Friday, September 28, 2018

Presentation: Privacy 101 for Psychologists

I was invited to present at an professional development event by the Association of Psychologists of Nova Scotia, on the topic of Privacy 101. In case it's of use to others, here's my slide deck:

Saturday, September 22, 2018

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

Thursday, April 26, 2018

AtlSecCon Presentation: Canada's new data breach notification regime

I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.

Friday, March 16, 2018

Presentation: Privacy and privilege at the Canadian border

The Canadian Bar Association's British Columbia Privacy and Access Law Section and the Immigration Section kindly invited me to Vancouver this past week to give a presentation on the topic of privacy and privilege at the border. Much of this was based on my advocacy work with the CBA in presenting on the topic to the Parliamentary Standing Committee on Privacy, Access to Information and Ethics and pro bono work for the Canadian Civil Liberties Association as an amicus.

In case it's of interest, here's my presentation:



One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.

Friday, January 26, 2018

Privacy Commissioner thinks there's a right to be forgotten in Canada

The Office of the Privacy Commissioner of Canada just released a news release, another notice of consultation and a draft position paper on "online reputation".

Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".

I'm just digesting it all, but my preliminary view is that it is incorrect and constitutionally untenable. You can see my submission on the earlier consultation here: You'd better forget the right to be forgotten in Canada.

Here's the OPC's press release on this latest development:

Improvements needed to protect online reputation, Privacy Commissioner says

New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education

GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.

The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.

“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”

The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.

The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.

With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.

Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.

All of these considerations need to be balanced with other important values such as freedom of expression and public interest.

For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.

“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.

There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.

While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.

The report also emphasizes the importance of privacy education.

Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.

“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”

The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.

Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.

After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.

Friday, January 12, 2018

Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company

The British Columbia Court of Appeal has whipped the door open for the greater use of production orders requiring non-Canadian companies to provide user information. Here's the summary I prepared for my firm (also available here):

The Legal Reality: Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company in British Columbia (Attorney General) v. Brecknell

January 12, 2018

By David Fraser, at McInnes Cooper

Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:

The Legal Trend. The decision lines up with the Supreme Court of Canada’s increasing awareness of the Internet’s inherently global nature, willingness to take jurisdiction in cases that cross borders, and readiness to apply existing legal principles to online business – all as illustrated in the Court’s June 2017 decisions in Google Inc. v. Equustek Solutions Inc. and Douez v. Facebook, Inc. There’s every reason to believe this trend is here to stay – and foreign companies doing business in Canada, even if only virtually, should be prepared for the increased legal exposure it entails.

Broader Implications. The Court’s conclusion that the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s “presence” in Canada will have application to, for example, tax laws, remains to be seen.

More Production Orders & More Content. Non-Canadian companies will likely see more production orders from Canadian courts. Canadian courts will more willingly assume jurisdiction over companies where the only contacts with Canada are virtual (i.e. over the internet), and more readily available to police to obtain production orders against such companies – no matter where they are “physically” present. And this route is much preferred by police compared to proceeding under mutual legal assistance procedures. In addition to more Canadian production orders against internet companies, more of those orders will likely be for “content”, not just identifying information and metadata. And this decision will likely lead Canadian police to conclude that compliance is no longer a question of voluntariness: many internet companies “voluntarily” comply with Canadian orders for non-content data but require Mutual Legal Assistance Treaties (MLAT) processes for content such as email and other communications.

In 2016, the Royal Canadian Mounted Police (R.C.M.P.) applied to the B.C. Provincial Court for a production order requiring Craigslist to produce certain information about one of its users. In particular, R.C.M.P. sought the user’s name or physical address, its email address, the IP address assigned to the user when the post was created, the phone numbers used to verify the user account, the dates and times the post was created post and the record of the posting. The court refused on the basis Craigslist had only a “virtual presence in B.C.” The R.C.M.P. appealed and on January 9, 2018, the B.C. Court of Appeal agreed: Craigslist is “present” in the province of B.C. and police can obtain a production order naming it, even though it has no “physical” presence in Canada or an address in Canada to effect service:

Virtual Presence = Physical Presence. Under Canadian law, a Canadian court has jurisdiction where there is a “real and substantial connection” between Canada (or a Canadian province) and the activity in issue. There’s no “bright line” rule, but courts have consistently decided that actively doing business over the internet with residents of a particular Canadian province is enough to create that connection. This in turn gives the court jurisdiction over the specific subject matter and parties (a.k.a “in personam” jurisdiction), a proposition about which the Supreme Court of Canada most recently pronounced in its June 2017 decision in Google v. Equustek Solutions Inc. Here, the Court of Appeal interpreted the Criminal Code provisions as limiting courts’ ability to issue a production order “…only against a person in Canada”, making the question whether Craigslist – a U.S. company with no physical presence in Canada – is “a person in Canada” for this purpose. The Court concluded the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference (at para. 40):

“… [I]n the Internet era it is formalistic and artificial to draw a distinction between physical and virtual presence. Corporate persons … can exist in more than one place at the same time. … I do not think anything turns on whether the corporate person in the jurisdiction has a physical or only a virtual presence. To draw on and rely on such a distinction would defeat the purpose of the legislation and ignore the realities of modern day electronic commerce…”

The Test is Canadian Presence – not Canadian Possession. The Court was clear that the test for a production order is only the presence of the recipient – and not the information sought to be produced – in Canada. Once the Court of Appeal concluded Craigslist was “a person in Canada”, the test was met (at para. 39):

“In the first instance, the [Criminal Code] section, properly interpreted, stipulates only that the person subject to the order must be a person in the jurisdiction. In my view, Craigslist is such a person. Second, the person must be a person who has possession or control of a document. The section says nothing expressly about where that possession or control exists. Indeed, it may not even be sensible to pose the question in terms of the location of control. A person either does or does not have possession of a document. The question is one of control, not where the control is exercised. In this case, Craigslist has possession or control of the relevant records and the provision requires nothing further. In other words, there is nothing in the section that requires the person in the jurisdiction to be a custodian of the documents in the jurisdiction. In my view, it is sufficient that the person is present within the jurisdiction. I do not think that there is anything extraterritorial in such an interpretation. To conclude that Craigslist is a person within the jurisdiction who has possession or control of documents does not give the section an impermissibly extraterritorial interpretation.”

No Other Barriers. The Court of Appeal rejected the argument that a production order against a foreign company effectively intrudes into another country’s sovereignty, essentially deputizing a non-Canadian company to carry out a search in a foreign country that Canadian police could never carry out themselves. The Court concluded the weight of U.S. legal authority doesn’t treat subpoenas in this manner, noting it appears instead to recognize the U.S. validity of subpoenas directed to persons in the U.S. over whom there is personal jurisdiction to disclose documents in the U.S. even where they must be obtained from outside the U.S. The Court also considered – and rejected – the arguments that enforcement difficulties or the existence of Mutual Legal Assistance Treaties (MLAT) militate against the use of production orders in cases like this.