regulation of internet commerce class four – january 8, 2013 professor michael geist university of ottawa, faculty of law
Privacy Law Basics
Privacy Law - The Basics- Based on the CSA Model Code- Proposed in 1998 - response to EU pressure- Took effect in 2001 (federally regulated orgs), 2004 (everyone else)- Limited to commercial activity for constitutional reasons- Shared responsibility with provinces - substantially similar- Enforced by Privacy Commissioner of Canada in an ombuds+ role- Complaints driven + audit power
Privacy Law - The BasicsApplication - Subject matter• Personally identifiable information only - includes information about employees• Public domain exception – Telephone Directory – Professional or Business Directory – Registry Collected under Statutory Authority – Court Record – Information Appearing in the Media Where the Individual has Provided the Information• Federal Privacy Act exempt• Name, Title, Business address or Telephone number of an employee exempt - not email though
Privacy Law - The Basics10 PRINCIPLES -- 1. Accountability • organization is accountable for personal information • Includes privacy point person, training staff• 2. Identifying Purposes • purpose of collection must be clear • Identify any new purposes • Grandfathering issue• 3. Consent • individual has to give consent to collection, use, disclosure • “meaningful” consent -- will depend upon circumstances
Privacy Law - The Basics10 PRINCIPLES (cont.) --• 4. Limiting Collection • collect only information required for identified purpose• 5. Limiting Use, Disclosure and Retention • consent required for other purposes • Destroy or anonymize information once no longer needed• 6. Accuracy • keep as accurate as necessary for identified purpose
Privacy Law - The Basics10 PRINCIPLES (cont.) --7. Safeguards • protection and security required8. Openness • policies should be available • Clear language9. Individual Access – info available upon request, inaccuracies corrected10. Challenging Compliance – ability to challenge all practices
Privacy Law - The BasicsCompromise statute -- Purpose clause (s.3) The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Privacy Law - The Basics- Shared responsibility with provinces - “Substantial similarity” - Quebec, Alberta, British Columbia, provincial health privacy- Hundreds of OPC findings- Statutory review every 5 years - Last review in 2006 leads to Bill C-12 (first reading)- Privacy Act - governs public sector privacy law - No updates since first enacted- Multiple privacy legislative initiatives - C-12 (PIPEDA update) - C-30 (Lawful access) - Anti-spam legislation
Penalties & Enforcement
Privacy Law – Penalties/Enforcement- Non-binding findings- Court challenges- Powers largely limited to investigations- Call for: - Order making power - Expansion of naming names - Administrative monetary penalties
Findings…- Evolving approach to case management- Naming namesSAMPLE FINDINGS• NWT Video Surveillance - storefront video of the street is captured by the Act• IMS Health - doctors’ prescribing habits not personal information• Telus unlisted number - charging for unlisted number does not violate the Act; some success on appeal• Railway surveillance• Courier electronic signature
Damages - Nubody’s Fitness- Nubody’s a chain of fitness clubs- Randall joins the gym using company-sponsored membership- Company knows about frequency of use of the membership, Randall complains and that is also disclosed- Leaves company & later files complaint with the OPC- Well founded findingIssue: Any damages?- Randall wants $85,000- No damages awarded:- “Damages are awarded where the breach has been one of a very serious and violating nature such as video-taping and phone-line tapping”
Investigations - Blood Tribe- 2008 SCC decision (Blood Tribe Department of Health v. Canada (Privacy Commissioner))- Wrongful dismissal claim seeking access to records. Some records subject to privilege withheld- Ruling: - OPC does not have the power to compel disclosure of documents subject to solicitor-client privilege. - Must have explicit power included in the statute. - Can go to federal court to compel disclosure.
Constitutionality – Union Food- Union videotapes people crossing the picket line, threatens to post online- Complaints follow to the Alberta PC. Concludes no right to collect and use the personal information- Union challenges – PIPA provisions violation of Charter rights
ABCA – Union Food The pressing and substantial problem is the potential misuse of personal information. Limitingthe ability of organizations to collect, store, and use that information has a rational connection tothe objective. There is, however, a problem relating to proportionality. The constitutionalproblems with the Act arise because of its breadth. It does not appear to have been drafted in amanner that is adequately sensitive to protected Charter rights. There are a number of aspectsto the over-breadth of the Act:• It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.• The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.• The definition of “publicly available information” is artificially narrow.• There is no general exemption for information collected and used for free expression.• There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.
