Saturday, December 02, 2017

Federal Court of Appeal: Past privacy consent does not prevent new means of handling and distributing personal information

The Federal Court of Appeal released its long-awaited decision in Toronto Real Estate Board v Commissioner of Competition on Friday, December 1, 2017. The decision is a statutory appeal and is the latest chapter in a very long saga in which the Competition Bureau has accused Canada's largest real estate board of acting in an anti-competitive manner to prevent new forms of competition in the real estate market.

The Canada Real Estate Board (CREA), and its members such as the Toronto Real Estate Board (TREB) own and operate the Canadian Multiple Listing Service (which is the backbone of realtor.ca). A lot of information about current properties on the market is available on the site and realtors have access to a much wider range of information, including historical sales and listing information that is essential to carrying out market analyses for buyers and sellers.

The main issue is that TREB has not permitted innovative forms of real estate sales, such as online, using this much richer information. And privacy was one of the reasons TREB pointed to in order to justify its practices:

[2] TREB maintains a database of information on current and previously available property listings in the GTA. TREB makes some of this information available to its members via an electronic data feed, which its members can then use to populate their websites. However, some data available in the database is not distributed via the data feed, and can only be viewed and distributed through more traditional channels. The Commissioner of Competition says this disadvantages innovative brokers who would prefer to establish virtual offices, resulting in a substantial prevention or lessening of competition in violation of subsection 79(1) of the Competition Act, R.S.C. 1985, c. C-34 (Competition Act). TREB says that the restrictions do not have the effect of substantially preventing or lessening competition. Furthermore, TREB claims the restrictions are due to privacy concerns and that its brokers’ clients have not consented to such disclosure of their information. TREB also claims a copyright interest in the database it has compiled, and that under subsection 79(5) of the Competition Act, the assertion of an intellectual property right cannot be an anti-competitive act.

Focusing on the privacy argument, TREB essentially argued that people who consented to having their information made available when they hired a realtor, really only consented to having it made available through traditional channels and not published online. The Tribunal below was of the view that TREB's privacy arguments were pretty flimsy and one gets the sense that it was really a pretext to justify their way of doing things.

[131] In considering privacy as a business justification under paragraph 79(1)(b), the Tribunal found that the “principal motivation in implementing the VOW Restrictions was to insulate its members from the disruptive competition that [motivated] Internet-based brokerages”. It concluded that there was little evidentiary support for the contention that the restrictions were motivated by privacy concerns of TREB’s clients. The Tribunal also found scant evidence that, in the development of the VOW Policy, the VOW committee had considered, been motivated by, or acted upon privacy considerations (TR at para. 321). The privacy concerns were “an afterthought and continue to be a pretext for TREB’s adoption and maintenance of the VOW Restrictions” (TR at para. 390).

TREB argued that nobody consented to having this information disseminated via the internet or "virtual office websites" (VOWs), so new consent would be required to do so. Absent new consent, this information cannot be disseminated online:

[160] While the Listing Agreement used by TREB provides consent to some uses of personal information, TREB asserts that had the Tribunal examined it more closely, it would have found that the Listing Agreement did not provide sufficiently specific wording to permit disclosure of personal information in the VOW data feed. Specifically, TREB contends that the consents do not permit the distribution of the data over the internet, and that is qualitatively different from the distribution of the same information by person, fax, or email.

The Commissioner argued that consent for PIPEDA purposes is to the "purposes" proposed for the collection, use and disclosure of personal information, and not the means by which it would be disseminated. The Court of Appeal agreed:

[164] The wording in the Listing Agreements from 2003 onwards is substantially similar to that quoted above. However, the phrase “during the term of the listing and thereafter” (underlined above), first appears in 2012. The Use and Distribution of Information clause in the Listing Agreement is broad and unrestricted. Sellers are informed that their data could be used for several purposes: for distribution in the database to market their house; to compile, retain, and publish statistics; for use as part of comparative market analysis; and any other use in connection with the listing, marketing, and selling of real estate. Nothing in the text implies the data would only be used during the time the listing is active. Indeed, the use of data for historical statistics of selling prices necessitates that the data will be kept. The Tribunal noted that TREB’s policies 102 and 103 add that, apart from inaccurate data, “[n]o other changes will be made in the historical data” (TR at para. 401). We note as well that clause 11 of the Listing Agreement allows for the property to be marketed “using any medium, including the internet”.

[165] PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose – the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient – because they did not contemplate use of the internet in the manner targeted by the VOW Policy – does not accord with the unequivocal language of the consent.

Why is this important? Because it is clear that though technology may shift and putting services online may change the extent of the distribution of information and the possible uses of the information by someone who accesses it, the key to obtaining consent is to clearly articulate the purposes of the collection. The stated purposes are what dictate how the information can be used, but do not dictate the means of dissemination.

Wednesday, November 15, 2017

Ontario Court of Appeal confirms online harassment conviction where threatening website was “about” the complainant but not a threat directed “to” the complainant

At a time when the courts and the rest of the justice system are grappling with how traditional Criminal Code offences and online misconduct intersect, the Ontario Court of Appeal has issued an important decision in R v. Sim on how criminal harassment can take place online. Often, police and others are stuck in an analog paradigm of traditional stalking and menacing.

In this case, the accused created an incredibly offensive website that was not directed at the complainant but was about her, and directed to a select audience that appears to have been intended to exclude her.

The accused used to work in the same building in which the complainant lived. They became friends and when the accused showed a romantic interest in the complainant, the complainant made it clear that the feelings were not reciprocated. They went their separate ways, each married other people and started families. They communicated by email from time to time, apparently just to catch up on what the other was doing.

In the meantime, the accused created a Yahoo! Groups website that, according to a statement on the homepage, was dedicated to “the degradation and online spreading” of the complainant. He recruited at least 150 others to join the site. According to the Court:

[9] Sim posted extensive biographical details and photos of the complainant on the website. He authored false, degrading, vile, and grotesque sexualized commentary about her on the website’s messaging forum. He encouraged group members to post their own vile comments about the complainant, to author and share crude sexual fantasies involving her, and to alter photographs of her in a sexually degrading way and share those as well. …

The complainant became aware of the site in 2013 and, with the help of a friend, she created a username and password to get full access to the site.

The accused was charged with criminal harassment and publishing a defamatory libel. He was convicted of harassment and acquitted of defamatory libel. The accused appealed his conviction to the Ontario Court of Appeal, arguing that the necessary actus reus of harassment had not been made out.

The accused had been convicted under paragraph 2(d) of section 264 of the Criminal Code:

(1) Criminal harassment – No person shall, without lawful authority and knowing that another person is harassed or recklessly as to whether the other person is harassed, engage in conduct referred to in subsection (2) that causes that other person reasonably, in all the circumstances, to fear for their safety or the safety of anyone known to them.

(2) Prohibited conduct – The conduct mentioned in subsection (1) consists of …

(d) engaging in threatening conduct directed at the other person or any member of their family.

The trial judge acknowledged that if “threatening conduct” required a subjective intention to threaten the complainant, the accused should be acquitted for lack of evidence. But the judge decided that there was no such requirement; rather the question is whether the conduct is objectively threatening.

