Friday, May 10, 2019

Presentation: What’s new in cross-border digital evidence gathering for criminal investigations?

I was invited to present at the High Technology Crime Investigation Association's first annual Canadian Cyber Summit.

I spoke about recent issues and trends in cross-border criminal investigations originating in Canada, starting with the current state of affairs and the Mutual Legal Assistance Treaty regime, issues caused by blocking statutes and what the CLOUD Act will mean for Canadian investigators.

In case it's of broader interest, here's the presentation:

Thursday, April 25, 2019

My Atlantic Security Conference 2019 Presentation: The New Privacy and Cybersecurity Legal Risk Landscape (or how to play nicely with lawyers)

I was invited back this year to the Atlantic Security Conference as a speaker. It's a great event and shows that Halifax really punches above its weight when it comes to tech and skills.



My presentation was on The New Privacy and Cybersecurity Legal Risk Landscape (or how to play nicely with lawyers), focusing on the drivers that are forcing a convergence between privacy and infosec. It also talks about the skills that infosec folks can cultivate to become of greater value to their clients, by developing skills to translate between business folks and lawyers on security issues. The crowd was great with some fantastic questions.

Here's the presentation for anyone who may be interested.

Saturday, April 20, 2019

Privacy Commissioner proposes new guidance on crossborder transfers, requiring consent for all outsourcing

In seeking to revise crossborder dataflows, the OPC’s position would require consent for all transfers of personal information for processing

The Office of the Privacy Commissioner of Canada (OPC) has initiated a consultation that proposes to completely reverse its previous guidance on crossborder dataflows under the Personal Information Protection and Electronic Documents Act (PIPEDA). And because they are trying to fit a round peg in a square hole, their position -- if implemented -- will have a huge impact on all outsourcing.

In 2009, the OPC published a position that was consistent with the actual wording of the statute. It held that when one organization gives personal information to a service provider, so that the service provider can process the data on behalf of the original organization, it was a transfer and not a disclosure. This is an important distinction because transfers do not require consent from the individual, whereas a disclosure does. Data is disclosed when it is given to another organization for use by that organization for its own purposes. In a transfer scenario, the personal information is protected by operation of the accountability principle, which means the organization that originally collected the data and has transferred it to a service provider remains responsible for the personal data and has to use contractual and other means to make sure that the service provider takes good care of the personal information at issue. Importantly, in its 2009 guidance, the OPC correctly noted “PIPEDA does not distinguish between domestic and international transfers of data.” Consent was not required, but the OPC did recommend that notice be given to the individual:

Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.

The 2009 policy position reflects the consensus of most privacy practitioners since PIPEDA came into effect in 2001. The new position is a complete reversal and discards the notion of “transfers” of personal information for processing:

Under PIPEDA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. Naturally, other disclosures between organizations that are not in a controller/processor relationship, including cross border disclosures, also require consent. [emphasis added]

The new position concludes that because there is nothing in PIPEDA that specifically exempts transfers from consent, transfers can be folded into the mandatory consent scheme:

While it is true that Canada does not have an adequacy regime [as in Europe] and that PIPEDA in part regulates cross border data processing through the accountability principle, nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements. Therefore, as a matter of law, consent is required. Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.

This new position, while demanding consent, brings the true nature of that consent into question. On the one hand, the organization has to get consent. On the other hand, the individual can be given no meaningful choice or ability to opt-out, because the organization can say “take it or leave it”:

Organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process. In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.

There is little basis in the statute for this position reversal, and their consultation document shows some significant mental gymnastics to get where they want to go notwithstanding the actual scheme of the Act.

Because PIPEDA does not deal with crossborder transfers in any specific way, the only way for the OPC to get to the result they seek is to impose their new requirements on all transfers for processing by a third party, regardless of whether that processing involves moving the personal information outside of Canada. And to highlight the shortcomings of trying to shoehorn this principle into the existing statute, it would not affect in any way a US company that operates in Canada deciding after the fact to move data to its own US-based data centre because it would not be a disclosure or a transfer from one entity to another.

When PIPEDA was first passed and as subsequently amended, Parliament expressly excluded crossborder barriers.

Parliament had the example of the European Data Protection Directive and its adequacy mechanism, but Parliament did not follow this model at all. The only way for the OPC to get to the result it is seeking is to impose new requirements on all transfers for processing by a third party, regardless of whether that processing involves moving the personal information outside of Canada. By going after crossborder transfers -- which is ill-conceived on its own -- the OPC is proposing to break all domestic outsourcing, as well. This is a massive cost with no discernible privacy benefit.

