The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
Tuesday, September 28, 2010
Right to Know Week in Canada
Monday, September 27, 2010
Canada's Anti-Spam Act back on the order paper
Bill C-28, called the Fighting Internet and Wireless Spam Act (or, more formally: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act) is back on the order paper in Parliament today. Here's the bill's status and a link to the full-text: LEGISINFO - The Library of Parliament's research tool for finding information on legislation.
Via @kaplanmyrth.
Sunday, September 26, 2010
Facebook now anticipating and responding to privacy questions in Canada
CTV News is reporting that when Facebook launched their location-based service "Places" in Canada, the company did more than just have a teleconference with reporters to gush about how cool it is. Much of the call was spent talking about privacy, which is key to managing the inevitable privacy questions that any such product will raise in Canada. That's simply the new reality and good on Facebook for anticipating the questions and dealing with them up front. See: CTV News | Facebook tries to head privacy critics off at the pass.
Fear and loathing and a dude named “Third Party”
Dissent, over at PogoWasRight, has a good post on what I see as the most problematic characteristic of privacy law in the United States. Under American constitutional jurisprudence, as soon as you hand personal information over to a third party, you lose all expectation that it will be kept private. That makes it fair game for the authorities to compel it, subject only to antiquated statutes like the Electronic Communications Privacy Act. Read on: Fear and loathing and a dude named “Third Party” | Privacy News - PogoWasRight.org.
Friday, September 24, 2010
Striking a blow for cyber-privacy
Canadian Privacy Commissioner Jennifer Stoddart has a fan at the Edmonton Journal:
Striking a blow for cyber-privacy
Privacy commissioner Jennifer Stoddart has been a true friend of Canadians -- both in the old analog meaning of that word, and in the digitized, social media sense.
For seven years, she has been rock solid in recognizing that we are in the midst of a rapidly unfolding communications universe that is popular with consumers but has the capacity to do real damage to them if unchecked. Straddling the exploding information revolution while protecting the basic rights of individuals and organizations is a tricky, potentially dangerous business, a no-win scenario in shaky hands.
Stoddart has single-handedly put Canada on the global map among tech-savvy nations seeking to find an acceptable balance that encourages innovation while determined to protect privacy rights. Once a little-known bureaucrat in a middle-sized country that certain multinational corporate tech giants took for granted, Stoddart no longer has to worry about her e-mails and phone calls being returned by the heavyweights of Google, Apple and dozens more. She's got their attention by being smart, tough and informed.
And she's getting results. Tuesday, following a year-long investigation, Stoddart's office ruled that Facebook has made significant strides in complying with Canadian privacy law.
"Facebook has put in place measures to limit the sharing of personal information with third-party application developers and is now providing users with clear information about its policy practices," she said in a statement.
That said, the commissioner also announced a new probe on Facebook's popular "Like" button, which allows users to "vote" on products and services, media stories and other content.
In fact, those preferences are being widely shared on the Internet with interested parties to attract more web traffic. Other investigations are also underway.
Still, Stoddart pushed her own "Like" button, allowing that "we're also pleased that Facebook has developed simplified privacy settings and has implemented a tool that allows users to apply a privacy setting to each photo or comment they post."
No doubt, she will continue to be assiduous at the task of keeping global tech firms sensitive to the needs of legitimate privacy protection without smothering creators with undue bureaucratic strictures.
US Senate considers update to Electronic Communications Privacy Act
This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.
From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.
The Judiciary Committee page has a webcast link if you want to see the hearing.
Thursday, September 23, 2010
Queensland Privacy Commissioner calls Facebook suspect because of its profit motive
A day after the Canadian Privacy Commissioner stated that Facebook had gotten its house in order, the Privacy Commissioner of Queensland, Australia, has piled on the social networking site.
I have to take issue with some of her comments. She claims that Facebook is deceptive because it bills itself as a site for users to share and connect with friends, while its motives are to make money.
Give me a break. I've had issues with Facebook and their policies, but the suggestion that somehow they are suspect simply because it's a for-profit venture does nothing to move the privacy discussion forward. This is a notion I've been hearing more and more from speakers at conferences. Feel free to criticize them for what they do or how they do it. Even be suspicious of their motives, but never lose sight of the fact that the service is what it is only because they make money.