In 2008, the Ontario Court of Appeal in R. v. Burns determined that an objective standard was required for the actus reus of criminal harassment under paragraph 2(d):

To establish harassment under s. 264(2)(d) of the Criminal Code, the Crown had to establish that the appellant engaged in “threatening conduct”. We accept the definition of threatening conduct given in R. v. George at para. 39 that, in order to meet the objectives of s. 264, the threatening conduct must amount to a “tool of intimidation which is designed to instill a sense of fear in the recipient”. The impugned conduct is to be viewed objectively, with due consideration for the circumstances in which they took place, and with regards to the effects those acts had on the recipient. [Citation omitted.]

With regard to the accused’s specific arguments, Laskin JA, on behalf of a unanimous Court, wrote:

[18] First, Sim’s submission is inconsistent with s. 264(1) of the Code and thus is contrary to Parliament’s express intent. Subsection 264(1) specifies that the mens rea component of criminal harassment can be met by an accused’s knowledge or recklessness. To suggest that the actus reus of threatening conduct requires a specific intent to instil fear is contrary to the plain language of s. 264(1).

[19] Second, as this court said in Burns, under s. 264(2)(d) the conduct in question must be viewed objectively. In other words, would the accused’s threatening conduct cause a reasonable person in the complainant’s situation to fear for her safety? The word “designed” does not require the Crown to prove the accused’s subjective intention. And, in assessing whether an accused’s conduct is threatening under s. 264(2)(d), a judge is not required to get into the accused’s mind.

[20] Instead, the word “designed” is meant to focus on the effect of the accused’s conduct on a reasonable person in the shoes of the target of the conduct. In Burns, this court clarified that the objective assessment must consider the circumstances in which the conduct took place, and the effects that the conduct actually had on the complainant. Although an accused’s threatening conduct may not affect every target of that conduct, in every conceivable situation, it could well instill fear in a reasonable person in the complainant’s specific situation, particularly when the actual effects of the conduct on the complainant are considered. That is the case here. The trial judge did not err in finding that the Crown had established the actus reus of the offence.

While the site at issue was clearly about the complainant, there was no evidence that it was directed at the complainant in order to threaten her. This decision will hopefully reinforce the notion that the criminal harassment offence may be made out in cases where the accused creates “threatening” content about the victim, rather than directed to the victim.

[An earlier version of this case summary was written for the Canadian Technology Law Association’s newsletter.]

Wednesday, November 01, 2017

My suggestions to the NS Minister of Justice to facilitate access to justice under the new cyberbullying law

I have expressed some concerns about Nova Scotia's new Intimate Images and Cyber-protection Act, mainly related to barriers to access to the courts by the adoption of a regular procedure for applications in the Supreme Court of Nova Scotia. The new law allows the Minister of Justice to make regulations about the procedures for such applications. I hope the Minister of Justice makes regulations that will facilitate access to the courts while ensuring fairness for everyone. To that end, I sent the below letter to the Minister today:

Dear Minister Furey:

RE: Bill 27, the Intimate Images and Cyber-protection Act

As you know, the Nova Scotia legislature recently passed Bill 27, the Intimate Images and Cyber-protection Act. The Act sets out a mechanism by which victims of cyberbullying and the non-consensual distribution of intimate images may seek an application for relief and damages in the Supreme Court of Nova Scotia.

I am writing in my personal capacity, and not on behalf of my firm or any of its clients.

I have expressed some concerns about the Act, to your department’s officials, through public commentary and in a written submission to the Law Amendments Committee. My main concern related to access to justice, given the cost and complexity that is inherent in applications in the Supreme Court of Nova Scotia under Rule 5 of the Civil Procedure Rules. Of course, these proceedings are simpler than Actions brought under Rule 4, but I expect that process will still be daunting, particularly for self-represented individuals or younger persons. It would be tragic if such complexity were to deter victims from seeking justice. I am also concerned about the administration of the courts, which I understand is challenged by self-represented litigants handling their own complex proceedings without the benefit of legal counsel. Given the fallout from R v Jordan, 2016 SCC 27, this concern is particularly acute.

The reason for my letter is to suggest that you exercise your authority as Minister to make regulations that, among other things, address procedures for applications. From the Act:

15 (1) The Minister may make regulations

(a) respecting forms and procedures for hearing an application under Section 5, including an application to extend, vary or terminate an order; and ….


If I may suggest some characteristics of these proceedings that you may wish to specifically consider:

  • The default timelines for applications should be abbreviated. It is my experience that victims of cyberbullying want the behaviour to stop or want their intimate images removed as quickly as possible.

  • Perhaps a specific form for the application can be prescribed, similar to the form currently used for peace bond applications in the Nova Scotia Provincial Court.

  • It is important for victims to be specifically “heard” and be given the opportunity to tell their story to the Court. Relying exclusively on affidavit evidence with only cross-examination in Court may not be appropriate for these proceedings, though it remains important that the respondent know and understand the specific allegations in advance.

  • The Civil Procedure Rules currently require a written brief, which is likely daunting for a victim to consider.

  • The Act prescribes circumstances where an applicant is entitled to a publication ban. I am afraid that without clear guidance, victims may be confused about the effect of including their full name in the style of cause for an application. Perhaps all applications can be sealed by the Court for a few business days until a Judge or the Prothonotary has determined whether a publication ban is being sought?

  • The Act also permits applications to seek information to identify an unknown respondent. A clear path, on an expedited basis, for seeking an ex parte order for the identification of an unknown respondent would be helpful.

  • Given that the Act addresses intimate images in which the victim has had and continues to have a privacy interest (some of which may include child pornography or voyeurism images), a streamlined procedure by which evidence can be sealed would be desirable.

I know we both share a common desire to make sure that this Act is effective in protecting victims. I hope that regulations along the lines set out above will make sure that legal remedies are within reach of victims.

If I can be of assistance with this process, please let me know.

Friday, October 20, 2017

CRTC finds CASL to be constitutional in CompuFinder challenge

On October 19, 2017, the CRTC issued its decision in a constitutional challenge to CASL brought by CompuFinder. You may recall that in 2015, the CRTC levied the largest penalty to date -- $1.1 million -- against CompuFinder. (My previous blog post.) The company challenged the constitutionality of the legislation, primarily on the grounds that it is ultra vires federal jurisdiction (outside of powers granted to the federal parliament under the constitution) and that it violated s. 2(b) of the Charter and could not be saved by s. 1.

For the non-lawyers out there, a law can violate Charter rights but can still be upheld if the infringement is justifiable using s. 1:

1. The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

The framework for s. 1 analysis set by the Supreme Court requires all of the following to be met for a limitation on a constitutionally-guaranteed right to be upheld:

1. The limit must be prescribed by law

2. There must be a pressing and substantial objective

3. The means must be proportional

a. The means must be rationally connected to the objective

b. There must be minimal impairment of rights

c. There must be proportionality between the infringement and objective

In my personal view, the decision is incorrect in a number of ways. I think the Commission suffered from the same issue that plagues much of the discussion of CASL: the use of the word "spam" in its colloquial sense when the focus needs to be on what the law actually regulates: commercial electronic messages. It is comparing apples to oranges, and statistics like "spam is down in Canada" are only slightly useful in the discussion.

