Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offends local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw

Self driving cars – privacy points to ponder

Cars collect a significant amount of information about our driving. That data will increase dramatically as we move to autonomous vehicles – and with more data comes more ways to use it.

This information can be used now to find fault in an accident or convict us of driving offences. Some insurance companies offer discounts if we share that data with them and they decide we are a safe driver.

Cars increasingly rely on electronic systems for safety features, and self driving cars are coming. They will increasingly collect and store data about not just the car itself but also its surroundings, and will share that with other cars around it.

What might our morning commute look like in a few years?

A driverless car pulls up to your door. You are ready to go because the car sent you a text when it was 2 minutes away. When you get in the car greets you by name, and tells you traffic is light today. As it pulls out it, it asks if you would like to try a new coffee on promo at Starbucks instead of your usual Tim’s stop. You say yes, and it takes you through the Starbucks drive through. Your coffee is ready because the car has already ordered it and told Starbucks when you will arrive. And the car paid for it.

The car tells you your Amazon package should arrive at the pickup point today, and asks if you want to stop there on the way home.

You pass near a restaurant you have gone to before, and the car tells you about an upcoming special. The car makes a reservation for Friday at your request. As you near your office it shows you your schedule for today, and asks if you want to be picked up a few minutes later because of a late meeting.

So what’s going on here?

You may have programed in things like stopping at Tims on the way to work. Or it may have learned your habit after a couple of commutes. Starbucks may have paid for the special to be mentioned. It may have learned about the restaurant and your Amazon order by reading your emails and schedule.

That all sounds very convenient, but the price of convenience is surveillance. And with surveillance comes the ability for others to use that information for good and for evil.

It has been estimated that a self driving car might generate a gigabyte of data per second. It will be tempting to use that data for all sorts of things.

One vehicle data startup CEO says that by 2020, automakers will be able to make more money selling vehicle data than the cars themselves.

It is not far-fetched to imagine a scenario where a self-driving taxi ride could be immensely cheap or even free, because the revenue from advertising and data generated from the ride might be more valuable than the taxi fare.

For example, car cameras and sensors could spot available parking spaces, know how much traffic there is, how many pedestrians are on a block, and how many cars are in line at a drivethrough.

Who owns this information? Who has the right to use it? Car manufacturers will no doubt claim they do. Keep in mind that in the US secondary use of personal information is more acceptable than it is in Canada or Europe.

The privacy implications are enormous. It’s one thing to know that there are two empty parking spaces on a block. Its totally another to know that my car is parked there, or what stops I make on my commute.

Current privacy laws may not be adequate to deal with these issues. And it challenges the notion of meaningful consent.

As interesting as the idea of self driving cars is, we need to be sure that the price is not too high in terms of privacy and surveillance.

Anyone interested in a deeper dive (drive?) on this subject should look at the BC Freedom of Information and Privacy Association study titled The Connected Car: Who is in the Driver’s Seat?

Cross-posted to Slaw

Privacy Commissioner posts new case summaries

Privacy breaches and complaints can often be resolved cooperatively.  We usually hear about the large, dramatic, far reaching breaches more so than the smaller ones that get resolved.

The privacy commissioner just released some examples.

In one example, a malfeasant social engineered some information from customer service representatives that enabled the malfeasant to contact customers and try to obtain more information that could be used for fraud.  The business investigated, contacted the individuals who may have been compromised, and took steps to reduce the chances of it happening again.

In another situation, a rogue employee took customer information which was used to impersonate the company to collect money from a customer.  The business was not very responsive to the customer complaint until the privacy commissioner got involved.   In the end the employee was dismised, the customer made whole, and steps were taken to reduce the chances of it happening again.

From a business perspective, it shows the need to take privacy complaints seriously, and deal with them quickly and effectively.

From a consumer perspective, it shows the need to be cautious when you are asked for your information – especially when someone contacts you.  And be patient when your service providers take steps to make sure you are who you say you are.

Cross-posted to Slaw.

Trump’s executive order on foreigners strips privacy protection for Canadians

Included in Trump’s reprehensible executive order “Enhancing Public Safety in the Interior of the United States” was this:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The Privacy Act covers personal information held by US Federal agencies.  This would apply, for example, to information collected about Canadians entering the United States.

This should be attracting the wrath of the Canadian privacy commissioner and the Canadian government.

More detail is in this post by Michael Geist and this post on Open Media.

Given this attitude, we should be redoubling efforts to make sure our communications are encrypted.

Conventional wisdom has been that our data is just as safe in the US as Canada given that both countries have limits on privacy when it comes to law enforcement and government ability to dip into our information.  But this cavalier attitude puts that into question, and it may be prudent for Canadian entities to keep their data in Canada to the extent possible.  Where that isn’t practical, attempts should be taken (and assurances obtained from vendors) to encrypt that the data in a way that the provider doesn’t have access to it.

