Thursday, December 22, 2011

SCC decision on national securities regulation keeps PIPEDA's constitutionality as an open question

Today, the Supreme Court of Canada released its decision in Reference re Securities Act. The Court based much of its decision on existing caselaw, including the General Motors case, which requires certain criteria to be met for the proper exercise of the General Trade and Commerce Power:

As held in General Motors, to fall under the general branch of s. 91(2), legislation must engage the national interest in a manner that is qualitatively different from provincial concerns. Whether a law is validly adopted under the general trade and commerce power may be ascertained asking (1) whether the law is part of a general regulatory scheme; (2) whether the scheme is under the oversight of a regulatory agency; (3) whether the legislation is concerned with trade as a whole rather than with a particular industry; (4) whether it is of such a nature that provinces, acting alone or in concert, would be constitutionally incapable of enacting it; and (5) whether the legislative scheme is such that the failure to include one or more provinces or localities in the scheme would jeopardize its successful operation in other parts of the country. These indicia of validity are not exhaustive, nor is it necessary that they be present in every case. [from the headnote]

It thus remains a live issue whether PIPEDA meets these criteria. The fact that British Columbia, Alberta and Quebec are able to "opt out" by implementing their own substantially similar legislation undermines both (4) and (5).

It will be interesting to see if any such challenge is made or if the Quebec Court of Appeal reference re PIPEDA's constitutionality is ever dusted off.

Privacy Commissioner finding: Laurier Optical inappropriately disclosed customer's information

The Privacy Commissioner of Canada has published its fourth PIPEDA finding of 2011: Commissioner’s Findings - PIPEDA Report of Findings #2011-004: Laurier Optical Improperly Discloses Client’s Personal Information - March 31, 2011. What is most notable is that she "names names", principally because the organization did not respond to her recommendations:

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

Here is the summary of the investigation and "Lessons Learned":

An individual who was seeking a refund from Laurier Optical because two pairs of prescription eyeglasses didn’t satisfy him, was shocked to discover the company had copied its written response to his request to 10 different parties.

He complained to our Office that the optometry chain, which has locations in Ontario and Quebec, disclosed his personal information without consent and subsequently failed to provide him with access to his personal information.

The man had obtained two prescriptions from Laurier Optical and found that neither satisfied him. As a result, he obtained a prescription from an independent optometrist who worked elsewhere.

After receiving the refund request, Laurier Optical initiated a complaint against the independent optometrist with the Ontario College of Optometrists. The company alleged the optometrist had incorrectly told the complainant that Laurier Optical had not performed a proper eye exam.

In its written response to the refund request, Laurier Optical included the complainant’s home address, telephone number and details of his three prescriptions, as well as a description of the prescription dispute. The complainant felt it contained false statements damaging to his character. The letter also stated that Laurier Optical would ask two other professional bodies and the two biggest lens manufacturing labs in Canada to evaluate the three prescriptions and obtain neutral opinions.

The letter was copied to 10 different parties, including various Laurier Optical officials; the Ontario College of Optometrists; the College of Opticians of Ontario, the independent optometrist; the company that made the complainant’s lenses, as well as another lens manufacturing company.

The complainant also requested access to his personal information held by Laurier Optical, but received no documentation in response.

Following an investigation, our Office found both the disclosure and access complaints to be well founded.

It was not necessary for Laurier Optical to disclose the complainant’s personal information to the College of Opticians or the lens manufacturers in order to demonstrate that the lenses it had provided to the complainant were appropriate. Even if these organizations could provide relevant input, they could have done so without knowing the complainant’s name, address, telephone number or details of the dispute. Similarly, it was not necessary to provide the independent optometrist with this information.

We recommended that Laurier Optical train its staff about PIPEDA’s requirements regarding the protection of clients’ personal information.

The organization did not respond.

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

Lessons Learned:

  • If an organization is contemplating the disclosure of a client’s personal information without consent, it must ensure that one of the exceptions to consent under subsection 7(3) applies.
  • The sharing of personal information with other employees or agents of an organization is considered to be a “use” under the Act, rather than a “disclosure.” Therefore, if an organization is contemplating such a use of personal information without the individual’s consent, it must ensure that one of the exceptions to consent under subsection 7(2) applies.
  • When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information.