I think the Commission was dramatically wrong in finding that there was a minimal impairment of constitutional rights. This generally asks whether the restriction unduly limits speech or expression that is outside of the scope of the "pressing and substantial objective."

In its decision (Compliance and Enforcement Decision CRTC 2017-367), the CRTC agreed with the government regarding the law's objective:

108. The government’s objective in enacting CASL is revealed within the title of the Act: “to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities….”

109. The Act is clearly focused on e-commerce in Canada as a whole. This is expanded on in the objective clause of the Act (section 3).

110. In the Commission’s view, it is clear that the government’s objective is pressing and substantial. The factual evidence put forward by the Attorney General is detailed and convincingly supports this conclusion. There is an abundance of literature, analyses, reports, and statistical evidence that demonstrate the existence of spam and other electronic threats, the impact that they have on Canadian businesses and consumers, and how countries around the world have been compelled to introduce legislation to address these threats.


Note again the use of the word "spam". The law regulates and generally prohibits "commercial electronic messages" and its main defect -- in my view -- is that it goes after "spam" by limiting legitimate expression that is not "spam" and that has little if anything to do with harming confidence in electronic commerce.

However, the Commission did not follow CompuFinder's argument that the law is not minimally impairing.

152. CompuFinder’s argument at this stage is essentially that CASL’s CEM prohibition regime is overbroad, capturing more forms of expression than are necessary to achieve the statute’s purpose.

153. The Attorney General did not directly respond to each specific allegation of the law’s overreach. Instead, its main response to the overbreadth arguments raised by CompuFinder is that the Act does not impose a total ban on the sending of CEMs. Persons wishing to send commercial messages are not barred from using the Internet or email to advertise. In addition, the exceptions and exemptions to the general prohibition contained in section 6 of CASL act as levers that further limit the infringement of freedom of expression.

154. The Commission notes that, as indicated by the Supreme Court in JTI-Macdonald Corp., when interpreting these exceptions and exemptions, specific words should not be considered in isolation; rather, the interpretation must be guided by Parliament’s objective and its global intention sought.

155. In the case of CASL, Parliament’s concern was to combat a multitude of electronic threats that could have deleterious effects on Canada’s e-economy, Canadian businesses, and Canadian Internet users. In pursuing its objectives, Parliament has deliberately narrowed, and empowered the Governor in Council to make regulations narrowing, the applicability of the Act to certain commercial activities (as defined in subsection 1(1) of the Act), and enacted a long series of exceptions, exclusions, and limitations to the application of prohibitions on the sending of CEMs.

156. Examples of these exceptions can be found in subsections 6(5) and 6(6) of CASL and in the provisions regarding excluded messages in section 3 of the Governor in Council regulations. As a result of these and other exceptions and exemptions, the prohibition in section 6 of CASL does not apply to numerous types of CEMs, including those sent by or on behalf of an individual who has a personal or family relationship with the recipient, those consisting of an inquiry relating to a commercial activity engaged in by the recipient, certain notice-giving or transactional messages, and certain intra-organizational and inter-organizational messages.

157. Further, given that, in cases of ambiguity, claims of overbreadth may be resolved by appropriate interpretation, where the application of these exceptions and exclusions are potentially ambiguous, and such ambiguity could potentially lead to overbreadth of the provisions in question, they must be interpreted in the manner that would result in the least possible intrusion upon protected expression, while also respecting the intention of Parliament.

158. Accordingly, the Commission agrees with the Attorney General that the expression limited by CASL is substantially lessened as a result of its exceptions and exemptions. These exceptions, when taken as a whole, significantly narrow the application of section 6 and, as a result, on a balance of probabilities, the impugned provisions do not impair free expression more than necessary to achieve the objectives of CASL. In these circumstances, the limitations on the sending of CEMs, are not unreasonable in light of their legislative purpose.

I disagree with this overall, but I am particularly concerned with what the Commission said in paragraph 157. It essentially said that the law can be made constitutional in some cases by erring on the side of a constitutional interpretation in the event of any ambiguity. That essentially says that the law can remain constitutional because the CRTC enforcement folks can interpret in a manner that scales back its overbreadth. I don't think I know anyone who practices in this area who thinks that the CRTC enforcement folks can be counted on to do that.

I remain of the view that CASL is overbroad and unduly limits protected expression that has nothing to do with protecting consumer confidence in e-commerce. The Commission's decision doesn't change my mind on that at all, and it will be interesting to see if this particular case goes any further.

Thursday, October 19, 2017

My comments on Nova Scotia's Intimate Images and Cyber-protection Act

Note: Because of very short notice, I will not be able to appear at the Nova Scotia Legislature's Law Amendments Committee to provide my views on Nova Scotia's new cyberbullying law. Here are my written comments that will be sent to the Committee for their consideration.

Thank you for the opportunity to provide my views on Bill 27, the Intimate Images and Cyber-protection Act.


I am a lawyer with McInnes Cooper whose practice is focused on internet and privacy law matters. I need to emphasise from the outset that these are my own personal and professional comments, and do not necessarily represent the views of my firm, its clients or any other organizations with which I am associated. I have been practicing in this area of law for over fifteen years. In this context, I am perhaps best known as being a vocal critic of the Cyber-Safety Act and being the lawyer who argued in Court that the old Act was unconstitutional.


If I could first comment on a matter of process, I am disappointed that I am not able to appear before the committee and answer any questions you may have. When this bill was first considered on October 16, 2017, I had less than one business day’s notice of the hearing and was out of town. I was advised on Thursday, October 19 that it would be before the committee on Monday, October 23. That’s one and a half day’s notice and I will be out of town on Monday. If the government were serious about getting this right, surely it would make it easier for experts to appear on the Bill. I am sure the Committee would benefit from testimony from Canadian Civil Liberties Association or the Canadian Bar Association, but these organizations can’t just drop tools, consult with their stakeholders and develop a coherent and helpful position with that kind of notice. I can name at least five people who have immense expertise in the field of civil rights, cyberbullying, restorative justice and youth suicide from whom this Committee and Nova Scotians should hear, but none will have a chance to provide their well-informed and expert views. I do not know if this is peculiar to this bill, but it certainly was the case with the original Cyber-Safety Act and Nova Scotians have suffered as a result.


In the meantime, the government has had a number of targeted consultations. I did meet with Justice officials twice to provide my views, with the final meeting commenting on a draft of the bill. I had some misgivings then which I’ll share with you today.


As I mentioned, I was the lawyer in the case that resulted in the Cyber-Safety Act being declared unconstitutional. I was previously very critical of the law and the former Premier said he “could not disagree with me more”. When that quote was posted by the CBC on their website, that cyberbullied me according to the law’s definition.


While the law was declared unconstitutional on December 10, 2015, it was unconstitutional on the day it was introduced on April 25, 2013, fewer than three weeks after the tragic death of Rehtaeh Parsons.


I stood up in court and called the Cyber-Safety Act a “dumpster fire”. Justice McDougall called it, much more politely, a “colossal failure” as far as the Charter is concerned.  


