Friday, May 24, 2013

Canadian Privacy Commissioner calls for significant overhaul of country's privacy laws

Today, at the International Association of Privacy Professionals Canadian conference, the Canadian Privacy Commissioner unveiled her proposals for significant privacy law reforms. Some of this is not very surprising, but there were some unexpected elements.

The full release is here: New privacy challenges demand stronger protections for Canadians - May 23, 2013 and her speech to the conference can be found here: Looking back – and ahead – after a decade as Privacy Commissioner of Canada. The full discussion paper of her proposals is here: The Case for Reforming the Personal Information Protection and Electronic Documents Act.

In a nutshell, here's what she is calling for along with some of my unsolicited comments:

Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court; providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where circumstances warrant. <- It is very interesting that she is putting forward a range of options rather than advocating one position.

Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that virtually all Canadians – 97 percent – would want to be notified of a breach involving their personal information. <- This is a bit of a no-brainer, as long as there is no requirement to notify of inconsequential breaches that would have no effect on individuals.

Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws. <- I think this is a great idea. Leaders in transparency, such as Google, are already providing information such as this and Canadians should know to what extent governments and law enforcement are seeking information without a warrant.

Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit. <- This is an interesting proposal. I think I'll need to reflect on it a bit more before arriving at an opinion.

I expect all of this will fall on deaf ears in Ottawa, as the federal government has no appetite for any privacy law reforms.

Tuesday, May 21, 2013

It's an honour to be nominated: Top 25 Most Influential Lawyers in Canada 2013 Survey

Somehow, I've been nominated by Canadian Lawyer Magazine for inclusion in their annual Top 25 Most Influential Lawyers in Canada. It is truly an honour, particularly when I look at the other nominees. My category includes Michael Geist and other categories include my law partner Jack Innes QC and Professor Wayne MacKay of Dalhousie Law School. I was also delighted to see Fred Headon of Air Canada and my law school classmate, Kristi Taylor on the list.

The full list of nominees and the survey is here if you want to check it out and perhaps share your views: Top 25 Most Influential Lawyers in Canada 2013 Survey.

Tuesday, May 14, 2013

The Canadian government is likely the greatest threat to the privacy of Canadians

In case there was any doubt, the Canadian government is likely the greatest threat to the privacy of Canadians. Michael Geist does a great job in summing up the issue in one of his latest columns.

Michael Geist - Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform:

As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention. Canadians have faced high profile data breaches in the past - Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago - but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.

The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012. The resulting documentation is stunning in its breadth.

Virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.

Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 - more than three per week - affecting hundreds of people. The department only disclosed the breaches to the Privacy Commissioner of Canada on five occasions.

Human Resources and Skills Development Canada famously suffered a massive breach last year - 588,384 individuals were affected - but less well known is that the department has had thousands of other breaches over the past few years. In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure of whether the breach resulted in criminal activity.

Virtually no department has been immune to security breaches with nearly 100,000 individuals affected by breaches at Agriculture and Agri-Food Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with no reporting to the Privacy Commissioner of Canada, and just under 200 breaches at the RCMP affecting an unknown number of people.

If a similar situation occurred involving a major Canadian bank, retailer, or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.

Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.

Most recently, Privacy Commissioner of Canada Jennifer Stoddart identified twelve seemingly uncontroversial reforms, including strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements. None of the recommendations have been implemented.

In fact, Canadian privacy failures dot the legislative landscape. Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006 lies dormant in the House of Commons. A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten. Anti-spam legislation passed in 2010 and touted as a key part of the government's cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.

No institution has greater access to the personal information of Canadians than the federal government. The public entrusts it to keep their information secure and to take all appropriate action should a security breach occur. The latest revelations indicate that the failure to live up to that trust is spread across virtually all government departments and to the political leaders that have failed to introduce much-needed legislative privacy safeguards.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at or online at

Monday, May 06, 2013

Nova Scotia anti-cyberbullying bill is on the fast track

It really would appear that the new Nova Scotia anti-cyberbullying bill is on the fast-track (or is being jammed through the legislature). It was introduced on April 25, debated on April 26, then sent to committee. It's been on the Law Amendments Committee agenda on May 2, 3, and 6.

Some are speculating that it'll be passed and proclaimed within a few days.

Here's the official status of the Bill: Status of Bills / Bills, Statutes, Regulations / Proceedings / The Nova Scotia Legislature.

Friday, May 03, 2013

Reddit revises its privacy policy and invites comments in reddit style

The social news site,, has revised its privacy policy. Though the new policy doesn't go into effect until May 15, 2013, the site has invited redditors to comment on it in true reddit style. Thousands of comments have been submitted and the author of the policy, Lauren Gelman, has been responding to the comments and making revisions in response.

Check out the discussion: reddit's privacy policy has been rewritten from the ground up - come check it out : blog.

As a privacy lawyer, I found the discussion to be very interesting, since you don't often get such a direct understanding of how different people approach these documents.