Cross posted to Slaw

Data Privacy Day event in London

January 28 is Data Privacy Day – “an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information. ”

The IAPP (International Association of Privacy Professionals) is honouring the day with local “Privacy After Hours” events on Thursday January 26th.

Privacy professionals in London are welcome to attend the event being held at McGinnis Landing restaurant.  Harrison Pensa is pleased to provide the appetizers for the event.

You can sign up for the event on the IAPP website.  You have to create an IAPP logon ID to register – which is quick and painless to do.

SCC renders practical privacy decision on mortgage information

The Supreme Court of Canada, in Royal Bank v Trang, made a privacy decision that will bring a sigh of relief to lenders and creditors.

A judgment creditor asked the sheriff to seize and sell a house to satisfy the judgment.  To do that, the sheriff needed to know how much was owed on the mortgage on the house.  The mortgage lender didn’t have express consent to provide the information, and said PIPEDA prevented it from giving it.  Lower courts agreed.

But the SCC took a more practical approach.  The issue was whether there was implied consent to release that personal information.  The SCC said there was.

They interpreted implied consent in a broader perspective, looking at the entire situation, including the legitimate business interests of other creditors.  Financial information is considered to be sensitive personal information, and thus in general faces a higher threshold for implied consent.  But in this context, they held that it is a reasonable expectation of a debtor for a mortgage lender to provide a discharge statement to another creditor wanting to enforce its rights against that property.

Cross-posted to Slaw

Big data privacy challenges

Big data and privacy was one of the topics discussed at the Canadian IT Law Association conference this week.  Some of the issues worth pondering include:

  • Privacy principles say one should collect only what you need, and keep only as long as needed.  Big data says collect and retain as much as possible in case it is useful.
  • Accuracy is a basic privacy principle – but with big data accuracy is being replaced by probability.
  • A fundamental privacy notion is informed consent for the use of one’s personal information.  How do you have informed consent and control for big data uses when you don’t know what it might be used for or combined with?
  • Probability means that the inferences drawn may not always be accurate.  How do we deal with that if we as individuals are faced with erroneous inferences about us?
  • If based on information that may itself be questionable, the results may be questionable.  (The old garbage in, garbage out concept.)  It has been proposed that for big data and AI, we might want to add to Asimov’s 3 laws of robotics that it won’t discriminate, and that it will disclose its algorithm.
  • If AI reaches conclusions that lead to discriminatory results, is that going to be dealt with by privacy regulators, or human rights regulators, or some combination?
  • Should some of this be dealt with by ethical layers on top of privacy principles? Perhaps no go zones for things felt to be improper, such as capturing audio and video without notice, charging to remove or amend information, or re-identifying anonymized information.

Cross-posted to Slaw

Cloud computing: It’s all Good – or Mostly Good

A ZDNet article entitled Cloud computing: Four reasons why companies are choosing public over private or hybrid clouds makes a case for the value of the public cloud.

The reasons:

  • Innovation comes as standard with the public cloud
  • Flexibility provides a business advantage
  • External providers are the experts in secure provision
  • CIOs can direct more attention to business change

This is all good – or mostly good.

The caveat is that the use of the cloud can fail if a business adopts the cloud without thinking it through from the perspectives of mission criticality, security, privacy, and continuity.  If a business runs mission critical systems in the cloud, and that system fails, the business could be out of business.

The IT Manager no longer has to consider day to day issues around keeping software and security up to date.  But they still have to consider higher level issues.

It is important to understand what the needs are for the situation at hand.  A system that is not mission critical, or does not contain sensitive information, for example, would not require as much scrutiny as a system that runs an e-commerce site.

Issues to consider include:

  • how mission critical the system is
  • what the consequences are of a short term and long term outage
  • how confidential or personal the information is in the system
  • can the information be encrypted in transit and at rest
  • how robust the vendor’s continuity plan is
  • the need for the business to have its own continuity plan – such as a local copy of the data
  • how robust the vendor’s security is
  • does the vendor have third party security validation to accepted standards
  • does the vendor’s agreement have provisions that back these issues up with contractual terms and service levels with meaningful remedies

Cross-posted to Slaw

Privacy by Design is Crucial to avoid IoT Disasters

network-782707_1280

If anyone doubts that Privacy by Design is not a fundamentally important principle, consider these two recent articles.

This Wired article describes a hack being detailed at the upcoming Defcon conference that can easily read and type keystrokes from wireless keyboards that are not Bluetooth.  So you might want to consider replacing any non-Bluetooth wireless keyboards you have.

Security expert Bruce Schneier wrote this article entitled The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters that explains the IoT risks. The fundamental problem is that not enough attention is being paid to security for IoT devices.  This leaves a door open to situations where a hacker can, for example, easily get in to your thermostat and then use that as a connection point to your network.  Cory Doctorow of Boing Boing refers to this as a coming IoT security dumpster-fire.

Bruce describes it this way:

The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the internet. That number is about to explode.

 

Cross-posted to Slaw