You’ve probably heard a lot recently about Bill C-30. It’s technically called the Protecting Children from Internet Predators Act but commonly referred to as the “Lawful Access” Bill. To learn more about this highly controversial law please watch this short video – click here>>
Thanks to everyone from across Canada who attended today’s Access to Information webinar. If you weren’t able to attend, you can now watch/listen to the webinar here. Topics covered included:
- Overview of access to information 101: the basics
- The 3 vantage points: public bodies, applicants & third parties
- Review of recent cases/headlines
- Identifying key legal and PR landmines
- Discussion of trends in access to information
- Practical tips for managing requests in a cost-effective manner
The Supreme Court of Canada (SCC) released an important decision today that considered whether an individual home owner had a reasonable expectation of privacy in electric meter data.
The police had asked a local utility company to attach a digital recording ammeter (DRA) to the electric meter on a home in order to monitor electrical usage. The data gleaned from the DRA and from other sources was then used to obtain a warrant to search the home. The search resulted in exposing a marijuana grow op. The defence argued that the installation of the DRA infringed the privacy rights of the accused to be secure against unreasonable search contained in Canada’s Charter of Rights and Freedoms.
A critical factual consideration, on which much of the disagreement in the case turned, was the degree to which the use of DRA technology reveals private information. The SCC ultimately decided that DRA technology merely indicates electricity use, not what the electricity was used for, so it was a reasonable loss of privacy.
Here’s an excerpt from the decision:
The central issue in this case is thus whether the DRA discloses intimate details of the lifestyle and personal choices of the individual that form part of the biographical core data protected by the Charter’s guarantee of informational privacy. The evidence available on the record offers no foundation for concluding that the information disclosed by the utility company yielded any useful information at all about household activities of an intimate or private nature that form part of the inhabitants’ biographical core data. The DRA’s capabilities depend of course on the state of the technology at the time of its use. As DRA technology now stands, it is not capable of giving access to the occupants’ personal information. Instead, the DRA data merely yield an additional piece of information to evaluate suspicions — based on an independent evidentiary foundation — police already have about a particular activity taking place in the home.
A final factor affecting the informational privacy analysis is the fact that G’s interest in the electricity use data was not exclusive. G’s electricity consumption history was not confidential or private information which he had entrusted to the utility company. As the supplier of electricity, the utility company had a legitimate interest of its own in the quantity of electricity its customers consumed. Consequently, it is beyond dispute that the utility company was within its rights to install a DRA on a customer’s line on its own initiative to measure the electricity being consumed. The utility company was not an interloper exploiting its access to private information to circumvent the Charter at the behest of the state; rather, its role is limited to the wholly voluntary cooperation of a potential crime victim.
While a territorial privacy interest involving the home is a relevant aspect of the totality of the circumstances informing the reasonable expectation of privacy determination, the Charter’s protection of territorial privacy in the home is not absolute. Where, as in the case at bar, there was no direct search of the home itself, the informational privacy interest should be the focal point of the analysis. The fact that the home was the focus of an otherwise non-invasive and unintrusive search should be subsidiary to what the investigative technique was capable of revealing about the home and what information was actually disclosed. The fact that the search includes a territorial privacy aspect involving the home should not be allowed to inflate the actual impact of the search to a point where it bears disproportionately on the expectation of privacy analysis.
Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.
Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.
Read the full Annual Report here>>.
Have you ever wondered if an electronic document like an e-mail or a scanned image can be used instead of a paper document to meet a legal requirement? How about using an electronic signature as opposed to a written signature?
Unfortunately, the provincial government’s dithering over the past decade will not help you answer these important questions.
Manitoba’s e-commerce legislation, called The Electronic Commerce and Information Act, was passed in the Manitoba Legislature in 2000. It was then billed as a cutting edge law that would help Manitobans to prosper in the online world.
It’s safe to say that the Alberta provincial government is regarded as being right wing. But Manitoba’s? Not at all. So why then is Alberta light years ahead of Manitoba at protecting workers’ privacy?
The above link takes you to the Winnipeg Sun. I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis. I hope you find them of interest!