I argued, and the Court agreed, that the law had two principal failures. The first was that the definition of “cyberbullying” was far, far too broad and would include anything that could hurt someone’s feelings (including legitimate, political speech). The second failure was that a complainant could get a protection order without the alleged cyberbully ever having an opportunity to defend themselves. The justice of the peace would make a decision on the basis of only hearing one side of the case. And the first that the respondent would hear of it would be when a police officer would show up at their house -- usually at night -- and serve them with the order.


I think both of these issues have been addressed in the new Bill. The definition of “cyberbullying” raises the bar much, much higher. It may be too high, by requiring “malice”, but it does capture communications that are intended to harm the victim. The issue of procedural fairness has certainly been addressed, but I am afraid the pendulum may have swung too far the other way.


The way the Bill sets it out, a victim of cyberbullying has only one option: to commence an application in the Supreme Court of Nova Scotia following the Nova Scotia Civil Procedure Rules. I have 100% confidence in the fairness of a judge of the Supreme Court. But forcing a victim of cyberbullying to start a conventional lawsuit will represent a huge barrier to access to justice.


What I am saying is completely contrary to my own pecuniary self interests. I am a lawyer who practices law in this area. My law partners much prefer that I charge clients for my time and for my services. We have a great pro bono program -- I think it’s one of the best in the country of any law firm that I am familiar with -- but I am not able to take the cases of all victims of cyberbullying. Going to the Supreme Court requires that a victim understand and follow Civil Procedure Rules. They’ll have to read and understand Rules 5, 4, 5, and 6. They have to prepare a notice of application in court and an affidavit, all according to the rules. They’ll have to hire a process server to serve the documents on the respondent. They likely have to be in court across from their tormentor to schedule the next steps and the court hearing. They get a written affidavit from the respondent. They can then maybe file another response affidavit. They can maybe cross-examine the respondent outside of Court, assuming they are in a position to pay a court reporting service to transcribe the cross-examination on an expedited basis. Then they have to file their brief. And then they have their day in Court, except they never get to directly tell a judge their story. They don’t get to testify on their own behalf, since their testimony is only in their affidavit.


I would expect it would cost at least $10,000 for me to represent an applicant in this process. That is daunting. But what’s equally daunting is the prospect of a traumatized cyberbullying victim having to find, let alone understand and precisely follow, the civil procedure rules. That greatly troubles me and I think it should trouble you.


The legislature should seriously consider a different approach. I do not think I have all the answers, but I would suggest that the legislature should consider a less formal approach that still preserves the procedural fairness that was lacking in the old Cyber-safety Act. While the procedure for a peace bond is not without its shortcomings, there should be a procedure through which an applicant can go to court and tell their story. The respondent has the same right to know what is being alleged, to appear, to present their story and possible justification. If neither adduced evidence about some of the essential factors to be considered under the Act, the judge can ask them questions. And a decision follows. This can be before the Supreme Court of Nova Scotia or a judge of the Provincial Court.
I do agree with sidelining the CyberSCAN unit from enforcement of the law. In my experience and in my opinion, they were the wrong tool for the job. While perhaps not representative of all the people with whom they interacted, I consistently heard from and about people whose political or legitimate Charter-protected speech was removed from the internet because they bullied the people into removing it under threat of unspecified “legal action” that could include removing their internet access. It may have been a matter of who they hired for the role or how they were led, but the CyberSCAN unit was part and parcel of the speech suppression that the law represented. When I asked Roger Merrick how the CyberSCAN unit took the Charter into account in doing their jobs, I was told that the legislature took it into account when the bill was passed by this House. That was clearly incorrect.


I do think the CyberSCAN unit or some replacement of it could do good things. Education and awareness are important. Providing support to victims is important. I am sure that victims will need a lot of help in figuring out how to have their day in court, and they can be a resource for that.

One final concern that I have is that the legislation says that if the victim is a minor, their parent or guardian has to commence the application on their behalf. There should be a mechanism by which a minor can do this on their own. First of all, there may be a case where the case relates to intimate images and the minor does not want to tell their parents. Secondly, I can imagine a scenario where the parent is either the perpetrator or is unwilling to help the child. Some safeguard needs to be in place to give a child direct access to the courts.


I do want to take the opportunity to praise the manner in which the non-consensual distribution of intimate images is treated in the statute. By separating this from the definition of cyberbullying, it will effectively shield this from being struck down if the conventional cyberbullying aspect is found to be unconstitutional.


Again, I regret that there was not enough notice for me to appear in person and answer any questions by the Committee. However, I am easy to find and I would be pleased to discuss this important matter with any Committee members or their staffers.

Wednesday, October 11, 2017

Nova Scotia introduces new "secure" ID and licenses; fails to mention use of biometrics

The Government of Nova Scotia just announced that it is introducing new "secure" provincial photo ID cards and driver's licences.

What they failed to mention in any of their press releases or in any of the media coverage is that the new system will incorporate facial recognition technology. How this will be used or controlled is still unclear.

I contacted the province, which confirmed the use of facial recognition, but was unable to provide me with any information about the incidence of forgery and fraud that they use to justify the new licenses.

Privacy geeks will recall that the provincial authority in British Columbia offered police the use of their massive biometric database to identify people involved in the Vancouver Stanley Cup riot. (Canadian Privacy Law Blog: ICBC offers up its drivers' license database (with facial recognition) to ID Vancouver rioters) Who controls the database and how it will be used is very important, and very unclear at the moment.

Added later: See below for some follow-up questions and answers.

Here's their media release:

New Secure Driver’s Licence and Photo ID Cards

Transportation and Infrastructure Renewal/Service Nova Scotia

October 10, 2017 12:44 PM

Nova Scotia driver’s licence and photo ID cards will soon be better protected against identity theft, fraud and forgery.

Nova Scotia and the three other Atlantic provinces are introducing a new, highly secure driver’s licence and photo ID card. Starting in November, the cards will be printed at a central facility shared by all four provinces and mailed to clients within 14 days.

“The main reason for this change is to protect Nova Scotians against identity theft and fraud,” said Lloyd Hines, Minister of Transportation and Infrastructure Renewal. “These changes will help us keep pace with the latest security and technology advances, and bring us in line with the rest of the country.”

Nova Scotians do not need to get a new licence or photo ID card until their current one is up for renewal. Since the cards will no longer be printed at Access Nova Scotia Centres and Registry of Motor Vehicles offices, clients renewing their licence will be given a 30-day temporary document to use until their new licence arrives.

There will be a strict review process before cards are issued to help prevent fraud and identity theft. Highly advanced, anti-counterfeiting security features will also help ensure they cannot be copied using new printing technologies.

"As Nova Scotia's provincial police, the RCMP is pleased to see any initiative that decreases opportunities for fraudulent activity," says Chief Superintendent Marlene Snowman, Nova Scotia RCMP Criminal Operations Officer. "Police officers often rely on the validity of licence information for a variety of reasons so these changes will make a positive difference for frontline officers across the province."

Access Nova Scotia will start to move to the new process for driver’s licences and photo ID cards next month with full implementation expected to be in place by the end of December.

