Privacy - May 7, 2014

Transcript of Privacy - May 7, 2014
Global Technology Law and Policy
Privacy
May 7, 2014
Professor Michael Geist
University of Ottawa, Faculty of Law
Three Phases
- Phase 1: 1999 – 2007 – Baseline privacy
- Phase 2: 2008 – 2012 – Privacy stalls
- Phase 3: 2013 – ?? – Back on track
Phase One: 1999 - 2007
Privacy Law - The Basics
- Based on the CSA Model Code
- CSA Model Code based on OECD principles
- Proposed in 1998 - response to EU pressure
- Took effect in 2001 (federally regulated orgs), 2004 (everyone else)
- Limited to commercial activity for constitutional reasons
- Shared responsibility with provinces - substantially similar
- Enforced by Privacy Commissioner of Canada in an ombuds+ role
- Complaints driven + audit power
Privacy Law - The Basics
Application - Subject matter
- Personally identifiable information only - includes information about employees
- Public domain exception:
  - Telephone directory
  - Professional or business directory
  - Registry collected under statutory authority
  - Court record
  - Information appearing in the media where the individual has provided the information
- Organizations covered by the federal Privacy Act are exempt
- Name, title, business address or telephone number of an employee exempt - not email though
Privacy Law - The Basics
10 Principles
1. Accountability
  - Organization is accountable for personal information
  - Includes a privacy point person and training staff
2. Identifying Purposes
  - Purpose of collection must be clear
  - Identify any new purposes
  - Grandfathering issue
3. Consent
  - Individual has to give consent to collection, use, disclosure
  - "Meaningful" consent - will depend upon circumstances
Privacy Law - The Basics
10 Principles (cont.)
4. Limiting Collection
  - Collect only information required for identified purpose
5. Limiting Use, Disclosure and Retention
  - Consent required for other purposes
  - Destroy or anonymize information once no longer needed
6. Accuracy
  - Keep as accurate as necessary for identified purpose
Privacy Law - The Basics
10 Principles (cont.)
7. Safeguards
  - Protection and security required
8. Openness
  - Policies should be available
  - Clear language
9. Individual Access
  - Info available upon request, inaccuracies corrected
10. Challenging Compliance
  - Ability to challenge all practices
Privacy Law - The Basics
Compromise statute - Purpose clause (s.3)
"The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."
Privacy Law - The Basics
- Shared responsibility with provinces
  - "Substantial similarity" - Quebec, Alberta, British Columbia, provincial health privacy
- Hundreds of OPC findings
- Statutory review every 5 years
  - Last review in 2006
- Privacy Act - governs public sector privacy law
  - No updates since first enacted
Privacy Law – Penalties/Enforcement
- Non-binding findings
- Court challenges
- Powers largely limited to investigations
- Call for:
  - Order making power
  - Expansion of naming names
  - Administrative monetary penalties
Phase Two: 2008 - 2012
DNCL
Do-Not-Call Legislation
- 12,000,000+ numbers in the database
- 780,000+ complaints
- Administered by the CRTC
- Some serious penalties ($1 million +)
- Complaints massively outnumber investigations
- Numerous exceptions (charities, political parties, newspapers, etc.)
Failed Reforms
- PIPEDA reform
- Lawful access
- Anti-spam (passes but doesn't take effect)
Phase Three: 2013 - ???
Changing privacy commissioners (Stoddart, Cavoukian)
Supreme Court of Canada declares Alberta privacy law unconstitutional (United Food and Commercial Workers, Local 401 case)
OECD updates its privacy guidelines (includes security breach)
Government rejects private member’s bill on security breach
Do Not Track
CASL
CASL
- Task Force conclusion - opt-in consent backed by penalties
- Long delay in responding to recommendations
- ECPA introduced in May 2009; dies with prorogation
- FISA (re)introduced in May 2010
- Bill receives royal assent in December 2010
- Regs introduced in June 2011
- Regs reintroduced in January 2013
- Regs finalized in December 2013
- Law takes effect in July 2014
CASL - The Basics
- Only applies to commercial electronic messages:
  - Having regard to content, links, etc., a message that:
    (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
    (b) offers to provide a business, investment or gaming opportunity;
    (c) advertises or promotes anything referred to in paragraph (a) or (b); or
    (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
- Exception for law enforcement
CASL - The Basics
- Key prohibition - send or cause or permit to be sent to an electronic address a commercial electronic message unless:
  (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
  (b) the message meets form requirements:
    - Identifies sender
    - Sender contact information (valid for 60 days)
    - Unsubscribe mechanism
      - Enable person to unsubscribe via email at no cost
      - Offer a web-based unsubscribe function
      - Must take off list within 10 days
- Does not matter if message is received
CASL - The Exceptions
- Personal or family relationships
- Business-to-business (if consists solely of inquiry related to commercial activity)
- Quote or estimate for product or service if requested by recipient
- Confirms previously completed commercial transaction
- Warranty information
- Product recall information
- Safety or security information about a product
- Factual information on ongoing transaction such as subscription, membership, account, loan, etc.
- Employment relationship
- Product upgrades
- Telco providers merely providing telecommunications services
- Charities
CASL - The Consent
- Can be implied consent if:
  - Existing business relationship
    - Purchase or lease of any product, service, etc. over prior 2 year period
    - Business, investment, gaming opportunity over prior 2 year period
    - Bartering of good, service, etc.
