Global Technology Law and PolicyPrivacy
May 7, 2014
professor michael geist
university of ottawa, faculty of law
Three PhasesPhase 1: 1999 – 2007 – Baseline privacy
Three PhasesPhase 1: 1999 – 2007 – Baseline privacy
Phase 2: 2008-2012 – Privacy stalls
Three PhasesPhase 1: 1999 – 2007 – Baseline privacy
Phase 2: 2008-2012 – Privacy stallsPhase 3: 2013 - ?? – Back on track
Phase One1999 - 2007
Privacy Law - The Basics
- Based on the CSA Model Code
- CSA Model Code based on OECD principles
- Proposed in 1998 - response to EU pressure
- Took effect in 2001 (federally regulated orgs), 2004 (everyone else)
- Limited to commercial activity for constitutional reasons
- Shared responsibility with provinces - substantially similar
- Enforced by Privacy Commissioner of Canada in an ombuds+ role
- Complaints driven + audit power
Privacy Law - The Basics
Application - Subject matter
• Personally identifiable information only - includes information about employees
• Public domain exception
– Telephone Directory
– Professional or Business Directory
– Registry Collected under Statutory Authority
– Court Record
– Information Appearing in the Media Where the Individual has Provided the Information
• Federal Privacy Act exempt
• Name, Title, Business address or Telephone number of an employee exempt - not email though
Privacy Law - The Basics
10 PRINCIPLES -- 1 1. Accountability
• organization is accountable for personal information• Includes privacy point person, training staff
• 2. Identifying Purposes• purpose of collection must be clear• Identify any new purposes• Grandfathering issue
• 3. Consent• individual has to give consent to collection, use, disclosure• “meaningful” consent -- will depend upon circumstances
Privacy Law - The Basics
10 PRINCIPLES (cont.) -- • 4. Limiting Collection
• collect only information required for identified purpose• 5. Limiting Use, Disclosure and Retention
• consent required for other purposes• Destroy or anonymize information once no longer needed
• 6. Accuracy• keep as accurate as necessary for identified purpose
Privacy Law - The Basics
10 PRINCIPLES (cont.) -- 7. Safeguards
• protection and security required
8. Openness• policies should be available• Clear language
9. Individual Access– info available upon request, inaccuracies corrected
10. Challenging Compliance – ability to challenge all practices
Privacy Law - The Basics
Compromise statute -- Purpose clause (s.3)The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances.
Privacy Law - The Basics - Shared responsibility with provinces
- “Substantial similarity” - Quebec, Alberta, British Columbia, provincial health privacy
- Hundreds of OPC findings
- Statutory review every 5 years
- Last review in 2006
- Privacy Act - governs public sector privacy law
- No updates since first enacted
Privacy Law – Penalties/Enforcement
- Non-binding findings
- Court challenges
- Powers largely limited to investigations
- Call for:
- Order making power
- Expansion of naming names
- Administrative monetary penalties
Phase Two2008 - 2012
DNCL
Do-Not-Call Legislation
• 12,000,000+ numbers in the database• 780,000+ complaints• Administered by the CRTC• Some serious penalties ($1 million +)• Complaints massively outnumber investigations• Numerous exceptions (charities, political parties,
newspapers, etc.)
Failed Reforms
PIPEDA ReformLawful access
Anti-spam (passes but doesn’t take effect)
Phase Three2013 - ???
Changing privacy commissioners (Stoddart, Cavoukian)
Supreme Court of Canada declares Alberta privacy law unconstitutional
(Union Foods)
OECD updates its privacy guidelines (includes security breach)
Government rejects private member’s bill on security breach
Do Not Track
CASL
CASL• Task Force conclusion - opt-in consent backed by penalties• Long delay in responding to recommendations• ECPA introduced in May 2009; dies with prorogation• FISA (re)introduced in May 2010• Bill receives royal assent in December 2010• Regs introduced in June 2011 • Regs reintroduced in January 2013• Regs finalized in December 2013• Law takes effect in July 2014
CASL - The Basics• Only applies to commercial electronic messages:
– Having regard to content, links, etc.:(a) offers to purchase, sell, barter or lease a product, goods, a
service, land or an interest or right in land;(b) offers to provide a business, investment or gaming
opportunity;(c) advertises or promotes anything referred to in paragraph (a)
or (b); or(d) promotes a person, including the public image of a person, as
being a person who does anything referred to in any of para- graphs (a) to (c), or who intends to do so.