In December 2016, the four Atlantic provinces awarded Gemalto, a world leader in digital security, a five-year contract to produce and mail the driver's licences and photo ID cards.

There is no fee increase for the new driver’s licence and photo ID card. The new cards will be implemented over the next five years as driver’s licences expire.

For more information, visit www.novascotia.ca/driverslicence .


Edit: I had some follow-up questions for the government's spokesperson. Here are my questions and the answers:

The new IDs will bring NS in line with the cutting edge of security features. That being said, protecting the privacy of citizens remains a top priority. The sole purpose of the facial recognition is to help identify individuals attempting to obtain fraudulent duplicate IDs. The province has no authority to share it for any other purpose, with any other entity, unless ordered by the courts. To your specific questions:


1. Will the biometric database be managed by the contractor or by the government? Government

2. If by the government, which department? Transportation and Infrastructure Renewal and Service Nova Scotia.

3. Will the database for NS be combined with those of the other provinces? No

4. Was a privacy impact assessment carried out? If so, by whom? Was it reviewed by the Information and Privacy Commissioner? Yes, the PIA was conducted by Nicom IT and IAP Services (at the department of Internal Services) has participated in the process, reviewed and recommended for approval, also as per their usual practice. It will be provided to the Commissioner for their records.

5. Are there any policies in place or being developed for access to or use of the database, other than administration of the license/ID card system? No.

6. Will any contents of the database be provided to any other government and under what circumstances? No.

7. Will faces in the database be matched to any other database? No.

Friday, October 06, 2017

Nova Scotia introduces new anti-cyberbullying bill

On October 5, 2017, the Nova Scotia Liberal government introduced a new bill to replace the former Cyber-safety Act, which was struck down as unconstitutional (a "colossal failure", said the judge). The Intimate Images and Cyber-protection Act is the result of a serious re-think of all the defects found in the Cyber-safety Act.

Some important differences:

1. The bill has a much narrower definition of "cyberbullying". The previous law would have considered anything done online that could hurt your feelings to be cyberbullying. In this version, the alleged cyberbully has to maliciously intend to cause harm or has to be reckless with regard to the risk of harm.

(c) "cyber-bullying" means an electronic communication, direct or indirect, that causes or is likely to cause harm to another individual's health or well-being where the person responsible for the communication maliciously intended to cause harm to another individual's health or well-being or was reckless with regard to the risk of harm to another individual's health or well-being, and may include

(i) creating a web page, blog or profile in which the creator assumes the identity of another person,

(ii) impersonating another person as the author of content or a message,

(iii) disclosure of sensitive personal facts or breach of confidence,

(iv) threats, intimidation or menacing conduct,

(v) communications that are grossly offensive, indecent, or obscene,

(vi) communications that are harassment,

(vii) making a false allegation,

(viii) communications that incite or encourage another person to commit suicide,

(ix) communications that denigrate another person because of any prohibited ground of discrimination listed in Section 5 of the Human Rights Act, or

(x) communications that incite or encourage another person to do any of the foregoing;
2. Applications are no longer ex parte. The accused cyberbully has to be given notice of the application and is given an opportunity to appear and respond to the allegations. This fixes the Charter s. 7 defect in the old law.

3. There are a range of defences available. One defect identified in the old Cyber-safety Act was that there were no defences available to an allegation of cyberbullying. In the new bill, there are a few that are intended to protect freedom of expression:

7(2) In an application for an order respecting cyber-bullying under this Act, it is a defence for the respondent to show that

(a) the victim of the cyber-bullying expressly or by implication consented to the making of the communication;

(b) the publication of a communication was, in accordance with the rules of law relating to defamation,

(i) fair comment on a matter of public interest,

(ii) done in a manner consistent with principles of responsible journalism, or

(iii) privileged;


(c) where the respondent is a peace officer acting in the course of the peace officer's duties, that the communication was necessary to prevent a crime or discover, investigate or prosecute the perpetrators of a crime and did not extend beyond what was necessary;

(d) where the respondent is a public officer acting in the course of the duties of the public officer's office, that the communication was necessary to fulfil the duties of that office and did not extend beyond what was necessary.
4. The bill addresses the non-consensual distribution of intimate images separately, which is a good thing. The language for this is essentially drawn from the Criminal Code offence of distributing an intimate image without consent, but this bill provides civil remedies, including an order for removal.

5. The CyberSCAN unit has no role in enforcement. I heard about a number of instances where the CyberSCAN unit itself bullied people to remove political content, so taking away their ability to do that is a good thing. The downside is that individuals don't have a publicly-funded organization that they can look to for legal remedies.

6. The remedies are all self-help. Applications for orders and damages go only to the Supreme Court of Nova Scotia, using the usual processes for applications under the complicated civil procedure rules. This will lead to self-represented litigants getting lost in the civil justice system or having to hire lawyers. I think I would have preferred a simplified process, similar to a peace bond, in the Nova Scotia Provincial Court.

7. Orders to prevent the identification of victims are virtually automatic. A publication ban to protect the identity of the complainant is automatic if the applicant is a minor and will automatically be granted on request to an applicant related to an intimate images proceeding. This is a good thing, as putting discretion in the hands of the court would discourage applicants from coming forward. They can proceed knowing their identity is protected and they will not be re-victimized by the court process.

8. The bill seems to anticipate possible diversion to restorative justice. How this will play out is anyone's guess, but it makes sense to encourage diversion where appropriate.

I expect I'll have more comments on it as I fully digest it, but these are the principal differences between the old and the new.

The government appears to be planning to spend the next few months consulting publicly, with the bill slated to pass in the spring of 2018.

Friday, September 01, 2017

Canadian breach notification requirements finally published for comment

The Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (Canada) to add notification requirements for "breaches of security safeguards", but we've all been anxiously awaiting the regulations that will breathe life into those provisions. Finally, they'll be published in the Canada Gazette tomorrow.

The text (below) and the Regulatory Impact Analysis Statement do not really contain any surprises, other than a silly requirement that you can only give notice of a breach by email if "the affected individual has consented to receiving information from the organization in that manner." This seems to be a nod to Canada's asinine anti-spam law, which would in any event permit such notices by email.

Here is the regulatory impact analysis statement. You can get the proposed regulation from the Canada Gazette publication:

Canada Gazette Part I, Vol. 151, No. 35 — September 2, 2017 - Breach of Security Safeguards Regulations

Statutory authority

Personal Information Protection and Electronic Documents Act

Sponsoring department

Department of Industry

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Issues

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act), in a number of areas. A key change was the establishment of mandatory data breach reporting requirements.

These new provisions are set out in Division 1.1 of PIPEDA, but are not yet in force. The proposed Regulations provide further details pertaining to certain statutory requirements, and prescribe the process for the coming into force of the Regulations.

Background

Legislative framework

PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.

The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Further, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.

Even in those provinces that have adopted legislation substantially similar to the federal privacy legislation, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

PIPEDA also continues to apply in those provinces to federally regulated organizations — “federal works, undertakings or businesses” — such as banks, and telecommunications and transportation companies.

The purpose of PIPEDA is to facilitate growth in electronic commerce through increasing the confidence of Canadians and businesses in the digital economy. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of business to use or exchange information.

