Privacy - May 7, 2014

57
Global Technology Law and Policy Privacy May 7, 2014 professor michael geist university of ottawa, faculty of law

description

 

Transcript of Privacy - May 7, 2014

Page 1: Privacy - May 7, 2014

Global Technology Law and PolicyPrivacy

May 7, 2014

professor michael geist

university of ottawa, faculty of law

Page 2: Privacy - May 7, 2014

Three PhasesPhase 1: 1999 – 2007 – Baseline privacy

Page 3: Privacy - May 7, 2014

Three PhasesPhase 1: 1999 – 2007 – Baseline privacy

Phase 2: 2008-2012 – Privacy stalls

Page 4: Privacy - May 7, 2014

Three PhasesPhase 1: 1999 – 2007 – Baseline privacy

Phase 2: 2008-2012 – Privacy stallsPhase 3: 2013 - ?? – Back on track

Page 5: Privacy - May 7, 2014

Phase One1999 - 2007

Page 6: Privacy - May 7, 2014

Privacy Law - The Basics

- Based on the CSA Model Code

- CSA Model Code based on OECD principles

- Proposed in 1998 - response to EU pressure

- Took effect in 2001 (federally regulated orgs), 2004 (everyone else)

- Limited to commercial activity for constitutional reasons

- Shared responsibility with provinces - substantially similar

- Enforced by Privacy Commissioner of Canada in an ombuds+ role

- Complaints driven + audit power

Page 7: Privacy - May 7, 2014

Privacy Law - The Basics

Application - Subject matter

• Personally identifiable information only - includes information about employees

• Public domain exception

– Telephone Directory

– Professional or Business Directory

– Registry Collected under Statutory Authority

– Court Record

– Information Appearing in the Media Where the Individual has Provided the Information

• Federal Privacy Act exempt

• Name, Title, Business address or Telephone number of an employee exempt - not email though

Page 8: Privacy - May 7, 2014

Privacy Law - The Basics

10 PRINCIPLES -- 1 1. Accountability

• organization is accountable for personal information• Includes privacy point person, training staff

• 2. Identifying Purposes• purpose of collection must be clear• Identify any new purposes• Grandfathering issue

• 3. Consent• individual has to give consent to collection, use, disclosure• “meaningful” consent -- will depend upon circumstances

Page 9: Privacy - May 7, 2014

Privacy Law - The Basics

10 PRINCIPLES (cont.) -- • 4. Limiting Collection

• collect only information required for identified purpose• 5. Limiting Use, Disclosure and Retention

• consent required for other purposes• Destroy or anonymize information once no longer needed

• 6. Accuracy• keep as accurate as necessary for identified purpose

Page 10: Privacy - May 7, 2014

Privacy Law - The Basics

10 PRINCIPLES (cont.) -- 7. Safeguards

• protection and security required

8. Openness• policies should be available• Clear language

9. Individual Access– info available upon request, inaccuracies corrected

10. Challenging Compliance – ability to challenge all practices

Page 11: Privacy - May 7, 2014

Privacy Law - The Basics

Compromise statute -- Purpose clause (s.3)The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would

consider appropriate in the circumstances.

Page 12: Privacy - May 7, 2014

Privacy Law - The Basics - Shared responsibility with provinces

- “Substantial similarity” - Quebec, Alberta, British Columbia, provincial health privacy

- Hundreds of OPC findings

- Statutory review every 5 years

- Last review in 2006

- Privacy Act - governs public sector privacy law

- No updates since first enacted

Page 13: Privacy - May 7, 2014

Privacy Law – Penalties/Enforcement

- Non-binding findings

- Court challenges

- Powers largely limited to investigations

- Call for:

- Order making power

- Expansion of naming names

- Administrative monetary penalties

Page 14: Privacy - May 7, 2014

Phase Two2008 - 2012

Page 15: Privacy - May 7, 2014

DNCL

Page 16: Privacy - May 7, 2014

Do-Not-Call Legislation

• 12,000,000+ numbers in the database• 780,000+ complaints• Administered by the CRTC• Some serious penalties ($1 million +)• Complaints massively outnumber investigations• Numerous exceptions (charities, political parties,

newspapers, etc.)

Page 17: Privacy - May 7, 2014

Failed Reforms

Page 18: Privacy - May 7, 2014

PIPEDA ReformLawful access

Anti-spam (passes but doesn’t take effect)

Page 19: Privacy - May 7, 2014

Phase Three2013 - ???

