Privacy - May 7, 2014

Global Technology Law and PolicyPrivacy

May 7, 2014

professor michael geist

university of ottawa, faculty of law

Three PhasesPhase 1: 1999 – 2007 – Baseline privacy


Phase 2: 2008-2012 – Privacy stalls


Phase 2: 2008-2012 – Privacy stallsPhase 3: 2013 - ?? – Back on track

Phase One1999 - 2007

Privacy Law - The Basics

- Based on the CSA Model Code

- CSA Model Code based on OECD principles

- Proposed in 1998 - response to EU pressure

- Took effect in 2001 (federally regulated orgs), 2004 (everyone else)

- Limited to commercial activity for constitutional reasons

- Shared responsibility with provinces - substantially similar

- Enforced by Privacy Commissioner of Canada in an ombuds+ role

- Complaints driven + audit power


Application - Subject matter

• Personally identifiable information only - includes information about employees

• Public domain exception

– Telephone Directory

– Professional or Business Directory

– Registry Collected under Statutory Authority

– Court Record

– Information Appearing in the Media Where the Individual has Provided the Information

• Federal Privacy Act exempt

• Name, Title, Business address or Telephone number of an employee exempt - not email though


10 PRINCIPLES -- 1 1. Accountability

• organization is accountable for personal information• Includes privacy point person, training staff

• 2. Identifying Purposes• purpose of collection must be clear• Identify any new purposes• Grandfathering issue

• 3. Consent• individual has to give consent to collection, use, disclosure• “meaningful” consent -- will depend upon circumstances


10 PRINCIPLES (cont.) -- • 4. Limiting Collection

• collect only information required for identified purpose• 5. Limiting Use, Disclosure and Retention

• consent required for other purposes• Destroy or anonymize information once no longer needed

• 6. Accuracy• keep as accurate as necessary for identified purpose


10 PRINCIPLES (cont.) -- 7. Safeguards

• protection and security required

8. Openness• policies should be available• Clear language

9. Individual Access– info available upon request, inaccuracies corrected

10. Challenging Compliance – ability to challenge all practices


Compromise statute -- Purpose clause (s.3)The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would

consider appropriate in the circumstances.

Privacy Law - The Basics - Shared responsibility with provinces

- “Substantial similarity” - Quebec, Alberta, British Columbia, provincial health privacy

- Hundreds of OPC findings

- Statutory review every 5 years

- Last review in 2006

- Privacy Act - governs public sector privacy law

- No updates since first enacted

Privacy Law – Penalties/Enforcement

- Non-binding findings

- Court challenges

- Powers largely limited to investigations

- Call for:

- Order making power

- Expansion of naming names

- Administrative monetary penalties

Phase Two2008 - 2012

Do-Not-Call Legislation

• 12,000,000+ numbers in the database• 780,000+ complaints• Administered by the CRTC• Some serious penalties ($1 million +)• Complaints massively outnumber investigations• Numerous exceptions (charities, political parties,

newspapers, etc.)

Failed Reforms

PIPEDA ReformLawful access

Anti-spam (passes but doesn’t take effect)

Phase Three2013 - ???

Changing privacy commissioners (Stoddart, Cavoukian)

Supreme Court of Canada declares Alberta privacy law unconstitutional

(Union Foods)

OECD updates its privacy guidelines (includes security breach)

Government rejects private member’s bill on security breach

Do Not Track

CASL• Task Force conclusion - opt-in consent backed by penalties• Long delay in responding to recommendations• ECPA introduced in May 2009; dies with prorogation• FISA (re)introduced in May 2010• Bill receives royal assent in December 2010• Regs introduced in June 2011 • Regs reintroduced in January 2013• Regs finalized in December 2013• Law takes effect in July 2014

CASL - The Basics• Only applies to commercial electronic messages:

– Having regard to content, links, etc.:(a) offers to purchase, sell, barter or lease a product, goods, a

service, land or an interest or right in land;(b) offers to provide a business, investment or gaming

opportunity;(c) advertises or promotes anything referred to in paragraph (a)

or (b); or(d) promotes a person, including the public image of a person, as

being a person who does anything referred to in any of para- graphs (a) to (c), or who intends to do so.

