Thursday, September 29, 2011

Government reintroduces PIPEDA amendments

This just in:

The Digital Economy in Canada - Reintroduction of amendments to the Personal Information Protection and Electronic Documents Act

On September 29, 2011, the Government of Canada reintroduced enhancements to private sector privacy legislation in a bill seeking to amend the Personal Information Protection and Electronic Documents Act (PIPEDA).

This Bill, entitled the Safeguarding Canadians' Personal Information Act, implements the government's October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics arising from the first Parliamentary review of the Act. The Government Response addressed each of the 25 recommendations contained in the Committee's report and committed to amending the Act in agreement with many of the Committee's recommendations.

Bill C-12 includes provisions to better protect and empower consumers, clarify and streamline rules for business, and enable effective investigations by law enforcement and security agencies. Canada already has a solid legislative framework in place to ensure the protection of personal information. The majority of the proposed amendments seek to "fine-tune" the legislation and update it to reflect changes in markets and technology.

Which US Telecoms Store Customer Data the Longest?

Wired Magazine has gotten its hands on a US Department of Justice memo which summarizes the retention policies of the major US telco companies:

Which Telecoms Store Your Data the Longest? Secret Memo Tells All | Threat Level

The single-page Department of Justice document, “Retention Periods of Major Cellular Service Providers,” (.pdf) is a guide for law enforcement agencies looking to get information — like customer IP addresses, call logs, text messages and web surfing habits – out of U.S. telecom companies, including AT&T, Sprint, T-Mobile and Verizon.

Saturday, September 24, 2011

Upcoming conference: Cloudlaw: Law and Policy in the Cloud

If you'll be in Toronto on October 14 and have an interest in law and policy related to the cloud, you should sign up for a full day conference on the topic organized by The Centre for Innovation Law and Policy at the University of Toronto Faculty of Law. Registration is free, but you have to sign up in advance.

More info is here: Welcome to Cloud Computing Blog | The Fall 2011 Cloud Computing Conference.

Developments in privacy law: A look south and beyond our shores

This past week, I presented at the Canadian Institute's annual privacy compliance event. I think this is the fifth year that I've attended this event and it was one of the best yet.

I was asked to present on international developments in privacy regulation. In case you are interested, the presentation is here or embedded below:

Thursday, September 22, 2011

Federal Court slaps law firm for publishing a Privacy Commissioner finding that identified the complainant

The Federal Court of Canada has just issued a decision in Girao v. Zarek Taylor Grossman Hanrahan LLP, 2011 FC 1070 (CanLII), in which it found a law firm liable for having posted on its website a previous report of findings from the Office of the Privacy Commissioner of Canada along with a cover letter that identified the complainant.

As is clear from the decision, this arises from a long-standing string of litigation and privacy complaints involving the complainant and Allstate Insurance. The firm was counsel to the insurer. The firm had posted the document thinking it would be useful and instructive to its clients.

The complainant said that the firm posted her personal information without her consent and should be liable for $5,000,000 in damages.

The Court agreed that it was a breach of PIPEDA and awarded $1500. Here is the Court's discussion on the appropriate quantum of damages:

[53] Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matters.

[54] Section 16 of PIPEDA provides no guidance as to the quantum of damages that may be granted. Here the applicant is claiming that she suffered mental anguish as a result of the breach. In calculating what might be an appropriate amount to award for such harms, it may be useful to refer to relevant provincial legislation. Section 65 of the Ontario Personal Health Information Act, 2004, SO 2004, c 3, Sch A, may be of assistance in this context as it deals with the protection of medical information. Under that provision, the Superior Court of Justice may award damages, not exceeding $10,000.00 for mental anguish resulting from the willful or reckless contravention of the statute.

[55] In some cases, such as Nammo, a damages award may also be used to compensate a complainant for economic loss and expense incurred in dealing with the consequences of the breach. Here, the respondent points to the lack of any evidence in the applicant’s record that would support a finding that she had suffered any damages as a result of the posting. The respondent submits that the posting of the 2009 Report has not attracted adverse attention to the applicant in any way that would sustain a claim of damages. I agree that the record does not establish that the applicant suffered humiliation as a result of the breach.

[56] The applicant asserts that her mental health was seriously affected. The record before me does not make a connection between the treatment she is presently undergoing and the disclosure of the personal information. The one medical report filed is from a psychiatrist dated April 4, 2008; almost one year before the 2009 Report and letter were posted. The letter speaks to the applicant’s psychological condition and treatment as it related to the car accident, and not in any way to the subsequent disclosure of her personal information.

[57] According to an exhibit attached to Mrs. Girao’s affidavit, her husband became aware of the ZTGH posting as early as May 2009. Mrs. Girao referred to it in a letter to a PCC investigator in August 2009, presumably while the first complaint was under review. No steps were taken to inform ZTGH of this prior to the PCC’s call to Mr. Grossman in February, 2010. The information thus remained on the ZTGH website for a much longer period than might have been the case if the firm had been notified in a timely manner. It is not clear when it first appeared on the US website.

