Emerging tech – potentially awesome and a privacy quagmire

I attended an event last night where Duncan Stewart of Deloitte talked about their TMT predictions for 2016.

It reinforced for me that the future of tech and what it will do for us is potentially awesome.  But also at the same time the amount of information that is being collected and stored about each of us is staggering.  That creates real privacy challenges, and real possibilities for abuse.  And because the information is there, there is a tendency for government and business alike to want to use it.

One scary aspect is that the more we get used to more information being collected about us, the more complacent we get.  Our personal freaky line – the line at which we stop using services because we are concerned about privacy issues – moves a little farther away.  That is in spite of the fact that the more information there is about us, the more ripe for abuse it is, and the more that we temper or alter our behaviour because we know we are being watched.

Think for a moment about all the information that is increasingly being collected about us.

  • Smartphones that know our every move and the most intimate and personal aspects of our lives.
  • Intelligent cars that know where we go and how we drive.
  • The internet of things where the stuff we own collects information about us.
  • Wearable tech that collects information about our fitness, and increasingly our health.
  • The trend for information and services to be performed in the cloud rather than locally, and stored in various motherships.
  • Big data that functions by saving as much information as possible.
  • Artificial intelligence and cognitive learning tools that can turn data into useful information and make inferences based on seemingly unconnected information.
  • Blockchain technology that has the potential to record surprising things about us.

On top of all this, it is becoming increasingly hard to understand when our info is staying on our device, when it goes somewhere else, how long it stays there, who has access to it, when it is encrypted, and who has access to the encryption keys.

It is in this context, and the fact that we just don’t have the time to spend to understand and make all the privacy choices that we need to make, that the Privacy Commissioner of Canada last week released a discussion paper titled Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act.

The introduction states in part:

PIPEDA is based on a technologically neutral framework of ten principles, including consent, that were conceived to be flexible enough to work in a variety of environments. However, there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent.

Indeed, during the Office of the Privacy Commissioner’s (OPC’s) Privacy Priority Setting discussions in 2015, some stakeholders questioned the continued viability of the consent model in an ecosystem of vast, complex information flows and ubiquitous computing. PIPEDA predates technologies such as smart phones and cloud computing, as well as business models predicated on unlimited access to personal information and automated processes. Stakeholders echoed a larger global debate about the role of consent in privacy protection regimes that has gained momentum as advances in big data analytics and the increasing prominence of data collection through the Internet of Things start to pervade our everyday activities.

Cross-posted to Slaw

Invasion of Privacy tort continues to develop

In Ontario, conventional wisdom was that invasion of privacy was not something you could sue for.  But that is changing, as evidenced by a just released decision of the Ontario Superior Court of Justice called Jane Doe 464533. That decision awarded damages and costs totaling $141,000, plus an order for the defendant to destroy any video or images he may still have, never to share any intimate images of the plaintiff, and to not communicate with the plaintiff or her family. A pdf version of the decision is here: Doe – redacted

Until this decision, the first case of a successful tort action for invasion of privacy was Jones and Tsige.  The tort in that case was called intrusion upon seclusion, and basically applies only to nosy neighbour cases.  In other words, where an individual accesses personal information on someone for nothing more than curiosity.  The damages for that are capped to such an extent that in practice it probably isn’t worth taking it to court.

Some privacy class actions have been started since then, which would require an expansion of current law to succeed, but none have reached trial.

In the Jane Doe case the defendant was a former boyfriend of the plaintiff who convinced her to take an intimate video of herself, promising that he would not show it to anyone. But of course he posted it online. That led to severe emotional distress for the plaintiff.

While the decision is groundbreaking, there is a caveat to it.  The defendant did not file a statement of defence, and this decision was based on a motion for default judgment.  So while the decision is well reasoned, there was no contrary position presented. This issue will eventually make it to an appeal court in another case to settle the law.

This decision will no doubt be analysed and cited by anyone attempting to sue for a privacy breach, or seeking a remedy for cyberbullying or revenge porn.

Cross-posted to Slaw

11 things you should know about privacy

Privacy laws apply to every business that knows any information about individuals.

Here are 11 things you should know about privacy.