I’m very pleased to be able to post the following conversation with Jennifer Stoddart.
Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism. As a result, Canadians have been exceptionally well-served.
Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.
Q. How did you get involved in the world of privacy?
A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.
I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.
Q. But it’s coming to an end.
A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.
Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.
Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?
A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.
As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.
Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.
Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?
A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.
We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.
So the challenges are real, and they are huge.
Q. So how does an Office like yours keep up?
A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.
We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.
But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.
Q. If you could make a few recommendations for Canadian business leaders, what would you say?
A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.
Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.
I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance.
Q. Do you have any “privacy-related” predictions for 2010?
A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.
And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.
I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.
Bill C-27, commonly referred to as the ”Anti-Spam Bill”, passed third reading in the House of Commons yesterday and has been referred to the Senate. I originally posted about the Anti-Spam Bill being introduced back in April, so don’t count on speedy passage through the Senate.
(Hat tip to @privacylawyer David Fraser for the heads-up!)
Call off the strike, some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA). However, there hasn’t yet been a case summary or court action under PIPEDA that definitively determines whether a union that collects personal information in their general capacity is obligated to observe the rules outlined in the legislation. As a result, some unions are complying with PIPEDA’s obligations to protect their members’ privacy and, regrettably, some unions are not.
The application of PIPEDA is dependent on the existence of a “commercial activity.” Although this term is vague, the case is strong that most union activities are, in fact, captured by PIPEDA. What is certain is the application of Alberta’s privacy legislation, the Personal Information Protection Act (“Alberta’s PIPA”), to the management of personal information by unions. The application of Alberta’s PIPA is not dependent on the existence of a “commercial activity”. As a result, a 2006 Investigation Report from the Alberta Information and Privacy Commissioner found that the collection of personal information by unions in their general capacity subjects them to the requirements found in Alberta’s PIPA. Manitoba’s Bill 219, The Personal Information Protection and Identity Theft Protection Act (the “Manitoba Bill”) is modeled after Alberta’s PIPA. Similar to Alberta’s PIPA, the application of the Manitoba Bill does not depend on whether an organization is engaged in a “commercial activity.”
As I’ve argued in previous posts, the Manitoba Government should support the Manitoba Bill (which was introduced as a private member’s bill by opposition member, Mavis Taillieu). The Manitoba Bill creates a level of certainty with regards to the privacy rights of union members. That’s one of the many reasons why the Manitoba government should ”cross the picket lines” to privacy and support the Manitoba Bill in this fall session of the Manitoba Legislature.
Of the 198 new access complaints that were launched, 134 (68%) dealt with “refused access”. This indicates that the provincial government and public bodies either have to be more willing to grant access when requested or do a better job at explaining their rationale for refusing access. Of the 207 cases that were closed in 2008, 38% of the complaints were supported by the Ombudsman, 35% were not supported and 5% were resolved before the Ombudsman could issue a finding. This indicates that all of the complaints brought to the Ombudsman are not without merit. The public appears to have a relatively good understanding of what their rights are under FIPPA and PHIA.
The Ombudsman has also been proactively involved in the development stages of legislation and programs in order to address potential privacy issues. For example, the Ombudsman expressed concerns about the technology used in Enhanced Drivers Licenses (EIC). Radio Frequency Identification chips store the necessary information on the EICs, but the chips are always “on”, meaning that they can be read by unauthorized individuals. This concern is being addressed by providing the cardholder with a protective sleeve. However, if the sleeve is ripped, torn or used improperly, it will not provide the necessary protection. Therefore, the Ombudsman has stressed that it is essential that individuals understand the privacy implications of opting into the EIC program.
The Ombudsman was also been involved in assessing the use of closed-circuit television monitoring by Winnipeg Police, who have agreed to follow the recommendations of the Ombudsman and will not live-monitor the cameras and will work towards developing retention policies and technology to “sever” individuals from images which are not relevant.
Overall, the Ombudsman largely applauds public bodies and government agencies for addressing privacy concerns in the development phases of new programs and legislation. However, it is clear that public bodies need to do a better job of dealing with access requests.