Page 20: Privacy - May 7, 2014

Changing privacy commissioners (Stoddart, Cavoukian)

Page 21: Privacy - May 7, 2014

Supreme Court of Canada declares Alberta privacy law unconstitutional

(Union Foods)

Page 22: Privacy - May 7, 2014

OECD updates its privacy guidelines (includes security breach)

Page 23: Privacy - May 7, 2014

Government rejects private member’s bill on security breach

Page 24: Privacy - May 7, 2014

Do Not Track

Page 25: Privacy - May 7, 2014

CASL

Page 26: Privacy - May 7, 2014

CASL• Task Force conclusion - opt-in consent backed by penalties• Long delay in responding to recommendations• ECPA introduced in May 2009; dies with prorogation• FISA (re)introduced in May 2010• Bill receives royal assent in December 2010• Regs introduced in June 2011 • Regs reintroduced in January 2013• Regs finalized in December 2013• Law takes effect in July 2014

Page 27: Privacy - May 7, 2014

CASL - The Basics• Only applies to commercial electronic messages:

– Having regard to content, links, etc.:(a) offers to purchase, sell, barter or lease a product, goods, a

service, land or an interest or right in land;(b) offers to provide a business, investment or gaming

opportunity;(c) advertises or promotes anything referred to in paragraph (a)

or (b); or(d) promotes a person, including the public image of a person, as

being a person who does anything referred to in any of para- graphs (a) to (c), or who intends to do so.

• Exception for law enforcement

Page 28: Privacy - May 7, 2014

CASL - The Basics• Key prohibition - send or cause or permit to be sent to an electronic

address a commercial electronic message unless:(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and(b) message meets form requirements– Identifies sender– Sender contact information (valid for 60 days)– Unsubscribe mechanism

• Enable person to unsubscribe via email at no cost• Offer a web-based unsubscribe function• Must take off list within 10 days

• Does not matter if message is received

Page 29: Privacy - May 7, 2014

CASL - The Exceptions• Personal or family relationships• Business-to-business (if consists solely of inquiry related to

commercial activity)• Quote or estimate for product or service if requested by recipient• Confirms previously completed commercial transaction• Warranty information• Product recall information• Safety or security information about a product• Factual information on ongoing transaction such as subscription,

membership, account, loan, etc.• Employment relationship• Product upgrades• Telco providers merely providing telecommunications services• Charities

Page 30: Privacy - May 7, 2014

CASL- The Consent• Can be implied consent if:

– Existing business relationship• Purchase or lease of any product, service, etc. over prior 2 year period• Business, investment, gaming opportunity over prior 2 year period• Bartering of good, service, etc.• Written contract• Inquiry within past six months

– Existing non-business relationship• Donation or gift to political party or candidate over prior 2 year

period• Volunteer work over prior 2 year period (charity, political party,

candidate)• Membership in a club, association, etc. over 2 year period (in regs)

– Person conspicuously publishes email address– Person discloses email address to sender

Page 31: Privacy - May 7, 2014

CASL - Additional Prohibitions• No altering transmission data without consent

– Exception for network management• No installing computer programs without consent• No installing computer programs and using to send

electronic messages

Page 32: Privacy - May 7, 2014

CASL- Additional Prohibitions• Statute identifies requirements for express consent

– For computer programs includes describing function and purpose of the program

– Additional express consent requirement (w/description) if program:• Collects personal information• Interferes with control of personal computer• Changes settings• Interferes with data• Communicates with other computers without consent• Installs another program

• Doesn’t apply:– to computer upgrades where user has given broad consent– cookies, HTML, JavaScripts, OS– Where reasonable to assume has given consent

Page 33: Privacy - May 7, 2014

CASL - Additional Prohibitions• Competition Act violations

– New false or misleading representations in electronic message• Sender information• Content• Locator information

– These apply whether or not deceived• PIPEDA Violations

– Collection of email addresses if used by program designed to capture email addresses

– Use of email addresses if collected from program (as above)– Commissioner has some discretion on investigation

• Telecommunications Act– Possible replacement of do-not-call list

Page 34: Privacy - May 7, 2014

CASL - Penalties/Enforce• Preservation orders - may require telco to preserve data

– Valid for 21 days– May be extended once– May limit disclosure of preservation order for up to six months– Telco must preserve for up to six months; destroy thereafter– Within 5 days, can ask CRTC to review if undue burden– CRTC can vary, rescind, etc.