  1. There are many privacy statutes that may apply depending on the nature of the information, the nature of your business, and what province your customers are in. Health information, for example, is usually subject to different statutes than other personal information.
  2. In general, if you want to use someone’s personal information for something they would not think is necessary to provide your services, you need their permission.
  3. Mandatory breach notification is becoming more common. Some provincial statutes require it, and PIPEDA now includes breach notification provisions that are coming into effect soon.  The notice requirements include some rather subjective tests, and must be reviewed carefully if you have a privacy breach.
  4. The definition of personal information is fairly broad. It includes things like an IP address, and depending on the jurisdiction, may include car license plates.
  5. You need to have a privacy policy that clearly describes what you collect and what you do with personal information. The nature and complexity of that policy will vary depending on the nature of your business, the nature of the information, and what you want to do with the personal information.
  6. You must have a privacy officer who is accountable and available to your customers.
  7. A privacy policy should cover your organization as a whole, not just your web site or one product.
  8. A privacy audit may be in order. Make sure you understand what information you actually do collect, use and disclose.  A disconnect between reality and what your policy says is a recipe for disaster.
  9. Privacy, anti-spam legislation (CASL), and Do Not Call legislation complement each other, work together, and shouldn’t be viewed in isolation.
  10. Some privacy laws (in particular some provincial laws dealing with public sector or health information) say that data can’t reside outside of Canada.
  11. Having processes and protections in place to keep personal information out of the wrong hands is crucial. It is equally crucial to deal with a privacy breach appropriately to reduce legal, customer, and headline risk.

Digital Privacy Act amends PIPEDA

Several amendments were made last week to PIPEDA, the federal private sector privacy legislation.   This has been sitting around in draft for a long time.  Except for sections creating a new mandatory breach notification scheme, the amendments are now in force.  The breach notification scheme requires some regulations before it comes into effect.  More on that at the end of this post.

Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.

Here are some of the highlights that are in force now:

  • The business contact exception from the definition of personal information has been broadened.
  • Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors/purchasers, and their counsel should make sure they comply with the exact requirements.
  • A new section says consent is only valid if the individual would understand what they are consenting to.  This speaks to the clarity of the explanation, and is particularly important when dealing with children.
  • Several new exceptions to the collection, use and disclosure of personal information without consent have been added, such as witness statements, communication to next of kin of ill or deceased persons, and fraud prevention.
  • The Commissioner now has a compliance agreement remedy.

The breach notification sections that come into effect at a later date include:

  • Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”  That test is somewhat subjective, and will no doubt cause some consternation in practice.  Guidance is included on relevant factors to consider and what constitutes “significant harm”.
  • The report must contain certain information and be on a form that will be in the regulations yet to be released.
  • Affected individuals must be similarly notified.
  • Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold.  This could pose a challenging compliance issue for large organizations.
  • The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
  • The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements.  That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.

Cross-posted to Slaw

Bill C-51 (Anti-Terrorist Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-Terrorist Act, 2015) has been passed by the Senate despite massive opposition against its privacy-unfriendly invasive powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right”, and this post on Openmedia.ca.

Yet in the United States, the USA Freedom Act was just passed that pulled back a bit on the ability of the NSA to collect domestic data.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous – both in terms of the direct cost of collecting, storing and analyzing it – and the costs to the economy.  A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.

Cross-posted to Slaw

Happy Data Privacy Day

From the Privacy Commissioner of Canada: “On January 28, Canada, along with many countries around the world, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.”

Privacy becomes increasingly challenging with new tech such as big data, the internet of things, wearable computers, drones, and government agencies recording massive amounts of data in the name of security.  Sober thought needs to go into balancing the advantages of such things with privacy rights, creating them in a privacy sensitive way, and giving people informed choices.

Cross-posted to Slaw 



Here’s how changes to PIPEDA would work

For the London Free Press – July 8, 2013 – Read this at lfpress.com

The Privacy Commissioner of Canada (OPC) recently released a report recommending reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the privacy legislation that governs private-sector privacy generally in Ontario and many other provinces.

The report noted that, “Ninety per cent of the data that exists in the world today has been created in the last two years,” and PIPEDA needs to evolve.

The report highlighted four recommendations.

1: Strengthen enforcement and encourage greater compliance

Statutory damages (meaning set damages without any requirement of proof) for certain contraventions of PIPEDA. The report cites the Copyright Act as a successful example of a statutory-damages regime.

Order-making powers to give the Commissioner the ability to issue a binding order to either enforce an action or prevent one from being committed. At present, the Commissioner can only recommend this type of action.

Administrative monetary penalties (AMPs) are suggested as a means of bringing organizations into compliance with PIPEDA. AMPs are similar to fines, but would be assessed directly by the Commissioner.

Why the OPC wants this: “It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.”

2: Shine a light on privacy breaches

Require organizations to report breaches of personal information to the Commissioner and to affected individuals.

Why the OPC wants this: Some organizations voluntarily report and inform individuals of privacy breaches. Some organizations do not. Those that do voluntarily report may face negative financial and reputational consequences while those that do not report may escape any form of recourse. This “creates an uneven playing field for organizations.”

3: Lift the veil on authorized disclosures

PIPEDA allows disclosure of personal information to a government institution without the knowledge or consent of the affected individual, upon request. Organizations may, but don’t always, challenge or refuse these requests. The OPC would require organizations to maintain a record of disclosures to government and make it publicly available.

