Tuesday, May 29, 2012

Privacy Commissioner looks for stronger enforcement powers, ability to levy fines

Today, the Federal Privacy Commissioner appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics in its study on social media and privacy. What's most interesting are further statements calling for greater enforcement powers. Apparent satisfaction with being an ombudsman is clearly a thing of the past:

Other countries are moving towards more robust enforcement regimes, but Stoddart said Canada is at risk of falling behind and that the existing law – the Personal Information Protection and Electronic Documents Act (PIPEDA) – is too weak.

PIPEDA is due for a mandatory five-year review by Parliament, and the privacy watchdog said she hopes that MPs will push for greater enforcement powers and greater accountability standards for companies within the legislation.

The legislation currently doesn't require companies to report a privacy breach to Stoddart's office or to consumers, and Stoddart said with barely any penalties for breaching provisions in PIPEDA, there is little incentive for companies to invest in better data protection systems.

If there were stricter penalties for companies that would affect their bottom lines, they would be more inclined to adhere to the privacy laws, she suggested.

"I believe companies take notice … when they are subject to major fines or some kind of enforcement action. We have very limited power in that regard, and I believe more respect would be shown to Canada's laws if we did have that power," she said.

For more details, see CBC's coverage: Social media websites ignoring privacy laws, watchdog says - Politics - CBC News.

You can see the video of Jennifer Stoddart's testimony here and I'll post a link to the transcript when it's available.

Saturday, May 26, 2012

White paper compares government access to cloud data in ten jurisdictions

In the last week, law firm Hogan Lovells released a very interesting white paper on government access to cloud data across ten jurisdictions, mainly focused on debunking many of the myths associated with the USA Patriot Act. The white paper was released in association with a Round Table on Government Access to Data with European policy makers at the Openforum Academy.

More information is available at the Hogan Lovells Chronicle of Data Protection: Hogan Lovells White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique : HL Chronicle of Data Protection.

Here's the white paper: A Global Reality: Governmental Access to Data in the Cloud -- A comparative analysis of ten international jurisdictions.

Tuesday, May 15, 2012

Globe & Mail: Lawful Access bill should be sent back to the drawing board

John Ibbitson's column in the Globe & Mail suggests that Bill C-30 should be sent back to the drawing board since it will never be passed in its present (comatose) state. Once re-drafted from scratch, it should be introduced by a different minister because of the way Vic Toews mishandled it the first time:

Tory law-and-order agenda meets its match online - The Globe and Mail

The Internet surveillance legislation sponsored by Public Safety Minister Vic Toews has disappeared down a dark legislative hole. For all intents and purposes, the bill is dead.

If the Harper government still wants to pass a law that would make it easier for police to track people who use the web to commit crimes, it will have to start from scratch.

That new bill, if there is one, will probably be shepherded by a different minister. That’s how much damage this botched legislation inflicted on the government and on Mr. Toews.

Bill C-30, also known as the lawful access legislation, would allow police to compel Internet service providers to cough up identifying information about anyone using the Internet.

The authorities would not be able to track a person’s activity on the web without a warrant. But they could find out whose name is attached to an IP address without that warrant, and without the person’s knowledge or consent, which is why both the federal and provincial privacy commissioners strongly objected to the bill as an unjustified violation of privacy rights.

Many Tory MPs are also said to be unhappy with the bill. They wonder why the government would abolish both the mandatory long-form census and the long-gun firearms registry in the name of privacy rights, and then violate those same rights with a bill that lets the government snoop on people who go online.

Mr. Toews responded to the criticism by declaring critics “can either stand with us or with the child pornographers.” This was fatal. As the Public Safety Minister reeled from online attacks – including from a Liberal staffer who tweeted the details of his divorce – the government hastily retreated, declaring the bill needed further study.

What has happened since? Nothing. And that nothing is everything.

Normally, after a bill receives first reading, debate begins on second reading, which is approval in principle. Once the bill passes second reading, it goes to a committee, where only minor amendments are permitted before the bill returns for third and final reading.

Instead of this usual route, House Leader Peter Van Loan decided to send C-30 to the public safety committee first, where it is supposed to be extensively revised, before returning to the House for second and third reading.