[58] The evidence is that 247 persons accessed the information on the ZTGH site prior to the filing of the complaint, including members of the firm itself. I expect that most of those persons would have been interested in the legal issues arising from the case and not in Mrs. Girao’s personal information. While the 2009 Report may still be accessed at the U.S. site and could be disseminated further by visitors to that site, the evidence indicates that the traffic to that page was minimal. In any event, there is nothing before me to indicate that there would be any broader interest in the applicant’s personal information or that it has been used in any way to cause any adverse effects to her health and welfare.

[59] There is no evidence before me that the respondent posted the information for economic gain. Mr. Grossman saw the 2009 Report to be an important precedent in the domain of insurance defence litigation and posted it on his firm’s website to inform their clients and others about the development of the law in that field. It is a common business practice for law firms to post such information. Success achieved by the firm in litigation may help to retain or attract clients. But there is no basis in law upon which Mrs. Girao would be entitled to an accounting of any benefits that may have flowed to ZTGH from the publication of the 2009 Report even if the value of such benefits could be calculated, which is unlikely.

[60] The nature of this breach fits somewhere at the low end between the breach committed in Randall: “the result of an unfortunate misunderstanding”; and that which was committed in Nammo: a “serious breach involving financial information of high personal and professional importance”. That is not the case here. While the information related to her claim for increased benefits, there was no disclosure of her financial status. The applicant submitted evidence of her current limited income on this application, but there is no evidence that this is due to the disclosure of her personal information or that she has missed opportunities to earn income as a result.

[61] The respondent was careless in posting but did not act in bad faith. ZTGH deleted from its website all references to the applicant as soon as it became aware that there was a concern. The law firm was negligent in not taking steps to ensure that any personal information about an identifiable complainant was removed before it posted the report. In the result I consider it appropriate to make an award of $1500.00.

Tuesday, September 20, 2011

Government introduces omnibus crime bill without lawful access

In an unexpected turn, the Government of Canada has introduced its omnibus crime bill without any reference to lawful access (at least in the press release: Government of Canada Introduces the Safe Streets and Communities Act).

Monday, September 19, 2011

How lawful access may backfire

The buzz I've been hearing suggests that the Harper Government will be tabling its omnibus crime legislation tomorrow (September 20, 2011). There's still some uncertainty about whether the most offensive provisions will be in there, but in case they are I'd like to add a thought about how allowing warrantless access to customer information may backfire.

I've done my fair share of sleuthing on behalf of clients to track down people who use the supposed cloak of anonymity to harm others and, almost universally, the miscreants do not take any steps to cover their tracks. (Anyone with an interest in doing so, a general knowledge of how the net works and how these things are investigated can easily make investigations very, very difficult.)

But if it becomes common knowledge that the police can put all the pieces of your online meanderings together without any warrant or any suspicion of wrong-doing, more people will take steps to cover their tracks online. Not because they have something to hide, but out of fear of abuse of this new police power. And the more that people routinely cover their tracks, the greater the likelihood that people who are doing Bad Things will routinely use very easily obtained technologies and easily adopted practices to effectively disappear.

The power to connect someone's online actions to their real-world identity should be used sparingly and only when an impartial judge determines that the public interest in a real criminal investigation overrides the individual's privacy interests. The police cannot be counted on to make that determination and this much coveted power may backfire.

Saturday, September 17, 2011

What lawful access is all about

Yesterday, I posted about three new public service announcements made by, which are part of a campaign against "lawful access". (Canadian Privacy Law Blog: launches "lawful access" PSAs).

The ads themselves will probably raise awareness about lawful access, but don't do a good job of really explaining what lawful access is. The ads suggest that police will be able to read your e-mail, intercept your calls and watch your online shopping without a warrant. That's not the case.

We don't really know what the Harper Government(TM) plans to put in the legislation when it is introduced later this year, but we can take a look at what has been put forward by the Liberals and the Conservatives over the past few years. In short, the police will be able to go to your ISP, your phone company or any other online service provider and get the following information about you:

  • name,
  • address,
  • telephone number and
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number that are associated with the subscriber’s service and equipment.

All they would need is one piece of that puzzle and the service provider has to provide all the other pieces. If they have your IP address, they get your address. If they have your name, they get your phone's built-in identifier.

So why does this matter? The Internet is not quite like the real world. When you go to a library, you don't have to provide ID or leave a record of what you looked at or that you were even there. When you step into a store in the real world, you don't necessarily leave a trace of what you perused and what you bought (if you paid cash). You can send an anonymous letter to the editor of your local newspaper to voice an unpopular opinion without giving your name or any other identifying information. (They probably will not publish it, but that's beside the point.) But the Internet doesn't work like that.

Every device on the network (phone, computer, etc.) has an IP address. IP addresses can be tied to an individual computer or a range of computers sitting behind a firewall or a router. Every mobile device, such as a cell phone or a smart phone, has a number of unique identifiers that it chirps out to the network that it's attached to. Every interaction that you have online, you can assume is being logged in some fashion in connection with that IP address. Many e-mails you send include in the headers the IP address of the computer they were written on.

It's just the nature of how networks work. That IP can perhaps be traced to you, to your household or to your employer. In most cases, where residential internet accounts are concerned, they are connected to the name and address of the account holder. With phones, that identifier is connected to the individual who owns the phone.