ABCA – Union Food“This appeal clearly demonstrates the impact that the Act can have onprotected rights. The legitimate right of the union to express itself andcommunicate about the strike and its economic objectives have beendirectly impacted by the Adjudicator’s order. The appellant has notdemonstrated why this heavy handed approach to privacy isnecessary, given the impact it has on expressive rights.”- SCC to hear appeal in June 2013- Reference Re: Securities Act (Dec 2011) raises other constitutional concerns for PIPEDA
C-12• Mandatory review every five years• Years to respond with bill• Overdue for another round of reform• Privacy Act reform?
C-12 new business exceptions• Changes definition of business contact information - exclude business email• Business transaction exception – Covers due diligence in transactions – Doesn’t apply if personal information is primary reason for transaction• Exception for collection, use, & disclosure in witness statement related to insurance claim• Work product exception• Exception for businesses that voluntarily disclose personal information to other organizations investigating breach of agreement
C-12 law enforcement changes• Attempted clarification of “lawful authority” - circular approach as lawful authority is lawful authority• Encourages disclosures without court oversight• Once information disclosed – Organization prohibited from disclosing the disclosure – Organization cannot comply with access request from individual – Must notify lawful authority if plans to disclose and delay by at least 30 days
C-12 security breach disclosure• Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners)• California disclosure law spreading fast - at least 40 other states with similar laws• Two possible reporting requirements in event of breach: – Requirement to report “material breach of security safeguards involving personal information under control” to Privacy Commissioner – Criteria to determine whether to report: • Sensitivity of information • Number of affected individuals • Cause of breach/systemic problem
C-12 security breach disclosure– Requirement to report breach to individuals if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”– What is significant harm? • bodily harm • humiliation • damage to reputation or relationships • loss of employment, business or professional opportunities • financial loss • identity theft • negative effects on the credit record and damage to or loss of property– Risk factors - (1) sensitivity of info; (2) risk of misuse
C-12security breach disclosure– Notifications • “ as soon as feasible” • Understandable to affected individuals • To other organizations who may be able to mitigate harm
lawful access - history– 2002 - documents/consultation on lawful access– 2005 - Liberals introduce first lawful access bill (dies on the order paper)– 2007 - Conservatives launch lawful access consultation; Day pledges no mandatory disclosure without court oversight– 2009 - Conservatives introduce second lawful access bill (dies on the order paper)– 2010 - Conservatives introduce third lawful access bill (dies on the order paper)– 2012 - Bill C-30 introduced
C-30 - 1st layer• Mandatory subscriber info disclosure to “designated person” (CSIS, law enforcement): – Name – Address – telephone number – Email address – Internet protocol address• Individual police officer can also require in exceptional circumstances• Data obtained via Access to Information indicates TSPs provide this information 94% of the time without a warrant already
C-30 - 2nd layer• Interception equipment capabilities – Capability to provide intercepted communications – In same format as the communication (no requirement to decrypt)• Operational requirements – Enable interception – Isolate communication – Provide proscribed info – Multiple interceptions• Must maintain capabilities with new software, services• Must report some new equipment to government if acquire from another telco provider• Every telco provider must submit report on equipment within 6 months of law taking effect• Government can reduce requirements – Phase in period - 18 months for new equipment; 3 years for ISPs with <100,000 subscribers• Penalties for non-compliance
C-30 - 3rd layer– Transmission data warrant – What it covers » relates to the telecommunication functions of dialling, routing, addressing or signalling » generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication » does not reveal the substance, meaning or purpose of the communication – Warrant needed for real-time information – Production order for historical data – Expires 21 days after initial demand
C-30 - 3rd layer– Preservation orders • Designed as temporary order to preserve subscriber information • Includes data related to particular subscriber, specific communication • Expires 90 days after issued • Must destroy information after conclusion– Production orders • General production order of a document • Specified communication - transmission data to identify person or device • Transmission data • Tracking data • Financial data • Judge may order prohibition on disclosing production order • ISP, FI, etc. may apply to vary order within 30 days
Can lawful access be saved?
C-30 - Key Concerns1. Evidence, Evidence, Evidence2. No Mandatory Warrantless Access to Subscriber Information3. Reporting Warrantless Disclosure of Subscriber Information4. Remove the Disclosure Gag Order5. "Voluntary" Warrantless Data Preservation and Production6. Government Installation of Surveillance Equipment
C-30 - Key Concerns7. Reconsider the Internet Provider Regulatory Framework8. Improve Lawful Access Oversight9. Limit the Law to Serious Crimes10. Come Clean on Costs11. The Missing Regulations12. Deal With The Failure of Privacy Laws To Keep Pace