PIPEDA breach notification & recording starts Nov 1 – are you ready?

Starting Nov 1, 2018, PIPEDA requires businesses to notify the Privacy Commissioner and affected individuals of any privacy breach that poses “a real risk of significant harm”.

It also requires businesses to keep a record of all breaches of security safeguards that involve personal information, even if there is no risk of harm. It must include details of why a breach does not pass the reporting threshold.

So simply dealing with a potentially harmful privacy breach when and if it happens is not sufficient compliance.

The Commissioner can ask to see that breach record at any time. Failure to comply with the recording and notification requirements can result in a penalty of up to $100,000.

From a practical perspective, it means that staff must be aware of what a breach of security safeguards is, and whom to tell about it. Detection can’t be based only on complaints.

The Privacy Commissioner has published guidance on this. I’ve written about it before.

This chart is an overview of the process. Be sure to follow the detailed definitions and requirements in PIPEDA.

Cross-posted to Slaw

Copyright Notice & Notice is Flawed

You may have read about the Supreme Court of Canada deciding Rogers can be paid its costs for telling a copyright owner the identity of movie downloading customers. What isn’t talked about is the notice and notice system that puts this in motion.

A summary of the Rogers v Voltage decision is here. Omar has written about this on Slaw as well.

This is a complex and controversial issue. The essence is that sections 41.25 and 41.26 of the Copyright Act allow the owner of a copyright (e.g. a movie studio) to create a notice to send to people who breached copyright by downloading the movie, or by allowing others to then upload the movie. At this point the copyright owner only knows the downloader’s IP address and their internet service provider (ISP) – not the person’s name or contact information. The ISP is obligated to forward that message on – hence the term notice and notice.

The concept of notice and notice sounds good on the surface. But whether you side with the copyright owner or the downloader, it doesn’t work in practice – and doesn’t help either side.

If a consumer saw a notice that simply said:

We own movie X, we know you downloaded it, and your sharing software is allowing others to download from you. Delete it, and we will leave you alone. If you don’t, we might sue you.

most consumers would comply.

But in what I’ve seen, the notice ends up being a long email with that message buried closer to the end than the beginning. So the consumer’s first inclination is to delete it, assuming it is just another unimportant message from their ISP that they can ignore along with other marketing, scam, and quasi-spam emails.

Like any email, if you don’t get the message across immediately and bluntly, it won’t be read.

The email tends to be long as the copyright owner must explain who it is, why they are emailing, and what they know about the consumer’s behaviour to convince the consumer it is legitimate, and that the consumer needs to stop. ISPs tend to add their own message on top of the copyright owner’s email. They want to clarify what is happening, who it is coming from, that they are obligated to send it on, and they won’t reveal the consumer’s identity unless ordered by a court. And both of those messages might be in both official languages.

That is understandable, but until those messages are structured to start off simple and blunt, and explain all that below it, they won’t be effective.

Cross-posted to Slaw

Facebook: We’re updating our terms …

Most of us have received a number of emails pointing us to revised terms of use and privacy/data policies, or asking us to consent. These have been driven by the GDPR, the new privacy regime in the EU.

Facebook’s starts with:

Hi David,

We’re updating our Terms, Data Policy, and Cookies Policy to make sure you know how your data is used so you can make the choices that are right for you.

(You have all taken the time to read, understand and make informed choices under these, right?)

Facebook has been under increasing scrutiny over what it does with our information. Frankly, the notion of privacy is somewhat inconsistent with Facebook’s fundamental mission to share information. But at least Facebook is now complying with the tougher consent rules of the GDPR, and giving us the choices we deserve. Or are they?

At least one privacy advocate doesn’t think so. On the same day the GDPR took effect, Austrian lawyer Max Schrems launched complaints against Facebook through a crowdfunded group called None Of Your Business. The gist of the complaints is that Facebook’s consents are not compliant with the GDPR.

Even Apple has joined the anti-Facebook, anti-tracking movement. At its WWDC developer conference this week it announced new features in its Safari browser to stop Facebook and others from collecting so much information.

Cross-posted to Slaw

Pizza delivery – in the not too distant future

In the not too distant future…

“Hey Google, order me a pizza – the usual, but a large this time, and have it delivered.”

Google Duplex calls pizza place. Pizza place AI bot answers the phone. The bots talk to each other.

Robots make the pizza.

Pizza is loaded into an autonomous vehicle containing a pizza oven that cooks it on the way to me.

Autonomous vehicle texts me when 2 minutes away.

I meet it at the curb. It authenticates me using voice or facial recognition and gives me the pizza.


Cross-posted to Slaw

Are you ready for PIPEDA’s privacy breach recording obligation?