But before any of that can happen, the rules state that the House must debate the motion to send the bill to committee. That debate must last at least five hours – in effect, one sitting day.

But that debate hasn’t happened. And sources report that it won’t happen before the House rises for summer recess. That makes C-30 dead in the water.

Of course, the Conservatives could decide to send C-30 to the public safety committee in the autumn. But it would take months to rewrite the bill, and then weeks to get it through second and third reading, before the bill went to the Senate for further study.

Long before then, Stephen Harper is expected to prorogue Parliament in preparation for a new Throne Speech. With that prorogation, Bill C-30 will quietly expire.

Before proroguing the House, Mr. Harper is expected to shuffle his cabinet. Public Safety is near the top of the list of portfolios in need of a fresh face. A new minister will have the job of putting together a new lawful-access bill, one that doesn’t unite opposition parties, privacy commissioners and the Tory caucus.

To assuage these concerns, the new bill will have to restrict the right of police to acquire any information about someone’s online identity without first obtaining a judicial warrant.

“If they truly removed the warrantless access provisions of the bill, across the board, then we would be delighted to sit with the government and work with them on additional amendments that we would still be seeking, but that would be doable,” said Ann Cavoukian, Ontario’s Information and Privacy Commissioner, in an interview.

But C-30 in its present form will never become law. The Conservatives’ law-and-order agenda has finally had a comeuppance. It was delivered by everyone who wants to be left alone online.

Friday, May 11, 2012

Cloud Computing and the Patriot Act: A Red Herring?

The 2012 International Association of Privacy Professionals Canada Symposium has just wrapped up. I had the pleasure of giving a presentation on cloud computing and the USA PATRIOT Act with Lindsey Finch, the Senior Global Privacy Counsel with salesforce.com. Our presentation is here:

Cloud Computing and the Patriot Act: A Red Herring?

Cloud computing is revolutionizing the information technology industry by providing cost savings, flexibility and innovation. But many Canadian companies are concerned that use of cloud computing services may cause them to violate Canadian privacy laws, particularly because of potential non-Canadian government access to data stored in the cloud. Join our expert panel as they address persistent Canadian myths regarding cloud computing and privacy, discuss how cloud computing services can be used in compliance with Canadian privacy laws and the real impact of the Patriot Act, and provide tips to use during RFP cycles and contractual negotiations.

Lindsey Finch, CIPP/US, Senior Global Privacy Counsel, salesforce.com
David T.S. Fraser, Partner, McInnes Cooper, Halifax

What you’ll take away:

  • Learn how to manage privacy risk and legal compliance in cloud computing decisions, including both public and private sector privacy laws
  • Understand the similarities and differences between U.S. and Canadian government powers to access data in the course of a terrorism investigation and how the two governments share data to assist each other in such investigations
  • Learn when Canadian privacy law permits the transfer of personal information outside of country for processing purposes
  • Leave with a checklist, based on established best practices, to facilitate decisions about moving information to the cloud and a checklist to use in an RFP or contract with a cloud provider

Most of the other conference presentations are here.

Tuesday, May 08, 2012

Privacy icons a la creative commons

A group of law students have put together a scheme of icons to describe in a succinct way a website's privacy practices (much like the creative commons icons), so you'll know at a glance what to expect. Check it out: Privacy Simplified.


One big problem, however, is that the icons are binary (yes/no). There is no "not applicable" option for a case such as a website that does not collect user data at all.

Interesting nonetheless.

Monday, May 07, 2012

Alberta Court of Appeal finds applying provincial privacy law to picket-line activities unconstitutional

You may recall in September of last year when the Alberta Court of Queen's Bench declared portions of the province's Personal Information Protection Act to be unconstitutional (See: Alberta court declares portions of provincial privacy law unconstitutional). As expected, the case was appealed and the Court of Appeal has just recently handed down its decision. In United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, the Court of Appeal upheld the decision of the Court of Queen's Bench.