• Production order– May require production of document or data– Similar standards as preservation orders (no disclosure, CRTC review)

• Warrants– Enter premises to ensure compliance, investigate violations

Page 35: Privacy - May 7, 2014

CASL - Penalties/Enforce• AMPs

– $1,000,000 for individual per violation– $10,000,000 for corporation per violation

• Undertakings– Essentially a settlement of forthcoming notice of violation

• Notice of Violation– Set out violations, penalties, etc.

• Injunctions

Page 36: Privacy - May 7, 2014

CASL- Private Right of Action• Can bring action to court within three years of violation• No action against someone who has agreed to an

undertaking• CRTC, Competition Bureau, OPC may all intervene• Court can order up to $1,000,000 per violation

Page 37: Privacy - May 7, 2014

Lawful Access

Page 38: Privacy - May 7, 2014
Page 39: Privacy - May 7, 2014
Page 40: Privacy - May 7, 2014
Page 41: Privacy - May 7, 2014
Page 42: Privacy - May 7, 2014
Page 43: Privacy - May 7, 2014
Page 44: Privacy - May 7, 2014
Page 45: Privacy - May 7, 2014
Page 46: Privacy - May 7, 2014
Page 47: Privacy - May 7, 2014

“any attempts that we will continue to have to modernize the Criminal Code

will not contain the measures in C-30”

Page 48: Privacy - May 7, 2014
Page 49: Privacy - May 7, 2014

C-13: New Warrants– Transmission data warrant – Metadata

• What it covers» relates to the telecommunication functions of dialling, routing,

addressing or signalling» generated during the creation, transmission or reception of a

communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication

» does not reveal the substance, meaning or purpose of the communication

– Warrant needed for real-time information– Production order for historical data– Expires 21 days after initial demand

• Reason to suspect standard

Page 50: Privacy - May 7, 2014

C-13: New Warrants– Preservation orders

• Designed as temporary order to preserve subscriber information• Includes data related to particular subscriber, specific communication• Expires 90 days after issued• Must destroy information after conclusion

– Production orders• General production order of a document• Specified communication - transmission data to identify person or device• Transmission data• Tracking data• Financial data• Judge may order prohibition on disclosing production order• ISP, FI, etc. may apply to vary order within 30 days

Page 51: Privacy - May 7, 2014

C-13: Disclosure Immunity

“For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.”

“A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so”

Page 52: Privacy - May 7, 2014

Public Sector Privacy

Page 53: Privacy - May 7, 2014

Bill S-4 – Digital Privacy Act

Business Definitions• Changes definition of business contact information - exclude business email

• Business transaction exception – Covers due diligence in transactions– Doesn’t apply if personal information is primary reason for transaction

• Exception for collection, use, & disclosure in witness statement related to insurance claim

• Work product exception• Exception for businesses that voluntarily disclose personal information

to other organizations investigating breach of agreement

Page 54: Privacy - May 7, 2014

Bill S-4 – Digital Privacy Act

security breach disclosure• Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners)

• California disclosure law spreading fast - at least 40 other states with similar laws

• Two possible reporting requirements in event of breach:– Requirement to report “material breach of security safeguards involving

personal information under control” to Privacy Commissioner– Criteria to determine whether to report:

• Sensitivity of information• Number of affected individuals• Cause of breach/systemic problem

Page 55: Privacy - May 7, 2014

Bill S-4 – Digital Privacy Act

security breach disclosure– Requirement to report breach to individuals if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”

– What is significant harm?• bodily harm• humiliation• damage to reputation or relationships• loss of employment, business or professional opportunities• financial loss• identity theft• negative effects on the credit record and damage to or loss of property

– Risk factors - (1) sensitivity of info; (2) risk of misuse

Page 56: Privacy - May 7, 2014

Bill S-4 – Digital Privacy Act

security breach disclosure– Notifications • “ as soon as feasible”• Understandable to affected individuals• To other organizations who may be able to mitigate harm

Page 57: Privacy - May 7, 2014

Bill S-4 – Digital Privacy Act

– Security breach disclosure requirements– Business transaction reforms– Warrantless disclosure expansion