Facebook: We’re updating our terms …

Most of us have received a number of emails pointing us to revised terms of use and privacy/data policies, or asking us to consent. These have been driven by the GDPR, the new privacy regime in the EU.

Facebook’s starts with:

Hi David,

We’re updating our Terms, Data Policy, and Cookies Policy to make sure you know how your data is used so you can make the choices that are right for you.

(You have all taken the time to read, understand and make informed choices under these, right?)

Facebook has been under increasing scrutiny over what it does with our information. Frankly, the notion of privacy is somewhat inconsistent with Facebook’s fundamental mission to share information. But at least Facebook is now complying with the tougher consent rules of the GDPR, and giving us the choices we deserve. Or are they?

At least one privacy advocate doesn’t think so. On the same day the GDPR took effect, Austrian lawyer Max Schrems launched complaints against Facebook through a crowdfunded group called None Of Your Business. The gist of the complaints is that Facebook’s consents are not compliant with the GDPR.

Even Apple has joined the anti-Facebook, anti-tracking movement. At its WWDC developer conference this week it announced new features in its Safari browser to stop Facebook and others from collecting so much information.

Cross-posted to Slaw

Are you ready for PIPEDA’s privacy breach recording obligation?

In a recent blog post I talked about the new privacy breach notification requirements coming under PIPEDA this November 1. I said that perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.”

Why is that so challenging?

Many large companies already have this kind of procedure in place. But most businesses do not. Maintaining a record sounds easy. But this is not so simple when you think it through. First, the business must create a procedure and educate its staff to recognize breaches and report them to its privacy officer, even if they are not significant. No longer can the business rely on staff recognizing a breach because it is serious and obvious, or someone complains.

Then for each one the privacy officer must go through the analysis required under PIPEDA to determine if there is a “real risk of significant harm” that triggers a reporting requirement. The rationale for that decision must be recorded.

Why does it matter?

The Privacy Commissioner has the right to inspect any business’s breach record at any time. If a business does not report a breach when it is supposed to, or if they don’t keep a breach record, they can be subject to a fine of up to $100,000.

What you need to do about it.

Before November 1, every business subject to PIPEDA should put a breach recording procedure in place, and educate their staff on what a breach is and how to report it to the privacy officer.

Cross-posted to Slaw

PIPEDA privacy breach notification coming Nov 1

Effective Nov 1, 2018, businesses that have a privacy breach must give notice of the breach under PIPEDA – the privacy legislation affecting the private sector in most Canadian provinces. The final regulations containing the details are about to be published.

Here are the highlights.

When do I have to report?

If there is a privacy breach that “creates a real risk of significant harm to an individual”. That includes bodily harm, humiliation, damage to reputation, financial loss, identity theft. Risk factors to decide the reporting threshold are provided.  The report must be made “as soon as feasible after the organization determines that the breach has occurred.”

What do I have to report?

Circumstances of the breach, when it happened, what information was breached, steps taken to reduce the risk of harm, steps individuals can take to reduce risk, contact information.

Who do I have to report to?

The Privacy Commissioner, the individuals, and third parties that “may be able to reduce the risk of harm.” That third party requirement will require some pondering.

But wait, there’s more

Perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.” That must be shown to the Privacy Commissioner on request. The challenge is that there is no threshold, and every breach, even trivial ones, must be recorded.

What are the penalties?

Failure to report when required, and failure to keep the breach records can result in a penalty of up to $100,000.

What do I need to do now?

Businesses should review their privacy policies and processes and amend as needed. Record keeping systems must be put in place for recording all breaches. A breach reporting and incident response process should be put in place.

Cross-posted to Slaw

Data Privacy Day

January 28 is Data Privacy Day.

Privacy is becoming more challenging with new tech such as artificial intelligence, quantum computing, blockchain, autonomous cars, the internet of things, drones, and government agencies recording massive amounts of data in the name of security.  Basic privacy concepts such as consent as we now know it may no longer be adequate to deal with some of these challenges.  And the sheer number of ways our information gets used makes it almost impossible to truly understand, let alone trust, what others are doing with our information.

The IAPP is hosting Privacy After Hours events in a number of cities around the world on Thursday Jan 25 to recognize Data Privacy Day.

Cross-posted to Slaw

Privacy event in London

The IAPP (International Association of Privacy Professionals) is providing “Privacy After Hours” events on Thursday January 25th in recognition of Data Privacy Day.

Privacy professionals in London Ontario are welcome to attend the event being held at McGinnis Landing restaurant.  Harrison Pensa is pleased to provide the appetizers for the event.

You can sign up for the event on the IAPP website.

Cars and the data they share

Anyone interested in cars and the data they will increasingly collect should read the article in the November Automobile magazine titled The Big Data Boom – How the race to monetize the connected car will drive change in the auto industry.

