Privacy

Litigation

PIPEDA Complaints

Law Reform

CIPPIC welcomed the announcement of private member's Bill C-475, which proposed amendments to Canada’s federal privacy legislation, PIPEDA. The proposals will bring long overdue privacy protections for Canadians, including a comprehensive data breach notification regime and, critically, much needed enforcement powers for Canada’s privacy laws. A long-enduring and central gap in Canada’s privacy protections is the ongoing inability of the Privacy Commissioner to force non-compliant organizations to meet their privacy obligations. Even as our Courts, our provincial legislatures, and most of our international counterparts have recognized the increasing need to protect privacy in a digital era, our federal privacy regime remains toothless and our federal Privacy Commissioner lacks the basic power to enforce her own compliance orders. 

In addition, the lack of a comprehensive data breach notification regime puts Canadians' personal information at great risk. Experience from jurisdictions around the world has demonstrated that a legal obligation to notify individuals when their data has been put at risk is an essential component of any privacy protection regime. Not only does this notification requirement provide an opportunity for individuals to take protective measures against privacy harms ranging from identity theft to great embarrassment, but it also provides a poignant incentive for organizations to put in place the practical and technical mechanisms necessary to avoid such breaches in the first place.

Data Privacy Day and its European counterpart, Data Protection Day, commemorate the signing of the world's first international treaty on data protection -- the Council of Europe's Convention 108. Data protection is rapidly becoming an international norm, as recent developments have brought the number of countries with data protection legislation to 89, globally. Additionally, 2012 saw an unprecedented commitment by lawmakers in one of the largest data markets -- the United States, a long-time adherent of a sectoral approach to privacy protection -- to the enactment of data protection laws. Our courts have similarly advanced the cause of privacy with landmark decisions that recognized the right to anonymity in judicial proceedings, a constitutional right to individual notification when police intercept communications in an emergency, and the right to privacy in our work computers. In addition, our Federal Privacy Commissioner released a sweeping (but yet to be enforced) Finding on the privacy practices of a youth-based social networking site, Nexopia. Finally, advances in transparency have helped us better understand how our information is being accessed by the government, as more organizations began publishing statistics on government access, and Google, which pioneered the transparency reporting model, has increased the scope of its own reports so that the public can better assess the nature of government requests.

At the same time, the challenges have never been greater, with online surveillance legislation, long-overdue updates to our federal privacy statutes (PIPEDA and the Privacy Act) still nowhere in sight, and legislative initiatives that will allow our online service providers to hand over our data to litigants and copyright trolls alike -- all on the horizon.

Last week, Voltage Pictures filed a motion to identify approximately 2,000 IP addresses allegedly belonging to individuals who have infringed its copyrights by means of peer-to-peer file sharing mechanisms. CIPPIC is seeking to intervene in this matter to ensure that procedural safeguards and the privacy rights of the anonymous Does are respected.

On December 14, 2012, CIPPIC filed a letter with the Federal Court seeking to delay the hearing of Voltage's motion to compel Internet Service Provider Teksavvy Solutions to disclose the identities of its subscribers alleged to have downloaded movies the copyright to which Voltage owns. Although supporting evidence for the motion was only filed on Tuesday, December 11, it was scheduled to be heard today (only 6 days later). While CIPPIC is not yet a party to this proceeding, its letter was intended to ensure the Court was aware of the numerous legal and policy issues raised by Voltage's request. The letter asked the Court to provide more time for defendants to respond to the motion, as well as to provide time for CIPPIC's own intended intervention. Today, in court, Teksavvy similarly asked the Court to extend timelines for this process, which it did. The next hearing date will be January 14, 2013.

The Supreme Court of Canada recently issued A.B. v. Bragg Communications Inc., 2012 SCC 46, in which it reasserted the need to protect privacy, as well as the sensitivities of cyberbullying victims within the discovery process. Historically, the ever-important principle that justice must be public prevented victims of certain wrongs from protecting their identity when pursuing lawsuits. In its intervention, CIPPIC argued that in an age of heightened privacy concerns, the impact of forcing litigants to air their dirty laundry in a public, permanent online record will in many cases exceed what is typically a narrow public interest in knowing the identity of a litigant. Further, in scenarios involving cyberbullying, preventing litigants from proceeding pseudonymously will in many cases prevent access to the law, as a desire to avoid re-victimization may push the objects of cyberbullying to forgo enforcement of their rights altogether.

While reaffirming the vital importance of the open court principle, the Court, in a unanimous judgement penned by Madam Justice Abella, held that the relationship between this principle and the right to privacy, as well as the realities of cyberbullying, requires elaboration. The Court particularly emphasized the importance of respecting the privacy of youths and the need to avoid discouraging litigation by exposing victims of cyberbullying to revictimization as a result of litigation. Allowing broader scope for anonymous litigants would advance privacy rights and allow victims of cyberbullying to access the justice system. Furthering these values outweighs the minimal harm that may result to the open justice principle if the identity of litigants is protected from the public eye.