Facebook is free to all of its users, paid for by advertisers. The company operates multi-million dollar data centres loaded with expensive servers. Bandwidth isn't cheap, either. Would they have 500,000,000 users if they required each of them to pony up cash? Nope. Most of the internet is advertising supported and users are used to online services being free.
Part of the implicit contract that users have with almost all free services (broadcast TV included) is that it is paid for by ads. If the ads don't generate enough revenue, the users either have to pay or the service goes away. Often, if the users have to pay, they go away and the service goes away. This, in and of itself, is really a non-issue and Facebook is not at all unique in this.
Feel free to criticize Facebook for its privacy policies, its privacy practices and how it manages user information, but don't confuse the issue by pointing to the simple fact that they make their money from advertising.
Here is the full article from iTnews.com.au:
Facebook slammed for ‘deceptive’ approach - Security - Technology - News - iTnews.com.au
Queensland Privacy Commissioner Linda Matthews has criticised Facebook for deceiving potential users about its purpose.
Speaking on a panel at the World Computer Congress in Brisbane, Matthews highlighted the "enormous power" wielded by the social network with more than 500 million users.
Facebook promoted itself as a community; a place to share and connect with other human beings. But like most companies, its goal was to make money, she said.
"There's nothing wrong with making money; what's wrong is that it deceives potential users about that," Matthews said.
"There's a big difference [to users] between choosing to share your personal information to make friends, and sharing your personal information to make someone lots of money."
Corporate advisory lawyer Anna Sharpe, who was also on the panel, described her work on brand networks, which companies used to build rapport with their customers.
Rather than the vague, oft-used statement, "we will use your information for marketing", Sharpe said companies should disclose the information stored, its use and the parties that may access it.
"Given the complexity, I think the onus is on organisations to be a lot clearer on their privacy wordings," she said.
Although companies like Facebook, Google and Sun Microsystems have previously claimed that privacy was a thing of the past, panellists said the case for privacy still could be won.
"The auction is in full swing," said Goethe University professor Kai Rannenberg, addressing the session's theme: "Privacy ... going, going, gone?"
Rannenberg highlighted "privacy gateway infrastructure components" used by mobile telcos T-mobile Germany and Deutsche Telekom that allowed users to determine how their information was used and with whom it was shared.
Personal information, he said, was an asset, and privacy required: the minimisation and decentralisation of data; empowering users; user-controlled identity management; privacy by design; and privacy standards.
Fellow panellist and Australian Privacy Foundation chair Roger Clarke observed that privacy would become more of a concern for those born after 1995, the i-Generation.
He observed that as Generation Y - those born between 1980 and 1995 - faced the impact of having their information stored and published online, 'iGen' would become more careful.
"Youth have always been risk-talkers," Clarke said. "The big thing that's changed is not the behaviour; it's the impact of the behaviour, how long that data exists and how many people have access to it."
"iGens are already absorbing those messages ... What will actually happen is that the young generation of right now will be more privacy conscious and more privacy demanding than their predecessors were."
Former Australian Privacy Commissioner Malcolm Crompton noted, "privacy is a cloudy term", highlighting linked elements of control, trust, risk and accountability.
He said users could exercise "people power" by deciding whether or not to use Facebook, and any other consumer services that came with privacy risks.
Wednesday, September 22, 2010
Social media and the courts
I was honoured to speak on a panel this afternoon with Assistant Privacy Commissioner Chantal Bernier and Professor Pierre Trudel at the Canadian Forum for Court Technology put on by the Canadian Centre for Court Technology. The panel was on the topic of the Ethical Implications of Technology. My presentation focused on social media and the courts.
For anyone who may be interested but wasn't there, here is my presentation:
Canadian Privacy Commissioner satisfied with Facebook resolution
This just posted on the OPC website:
News Release: Privacy Commissioner completes Facebook review - September 22, 2010
Privacy Commissioner completes Facebook review
OTTAWA, September 22, 2010 – The Privacy Commissioner of Canada has finished reviewing the changes that Facebook implemented as a result of her investigation of the social networking site and has concluded that the issues raised in the complaint have been resolved to her satisfaction.