Mandatory data breach reporting under PIPEDA

With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — will have certain obligations, as follows:

  • The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
  • When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
  • The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  • The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.

Subsection 26(1)(c) of PIPEDA provides the Governor in Council with the authority to make any regulations that are required under the Act. The objective of this regulatory proposal is to provide greater certainty and specificity with respect to certain elements of the Act’s data breach reporting requirements under Division 1.1.

Objectives

The objectives of the proposed Regulations are to

Ensure that all Canadians will receive consistent information about data breaches that pose a risk of significant harm to them.

Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.

Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.

Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.

Description and rationale

With regard to the statutory requirements for data breach reporting under Division 1.1 of PIPEDA, the proposed Regulations will

  • specify the minimum requirements for providing a data breach report to the Commissioner;
  • specify the minimum requirements for notifying affected individuals of a data breach; and
  • confirm the scope and retention period for data breach record-keeping.

Recognizing the vast range of organizations that are subject to PIPEDA, the proposed Regulations are designed to provide maximum flexibility for organizations to fulfill their statutory obligations in a manner that is compatible with their particular circumstances.

Data breach report to the Commissioner

The proposed Regulations list the categories of information that must be contained in a report to the Commissioner, but do not preclude additional information from being provided by the organization, should it believe that the information is pertinent to the Commissioner’s understanding of the incident.

The proposal aligns closely with what is currently recommended in guidance by the Office of the Privacy Commissioner of Canada (OPC) for voluntary data breach reporting, and with what is required for mandatory breach reporting in Alberta (see footnote 1) and in the European Union. (see footnote 2)

The proposed Regulations allow for data breach reports to be submitted with the best information available to the reporting organization at the time. This allows an organization to report breaches within an appropriate time frame, even when all information is not yet available. In these cases, organizations may provide updates to the report at a later date, if further pertinent information becomes available.

Notifying affected individuals of a data breach

The proposed Regulations also list the categories of information that must be contained in a notification to affected individuals. However, organizations are not precluded from providing additional information or designing the notice to suit the intended audience.

This approach provides some certainty to organizations as to what is required as a minimum to comply with the statutory requirements for notification. At the same time, it provides flexibility on the format, design and means of notification. This allows organizations to conduct notifications in line with established practices and expectations of their stakeholders.

The proposed Regulations identify certain commonly used forms of communication as appropriate means of direct notification to individuals, with some caveats to ensure that prompt and secure communication of the information takes place. The proposal also recognizes that notification by other unspecified means of communication may also be appropriate, if they are considered to be secure and prompt, and have been established by the organization as a means of communicating important information to the intended audience.

Circumstances where indirect notification to affected individuals would be permitted, in place of direct notification, have been listed in the proposed Regulations. These circumstances are generally considered by stakeholders to be situations where direct notification to all individuals affected by a breach may be impossible or unfeasible for the breached organization, or where direct notification may not be in the best interest of the individuals themselves. The proposed Regulations also confirm that public announcements or advertisements can be considered as appropriate for indirect notifications. Additional requirements for the use of these communication channels are prescribed to increase the probability that affected individuals will receive the information.

Data breach record-keeping

The proposed Regulations will affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner to ensure compliance with the requirements to report to the Commissioner and notify affected individuals of significant breaches. This in turn will encourage better data security practices by the organizations.

To this end, the proposed Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information. The proposal allows for a broad interpretation of what information would constitute a “record” for the purpose of PIPEDA.

This approach provides protection for any material, regardless of medium or form, that may be provided to the Commissioner in response to a request for data breach records. By not enumerating what constitutes a record in regulations, the Access to Information Act exemption in PIPEDA may be extended to whatever is considered a breach record for the purpose of the Act.

The proposed Regulations specify that organizations must hold data breach records for a minimum period of time; specifically 24 months. This allows the Commissioner to request and review the history of breaches experienced by a particular organization within a two-year window. The proposed time frame reflects the standard practice in most provinces for limitations on initiating civil litigation. It is intended to be a minimum requirement, providing for the retention of data breach records for longer than two years, if an organization’s other obligations, practices or requirements so dictate.

For greater certainty, the proposed Regulations clarify that a data breach report provided to the Commissioner under subsection 10.1(1) of PIPEDA can also be considered a data breach record.

Coming into force

To facilitate compliance with the new data breach reporting regime under PIPEDA, the proposed Regulations provide for implementation at the same time as the related statutory requirements under Division 1.1 of PIPEDA, and allow for a lag period between the publication of final Regulations and their coming into force.

Impacts

Businesses

All organizations subject to PIPEDA will be impacted by the proposed Regulations. However, many will have already implemented data breach reporting practices that align with the proposal, given that it reflects existing best practices established by the OPC and legislative requirements in Alberta.

For those organizations that do not have established processes and procedures for tracking data breaches and reporting accordingly, the proposed Regulations provide for a delayed coming into force date after the publication of the final Regulations.

Consumers

The Canadian marketplace will see a positive impact of the proposed Regulations. Consumers will have the assurance that when they are affected by a data breach posing a risk of significant harm, they will receive the right information in an appropriate manner, regardless of where the breach occurred.

Office of the Privacy Commissioner of Canada

The responsibility for overseeing compliance with PIPEDA rests with the Commissioner. As part of its oversight of data breach reporting requirements under the Act, the OPC will receive reports on data breaches posing a real risk of significant harm, request data breach records of organizations, at its own discretion, and provide advice and guidance to organizations as to how to comply with their breach reporting obligations under the Act. Where appropriate, the Commissioner will investigate complaints pertaining to suspected contraventions of data breach reporting requirements, and conduct audits of organizational practices in this regard.

As part of its annual report to Parliament on PIPEDA, the OPC may provide information on the extent and nature of reported data breaches in an aggregate and anonymized manner.

Benefits and costs

Social benefits

The proposed Regulations are expected to contribute positively to the privacy and security of individuals. Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.

The proposed Regulations are anticipated to help mitigate harm to individuals who are affected by a data breach, and to increase the protection of Canadians’ personal information in general by encouraging better data security practices.

The costs to consumers stemming from data breaches are significant and far-reaching. According to Javelin Strategy and Research, which has done comprehensive annual studies of identity theft in the United States since 2006, a significant proportion of individuals who are impacted by a data breach become victims of identity theft or fraud. Beyond financial costs, the potential for humiliation and loss of opportunity resulting from breaches of personal information also exists, and has been recognized by the courts in Canada.

Mandatory data breach notification under PIPEDA provides an increased level of protection for Canadians and other consumers in the Canadian marketplace by allowing them to take steps to protect themselves from potential harm resulting from that breach.

The proposed Regulations will enhance this protection in a number of ways. By ensuring that all breach notifications contain a core set of information and are provided in an appropriate manner, the proposed Regulations will result in more effective notifications by increasing the probability that affected individuals will receive the information and understand its significance.

A minimum standard for notification also assures Canadians that they can expect a similar approach to notification by all organizations.

Economic benefits

The proposed Regulations will serve to codify existing best practices for data breach reporting and create certainty across the marketplace about how organizations notify individuals affected by a breach. They will also harmonize Canada’s regime for data breach reporting with those of other jurisdictions, reducing the burden of reporting for organizations operating in multiple jurisdictions.