The Canadian Identity Theft Support Centre (CITSC) is scheduled for its official launch on June 28, 2012. The CITSC will be Canada's first comprehensive support centre for victims of identity theft. It will provide much needed support services for victims of identity theft who undertake the often long and difficult road to recovering their identities. This identity recovery process is typically lengthy and time-consuming. Modelled on the successful U.S.-based Identity Theft Resource Center, the CITSC will operate as a source of guidance for Canadians in their attempts to navigate this process.
 
The CITSC will also act as a source of educational materials aimed at educating Canadians on how to protect their identities and on steps that can be taken by Canadians to help spot early signs their identity may have been stolen. In addition, the CITSC will act as a source of research and knowledge dissemination regarding the parameters and nature of identity theft harms in Canada.
 
CIPPIC is highly supportive of the CITSC's initiatives, and will be participating in the public launch of the Centre. Join us in person at the Ottawa launch, which will be held from 1:30 pm - 4:30 pm EST in the Newfoundland Room of the Westin (11 Colonel By Drive) in Ottawa. The Centre will be simultaneously launched in Vancouver, B.C., at Library Square.
 

CIPPIC has joined an international coalition of civil society organizations including CDT, EFF, IGP and EDRi in a letter of protest (Spanish) sent to the International Telecommunications Union (ITU). The letter protests the secrecy and exclusivity surrounding its preparations for the World Conference on International Communications (WCIT). Slated for negotiation during WCIT-12 is a potential re-envisioning of the International Telecommunications Regulations (ITR), an international treaty that currently governs traditional telephone communications amongst the numerous countries who have signed on to it. While the current ITRs are limited in scope primarily to telephone systems, the renegotiated text (which will be up for discussion and adoption at WCIT-12) is rumoured to weigh in heavily on several aspects of Internet governance.

We say 'rumoured' because all the preparatory documents for WCIT-12 are sealed and civil society has been excluded from the discussions. The current ITU framework does not allow for open participation. Further, the ITU's business model (premised on the dubious concept of selling access to documents and decision-makers to corporate associates at prohibitive rates) is a significant barrier to civil society participation. While perhaps workable for regulation of telephone lines, this approach is antithetical to the distributed, multi-stakeholder governance model that has made the Internet the engine for innovation and freedom that it is today. The letter calls on the ITU to open the WCIT-12 preparatory documents up to public debate and to ensure all stakeholders, including civil society, the technical community, governments, and corporate interests are able to participate on equal footing. 

In 2010, the Office of the Privacy Commissioner of Canada initiated consultations on privacy issues related to developing internet-related technologies:  "Tracking, Profiling and Targeting", and "Cloud Computing". The OPC sought comment on the deployment of these technologies and their implications for individuals, organizations, and businesses. CIPPIC offered two submissions: one focusing on geolocational technologies and their use in targeted advertising, and a second addressing cloud computing more generally.

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposition to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

FAQ on privacy and copyright issues raised by photography-related activities.

Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.

Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers' need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.

Resources on RFID technologies and their privacy implications.

The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.

National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.

Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.

Regulators provide guidance on mobile privacy, tracking & advertising

A.B. v. Bragg Communications, 2012 SCC 46, SCC File No. 34240, Anonymity in judicial proceedings

Warman v. Fournier, 2010 ONSC 2126, [2010] 100 O.R. (3d) 648, 319 D.L.R. (4th) 268 (Ont. Div. Ct.)

CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. This finding was in response to CIPPIC's complaint against Abika.com.

Royal Bank of Canada - Refusal to deal for secondary purposes

CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.

PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI

CIPPIC asks the Privacy Commissioner to Audit Google to investigate the implications of its merger with online ad network DoubleClick

PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Winners/Homesense (collection minimization & disclosure for secondary purposes)

Sony/BMG Rootkit

Canadian Banks and SWIFT

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent, and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found our complaints about lack of openness and consent to be well-founded, but resolved as Ticketmaster agreed to change its policies and practices accordingly.

Resources

CIPPIC's letter, Nov. 17, 2005.

 

InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry.

Abika.com and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, Abika.com and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the Abika.com "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation of his privacy. The violation occurred when a Scotiabank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.

Resources

Privacy Commissioner, letter, July 13, 2005.

 

MBNA Mastercard (Blanket consent to unlimited & unnecessary use/disclosure)

House of Commons ETHI Committee Study: Privacy & Social Media Sites

Industry Canada: Questionnaire on Updating OECD Privacy Guidelines

Modernizing Convention 108: the Council of Europe's Privacy Framework

OPC Consultations on Online Tracking, Behavioural Targeting & Cloud Computing

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customers' information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

As part of its intention to help Canada regain its leadership position in the global digital economy, the government recently concluded a public consultation process which sought submissions from all sectors of the public on how to achieve this objective. In its submission, CIPPIC calls on the government to encourage the creation of a digital environment that will be better for all Canadians and will serve as a model for other jurisdictions. CIPPIC offers recommendations on issues such as privacy, online file-sharing, and on quality and access to communications that will help the government achieve this objective.

Data Breach Notification

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).

APEC Cross Border Privacy Rules

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.