In short: Everywhere you go on the internet or with your mobile phone, you leave digital footprints. That's the nature of the modern, networked world. So what protects your privacy when you do anything online? The fact that whoever allocated that IP address or provides your cell phone service has to keep it confidential unless a judge decides that the public interest (or the state interest) overrides your privacy interest. That's why we have a Charter of Rights and Freedoms in Canada and why we have an independent judiciary. There is no absolute anonymity online, but there is effective privacy by obscurity because anyone who can connect your IP address to an individual is bound to keep it confidential unless a judge says otherwise.

However, the Harper Government's lawful access bill proposed to take that important balance away. It would give police forces and national security folks virtually unfettered powers to connect those otherwise anonymous footprints to an actual person (or small group of persons).

That is inconsistent with your rights to privacy and is dangerous to the free and open internet. Whoever is elected needs to know that privacy is something that all Canadians value.

Friday, September 16, 2011

launches "lawful access" PSAs

The Canadian internet advocacy association,, has just launched a series of public service announcements to call attention to the anticipated "lawful access" legislation which is expected to be buried in the Harper Government's omnibus crime legislation this fall. Check them out:

Tuesday, September 06, 2011

Alberta court declares portions of provincial privacy law unconstitutional

The Alberta Courts have once again issued a stunning decision regarding privacy laws in that province. In this case, United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner), 2011 ABQB 415 (CanLII), the Alberta Court of Queen's Bench has determined that portions of the Personal Information Protection Act (Alberta) ("PIPA") are unconstitutional.

This particular case is a judicial review of a decision of the Office of the Information and Privacy Commissioner that held a trade union violated PIPA by videotaping at a picket line. PIPA allows the collection, use and disclosure of personal information that is "publicly available", which is very narrowly defined in the Act and its regulations. In addition, it does not apply to information that is collected for journalistic purposes "and for no other purpose".

On a bare reading of the Act, information from a public protest or picket line does not fit within the definition of "publicly available". In addition, the information collected by the union was collected for journalistic purposes, among others, which meant that exception was not available.

The Court found that PIPA violates freedom of expression under Section 2(b) of the Charter and these provisions cannot be justified by Section 1 of the Charter.

In particular, the Court noted:

[159] I conclude that the impairment is not minimal. The narrow definition of “publicly available information” protects information in public view, and in which there is no reasonable expectation of privacy. The British Columbia’s Personal Information Protection Act strikes the balance by permitting collection, use, and disclosure of personal information collected by observation at a performance, a sports meet or a similar event at which the individual voluntarily appears, and that is open to the public (ss. 12(1)(d), 15(1)(d) and 18(1)(d)). PIPA has no exception for personal information collected at a public event, including a public, political event.

[160] Moreover, personal information is not protected any further by prohibiting an organization with both a journalistic purpose and some other purpose from collecting, using and disclosing it, but not prohibiting an organization with only a journalistic purpose. This merely favours some organizations over others. Regardless of the prohibition on organizations with a journalistic purpose and some other additional purpose, the personal information could be collected, used and disclosed by another organization with only a journalistic purpose.

The Court also determined that PIPA is not in the nature of human rights regulation (which would endow it with quasi-constitutional status), but is merely regulatory:

[142] Moreover, the Quebec Charter enjoys quasi-constitutional status as human rights legislation: see Quebec (Commission des droits de la personne et des droits de la jeunesse) v. Montréal (City); Quebec (Commission des droits de la personne et des droits de la jeunesse) v. Boisbriand (City), 2000 SCC 27 (CanLII), 2000 SCC 27, [2000] 1 S.C.R. 665 at paras. 27-28; Globe and Mail v. Canada (Attorney General), 2010 SCC 41 (CanLII), 2010 SCC 41, [2010] 2 S.C.R. 592 (at para. 29). Such statutes are to be interpreted differently, see Quebec (Commission des droits de la personne et des droits de la jeunesse) at para. 29:
Professor R. Sullivan summarized as follows the rules of interpretation that apply to human rights legislation:

(1) Human rights legislation is given a liberal and purposive interpretation. Protected rights receive a broad interpretation, while exceptions and defences are narrowly construed.

(2) In responding to general terms and concepts, the approach is organic and flexible. The key provisions of the legislation are adapted not only to changing social conditions but also to evolving conceptions of human rights.

[143] PIPA, however, is regulatory and does not establish human rights; it regulates the collection, use and disclosure of personal information, and in doing so limits the freedom of expression of some, but not all. For example, individuals would not be prevented from collecting, using and disclosing the personal information at issue here, nor would the traditional media.

This is a big deal and has potential effects outside of the province, given that the federal privacy law, the Personal Information Protection and Electronic Documents Act (Canada), has very similar provisions about journalism and publicly available information.

I would be surprised if the Alberta government didn't appeal the decision.

Time to check your permissions

Everyone should make it a habit to check the app permissions on any websites they use. I posted in March about it (Canadian Privacy Law Blog: Time to check your permissions) and now, six months later, it's time to do it again.

Here's where you should go to check your settings:

Take control over your accounts.