Cars and the data they share

Anyone interested in cars and the data they will increasingly collect should read the article in the November Automobile magazine titled The Big Data Boom – How the race to monetize the connected car will drive change in the auto industry.

It talks about how much data might be generated (4,000 GB per day), how that sheer volume will be handled, and how it might be monetized. And the challenges of cybersecurity and privacy.

Auto makers are well aware of the privacy issues.  Challenges will include how to deal with privacy laws that vary dramatically around the world.  Will they default to the highest standard? Or will the data be valuable enough to make it worth their while to deal with information differently in different countries?

How will auto makers give drivers comfort that their information will be secure and won’t be misused?  How will they explain what info will be anonymized, and what will remain identified with the driver?

How many drivers will not be eager to share driving info with insurers and others either for privacy reasons or skepticism about what arbitrary decisions about them will be made based on that info?

For more about this topic, see this post I wrote a few months ago.  It is also on the agenda for the upcoming Canadian IT Law Association conference.

Cross-posted to Slaw

PIPEDA privacy breach notification regulations published for comment

The draft privacy breach regulations under PIPEDA have just been published.  They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach.   PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”.  Those provisions will come into force after the regulations are passed.

The draft regulations are about what were expected.  They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a) that says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner” is uncalled for.  A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach.  These notifications are for the benefit of the individual, so why make it harder for organizations to send it?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests.  In other words, organizations must be able to prove that any decision not to notify was justified.

Cross-posted to Slaw

I’ve got nothing to hide…

“I’ve got nothing to hide” is a common retort from people who are blasé about privacy.  Their point is that they have done nothing wrong, so they don’t care how much of their information and habits are public.

The flaw in that retort is that information about us can be used in many ways and for many things that we might not expect.  And things that we may think are normal and innocuous may be offensive to others who can make life difficult because of it.  For example, the US Justice department is trying to get the names of over a million people who visited an anti-Trump website from Dreamhost.  Using a VPN gets more attractive every day.

For more on this, I’ve written about it here and here.  For a deeper dive see this academic paper.

Cross-posted to Slaw

Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offends local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw

Self driving cars – privacy points to ponder

Cars collect a significant amount of information about our driving. That data will increase dramatically as we move to autonomous vehicles – and with more data comes more ways to use it.

This information can be used now to find fault in an accident or convict us of driving offences. Some insurance companies offer discounts if we share that data with them and they decide we are a safe driver.

Cars increasingly rely on electronic systems for safety features, and self driving cars are coming. They will increasingly collect and store data about not just the car itself but also its surroundings, and will share that with other cars around it.

What might our morning commute look like in a few years?

A driverless car pulls up to your door. You are ready to go because the car sent you a text when it was 2 minutes away. When you get in the car greets you by name, and tells you traffic is light today. As it pulls out it, it asks if you would like to try a new coffee on promo at Starbucks instead of your usual Tim’s stop. You say yes, and it takes you through the Starbucks drive through. Your coffee is ready because the car has already ordered it and told Starbucks when you will arrive. And the car paid for it.

The car tells you your Amazon package should arrive at the pickup point today, and asks if you want to stop there on the way home.

You pass near a restaurant you have gone to before, and the car tells you about an upcoming special. The car makes a reservation for Friday at your request. As you near your office it shows you your schedule for today, and asks if you want to be picked up a few minutes later because of a late meeting.

So what’s going on here?

You may have programed in things like stopping at Tims on the way to work. Or it may have learned your habit after a couple of commutes. Starbucks may have paid for the special to be mentioned. It may have learned about the restaurant and your Amazon order by reading your emails and schedule.

That all sounds very convenient, but the price of convenience is surveillance. And with surveillance comes the ability for others to use that information for good and for evil.

It has been estimated that a self driving car might generate a gigabyte of data per second. It will be tempting to use that data for all sorts of things.

One vehicle data startup CEO says that by 2020, automakers will be able to make more money selling vehicle data than the cars themselves.

It is not far-fetched to imagine a scenario where a self-driving taxi ride could be immensely cheap or even free, because the revenue from advertising and data generated from the ride might be more valuable than the taxi fare.