If Parliament had intended to address crossborder data transfers, it would have done so. It can still do so. It is not the role of the Privacy Commissioner of Canada to usurp Parliament’s prerogatives in this manner.

This reimagining of PIPEDA really stretches statutory interpretation past the breaking point. It also has the effect of undermining the rule of law when an Officer of Parliament decides unilaterally to reinterpret and essentially re-write the statute presented to him by the institution to which he is accountable. This should have been a consultation that would lead to a report to Parliament, not the imposition of GDPR-envy on companies operating in Canada.


The proposal immediately garnered significant criticism. Lisa Lifshitz wrote for Canadian Lawyer Magazine:

This is problematic in several respects as this analysis flies in the face of years of guidance from the OPC (and reiterated repeatedly, including in the 2012 Privacy and Outsourcing for Businesses guidance document) that a transfer for processing is a "use" of the information, not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.

***

The OPC’s implement-first-ask-permission-later approach to changing the consent requirements for cross-border data transfers is troublesome at best and judging from initial reactions, sits uneasily with many (me included).

Likely knowing this, at the same time it released the Equifax decision the privacy commissioner also announced a “Consultation on transborder dataflows” under PIPEDA, not only for cross-border transfers between controllers and processors but for other cross border disclosures of personal information between organizations. The GDPR-style language used in this document is no accident and our regulator is seemingly trying to ensure the continued adequacy designation of PIPEDA (and continued data transfers from the EU to Canada) by adopting policy reinterpretations (and new policies) pending any actual legal reform of our law. Meanwhile, the OPC’s sudden new declaration that express consent is required if personal information will cross borders (and the related requirement that individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders) introduces a whole new level of confusion and complexity regarding the advice that practitioners are supposed to be giving their clients pending the results of the consultations review, not to mention the potential negative business impacts (for consumers/vendors of cloud/managed services and mobile/ecommerce services, just to name a few examples) that may arise as a consequence.


Michael Geist has written about the OPC’s approach on his blog:

While the OPC position is a preliminary one – the office is accepting comments in a consultation until June 4 – there are distinct similarities with its attempt to add the right to be forgotten (the European privacy rule that allows individuals to request removal of otherwise lawful content about themselves from search results) into Canadian law. In that instance, despite the absence of a right-to-be-forgotten principle in the statute, the OPC simply ruled that it was reading in a right to de-index search results into PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act). The issue is currently being challenged before the courts.

In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform.



The OPC is inviting comments up to June 4, 2019 and I am sure they’ll get an earful.


This posting is based, in part, on a summary I prepared for the Canadian Technology Law Association's newsletter.



The OPC has just posted a bit of a justification/explanation for their consultation, along with some specific questions they'd like addressed. They are specifically looking for guidance on the following:

Questions for Stakeholders
  1. In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
  2. Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
  3. What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1 2019? Specifically:
    a. In what circumstances should consent be implicit or explicit?
    b. What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
    c. Should the notice to the affected person name the third parties?
    d. Should the notice contain other pieces of information?
  4. Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
  5. If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
  6. What elements should be included in obtaining consent for transfers for processing that are not transborder?
  7. Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must be disclosed as part of the openness principle?
  8. Any other comments or feedback you think may be helpful.

Monday, April 01, 2019

Ontario court refuses to order accused to unlock his smartphone

Not sure how I missed this one when it came out in January ...

The Ontario Court of Justice has refused to order an accused to unlock his smartphone or to provide the crown with the password for the device. In R v Shergill, 2019 ONCJ 54, the Crown made an application for a search warrant for a phone seized from the accused. The interesting part is that the Crown also sought an assistance order under s. 487.02 of the Criminal Code. Notably, the application was not made ex parte so the accused was able to make submissions.

The Crown argued that the accused's Charter rights were not engaged.

[3] The Crown says that basic principles of statutory interpretation allow for an accused to be the subject of an assistance order in relation to his or her own investigation. The Crown further submits that this request for an assistance order does not raise Charter concerns, but is instead a matter of mere practicality. The Crown’s factum focusses entirely on the principle against self-incrimination, submitting that the proposed assistance order does not engage that principle because it only compels Mr. Shergill to provide access to, and not create, material the police are judicially authorized to examine, and because any self-incrimination concerns are met by the grant of use immunity over Mr. Shergill’s knowledge of the password.