Privacy Commissioner Jennifer Stoddart today issued the following statement:
The changes Facebook has put in place in response to concerns we raised as part of our investigation last year are reasonable and meet the expectations set out under Canadian privacy law.
The investigation has resulted in many significant changes. Facebook has put in place measures to limit the sharing of personal information with third-party application developers and is now providing users with clear information about its privacy practices.
A major concern during our investigation was that third-party developers of games and other applications on the site had virtually unrestricted access to Facebook users’ personal information. Facebook has since rolled out a permissions model that is a vast improvement. Applications must now inform users of the categories of data they require to run and seek consent to access and use this data. Technical controls ensure that applications can only access user information that they specifically request.
We’re also pleased that Facebook has developed simplified privacy settings and has implemented a tool that allows users to apply a privacy setting to each photo or comment they post.
It has been a long road in arriving at this point. These changes are the result of extensive and often intense discussions with Facebook. Our follow-up work was complicated by the fact that we were dealing with a site that was continually changing.
Overall, Facebook has implemented the changes it promised following our investigation.
The issues related to the investigation – and, to be clear, I am only speaking about those issues rather than the site as a whole – have been resolved to my satisfaction.
However, our work with Facebook is not over.
While we are satisfied that the changes address the concerns raised during our investigation, there is still room for improvement in some areas. We’ve asked Facebook to continue to improve its oversight of application developers and to better educate them about their privacy responsibilities. We have also cautioned Facebook against expanding the categories of user information made available to everyone on the Internet – and over which users cannot control through privacy settings. As well, we had recommended that Facebook make its default settings for photo albums more restrictive than “everyone on the Internet” – though this concern has been mitigated to a large extent by Facebook’s per-object privacy tool.
Facebook is constantly evolving and we are actively following the changes there – as well as on other social networking sites. We will take action if we feel there are potential new violations of Canadian privacy law.
As well, we have received several further complaints about issues that were not part of our first investigation and we are now examining those. The new complaints deal with Facebook’s invitation feature and Facebook “Like” buttons on other websites.
Our ongoing work does not take away from the improvements Facebook has already made. Indeed, I would like to express my sincere appreciation to Facebook for the cooperation it has provided throughout our discussions. We recognize that some of the changes needed in order for Facebook to meet its legal obligations in Canada were complex and time-consuming to implement. Ultimately, Facebook has made several privacy improvements that will benefit its users around the globe. I believe we have also demonstrated that privacy protection does not stand in the way of innovation.
I would also like to offer my gratitude to the Canadian Internet Policy and Public Interest Clinic for bringing these important issues forward. CIPPIC recognizes how much Canadians value their privacy and has become an important voice for privacy rights in Canada.
A large focus of our work with Facebook related to third-party applications. It is our expectation that application developers will take note of our investigation. Like Facebook, many of them have an obligation to respect Canadian privacy law.
Finally, Facebook users also have a responsibility here. They need to inform themselves about how their personal information is going to be used and shared. The investigation has led to more privacy information and improved privacy tools – Facebook users should take advantage of those changes.
A backgrounder with detailed information about the investigation is available on the Office of the Privacy Commissioner of Canada’s website, www.priv.gc.ca.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
The Commissioner's "backgrounder" is here: http://priv.gc.ca/media/nr-c/2010/bg_100922_e.cfm .
International data protection authorities form Global Privacy Enforcement Network
Privacy regulators from around the world have joined forces to establish the "Global Privacy Enforcement Network" to facilitate interjurisdictional cooperation on privacy matters. The network includes:
- U.S. Federal Trade Commission
- Office of the Privacy Commissioner of Canada
- Commission Nationale de l’Informatique et des Libertés (France)
- Office of the Privacy Commissioner, New Zealand
- Israeli Law, Information and Technology Authority
- Office of the Privacy Commissioner, Australia
- Office of the Data Protection Commissioner, Ireland
- Agencia Española de Protección de Datos (Spain)
- Information Commissioner’s Office (United Kingdom)
- Garante Per La Protezione Dei Dati Personali (Italy)
- Dutch Data Protection Authority (the Netherlands)
- Federal Commissioner for Data Protection and Freedom of Information (Germany)
- Office of the Victorian Privacy Commissioner (Victoria, Australia)
Here is the announcement from the Canadian Commissioner's office: Announcement: Canada joins privacy enforcement agencies in establishing Global Privacy Enforcement Network - September 21, 2010.