In particular, the proposed Regulations will specify the minimum content of a breach report to the Commissioner, ensuring that reports contain adequate and consistent information to enable the Commissioner’s oversight of the requirement to notify individuals. It ensures that all organizations are held to the same standard when reporting breaches and creates a level playing field for regulated organizations across Canada.

Prescribing the content of notifications to individuals and reports to the Commissioner will align the federal private sector regime for mandatory breach reporting with equivalent provincial legislation, and those of Canada’s major trading partners.

In particular, the European Union General Data Protection Regulation (GDPR), which comes into force in 2018, includes mandatory data breach reporting and requires organizations to include similar information in reports to authorities and to individuals. Also in line with the proposed Regulations, EU companies will be required to keep a record of all data breaches for the purpose of demonstrating due diligence with regard to their reporting obligations.

This alignment is important to Canada–EU trade. PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the European Union, which allows for the free flow of personal information from the European Union to Canadian organizations.

It is also an important factor in mitigating compliance costs for organizations that operate in multiple jurisdictions. Many organizations subject to PIPEDA are also required to comply with provincial or international laws, and in the case of a data breach may be required to notify individuals in various jurisdictions. To the extent that the proposed Regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada.

Public security benefits

The proposed Regulations are expected to contribute positively to the security of individuals and the cyber security readiness of Canadian businesses. The regulatory proposal implements statutory requirements to report data breaches, which has been established as an important element of Canada’s cyber security policy.

Experts in data security believe that data breaches are on the rise because organizations are not taking appropriate measures to protect the data they hold. A 2016 report by the Internet Society on the economics of data breaches surmises that the reason for this is twofold: (1) organizations do not bear all the costs of data breach (much is borne by affected individuals), and (2) there is not enough benefit to them in better protecting their users’ data. (see footnote 3) Mandatory breach reporting and record-keeping provide a much needed incentive for organizations to adopt better security practices.

A requirement to maintain records of all breaches for a two-year period will incentivize organizations to track and analyze the impact of all data security incidents. Although many data breaches appear to bear no harm, there may be data security implications. The EY 2016 Global Information Security Survey found that the majority of organizations currently do not increase their cyber security spending after experiencing a breach that does not appear to do any harm. The authors of the report indicate that this is concerning given that cyber criminals often make “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to. (see footnote 4)

The proposed Regulations will also ensure that breach reports to the Commissioner are provided in such a way that incidents can be compared and aggregated to provide a much needed repository of information on data security incidents in Canada, something that experts say will lead to a better shared understanding of cyber security threats. According to the Internet Society report, sharing this information responsibly has a number of benefits: it helps organizations globally improve their data security, helps policy-makers improve policies, helps regulators pursue attackers, and helps the data security industry produce better solutions. (see footnote 5) The report recommends that in order to reduce incidents of data breaches we must increase transparency of the issues through data breach notifications and disclosure.

Consistency in reporting will also allow for metrics to be developed for evidence-based policy-making. Currently there is little data available about the extent and nature of data breaches across the Canadian marketplace, outside of Alberta and the health sector in certain provinces.

Costs

The costs to business directly resulting from the proposed Regulations are expected to be nominal, given that the bulk of the compliance and administrative burden arises from the statutory obligations imposed by the Digital Privacy Act.

Further, the proposed Regulations reflect in large part existing best practices that have been established under the voluntary reporting initiative of the OPC, and under equivalent legislation in certain provinces. Given that these practices have been in place for several years, it is expected that many regulated organizations will have already incorporated them to some degree into their own policies and procedures.

It is anticipated that the flexible approach taken in the proposed Regulations will serve to mitigate the costs of complying with the statutory requirements for notifying individuals. The proposed Regulations allow for organizations to notify individuals indirectly where directly contacting each affected individual may prove unreasonably costly. In these cases, the proposed Regulations allow notification to take place via communication channels that are much more cost effective and efficient, greatly reducing the burden of notification. This may be particularly important for small to medium-sized organizations that may experience a data breach involving a very large number of customers.

The proposed Regulations also allow for organizations to craft notifications in a way that is appropriate for the circumstances and the audience. Though a core set of information is required to be included in notifications to individuals, the proposed Regulations are silent on their format and design.

Consultation

During Parliament’s review of the Digital Privacy Act, many stakeholders representing businesses, consumers and the legal community presented their views on the proposed regime for data breach reporting. The majority were generally supportive of the Bill’s approach, which proposed the use of regulations to provide details on statutory requirements.

Subsequent to the royal assent of the Digital Privacy Act, stakeholders were specifically consulted on the proposed use of regulations. Innovation, Science and Economic Development Canada (ISED) published a comprehensive discussion paper that posed a series of specific questions and invited stakeholders to provide their views on how the Government should exercise its regulatory authority. The discussion paper was posted on the Government’s consultation portal (www.consultingcanadians.gc.ca) and was distributed directly to specific stakeholder groups. ISED also held bilateral and multilateral meetings and teleconferences with interested stakeholders to allow them to express their views on the proposed Regulations.

The majority of stakeholders expressed support for the use of regulations to provide more certainty around how certain statutory provisions should be interpreted. A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances. The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.

Another theme was the desire for harmonization with established best practices for breach reporting: in particular, existing guidance by the OPC for voluntary breach reporting and mandatory reporting requirements in Alberta and the European Union were cited.

Generally, there was some consensus on the need for regulations to clarify content and format of reports to the Commissioner and notifications to affected individuals. Likewise, there was a general desire to see further direction in regulations on record-keeping requirements. However, the majority of stakeholders indicated that guidelines may be more appropriate than regulations to provide further direction in certain areas, including the use of additional factors to be considered when conducting an assessment of risk and determining which third-party organizations should be informed of a breach.

The OPC concurred that guidance material would be appropriate in these areas to assist regulated organizations and indicated that it would take steps to provide the necessary material.

Several stakeholders called for regulations to speak to the role of encryption in a data breach: specifically, whether a data breach involving encrypted information could be presumed to carry a low risk of harm, effectively providing a “safe harbour” against mandatory notification. The OPC held an opposing view in its response, stating that there are other factors that influence the effectiveness of encryption, including the level of encryption employed and whether or not the encryption key has been compromised. As a result, despite the use of encryption there remains a possibility that personal information could be decrypted, potentially posing a real risk of significant harm to the individual involved.

Some stakeholders, including the OPC, called for data breach reports to include an assessment of the type of harm(s) that may result from the breach, in line with the approach in Alberta. However, the proposed Regulations do not prescribe this as mandatory content in order to address concerns that this type of information is speculative and hypothetical. Stakeholders also argued that it would be difficult for many small and medium-sized organizations to make such an assessment given that they may not have the expertise or resources to do so.

Some organizations proposed that the Regulations should specify which organization is required to undertake notification to individuals in situations where a breach occurs at a service provider or supplier organization. However, the majority held the view that determining which organization is responsible for conducting the notification should be in accordance with the existing Accountability Principle in Schedule 1 of PIPEDA, such that overall responsibility for ensuring compliance rests with the organization having control of the personal information in question. In some cases the term “control” does not necessarily equate to “custody,” but instead refers to overall responsibility for the personal information.