For example, car cameras and sensors could spot available parking spaces, know how much traffic there is, how many pedestrians are on a block, and how many cars are in line at a drivethrough.

Who owns this information? Who has the right to use it? Car manufacturers will no doubt claim they do. Keep in mind that in the US secondary use of personal information is more acceptable than it is in Canada or Europe.

The privacy implications are enormous. It’s one thing to know that there are two empty parking spaces on a block. Its totally another to know that my car is parked there, or what stops I make on my commute.

Current privacy laws may not be adequate to deal with these issues. And it challenges the notion of meaningful consent.

As interesting as the idea of self driving cars is, we need to be sure that the price is not too high in terms of privacy and surveillance.

Anyone interested in a deeper dive (drive?) on this subject should look at the BC Freedom of Information and Privacy Association study titled The Connected Car: Who is in the Driver’s Seat?

Cross-posted to Slaw

Privacy Commissioner posts new case summaries

Privacy breaches and complaints can often be resolved cooperatively.  We usually hear about the large, dramatic, far reaching breaches more so than the smaller ones that get resolved.

The privacy commissioner just released some examples.

In one example, a malfeasant social engineered some information from customer service representatives that enabled the malfeasant to contact customers and try to obtain more information that could be used for fraud.  The business investigated, contacted the individuals who may have been compromised, and took steps to reduce the chances of it happening again.

In another situation, a rogue employee took customer information which was used to impersonate the company to collect money from a customer.  The business was not very responsive to the customer complaint until the privacy commissioner got involved.   In the end the employee was dismised, the customer made whole, and steps were taken to reduce the chances of it happening again.

From a business perspective, it shows the need to take privacy complaints seriously, and deal with them quickly and effectively.

From a consumer perspective, it shows the need to be cautious when you are asked for your information – especially when someone contacts you.  And be patient when your service providers take steps to make sure you are who you say you are.

Cross-posted to Slaw.

Trump’s executive order on foreigners strips privacy protection for Canadians

Included in Trump’s reprehensible executive order “Enhancing Public Safety in the Interior of the United States” was this:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The Privacy Act covers personal information held by US Federal agencies.  This would apply, for example, to information collected about Canadians entering the United States.

This should be attracting the wrath of the Canadian privacy commissioner and the Canadian government.

More detail is in this post by Michael Geist and this post on Open Media.

Given this attitude, we should be redoubling efforts to make sure our communications are encrypted.

Conventional wisdom has been that our data is just as safe in the US as Canada given that both countries have limits on privacy when it comes to law enforcement and government ability to dip into our information.  But this cavalier attitude puts that into question, and it may be prudent for Canadian entities to keep their data in Canada to the extent possible.  Where that isn’t practical, attempts should be taken (and assurances obtained from vendors) to encrypt that the data in a way that the provider doesn’t have access to it.

Cross posted to Slaw

Data Privacy Day event in London

January 28 is Data Privacy Day – “an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information. ”

The IAPP (International Association of Privacy Professionals) is honouring the day with local “Privacy After Hours” events on Thursday January 26th.

Privacy professionals in London are welcome to attend the event being held at McGinnis Landing restaurant.  Harrison Pensa is pleased to provide the appetizers for the event.

You can sign up for the event on the IAPP website.  You have to create an IAPP logon ID to register – which is quick and painless to do.

SCC renders practical privacy decision on mortgage information

The Supreme Court of Canada, in Royal Bank v Trang, made a privacy decision that will bring a sigh of relief to lenders and creditors.

A judgment creditor asked the sheriff to seize and sell a house to satisfy the judgment.  To do that, the sheriff needed to know how much was owed on the mortgage on the house.  The mortgage lender didn’t have express consent to provide the information, and said PIPEDA prevented it from giving it.  Lower courts agreed.

But the SCC took a more practical approach.  The issue was whether there was implied consent to release that personal information.  The SCC said there was.

They interpreted implied consent in a broader perspective, looking at the entire situation, including the legitimate business interests of other creditors.  Financial information is considered to be sensitive personal information, and thus in general faces a higher threshold for implied consent.  But in this context, they held that it is a reasonable expectation of a debtor for a mortgage lender to provide a discharge statement to another creditor wanting to enforce its rights against that property.

Cross-posted to Slaw