Here is the joint press release:
Global Privacy Enforcement Network Launches Website
Page created on 21 September 2010 - 11:35.
September 21, 2010
Thirteen privacy enforcement agencies around the world have joined forces to launch the “Global Privacy Enforcement Network” (GPEN), a network designed to facilitate cross-border cooperation in the enforcement of privacy laws. In developing this network, the participating agencies recognized the need for greater international cooperation in this area. In the Action Plan launching the network, the founding privacy enforcement authorities stressed that “it is important that government authorities charged with enforcing domestic privacy laws strengthen their understanding of different privacy enforcement regimes as well as their capacities for cross-border cooperation.”
“Cooperation is critical in the enforcement of privacy laws. GPEN will provide us with the necessary tools to facilitate cooperation with our international counterparts,” stated Jon Leibowitz, Chairman of the US Federal Trade Commission, one of the network’s launching members.
Discussions that led to the creation of GPEN began in the fall of 2009, and on March 10, 2010, representatives from many of the founding GPEN agencies met in Paris to discuss the network’s direction and to officially launch GPEN.
“We live in a globalized world with new technologies providing infinite possibilities for sharing and re-using information globally. Privacy has thereby also become a global issue. If we want to continue to protect the privacy rights of our national citizens, it is essential that we work together internationally,” stated Jacob Kohnstamm, Chair of the Dutch Data Protection Authority, another founding GPEN member.
The need for greater cooperation in the enforcement of privacy laws has been recognized not only by privacy regulators, but also by multilateral organizations, including the Organisation for Economic Cooperation and Development (OECD) and the Asia Pacific Economic Cooperation (APEC) forum.
The agencies participating in GPEN are pleased to unveil the public GPEN website today, www.privacyenforcement.net, and thank the OECD for supporting the website. Government agencies interested in participating in GPEN are encouraged to review the guidelines and instructions available on the GPEN website.
“The challenges in obtaining redress for consumers whose privacy has been compromised in today’s digital environment can be daunting. GPEN is part of a collective effort to provide more effective cross-border enforcement and complaints resolution. This is as relevant for a small economy in the South Pacific as it is for Europe and North America and New Zealand is pleased to play its part,” said New Zealand Privacy Commissioner, Marie Shroff, another GPEN founding member.
“As host of the 32nd International Conference of Data Protection and Privacy Commissioners, which will take place next month in Jerusalem, I have decided to devote part of the regulators’ closed session to discussion of collaboration not only among data protection regulators, but also between data protection regulators and additional regulatory authorities, such as consumer protection, competition, and securities authorities. I hope the Jerusalem conference will mark the first step in establishing innovative modules for such collaboration,” said Yoram Hacohen, Head of ILITA, the Israeli Law, Information and Technology Authority, another GPEN founding member.
Tuesday, September 21, 2010
Canadian Privacy Commissioner to announce Facebook conclusions tomorrow
Sarah Schmidt of Postmedia News is reporting that the Office of the Privacy Commissioner of Canada is about to release her conclusions about whether Facebook has done enough to comply with Canadian privacy laws. See the coverage in the Montreal Gazette: Canadian watchdog to weigh in on Facebook's privacy changes.
Watch this space.
Department of Homeland Security Privacy Office annual report
Canada may introduce "naked naked" machines for airport security
Yesterday was the Canadian Bar Association's first full-day continuing education event in Ottawa. The first panel of the morning was particularly interesting, composed of the information and privacy commissioners from British Columbia, Saskatchewan, Quebec and the two federal offices. Each commissioner was asked what keeps them up at night and Jennifer Stoddart foreshadowed the possible introduction of "naked naked" machines in Canadian airports. Sarah Schmidt from CanWest was in the audience and reported on it:
'Naked' screening may land at Canadian airports, says privacy czar
OTTAWA — Canada's privacy watchdog has warned that even more intrusive "naked" screening machines at airports could be in the works with the federal government's emphasis on national security.