• Exception for law enforcement

CASL - The Basics• Key prohibition - send or cause or permit to be sent to an electronic

address a commercial electronic message unless:(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and(b) message meets form requirements– Identifies sender– Sender contact information (valid for 60 days)– Unsubscribe mechanism

• Enable person to unsubscribe via email at no cost• Offer a web-based unsubscribe function• Must take off list within 10 days

• Does not matter if message is received

CASL - The Exceptions• Personal or family relationships• Business-to-business (if consists solely of inquiry related to

commercial activity)• Quote or estimate for product or service if requested by recipient• Confirms previously completed commercial transaction• Warranty information• Product recall information• Safety or security information about a product• Factual information on ongoing transaction such as subscription,

membership, account, loan, etc.• Employment relationship• Product upgrades• Telco providers merely providing telecommunications services• Charities

CASL- The Consent• Can be implied consent if:

– Existing business relationship• Purchase or lease of any product, service, etc. over prior 2 year period• Business, investment, gaming opportunity over prior 2 year period• Bartering of good, service, etc.• Written contract• Inquiry within past six months

– Existing non-business relationship• Donation or gift to political party or candidate over prior 2 year

period• Volunteer work over prior 2 year period (charity, political party,

candidate)• Membership in a club, association, etc. over 2 year period (in regs)

– Person conspicuously publishes email address– Person discloses email address to sender

CASL - Additional Prohibitions• No altering transmission data without consent

– Exception for network management• No installing computer programs without consent• No installing computer programs and using to send

electronic messages

CASL- Additional Prohibitions• Statute identifies requirements for express consent

– For computer programs includes describing function and purpose of the program

– Additional express consent requirement (w/description) if program:• Collects personal information• Interferes with control of personal computer• Changes settings• Interferes with data• Communicates with other computers without consent• Installs another program

• Doesn’t apply:– to computer upgrades where user has given broad consent– cookies, HTML, JavaScripts, OS– Where reasonable to assume has given consent

CASL - Additional Prohibitions• Competition Act violations

– New false or misleading representations in electronic message• Sender information• Content• Locator information

– These apply whether or not deceived• PIPEDA Violations

– Collection of email addresses if used by program designed to capture email addresses

– Use of email addresses if collected from program (as above)– Commissioner has some discretion on investigation

• Telecommunications Act– Possible replacement of do-not-call list

CASL - Penalties/Enforce• Preservation orders - may require telco to preserve data

– Valid for 21 days– May be extended once– May limit disclosure of preservation order for up to six months– Telco must preserve for up to six months; destroy thereafter– Within 5 days, can ask CRTC to review if undue burden– CRTC can vary, rescind, etc.

• Production order– May require production of document or data– Similar standards as preservation orders (no disclosure, CRTC review)

• Warrants– Enter premises to ensure compliance, investigate violations

CASL - Penalties/Enforce• AMPs

– $1,000,000 for individual per violation– $10,000,000 for corporation per violation

• Undertakings– Essentially a settlement of forthcoming notice of violation

• Notice of Violation– Set out violations, penalties, etc.

• Injunctions

CASL- Private Right of Action• Can bring action to court within three years of violation• No action against someone who has agreed to an

undertaking• CRTC, Competition Bureau, OPC may all intervene• Court can order up to $1,000,000 per violation

Lawful Access

“any attempts that we will continue to have to modernize the Criminal Code

will not contain the measures in C-30”

C-13: New Warrants– Transmission data warrant – Metadata

• What it covers» relates to the telecommunication functions of dialling, routing,

addressing or signalling» generated during the creation, transmission or reception of a

communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication

» does not reveal the substance, meaning or purpose of the communication

– Warrant needed for real-time information– Production order for historical data– Expires 21 days after initial demand

• Reason to suspect standard

C-13: New Warrants– Preservation orders

• Designed as temporary order to preserve subscriber information• Includes data related to particular subscriber, specific communication• Expires 90 days after issued• Must destroy information after conclusion

– Production orders• General production order of a document• Specified communication - transmission data to identify person or device• Transmission data• Tracking data• Financial data• Judge may order prohibition on disclosing production order• ISP, FI, etc. may apply to vary order within 30 days

C-13: Disclosure Immunity

“For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.”

“A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so”

Public Sector Privacy

Bill S-4 – Digital Privacy Act

Business Definitions• Changes definition of business contact information - exclude business email

• Business transaction exception – Covers due diligence in transactions– Doesn’t apply if personal information is primary reason for transaction

• Exception for collection, use, & disclosure in witness statement related to insurance claim

• Work product exception• Exception for businesses that voluntarily disclose personal information

to other organizations investigating breach of agreement


security breach disclosure• Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners)

• California disclosure law spreading fast - at least 40 other states with similar laws

• Two possible reporting requirements in event of breach:– Requirement to report “material breach of security safeguards involving

personal information under control” to Privacy Commissioner– Criteria to determine whether to report:

• Sensitivity of information• Number of affected individuals• Cause of breach/systemic problem


security breach disclosure– Requirement to report breach to individuals if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”

– What is significant harm?• bodily harm• humiliation• damage to reputation or relationships• loss of employment, business or professional opportunities• financial loss• identity theft• negative effects on the credit record and damage to or loss of property

– Risk factors - (1) sensitivity of info; (2) risk of misuse


security breach disclosure– Notifications • “ as soon as feasible”• Understandable to affected individuals• To other organizations who may be able to mitigate harm


– Security breach disclosure requirements– Business transaction reforms– Warrantless disclosure expansion

Privacy - May 7, 2014

Technology

Transcript of Privacy - May 7, 2014