The Court decided in favour of the accused, finding that this order would engage the accused's right to silence and the protection against self-incrimination. The Court wrote:

(e) The Right to Silence

[21] In my view, the more significant principle of fundamental justice at stake is the right to silence. This right emerged as a component of the protection against self-incrimination in R. v. Hebert in which McLachlin J. (as she then was), held:

If the Charter guarantees against self-incrimination at trial are to be given their full effect, an effective right of choice as to whether to make a statement must exist at the pre-trial stage… the right to silence of a detained person under s. 7 of the Charter must be broad enough to accord to the detained person a free choice on the matter of whether to speak to the authorities or to remain silent.

McLachlin J. also reaffirmed the Court’s prior holding that the right to silence was “a well-settled principle that has for generations been part of the basic tenets of our law.”

[22] The “common theme” underlying the right to silence is “the idea that a person in the power of the state in the course of the criminal process has the right to choose whether to speak to the police or remain silent.” In tracing the history of the right, McLachlin J. referred to an “array of distinguished Canadian jurists who recognized the importance of the suspect’s freedom to choose whether to give a statement to the police or not” and described the essence of the right to silence as the “notion that the person whose freedom is placed in question by the judicial process must be given the choice of whether to speak to the authorities or not.” Finally, Hebert held that s. 7 provides “a positive right to make a free choice as to whether to remain silent or speak to the authorities.”

[23] The pre-trial right to silence is a concept which, as Iacobucci held in R.J.S., has been “elevated to the status of a constitutional right.” [footnotes omitted]


The Court then discussed some of the challenges that law enforcement are facing in light of new technology and encryption in particular. Though there is always a compelling public interest in the investigation and prosecution of crimes, the final balancing came down on the side of the accused's liberty interests under s. 7 of the Charter.

[51] I accept that the current digital landscape as it relates to effective law enforcement and the protection of privacy presents many challenges. It may be that a different approach to this issue is warranted, whether through legislative initiatives or modifications to what I see as jurisprudence which is binding on me. But on my best application of controlling authority, I am simply not persuaded that the order sought can issue without fundamentally breaching Mr. Shergill’s s. 7 liberty interests, a breach which would not be in accordance with the principle of fundamental justice which says that he has the right to remain silent in the investigative context.

The search warrant was issued, but the assistance order was denied.

Tuesday, February 19, 2019

Privacy for start-ups and growing businesses

I was invited with my colleague Sarah Anderson Dykema to present on privacy by design for start-ups at Volta Labs. Volta is Eastern Canada's innovation hub, incubating and accelerating start-ups.

The turnout was great and the presentation was well received. I promised to publish it on my blog for the attendees, and for anyone else who may find it of interest.


Thursday, February 14, 2019

Supreme Court of Canada lays down a very nuanced, contextual understanding of "expectation of privacy"

Today the Supreme Court of Canada issued a very important privacy decision in R v Jarvis. I say it’s important for a number of reasons. First, it’s an important decision that strongly defines expectation of privacy for the Canadian Criminal Code offence of voyeurism. Second, I expect it will have serious knock-on effects on considering privacy in the regulatory and common-law contexts. Finally, it will inform other instances in our Criminal Code where an expectation of privacy is relevant. The decision has a very highly nuanced and contextual test for determining where there is a reasonable expectation of privacy.

The case is largely about a teacher in a high school who used a covert, miniature camera to take videos of young women’s cleavage over more than a year. It was discovered and he was charged under the relatively new voyeurism offence in the Code. Two essential elements of the offence are that there have to be circumstances that give rise to a reasonable expectation of privacy and the recording has to be done for a sexual purpose.* In R v Jarvis, the recording took place in otherwise “public areas” of the school, so not in washrooms or changing rooms. It also has to be "surreptitious", but the observation itself was not surreptitious. What was being recorded was largely observed in real-time by the teacher. The recording was surreptitious.

The trial judge found that there was a reasonable expectation of privacy but the crown had not proven the sexual purpose beyond a reasonable doubt. It’s hard to get one’s head around that, as the teacher had many, many recordings spanning more than a year of students’ cleavage and chest areas. I’m not sure what other purpose he could have had.

The crown appealed to the Ontario Court of Appeal, which had little difficulty concluding that there was a sexual purpose but split on the reasonable expectation of privacy in a "public place" where the young women could generally be observed by teachers and other students.

On appeal to the Supreme Court of Canada, the Court found the accused to be guilty of the offence and provided a very nuanced and contextual framework for determining where and when there is a reasonable expectation of privacy. What is particularly notable for technology lawyers is the role that the covert recording device plays in this analysis. It is not simply a matter that what was recorded could have been observed with one’s bare eyes. The tech plays a role in a couple of ways. Recording is more intrusive than mere observation, and awareness (or the lack of awareness) of the observation also plays an important role.