• Exception for law enforcement
CASL - The Basics• Key prohibition - send or cause or permit to be sent to an electronic
address a commercial electronic message unless:(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and(b) message meets form requirements– Identifies sender– Sender contact information (valid for 60 days)– Unsubscribe mechanism
• Enable person to unsubscribe via email at no cost• Offer a web-based unsubscribe function• Must take off list within 10 days
• Does not matter if message is received
CASL - The Exceptions• Personal or family relationships• Business-to-business (if consists solely of inquiry related to
commercial activity)• Quote or estimate for product or service if requested by recipient• Confirms previously completed commercial transaction• Warranty information• Product recall information• Safety or security information about a product• Factual information on ongoing transaction such as subscription,
membership, account, loan, etc.• Employment relationship• Product upgrades• Telco providers merely providing telecommunications services• Charities
CASL- The Consent• Can be implied consent if:
– Existing business relationship• Purchase or lease of any product, service, etc. over prior 2 year period• Business, investment, gaming opportunity over prior 2 year period• Bartering of good, service, etc.• Written contract• Inquiry within past six months
– Existing non-business relationship• Donation or gift to political party or candidate over prior 2 year
period• Volunteer work over prior 2 year period (charity, political party,
candidate)• Membership in a club, association, etc. over 2 year period (in regs)
– Person conspicuously publishes email address– Person discloses email address to sender
CASL - Additional Prohibitions• No altering transmission data without consent
– Exception for network management• No installing computer programs without consent• No installing computer programs and using to send
electronic messages
CASL- Additional Prohibitions• Statute identifies requirements for express consent
– For computer programs includes describing function and purpose of the program
– Additional express consent requirement (w/description) if program:• Collects personal information• Interferes with control of personal computer• Changes settings• Interferes with data• Communicates with other computers without consent• Installs another program
• Doesn’t apply:– to computer upgrades where user has given broad consent– cookies, HTML, JavaScripts, OS– Where reasonable to assume has given consent
CASL - Additional Prohibitions• Competition Act violations
– New false or misleading representations in electronic message• Sender information• Content• Locator information
– These apply whether or not deceived• PIPEDA Violations
– Collection of email addresses if used by program designed to capture email addresses
– Use of email addresses if collected from program (as above)– Commissioner has some discretion on investigation
• Telecommunications Act– Possible replacement of do-not-call list
CASL - Penalties/Enforce• Preservation orders - may require telco to preserve data
– Valid for 21 days– May be extended once– May limit disclosure of preservation order for up to six months– Telco must preserve for up to six months; destroy thereafter– Within 5 days, can ask CRTC to review if undue burden– CRTC can vary, rescind, etc.
• Production order– May require production of document or data– Similar standards as preservation orders (no disclosure, CRTC review)
• Warrants– Enter premises to ensure compliance, investigate violations
CASL - Penalties/Enforce• AMPs
– $1,000,000 for individual per violation– $10,000,000 for corporation per violation
• Undertakings– Essentially a settlement of forthcoming notice of violation
• Notice of Violation– Set out violations, penalties, etc.
• Injunctions
CASL- Private Right of Action• Can bring action to court within three years of violation• No action against someone who has agreed to an
undertaking• CRTC, Competition Bureau, OPC may all intervene• Court can order up to $1,000,000 per violation
Lawful Access
“any attempts that we will continue to have to modernize the Criminal Code
will not contain the measures in C-30”
C-13: New Warrants– Transmission data warrant – Metadata
• What it covers» relates to the telecommunication functions of dialling, routing,
addressing or signalling» generated during the creation, transmission or reception of a
communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication
» does not reveal the substance, meaning or purpose of the communication
– Warrant needed for real-time information– Production order for historical data– Expires 21 days after initial demand
• Reason to suspect standard
C-13: New Warrants– Preservation orders
• Designed as temporary order to preserve subscriber information• Includes data related to particular subscriber, specific communication• Expires 90 days after issued• Must destroy information after conclusion
– Production orders• General production order of a document• Specified communication - transmission data to identify person or device• Transmission data• Tracking data• Financial data• Judge may order prohibition on disclosing production order• ISP, FI, etc. may apply to vary order within 30 days
C-13: Disclosure Immunity
“For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.”
“A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so”
Public Sector Privacy
Bill S-4 – Digital Privacy Act
Business Definitions• Changes definition of business contact information - exclude business email
• Business transaction exception – Covers due diligence in transactions– Doesn’t apply if personal information is primary reason for transaction
• Exception for collection, use, & disclosure in witness statement related to insurance claim
• Work product exception• Exception for businesses that voluntarily disclose personal information
to other organizations investigating breach of agreement
Bill S-4 – Digital Privacy Act
security breach disclosure• Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners)
• California disclosure law spreading fast - at least 40 other states with similar laws
• Two possible reporting requirements in event of breach:– Requirement to report “material breach of security safeguards involving
personal information under control” to Privacy Commissioner– Criteria to determine whether to report:
• Sensitivity of information• Number of affected individuals• Cause of breach/systemic problem
Bill S-4 – Digital Privacy Act
security breach disclosure– Requirement to report breach to individuals if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”
– What is significant harm?• bodily harm• humiliation• damage to reputation or relationships• loss of employment, business or professional opportunities• financial loss• identity theft• negative effects on the credit record and damage to or loss of property
– Risk factors - (1) sensitivity of info; (2) risk of misuse
Bill S-4 – Digital Privacy Act
security breach disclosure– Notifications • “ as soon as feasible”• Understandable to affected individuals• To other organizations who may be able to mitigate harm
Bill S-4 – Digital Privacy Act
– Security breach disclosure requirements– Business transaction reforms– Warrantless disclosure expansion
Top Related