Wednesday, December 21, 2011

SCC to release decision on securities regulation that may affect privacy regulation

On Thursday, the Supreme Court of Canada will be delivering its decision In the Matter of Section 53 of the Supreme Court Act, R.S.C. 1985, C. S-26 and in the Matter of a Reference by the Governor General in Council concerning the proposed Canadian Securities Act, as set out in Order in Council P.C. 2010-667, dated May 26, 2010 (33718).

What does this have to do with privacy, you ask? A lot. Our federal privacy law is on shaky constitutional ground, as it may reasonably be characterized as an incursion into purely provincial jurisdiction in the regulatory realm. We'll see what the SCC has to say about securities regulation, which may have a real spill-over into privacy regulation.

Monday, December 12, 2011

Beware of "surveillance by design" symposium

The Information and Privacy Commissioner of Ontario is organizing a symposium about "Surveillance by Design" which should be very interesting:

Upcoming Events « Privacy by Design

Beware of "Surveillance by Design" Symposium

Date January 27th, 2012

Time: 09:00 AM - 11:00 AM

Location: MaRS Discovery District, MaRS Centre South tower, Suite 100 (Auditorium – Lower Level), 101 College St., M5G 1L7 Toronto, ON, Canada

Beware of "Surveillance by Design:"

The Threat of Looming “Lawful Access” Legislation

Join Ontario's Information and Privacy Commissioner Dr. Ann Cavoukian and leading privacy, legal, and academic experts as we discuss the implications of “lawful access” legislation in Canada

Concern is mounting regarding the impact of proposed “lawful access” legislation in Canada. Media coverage has greatly increased, with this issue becoming a hot topic of discussion by all stakeholders, from the legal community to telecom providers. The Information and Privacy Commissioner of Ontario has been instrumental in bringing attention to this upcoming legislation — which in our view, would represent a system of “surveillance by design.”

The anticipated re-introduction of a trio of federal bills (Bills C-50, C-51, C-52) will provide police with much greater ability to access and track information, via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, including without a warrant or oversight. Taken together, the three pieces of legislation will diminish the privacy rights of Ontarians and indeed of all Canadians.

We have an opportunity to raise awareness on this very important issue, with the goal of impacting the legislation as it is re-introduced. Please join us as we bring together diverse thought leaders to discuss the implications of these federal bills.

The event is being held to celebrate International Privacy Day, marking 31 years since the first binding international convention of privacy came into force.

We are delighted to have as guest speakers:

  • Dr. Ron Deibert, Professor, Political Science, University of Toronto
  • Nathalie Des Rosiers, General Counsel, Canadian Civil Liberties Association
  • David Fraser, Lead, McInnes Cooper Privacy Practice Group
  • John Ibbitson, Ottawa Bureau Chief, Globe and Mail

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

Hogan Lovells Chronicle of Data Protection has a good summary of what's expected in the reform of European Data Protection laws in the coming year: Details of EU Data Protection Reform Reveal Dramatic Proposed Changes : HL Chronicle of Data Protection.

Wednesday, December 07, 2011

Bill C-12: Redline of proposed amendments to PIPEDA

Later today, I'm going to be giving a presentation with Lisa Lifshitz from Gowlings on the proposed amendments to the Personal Information Protection and Electronic Documents Act (AKA C-29), which are stagnating at first reading stage in Parliament. I'll be referring to the redline that I've prepared which shows the amendments in place and is a handy reference. Anyone who wants a copy is welcome to it as well: PIPEDA Amdended to include FISA, C-29 and C-12 (Google Doc).

Tuesday, December 06, 2011

Privacy Commissioner issues guidelines on online advertising

The Office of the Privacy Commissioner of Canada has today released a guidance document on online advertising and "tracking".