Speaking to members of the Canadian Bar Association, Jennifer Stoddart on Monday highlighted national security as one of the pressing issues that keeps her "up at night" and mused openly about second generation full-body scanners coming to Canada in the future, calling them "naked, naked" scanners.
"National security pressures — they're real, they're constant," Stoddart, Canada's privacy commissioner since 2003, told participants of the special symposium about privacy in the age of technology.
"Are we going to get naked, naked machines? Apparently, not for the moment." ...
Sunday, September 19, 2010
Summary of PIPEDA amendments from Library of Parliament
Saturday, September 18, 2010
Tracking digital shadows
Today's Montreal Gazette has an interesting article on the data trail that people generate day-to-day.
Tracking digital shadows
"It's the sort of trail that you may not be aware of, because you don't have physical contact with the machine that may be collecting the information," said Colin McKay, the director of research, education and outreach with the office of the Privacy Commissioner of Canada.
"There are a large number of data points that you leave in your daily life that don't necessarily identify you, but certainly identify your behaviours, your preferences and the choices you make."
Monday, September 13, 2010
Former Commissioner Phillips receives Order of Canada
Thursday, September 09, 2010
NYT editorial on tracking kids
I blogged last week about California schools tracking preschoolers with RFID. Now the New York Times has an editorial condemning the practice. The big issue comes down to this:
Editorial - Keeping Track of the Kids - NYTimes.com
Though it may seem innocuous to attach a chip to our preschoolers’ clothes, do we really want to raise a generation of kids that are accustomed to being tracked, like cattle or warehouse inventory?
Wednesday, September 08, 2010
Privacy commissioner’s fate up in the air
In today's Vancouver Sun, Sarah Schmidt writes on the uncertainty about the reappointment of Federal Privacy Commissioner Jennifer Stoddart. This has been a subject of much speculation among privacy professionals over the last year, which was intensified when Liz Denham was appointed Information and Privacy Commissioner for British Columbia. Mme. Stoddart's term is up in November and it is unclear whether the Harper government is planning to reappoint her. The author quotes the OPC's official spokesperson as saying that Mme. Stoddart stands ready to serve. See: Privacy commissioner’s fate up in the air.
Personal Health Information Act and health research
I have been invited to give a presentation to health researchers at Dalhousie, the IWK Health Centre and the Capital District Health Authority on the upcoming Personal Health Information Act and its impact on health research.
For any others who may be interested, here is the presentation:
The bill fell off the order paper of the Nova Scotia legislature when the house rose for the summer, but we are expecting it will be reintroduced sometime this fall.
The Cloud, Security & Standards
Check out Michael Power's new blog post: Michael Power » The Cloud, Security & Standards.
Friday, September 03, 2010
Correctional Service of Canada settles privacy lawsuit over leak of employee information to inmate
The Correctional Service of Canada has settled a privacy lawsuit brought by 366 staff members whose home addresses were leaked to an inmate. The settlement (below) provides a payment of $1000 per plaintiff, along with a separate fund for any employee who can prove psychological or psychiatric harm from the breach. See: Joyceville staff to get payment for privacy breach.
Thursday, September 02, 2010
California preschoolers get RFID tracking chips
The San Jose Mercury News is reporting that at least one California school is using RFID chips to more efficiently warehouse, store and track preschoolers. See: California students get tracking devices - San Jose Mercury News.
Unsurprisingly, the ACLU has a different take on it: Don't Let Schools Chip Your Kids.
Conference: Introduction to the Personal Health Information Privacy and Access Act
The Privacy Law section of the Canadian Bar Association (New Brunswick) is organizing a one-day professional development event on the province's new health privacy legislation. The keynote speaker will be Ann Cavoukian, speaking on her experience with PHIPA in Ontario.
More details here: CBA - An Introduction to the Personal Health Information Privacy and Access Act.