, it is possible that we may incidentally intercept Canadian communications or information. The National Defence Act acknowledges that this may happen and provides for the Minister of National Defence to authorize this interception in specific circumstances. If a private communication is incidentally intercepted (e.g. a foreign individual we are targeting overseas is communicating with someone in Canada), CSE takes steps to protect the privacy of that information.
The website also has a reasonably clear page on the assistance they provide to federal law enforcement and security agencies.

The Ottawa Citizen is reporting on this (Spy agency admits it spies on Canadians ‘incidentally’) as well as the recent Federal Court decision that found CSIS and Department of Justice lawyers deliberately misled the Court in order to obtain warrants.

It's heartening to see that Michael Geist and Tamir Israel share my feelings about that case and are also calling for an independent review of the conduct of those involved.

Editorial tribute to Gary Dickson: He will be a tough act to follow

The Regina Leader Post has a very fitting tribute to Gary Dickson, who is retiring as Information and Privacy Commissioner of Saskatchewan:

Editorial: Dickson will be a tough act to follow

Gary Dickson has done fine job as privacy watchdog

THE LEADER-POST JANUARY 7, 2014

Gary Dickson announced last week that he would be resigning from his post as Saskatchewan’s Information and Privacy Commissioner.

Gary Dickson once described his role as "the umpire of the information age" and there's no doubt he's been a game changer as Saskatchewan's information and privacy commissioner.

Appointed in 2003 as the first full-time holder of the office, Dickson has significantly raised the profile of the public's right to privacy when it comes to the personal information held by government ministries and health agencies, and also a person's right to see their personal files and other information on how government works..

Sadly, he's chosen to leave at the end of this month following what he calls "a fascinating 10 years" in the job.

"Fascinating" might not be the word some in the corridors of power would use to describe Dickson's two terms of office. He's been a tenacious critic of politicians, bureaucrats and health officials in countless investigations that have exposed careless use of personal information, ignorance of privacy and access laws and a pitiful lack of consequences when things go wrong:

"Those arbitration decisions signal that if you have breached the privacy of a patient in Saskatchewan it's just no big deal. You can expect little more than the proverbial slap on the wrist." - Dickson's 2010 verdict on arbitration panels overturning dismissal of staff for privacy breaches.

"What we have here is a cascading series of bad decisions ... that ultimately culminated in the tossing of all of this patient information into the recycling bin." - From Dickson's damning 2011 report on how 2,682 patient files from a medical clinic wound up in a south Regina dumpster.

"You should never send anything by email - and I'm not talking about a closed email system within an organization, but a general email - that you wouldn't be prepared to see on an electronic billboard on Victoria Avenue." - Dickson's 2010 comment after the psychiatric assessment of an offender was emailed in error to a member of the public.

"When it comes to access and privacy, Saskatchewan is still a have-not province." - From Dickson's 2012-13 annual report criticizing successive governments for failing to update privacy and access laws.

A lawyer, past president of the Alberta Civil Liberties Association and a former Alberta Liberal MLA, Dickson served for nine years on the Alberta committee overseeing that province's information and privacy commissioner. A non-partisan committee selected him for the Saskatchewan post from a field of 52 candidates in 2003.

Dickson leaves some very big shoes to fill. The Saskatchewan Party government could make his successor's job easier by a) bringing privacy and access legislation up to the standards of other provinces and b) adding the fourth investigator Dickson has been requesting for the past six years.

Friday, January 03, 2014

Saskatchewan Information and Privacy Commissioner, Gary Dickson, stepping down

The long-serving and very well-regarded Information and Privacy Commissioner for the province of Saskatchewan, Gary Dickson, has announced he will be stepping down effective as of the end of this month: Sask. information and privacy commissioner stepping down | CTV Regina News.

I have had the great pleasure of getting to know Gary over the years, particularly in connection with his very gracious relationship with practitioners in the Canadian Bar Association's National Privacy and Access Law Section. I hope he will continue his involvement with the privacy community while he enjoys more time with his family.

Thursday, January 02, 2014

Happy tenth birthday to the Canadian Privacy Law Blog

Ten years ago, on January 2, 2004, I hit "publish" on the first post for this blog: Canadian Privacy Law Blog: Welcome to the Canadian Privacy Law blog. That was immediately after the full coming-into-force of the Canadian federal privacy law, the Personal Information Protection and Electronic Documents Act.

Since then, there have been 3647 posts and over two million page views. But, more importantly, I've had the opportunity to connect with and in many cases meet many of my colleagues and others who share my interest in privacy law. As a lawyer based in the relative hinterlands of Atlantic Canada, it has enabled me to build a practice exclusively devoted to privacy and internet law, working with great clients around the world who have to grapple with questions related to Canadian privacy law. I am sure that this would not have been possible without my blog.

For those who have been following since day one and others who have found this blog more recently, thanks so much for your support and encouragement. I am grateful. And I hope I can keep it up for another ten.

And if you're similarly inclined to take a stroll down memory lane, here are the most popular posts over the past ten years, at least in terms of page views:

1 - From August 2012 - Photographing and filming police officers in Canada

2 - From June 2006 - Can you record telephone calls without consent?

3 - From December 2006 - Phoenix airport rolling out backscatter x-ray tech

4 - From April 2011 - Cloud Computing and Privacy FAQ

5 - From August 208 - First conviction under Canada's new voyeurism law

6 - From February 2004 - Canadian privacy law and video surveillance

7 - From April 2010 - Some thoughts on street photography

8 - From February 2012 - The hidden gag order in Bill C-30 (aka the lawful access bill)

9 - From August 2007 - Montreal mall fake toilet cam raising concerns

10 - From March 2008 - Toilet cameras are for research purposes only

Thanks again for stopping by and for your support.