Here's the Commissioner's media release:

News Release: New online advertising guidance sets out restrictions for tracking - December 6, 2011

New online advertising guidance sets out restrictions for tracking

Privacy Commissioner of Canada Jennifer Stoddart calls on organizations involved in online behavioural advertising to provide better information about their practices; says the tracking of children and use of tracking technologies that can’t be turned off should be off-limits.

TORONTO, December 6, 2011 – Advertisers who use targeted online ads need to be upfront with Canadians about what they’re doing and must make it easy for people to say No to being tracked, says Privacy Commissioner of Canada Jennifer Stoddart.

The Commissioner today launched new guidelines on online behavioural advertising which also set out restrictions on the tracking of children and tracking technologies that people can’t turn off. Behavioural advertising involves tracking consumers’ online activities over time, in order to deliver advertisements that are targeted to their inferred interests.

“The use of online behavioural advertising has exploded and we’re concerned that Canadians’ privacy rights aren’t always being respected,” says Commissioner Stoddart, who launched the guidelines in a speech to the Marketing and the Law conference in Toronto.

“Many Canadians don’t know how they’re being tracked – and that’s no surprise because, in too many cases, they have to dig down to the bottom of a long and legalistic privacy policy to find out.”

The new guidance document says information about behavioural advertising should be clear, obvious and understandable. Accepting participation in online behavioural advertising should not be considered a condition for people to use the Internet generally. People must be able to easily opt out of this practice.

“Some people like receiving ads targeted to their specific interests. Others are extremely uncomfortable with the notion of their online activities being tracked. People’s choices must be respected,” says Commissioner Stoddart.

She also flagged some important restrictions when it comes to online behavioural advertising.

“If an individual can’t say no to the technology being used for tracking or targeting, then the industry shouldn’t use that technology for behavioural advertising purposes,” she told the advertising industry conference. “So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline.”

Another restricted area involves the online tracking of children. The guidelines state that organizations should avoid knowingly tracking children and tracking on websites aimed at children.

“Children are not likely able to provide the meaningful consent required under our privacy law for the tracking of their online activities. This is an increasingly important issue as we see the average age of first-time Internet users dropping,” says the Commissioner.

The guidelines also say advertisers should avoid collecting other sensitive information, such as individuals’ health information.

Commissioner Stoddart says her Office developed the guidance document to help organizations involved in online behavioural advertising ensure their practices are fair and transparent and in compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

“The approach we’re taking – as prescribed under Canadian law – is reasonable. It allows industry to be innovative and to grow while respecting individuals’ right to privacy.”

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Saturday, December 03, 2011

Public Safety minister continues to mislead about "phone book information" and lawful access

In today's Globe & Mail, the Public Safety Minister continues to peddle the wholly erroneous and completely misleading line about "phone book information".

Dec. 3: Letters to the editor - The Globe and Mail

The poop on e-snoop

Re Tories Have Yet To Prove Case For E-Snooping Bill (online, Dec. 1): Technology is a critical aspect of the way Canadians do business and communicate with each other. But as technology advances, criminal activities become easier. The government will propose legislation that strikes an appropriate balance between the privacy rights of Canadians and the ability of police to enforce our laws.

We will allow police to access “phone book”-type information from Internet service providers. If it becomes necessary to find a suspect's name, address, phone number or other similar identifier, ISPs will be required to disclose that information. ISPs will be required to have the capacity to allow police to investigate – strictly with a warrant – all communication methods.

Let me be clear: No legislation proposed will create powers for police to read e-mails without a warrant. Our proposed approach of linking an Internet address to subscriber information is on par with a phone book linking phone numbers to a residential address.

Vic Toews, Minister of Public Safety, Ottawa

If you want a definitive view on how this is completely misleading, check out this great analysis by Christopher Parsons: "The Anatomy of Lawful Access Phone Records".

Most notably, the article he is responding to is about the fact that the government hasn't made any compelling case for why it is necessary and a letter to the editor would have been a good opportunity to do so. He didn't. Not at all. Not one iota. They haven't even attempted to make a compelling case.