During consultations, many organizations called for a transition period between the publication of the final Regulations and the date of coming into force. They argued this would provide adequate time for organizations to implement required changes to information management systems and to train employees accordingly. Proposed transition periods ranged from 6 to 18 months.

Many organizations also raised concerns about the confidentiality of information contained in breach reports and breach records and the potential for inadvertent public disclosure of sensitive data security details or other proprietary information. It should be noted that the Digital Privacy Act amended the Access to Information Act (ATIA) to create a statutory exemption to the disclosure of any data breach record or data breach report in response to an access to information request. This amendment to the ATIA will come into force with PIPEDA’s other data breach notification and reporting provisions found in Division 1.1 of PIPEDA.

Finally, some organizations called for the Regulations to reduce the scope of the statutory requirement for data breach record-keeping, such that organizations would only be required to keep records of “material” or significant breaches. However, the Government has clearly indicated that the purpose of the record-keeping provisions is to provide the Commissioner with an ability to determine whether or not organizations are tracking all breaches and complying with the requirements to report significant breaches and notify affected individuals.

“One-for-One” Rule

This regulatory proposal is not expected to directly increase the administrative burden on business and is therefore exempt from the “One-for-One” Rule.

Costs to regulated organizations resulting from this regulatory proposal are considered to be nominal, given that the administrative burden arises from the statutory obligations for reporting breaches to the Commissioner, notifying affected individuals, and for record-keeping imposed by the Digital Privacy Act. The proposed Regulations simply provide further specification on those obligations.

Small business lens

The small business lens does not apply because the estimated nationwide cost impact of this regulatory proposal is less than $1 million per year.

Implementation, enforcement and service standards

The proposed Regulations would come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1 of PIPEDA. The coming into force of the statutory requirements will be established through a subsequent Order in Council once the Regulations are final.

The proposed Regulations will allow for a delayed coming into force after the publication of the Regulations. This will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience.

In the meantime, ISED will work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. Particular consideration will be given to providing guidance on conducting a risk assessment.

Enforcement of the proposed Regulations would reflect the existing compliance regime under PIPEDA, whereby the Commissioner is responsible for providing oversight and investigating complaints. Record-keeping plays a key role in the oversight regime — the Commissioner can conduct an audit or launch an investigation based on a record or group of data breach records. The OPC will also use data breach information to increase awareness and understanding of the extent and nature of data breaches in Canada.

New provisions for offences and fines for willful and deliberate contravention of these new requirements were imposed by the Digital Privacy Act. As per other contraventions and offences under PIPEDA, courts are authorized to impose fines pertaining to a contravention of the data breach reporting provisions and to order non-compliant organizations to change practices.

ISED will evaluate the need for amendments to the Regulations on an ongoing basis based on results of data breach reporting that are provided by the OPC, and on informal stakeholder feedback from regulated organizations.

Contact

Charles Taillefer

Director

Privacy and Data Protection Directorate

Marketplace Framework Policy Branch

Strategy and Innovation Policy Sector

Innovation, Science and Economic Development Canada

Telephone: 343-291-1774

Email: charles.taillefer@canada.ca

Wednesday, July 26, 2017

British Columbia Commissioner finds that "Creep Catchers" violated province's privacy law

The Information and Privacy Commissioner of British Columbia has just released a very interesting decision and order against the "Surrey Creep Catchers". The Creep Catchers are a loosely affiliated group of people whose stated purpose is to expose online predators, particularly those who will then arrange to meet with children for nefarious purposes. Their modus operandi is to engage with people online, on dating sites and other sites, suggest they are underage and arrange a meeting. They then post video, chat logs, etc. to "expose" or shame the individuals.

In this case, two individuals who were targeted complained to the Information and Privacy Commissioner, who has found that the Creep Catchers violated the Personal Information Protection Act of BC. Most interestingly, the decision found (a) they are an "organization" for the purposes of the Act, (b) they are not engaged in journalism, so that exclusion doesn't help them, and (c) they cannot take advantage of the consent exceptions that apply for legitimate investigations.

A bit troubling is the uncritical following of the definition of journalism used in the Globe24h.com decision of the Federal Court. One will hopefully recall that case was uncontested and the Court simply adopted the restrictive definition put forward by the Office of the Privacy Commissioner of Canada:

[18] In order for s. 3(2)(b) to apply, the Organization must be collecting, using, or disclosing personal information for a journalistic purpose. In A.T. v. Globe24h.com, the Federal Court of Canada considered what constitutes journalism for the purposes of the analogous section of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The “journalistic” purpose exception is not defined in PIPEDA and it has not received substantive treatment in the jurisprudence. The OPCC submits that the Canadian Association of Journalists has suggested that an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation”. Those criteria appear to be a reasonable framework for defining the exception. None of them would apply to what the respondent has done.

[19] I use the above three criteria to determine whether an organization is carrying out its activities for a journalistic purpose under s. 3(2)(b) of PIPA.


I have cautioned before that one should be cautious in applying Globe24h because the entire court case was unopposed and the Court appears to have simply adopted the OPC's argument without too much critical discussion.

It should also be noted that the BC statute applies to a broader range of "organizations" than PIPEDA, for example. If this case were to arise under the federal statute, I'm not sure the OPC would be able to find jurisdiction.

Here is the summary of the decision prepared by the OIPC:

Two individuals complained that an organization improperly collected, used and disclosed their personal information. The organization had induced each individual to have online communication with a fictitious woman over the age of 18, subsequently conveyed that this decoy was under the age of 16, and arranged a meeting to confront each man for attempting to lure a minor. The organization video-recorded the encounter and disseminated the video on social media. The Acting Commissioner found that the organization collected, used and disclosed the complainants’ personal information contrary to the Personal Information Protection Act because it had not obtained their consent and had no other authority to collect, use or disclose their personal information. He ordered the organization to stop collecting, using and disclosing the complainants’ personal information, to destroy all of their personal information in its custody or under its control, and to ask others who disseminated the information to remove and destroy it as well.

Wednesday, June 07, 2017

Canadian government pulls the plug on the Canadian Anti-Spam Law private right of action

It's official ... the ability to sue for damages under Canada's Anti-Spam Law (CASL) has been put on ice. An order-in-council dated June 2, 2017 repealed the provision of a previous cabinet order that set the commencement of the private right of action as July 1, 2017. Without that provision, the private right of action will not come into effect.

PC Number: 2017-0580

Date: 2017-06-02

His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to section 91 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, chapter 23 of the Statutes of Canada, 2010, amends Order in Council P.C. 2013-1323 of December 3, 2013 by repealing paragraph (c).


The Precis sets out the rationale:

Order Amending Order in Council P.C. 2013-1323 of December 3, 2013 in order to delay the Coming into Force date of sections 47 to 51 and 55 of Canada's Anti-spam Law, which provides for a private right of action, in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.


This gives Canadian business, government and consumers the chance to take a breath and figure out whether this dumpster fire of a law is the right tool for the job.