In a recent blog post I talked about the new privacy breach notification requirements coming under PIPEDA this November 1. I said that perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.”

Why is that so challenging?

Many large companies already have this kind of procedure in place. But most businesses do not. Maintaining a record sounds easy, but it is not so simple when you think it through. First, the business must create a procedure and educate its staff to recognize breaches and report them to its privacy officer, even if they are not significant. No longer can the business rely on staff recognizing a breach only because it is serious and obvious, or because someone complains.

Then for each one the privacy officer must go through the analysis required under PIPEDA to determine if there is a “real risk of significant harm” that triggers a reporting requirement. The rationale for that decision must be recorded.

Why does it matter?

The Privacy Commissioner has the right to inspect any business’s breach record at any time. If a business does not report a breach when it is supposed to, or if it doesn’t keep a breach record, it can be subject to a fine of up to $100,000.

What you need to do about it.

Before November 1, every business subject to PIPEDA should put a breach recording procedure in place and educate its staff on what a breach is and how to report it to the privacy officer.

Cross-posted to Slaw

New Stuff & Old Laws

A common issue for new technology is the application of existing laws that were created before the new tech was contemplated. Examples include fintech (financial applications), fitness and health applications, and ridesharing services (such as Uber).

What is the issue?

Some activities and services are highly regulated. Financial services and the taxi industry are good examples. New entrants create innovative applications and services that compete with incumbents, but may or may not be regulated the same way.

In some areas the entity may be regulated rather than the activity (often the case in fintech).

Laws sometimes prescribe a specific solution, rather than a desired result. Regulations around car headlights, for example, tend to specify how they must be built rather than how they must perform.

New tech may start out unregulated, but as it develops it may creep into areas that are regulated. Fitness and health devices can easily become subject to medical device regulations (under the Food and Drugs Act) that impose certain requirements or licensing.

Why does it matter?

These issues for new tech have always been around – but the pace of change and innovation is getting much faster. Tech like cheap sensors, cheap connectivity, the increased power of smartphones, autonomous cars, blockchain, and artificial intelligence can be disruptive. Rapid, disruptive change makes it more difficult to get regulation right.

If you are the innovator, you may have legal issues to address that are not immediately apparent. The playing field may not be even, and can unfairly favour new players or incumbents. It can stifle or slow innovation – such as better headlight technology.

What to do about it?

Anyone developing new technology needs to think about where it fits within existing laws. Then either comply, make it different so it doesn’t need to comply, work with an incumbent, work with the regulators, or perhaps take some calculated risk.

Lawmakers face some tough issues. They should focus on evidence-based regulation rather than sticking with partisan or historical perspectives. Do existing regulations have the wrong focus and unintentionally distort the playing field? Does the new tech solve a problem in a different way than the regulations contemplate? Do existing regulations make sense in the modern context? Do they properly address a real issue? Do existing or proposed regulations help, or do they cause more problems than they solve?


Cross-posted to Slaw

Apply for trademarks now to save money?

Canada has made significant changes to the Trademarks Act, mostly to make it more consistent with international practice. Anyone considering applying for a trademark might want to file before the new rules come into force.

What is the issue?

In early 2019 the trademark application process will undergo significant changes. The changes include:

  • Not having to state first use dates or declare actual use
  • Registration term reduced from the current 15 years to 10
  • Adoption of the class system and a class based fee structure
  • Proof of distinctiveness needed for some types of marks

Why does it matter?

CIPO fees are now $450 per application no matter how many classes of goods and services are listed. The new fees will be $330 for the first class, plus $100 for each additional class. So any more than 2 classes will cost more. Depending on the nature of the goods and services, and whether promotional items are included (e.g. if you sell hats or t-shirts that carry your brand), it is not unusual to have several classes. Add to that the effective increase caused by getting only 10 years of protection vs 15. It is not clear yet how the proof of distinctiveness will work in practice, other than that it will take more time and effort when required.

What to do about it

Businesses should ponder their trademark situation over the coming months and whether they might want to file for new marks or expanded uses at some point. If so, they might save some money by applying before the new rules take effect.

Cross-posted to Slaw

What happens to cryptocurrencies when you die?

Blockchain removes intermediaries from transactions. For the most part that’s a good thing – but it can also have unintended consequences. For example, cryptocurrencies like Bitcoin flow between people much like paper money would be handed over. No financial institution is involved in the transaction. The same is true for other assets being tracked by blockchain technology, such as corporate shares.

When someone dies or becomes incapacitated, trustees or attorneys typically get control of that person’s assets through the intermediary. For example, if a trustee knows that the person has a bank account at bank X, they merely contact the bank, prove they have authority, and the bank co-operates to transfer the assets.