The Court provided a non-exhaustive list of nine factors that courts should consider in deciding the question:

[29] The following non-exhaustive list of considerations may assist a court in determining whether a person who was observed or recorded was in circumstances that give rise to a reasonable expectation of privacy:

(1) The location the person was in when she was observed or recorded. The fact that the location was one from which the person had sought to exclude all others, in which she felt confident that she was not being observed, or in which she expected to be observed only by a select group of people may inform whether there was a reasonable expectation of privacy in a particular case.

(2) The nature of the impugned conduct, that is, whether it consisted of observation or recording. Given that recording is more intrusive on privacy than mere observation, a person’s expectation regarding whether she will be observed may reasonably be different than her expectation regarding whether she will be recorded in any particular situation. The heightened impact of recording on privacy has been recognized by this Court in other contexts, as will be discussed further at para. 62 of these reasons.

(3) Awareness of or consent to potential observation or recording. I will discuss further how awareness of observation or recording may inform the reasonable expectation of privacy inquiry at para. 33 of these reasons.

(4) The manner in which the observation or recording was done. Relevant considerations may include whether the observation or recording was fleeting or sustained, whether it was aided or enhanced by technology and, if so, what type of technology was used. The potential impact of evolving technologies on privacy has been recognized by the courts, as I will discuss further at para. 63 of these reasons.

(5) The subject matter or content of the observation or recording. Relevant considerations may include whether the observation or recording targeted a specific person or persons, what activity the person who was observed or recorded was engaged in at the relevant time, and whether the focus of the observation or recording was on intimate parts of a person’s body. This Court has recognized, in other contexts, that the nature and quality of the information at issue are relevant to assessing reasonable expectations of privacy in that information. As I will discuss further at paras. 65-67 of these reasons, this principle is relevant in the present context as well.

(6) Any rules, regulations or policies that governed the observation or recording in question. However, formal rules, regulations or policies will not necessarily be determinative, and the weight they are to be accorded will vary with the context.

(7) The relationship between the person who was observed or recorded and the person who did the observing or recording. Relevant considerations may include whether the relationship was one of trust or authority and whether the observation or recording constituted a breach or abuse of the trust or authority that characterized the relationship. This circumstance is relevant because it would be reasonable for a person to expect that another person who is in a position of trust or authority toward her will not abuse this position by engaging in unconsented, unauthorized, unwanted or otherwise inappropriate observation or recording.

(8) The purpose for which the observation or recording was done. I will explain why this may be a relevant consideration at paras. 31-32 of these reasons.

(9) The personal attributes of the person who was observed or recorded. Considerations such as whether the person was a child or a young person may be relevant in some contexts.


[30] I emphasize that the list of considerations that can reasonably inform the inquiry into whether a person who was observed or recorded had a reasonable expectation of privacy is not exhaustive. Nor will every consideration listed above be relevant in every case. For example, recordings made using a camera hidden inside a washroom will breach reasonable expectations of privacy regardless of the purpose for which they are made, the age of the person recorded, or the relationship between the person recorded and the person who did the recording. In another context, however, these latter considerations may play a more significant role. The inquiry is a contextual one, and the question in each case is whether there was a reasonable expectation of privacy in the totality of the circumstances.


While anyone could have observed these young women in a relatively public place, what made it particularly problematic was the person who did the observing, in their position of power as a teacher, the victim of the offence, what was focused on and the manner of the observing. Not all of the factors weigh strongly in favour of finding a reasonable expectation of privacy in this case, but the vast majority of them do.

So what does this mean? I expect that we'll be able to see more charges and convictions for similar practices, including "upskirting". We'll also have to see a more nuanced discussion about what is an expectation of privacy in generally public places and I'm confident this will inform judicial decision-making in the context of the privacy torts, which largely hinge on reasonable expectations of privacy, and what is unreasonable. We'll also have to think hard about what role technology plays in privacy, particularly where CCTV cameras are said to be largely equivalent to real-time supervision by managers.

One aspect that I haven't really turned my mind to at this point is the impact of this analysis on expectations of privacy vis-a-vis the state, where section 8 of the Charter is concerned.



* There are other permutations that can give rise to the offence, which do require an expectation of privacy and are largely place-based:

Voyeurism

162 (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if

(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;

(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or

(c) the observation or recording is done for a sexual purpose.


At least in a school, subsections (a) and (b) would generally be found in washrooms and change rooms.