Friday, December 02, 2011

Smartphones are equivalent to computers for purposes of police search, says Nova Scotia court

In R. v. Hiscoe, 2011 NSPC 84, the Provincial Court of Nova Scotia has determined that the police can read texts on the accused's smartphone without a warrant (as incident to arrest) but need a warrant to forensically dump the contents of the phone for analysis.

Notably, the Court characterized the phone as a computer and observed that the same considerations come into play as with a search of a personal computer:

[39] The Crown acknowledges that the accused had a reasonable expectation of privacy in the contents of his cellphone and that the three occasions when the police examined and retrieved information from the cellphone constituted a warrantless search which constituted a prima facie unreasonable search[30] for the purposes of s. 8 of the Charter. Having said that, in my opinion it is important to characterize the degree or level of privacy in the smart phone information and how that information is stored because, in my opinion, it is a factor in deciding the scope of the police authority to search a cellphone incident to arrest.

[40] Here the cellphone which was seized was described as a “regular smart phone, a Blackberry sort of phone”. Phones of this sort have been described as “mini computers”[31]. These phones are capable of storing dozens of gigabytes of data not unlike personal or home computers. There is a high level of privacy associated with personal computers[32]. In R. v. Morelli, supra Justice Fish said at para. 2 “It is difficult to imagine a search more intrusive, extensive, or invasive of one's privacy than the search and seizure of a personal computer”. He continues at para. 3 :

First, police officers enter your home, take possession of your computer, and carry it off for examination in a place unknown and inaccessible to you. There, without supervision or constraint, they scour the entire contents of your hard drive: your emails sent and received; accompanying attachments; your personal notes and correspondence; your meetings and appointments; your medical and financial records; and all other saved documents that you have downloaded, copied, scanned, or created. The police scrutinize as well the electronic roadmap of your cybernetic peregrinations, where you have been and what you appear to have seen on the Internet -- generally by design, but sometimes by accident.

[41] Later at para. 105 he describes the nature of information computers contain:

Computers often contain our most intimate correspondence. They contain the details of our financial, medical, and personal situations. They even reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet.

Blackberrys and other smart phones function in the same way as personal computers[33].

[42] Other case authorities[34] are consistent in their conclusions that smartphone devices have the capacity to store vast amounts of sensitive and personal and private information including emails, text messages, contact lists, diaries, medical information and personal photographs as well as internet browsing histories.

[43] Given the advances in technology, these types of devices allow individuals to carry their entire personal information library with them. In my opinion, it is difficult to compare a smartphone with a notebook or briefcase one might carry or have for a specific purpose. Smartphones have several gigabytes of data storage which can store literally thousands of documents, photographs, messages or hundreds of thousands of filed data[35]. This, of course, does not take into account current technological advances regarding Cloud[36] storage and electronic and computer device sharing features which could increase the information available from a hand-held electronic device.

[44] While the accused did not testify as to the level of privacy – the Crown has admitted the accused had a reasonable expectation of privacy in the cell phone. I agree with the conclusion reached by Fuerst, J in R. v. Little, supra, at para. 120, that the subjective expectation of privacy can be presumed. This subjective expectation of privacy is objectively reasonable for the reasons I expressed above. Furthermore, the high level of privacy which I described can be inferred as well. In my opinion this privacy level exists irrespective of whether the phone is password protected. The lack of a password is not an invitation to view the personal contents contained in the device especially from the prying eyes of the state.

[45] Finally, I would add that like other computers, cellphones are organized in a way that separates voice messages, text messages, documents, photographs, browser history and other information. The information is not stored in one big container to use perhaps a poor analogy. It is possible to look at text messages without looking at photographs, for example. It is not necessary to examine ones voice memos to read text messages or documents.

Thursday, December 01, 2011

Never mind the Patriot Act, watch your thumb drives

Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a powerpoint, but IT World Canada has a pretty good write-up of the presentation ...

Never mind the Patriot Act, watch your thumb drives - Page 1 - Security

By: Grant Buckler
On: 01 Dec 2011
For: ComputerWorld Canada

Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security

OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.

David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.

Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.

But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.

And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.

“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”

And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”

Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.

Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.

Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”

The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.

The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.

Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.