If a trustee wants access to social media and other online accounts such as email, they need to have the person’s logon credentials. Some social media platforms have procedures in place to allow trustee access through authentication processes designed for that situation much like traditional assets.

But what happens if a person dies or becomes incapacitated owning Bitcoin or other assets tracked by blockchain? Some people use third party wallet and exchange services to track their cryptocurrency, which may offer a solution for a trustee. But not everyone uses those, and there may be no intermediary to contact. If the person used a pseudonym for their credentials, it would make it even more difficult to prove who owned the account.

There have been stories about people who have lost their bitcoin private keys and have been unable to access their own money. A trustee would be in the same position if they don’t have the person’s private key. Potentially huge amounts of money or assets could be unrecoverable.

Blockchain and cryptocurrency holders might want to store their logon credentials and private keys in a safe place and let a family member know where it is. Or they might keep these credentials and private keys in a password manager, store the access details somewhere, and let a family member know where to find that.

Does blockchain itself perhaps provide a solution to this? Smart contracts execute automatically on the happening of an event, such as a market price threshold or a temperature reading. Is there a smart contract solution that transfers access to a person’s cryptocurrency or other blockchain-tracked assets based on proof of a trustee’s or attorney’s authority to act? What would that proof look like? It is not, after all, a simple objective event such as a market price threshold.

Cross-posted to Slaw

Data Privacy Day

January 28 is Data Privacy Day.

Privacy is becoming more challenging with new tech such as artificial intelligence, quantum computing, blockchain, autonomous cars, the internet of things, drones, and government agencies recording massive amounts of data in the name of security. Basic privacy concepts such as consent as we now know it may no longer be adequate to deal with some of these challenges. And the sheer number of ways our information gets used makes it almost impossible to truly understand, let alone trust, what others are doing with our information.

The IAPP is hosting Privacy After Hours events in a number of cities around the world on Thursday Jan 25 to recognize Data Privacy Day.

Cross-posted to Slaw

8 Legal/Tech Issues for 2018

Blockchain (the technology behind Bitcoin) is in a hype phase. It has been touted as the solution to many issues around trust. To some extent blockchain is still a solution in search of a problem. Blockchain will, however, become an important technology, and perhaps during 2018 we will begin to see some practical uses.

CASL, Canada’s anti-spam legislation, has been under review. It is a horrible law where the cost / benefit ratio is way off. Most small businesses simply don’t have the resources to comply. And no matter how hard they try, larger businesses have a difficult time complying with all the technical and record keeping requirements. To me CASL is like using a sledgehammer to kill a fly in a china shop. You may or may not kill the fly, but the collateral damage simply isn’t worth it. The House of Commons Standing Committee on Industry, Science and Technology recently presented its report entitled Canada’s Anti-Spam Legislation: Clarifications are in Order. The report recommends changes, but I fear the changes we will end up with won’t go far enough.

Mandatory breach notification under PIPEDA (the federal privacy legislation that governs in most provinces) should be in effect sometime in 2018. It will require mandatory notice to the privacy commissioner and/or possible victims when there is a serious privacy breach. It will also require entities to keep records of all privacy breaches, even if they are not reportable under the act’s thresholds.

Security and privacy breaches will continue to be a problem. Sometimes these occur because of intensive attacks, but sometimes they are caused by stupid decisions or errors. Authentication by passwords can work to reduce the risks if done right, but it is a very difficult thing to do right. Another solution is needed – might blockchain come to the rescue here?

We will continue to hear about security issues around the internet of things, or IOT. IOT devices can be a gateway to mayhem. IOT things include such disparate devices as thermostats, light switches, home appliances, door locks, and baby monitors. The problem is that far too often IOT device designers don’t design them with security in mind. That makes it easy for malfeasants to use these devices to break into whatever networks they are connected to.

Artificial Intelligence is now employed in many things we use – ranging from Google Translate to semi-autonomous cars. Voice controlled screen and non-screen interactions – which use AI – are on the rise. In the short term, AI will continue to creep in behind the scenes with things we interact with regularly. In the long term, it will have disruptive effects for many, including the legal profession.

Bitcoin and other crypto-currencies have moved beyond the geek phase and are getting more mainstream attention. Crypto-currencies will be ripe for fraud as more people dip their toes in. There has already been ICO (Initial Coin Offering) fraud. And “drive by currency mining”, where software gets surreptitiously installed on PCs and phones to mine currency.

Another thing to keep an eye on is whether people’s “freaky line” will move. That’s the line that people refuse to cross because of privacy concerns about their information. Will, for example, the advantages of the automated home (which combines IOT and AI) lead people to adopt it in spite of privacy and security concerns?

Cross-posted to Slaw