Why the OPC wants this: Canadians seeking access to their personal information would be able to find out if their information had been disclosed. There is no transparency or clear rules about what information can and should be provided to government institutions without a court order.

4: Walk the talk

Enforceable agreements would force an organization, at the end of a privacy investigation, to agree with the Commissioner’s recommendations and to comply within a set time period.

Make accountability provisions subject to review by the Federal Court.

Why the OPC wants this: Monitoring and analyzing a company’s actions are just as time-consuming as the Commissioner’s investigations.


Holistic strategy is better for privacy laws

For the London Free Press – May 6, 2013 – Read this at lfpress.com

There has been controversy in the United States in the last few weeks about their patchwork of privacy laws in contrast to the holistic approach favoured by Canada and the European Union. This matters as commerce and cloud services become more borderless.

The U.S. approach to privacy has been to enact laws that apply to narrow areas as problems are perceived, rather than to look at privacy as a broader subject to regulate.

For example, in 1988 the United States Congress passed the Video Privacy and Protection Act to prevent wrongful disclosure of videotape rental or sale records. Though such laws may be effective in the short term, they have a narrow focus, fail to address future technology and leave gaps. And the process to change existing laws is typically glacier slow.

Some privacy regulation in the U.S. isn’t based on privacy laws at all, but on regulatory action and class-action lawsuits based on notions such as the breach of a company’s privacy policy. In other words, the wrong was a breach of a privacy promise, not a breach of a legal privacy requirement.

In contrast, the Canadian and European model deals with privacy on a holistic basis. The holistic approach allows for existing privacy laws to adapt to new technologies rather than having to create new privacy laws in response to new technologies.

In any given Canadian province there are likely no more than two privacy statutes that apply to the private sector.

One applies to personal information generally, and there’s often a separate one that applies to medical records. This is a far more stable, all-encompassing and technology-neutral approach to privacy issues than the U.S. model.

Peter Fleischer, global privacy counsel at Google, recently commented on this issue and his desire to see the United States enact better privacy laws. He notes not a single country has followed the U.S. model.

Fleischer praises European privacy laws for their simplicity and warns if changes aren’t made to the U.S. approach “privacy will prove a serious roadblock to any such future trade back (with the European Union), as long as some people in Europe can argue that the U.S. has not-effective privacy laws.”

Fleischer provides the example of Uruguay, which has looked to Spain, as opposed to the U.S., when drafting its recent privacy laws.

In the long run, the holistic approach is a far better and more effective model to protect privacy interests. The holistic approach makes it easier for businesses to understand their obligations and comply, easier for individuals to know where they stand, has less risk of leaving privacy gaps, and makes it easier to deal internationally when other countries require privacy protection as a condition of personal information crossing borders.

As the world continues to emerge from the global economic crisis and the trend toward global integration continues, Canada’s holistic privacy framework will help us take advantage of global opportunities while a less-effective framework could damage U.S. efforts.


Perspective is an important element of Privacy

Today’s Slaw post:

One thing I find consistent about privacy issues is an inconsistency in approach and viewpoint.  What is and is not deemed acceptable seems to change dramatically based on several factors, including geographic location (which I suppose is really more of a cultural issue than a geographic one), whether it is about one’s own information or you are doing something with someone else’s information, and whether the party with the information is government or business.

Many times it comes down to issues of trust, understanding, surprise, and how public one wants their life to be.

An example is in this article entitled Eric Schmidt is using the same argument against drones that others use against Google Glass.

One of the most common concerns raised about Google Glass (other than looking like a nerd) is the potential for privacy invasion.  The more of these there are around, the more likely each one of us is going to be captured on the video they can take whether we like it or not. And where is all this video going to end up?  That issue has also been raised about drones.  Google’s Eric Schmidt has apparently stated that drones should be strictly regulated for privacy reasons, which seems inconsistent with their approach to Google Glass.

Perhaps one explanation for this could be that privacy in the United States is viewed differently than in Canada and other parts of the world.  In the US, privacy is not approached as a holistic discrete topic to be regulated by general principles.  Instead, it is regulated on a piecemeal basis, such as a privacy law that applies only to movie rentals.


Privacy Abuses and Leaks

Today’s Slaw post

Two current privacy stories are worth mentioning. First, see this CBC news article entitled Political parties operate outside Canada’s privacy laws. The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.

Also see this article entitled Websites leaking customers’ personal info, says privacy watchdog and the Privacy Commissioner’s news release. The issue here is the revelation by the Canadian Privacy Commissioner, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third party advertising and marketing firms without user consent.

Here is an infographic on web leakage provided by the Commissioner.

While on the surface, privacy issues can appear to be simple, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face that they may not be able to use personal information to their advantage without permission.

UPDATE: Sept 27 And see this article about an MP’s email exposing 1500 addresses.