It talks about how much data might be generated (4,000 GB per day), how that sheer volume will be handled, and how it might be monetized. And the challenges of cybersecurity and privacy.

Auto makers are well aware of the privacy issues.  Challenges will include how to deal with privacy laws that vary dramatically around the world.  Will they default to the highest standard? Or will the data be valuable enough to make it worth their while to deal with information differently in different countries?

How will auto makers give drivers comfort that their information will be secure and won’t be misused?  How will they explain what info will be anonymized, and what will remain identified with the driver?

How many drivers will not be eager to share driving info with insurers and others either for privacy reasons or skepticism about what arbitrary decisions about them will be made based on that info?

For more about this topic, see this post I wrote a few months ago.  It is also on the agenda for the upcoming Canadian IT Law Association conference.

Cross-posted to Slaw

PIPEDA privacy breach notification regulations published for comment

The draft privacy breach regulations under PIPEDA have just been published.  They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach.   PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”.  Those provisions will come into force after the regulations are passed.

The draft regulations are about what was expected.  They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a) that says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner” is uncalled for.  A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach.  These notifications are for the benefit of the individual, so why make it harder for organizations to send it?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests.  In other words, organizations must be able to prove that any decision not to notify was justified.

Cross-posted to Slaw

I’ve got nothing to hide…

“I’ve got nothing to hide” is a common retort from people who are blasé about privacy.  Their point is that they have done nothing wrong, so they don’t care how much of their information and habits are public.

The flaw in that retort is that information about us can be used in many ways and for many things that we might not expect.  And things that we may think are normal and innocuous may be offensive to others who can make life difficult because of it.  For example, the US Justice department is trying to get the names of over a million people who visited an anti-Trump website from Dreamhost.  Using a VPN gets more attractive every day.

For more on this, I’ve written about it here and here.  For a deeper dive see this academic paper.

Cross-posted to Slaw

Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offend local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw

Self driving cars – privacy points to ponder

Cars collect a significant amount of information about our driving. That data will increase dramatically as we move to autonomous vehicles – and with more data comes more ways to use it.

This information can be used now to find fault in an accident or convict us of driving offences. Some insurance companies offer discounts if we share that data with them and they decide we are a safe driver.

Cars increasingly rely on electronic systems for safety features, and self driving cars are coming. They will increasingly collect and store data about not just the car itself but also its surroundings, and will share that with other cars around it.

What might our morning commute look like in a few years?

A driverless car pulls up to your door. You are ready to go because the car sent you a text when it was 2 minutes away. When you get in, the car greets you by name, and tells you traffic is light today. As it pulls out, it asks if you would like to try a new coffee on promo at Starbucks instead of your usual Tim’s stop. You say yes, and it takes you through the Starbucks drive through. Your coffee is ready because the car has already ordered it and told Starbucks when you will arrive. And the car paid for it.

The car tells you your Amazon package should arrive at the pickup point today, and asks if you want to stop there on the way home.

You pass near a restaurant you have gone to before, and the car tells you about an upcoming special. The car makes a reservation for Friday at your request. As you near your office it shows you your schedule for today, and asks if you want to be picked up a few minutes later because of a late meeting.

So what’s going on here?

You may have programmed in things like stopping at Tim’s on the way to work. Or it may have learned your habit after a couple of commutes. Starbucks may have paid for the special to be mentioned. It may have learned about the restaurant and your Amazon order by reading your emails and schedule.

That all sounds very convenient, but the price of convenience is surveillance. And with surveillance comes the ability for others to use that information for good and for evil.

It has been estimated that a self driving car might generate a gigabyte of data per second. It will be tempting to use that data for all sorts of things.

One vehicle data startup CEO says that by 2020, automakers will be able to make more money selling vehicle data than the cars themselves.

It is not far-fetched to imagine a scenario where a self-driving taxi ride could be immensely cheap or even free, because the revenue from advertising and data generated from the ride might be more valuable than the taxi fare.

For example, car cameras and sensors could spot available parking spaces, know how much traffic there is, how many pedestrians are on a block, and how many cars are in line at a drive through.

Who owns this information? Who has the right to use it? Car manufacturers will no doubt claim they do. Keep in mind that in the US secondary use of personal information is more acceptable than it is in Canada or Europe.

The privacy implications are enormous. It’s one thing to know that there are two empty parking spaces on a block. It’s totally another to know that my car is parked there, or what stops I make on my commute.

Current privacy laws may not be adequate to deal with these issues. And it challenges the notion of meaningful consent.

As interesting as the idea of self driving cars is, we need to be sure that the price is not too high in terms of privacy and surveillance.

Anyone interested in a deeper dive (drive?) on this subject should look at the BC Freedom of Information and Privacy Association study titled The Connected Car: Who is in the Driver’s Seat?

Cross-posted to Slaw