    - Written contract
    - Inquiry within past six months
  - Existing non-business relationship
    - Donation or gift to political party or candidate over prior 2 year period
    - Volunteer work over prior 2 year period (charity, political party, candidate)
    - Membership in a club, association, etc. over 2 year period (in regs)
  - Person conspicuously publishes email address
  - Person discloses email address to sender
CASL - Additional Prohibitions
- No altering transmission data without consent
  - Exception for network management
- No installing computer programs without consent
- No installing computer programs and using them to send electronic messages
CASL - Additional Prohibitions
- Statute identifies requirements for express consent
  - For computer programs, includes describing function and purpose of the program
  - Additional express consent requirement (with description) if program:
    - Collects personal information
    - Interferes with control of personal computer
    - Changes settings
    - Interferes with data
    - Communicates with other computers without consent
    - Installs another program
  - Doesn't apply:
    - To computer upgrades where user has given broad consent
    - To cookies, HTML, JavaScript, OS
    - Where it is reasonable to assume the user has given consent
CASL - Additional Prohibitions
- Competition Act violations
  - New false or misleading representations in electronic message
    - Sender information
    - Content
    - Locator information
  - These apply whether or not anyone is deceived
- PIPEDA violations
  - Collection of email addresses if done by a program designed to capture email addresses
  - Use of email addresses if collected by such a program (as above)
  - Commissioner has some discretion on investigation
- Telecommunications Act
  - Possible replacement of do-not-call list
CASL - Penalties/Enforcement
- Preservation orders - may require telco to preserve data
  - Valid for 21 days
  - May be extended once
  - May limit disclosure of preservation order for up to six months
  - Telco must preserve for up to six months; destroy thereafter
  - Within 5 days, can ask CRTC to review if undue burden
  - CRTC can vary, rescind, etc.
- Production order
  - May require production of document or data
  - Similar standards as preservation orders (no disclosure, CRTC review)
- Warrants
  - Enter premises to ensure compliance, investigate violations
CASL - Penalties/Enforcement
- AMPs
  - $1,000,000 for individual per violation
  - $10,000,000 for corporation per violation
- Undertakings
  - Essentially a settlement of forthcoming notice of violation
- Notice of Violation
  - Sets out violations, penalties, etc.
- Injunctions
CASL - Private Right of Action
- Can bring action to court within three years of violation
- No action against someone who has agreed to an undertaking
- CRTC, Competition Bureau, OPC may all intervene
- Court can order up to $1,000,000 per violation
Lawful Access
“any attempts that we will continue to have to modernize the Criminal Code will not contain the measures in C-30”
C-13: New Warrants
- Transmission data warrant – metadata
  - What it covers:
    - Relates to the telecommunication functions of dialling, routing, addressing or signalling
    - Generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication
    - Does not reveal the substance, meaning or purpose of the communication
  - Warrant needed for real-time information
  - Production order for historical data
  - Expires 21 days after initial demand
  - Reason to suspect standard
C-13: New Warrants
- Preservation orders
  - Designed as temporary order to preserve subscriber information
  - Includes data related to particular subscriber, specific communication
  - Expires 90 days after issued
  - Must destroy information after conclusion
- Production orders
  - General production order of a document
  - Specified communication - transmission data to identify person or device
  - Transmission data
  - Tracking data
  - Financial data
  - Judge may order prohibition on disclosing production order
  - ISP, FI, etc. may apply to vary order within 30 days
C-13: Disclosure Immunity
“For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.”
“A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so”
Public Sector Privacy
Bill S-4 – Digital Privacy Act
Business definitions
- Changes definition of business contact information - excludes business email
- Business transaction exception
  - Covers due diligence in transactions
  - Doesn't apply if personal information is primary reason for transaction
- Exception for collection, use, and disclosure in witness statement related to insurance claim
- Work product exception
- Exception for businesses that voluntarily disclose personal information to other organizations investigating breach of agreement
Bill S-4 – Digital Privacy Act
Security breach disclosure
- Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners)
- California disclosure law spreading fast - at least 40 other states with similar laws
- Two possible reporting requirements in event of breach:
  - Requirement to report "material breach of security safeguards involving personal information under control" to Privacy Commissioner
    - Criteria to determine whether to report:
      - Sensitivity of information
      - Number of affected individuals
      - Cause of breach/systemic problem
Bill S-4 – Digital Privacy Act
Security breach disclosure (cont.)
  - Requirement to report breach to individuals if "it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual"
    - What is significant harm?
      - Bodily harm
      - Humiliation
      - Damage to reputation or relationships
      - Loss of employment, business or professional opportunities
      - Financial loss
      - Identity theft
      - Negative effects on the credit record and damage to or loss of property
    - Risk factors: (1) sensitivity of info; (2) risk of misuse
Bill S-4 – Digital Privacy Act
Security breach disclosure (cont.)
- Notifications
  - "As soon as feasible"
  - Understandable to affected individuals
  - To other organizations who may be able to mitigate harm
Bill S-4 – Digital Privacy Act
- Security breach disclosure requirements
- Business transaction reforms
- Warrantless disclosure expansion