The Court of Queen's Bench had found that the exception in the Act for journalistic collection was too narrowly drafted, as it required that the collection of personal information be for journalistic purposes and for no other purposes. This was an unreasonable restriction; if the collection were, in part, for journalistic purposes, then the Act should not restrict or regulate it. The Court of Appeal, in contrast, concluded that the purposes were not really journalistic, but were nevertheless constitutionally protected freedom of expression.

[58] The Act contains no general exemption for forms of expression that are constitutionally protected. To the extent that the exemptions in the Act are not sufficient to permit the type of collection and use of information engaged in by the union, its constitutionality should be analyzed directly, not indirectly through an artificial screen of journalistic purposes. Whether the restrictions on the union’s expression are demonstrably justified in a free and democratic society should not be based on the premise that a journalistic purpose was involved. The issue is whether it is justifiable to restrain expression in support of labour relations and collective bargaining activities such as existed here.

[59] In summary, it is not helpful to analyze this situation as “journalism”. Not every piece of information posted on the Internet qualifies. If the union wished to publish information about the activities on the picket line in a newspaper or on television, that would likely qualify as journalism. But that need not be decided here, because that is not what the complaints were about.

The Court found that the collection of information at a picket line is inherently expressive, and that the Act restricted that expression:

[67] It is clear that there are many aspects of the Adjudicator’s order that had a direct impact on the right of the union to free expression:
  • Newsletters and strike leaflets are entirely expressive; preventing the use of the images in them was a serious infringement on free expression;
  • Spreading news of the existence of the strike, and attempting to dissuade people from entering the casino are essentially expressive activities;
  • The use of the vice president’s image was also expressive. Satire has always been a powerful form of persuasion;
  • Education of union members, and providing information to other unions is expressive at its core.

Dissuading people from crossing the picket line, enhancing morale of the strikers, deterring violence and threats, and achieving a favourable end to the strike are all legitimate purposes supported by the right to free expression. Persuading people to think or act in a certain way is a direct purpose of free expression.

[72] The union has established a prima facie breach of its s. 2 Charter rights. Are the provisions of the Act demonstrably justified in a free and democratic society? Is the Adjudicator’s decision unreasonable because its effect on the union’s expressive rights is disproportional? To paraphrase Doré at para. 66, the appellant must demonstrate that the Adjudicator’s decision gave due regard to the importance of the expressive rights at issue, both in light of the union’s right to expression and the public’s interest in open discussion.

In order to determine if the infringement of the freedom guaranteed in s. 2 of the Charter is justified, the Court carried out the traditional Oakes test and found the legislation wanting in the proportionality branch of the test:

[77] There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:
  • It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.
  • The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.
  • The definition of “publicly available information” is artificially narrow.
  • There is no general exemption for information collected and used for free expression.
  • There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

The result is that the Court declared that the application of the Act to the union's constitutionally protected activities was unconstitutional.

This case will almost undoubtedly be appealed to the Supreme Court of Canada. Stay tuned.

It's also notable that the decision contains the following observation, quoted above but worth restating: "There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses." This statement was not necessary for the determination of the case under appeal, but potentially has significant consequences for the future.

Friday, May 04, 2012

FBI seeking wiretap-ready internet, like Canada

There's a lot of buzz around the internet on the FBI's quiet effort to have the Communications Assistance for Law Enforcement Act (CALEA) expanded beyond traditional telcos to include anyone who provides communications services online. (See: FBI: We need wiretap-ready Web sites -- now.)

If this sounds oddly familiar to Canadians, it should. While most of the buzz about Bill C-30 was connected to warrantless access to subscriber information, a large part of the Bill requires any telecommunications service provider to provide real-time, simultaneous access to transmissions. What's under-reported is the incredibly expansive definition of "telecommunications service provider", which depends on other definitions as well:

“telecommunications facility” means any facility, apparatus or other thing that is used for telecommunications or for any operation directly connected with telecommunications.

“telecommunications service” means a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the provider owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.

“telecommunications service provider” means a person that, independently or as part of a group or association, provides telecommunications services.

This definition, though convoluted, is pretty broad and goes well beyond what many would consider to be traditional telcos.

So before you look south of the border and sneer about the FBI's latest initiative, look toward Ottawa as well.