Privacy Laws Flashcards
Charter of Rights and Freedoms
Section 7 - Everyone has the right to life, liberty and security of the person
Doesn’t mention privacy, but case law supports the view that s. 7 serves as a source of constitutional protection of the right to privacy
Sources of Law
- Legislation (PIPEDA, PIPAs, etc.)
- Common law
- Contracts
- Charter
3 Canadian Perspectives on Privacy
- Privacy of the individual vis-à-vis the state
- Privacy of the individual vis-à-vis other individuals
- Privacy of the individual vis-à-vis organizations
3 Canadian Classes of Privacy (as defined by Jurists)
- Information Privacy - claim to determine for yourself when/how/to what extent info is communicated to others
- Personal Privacy (bodily integrity)
- Territorial Privacy - limitations on ability of individual to intrude on physical environment
Models of Data Protection
Comprehensive (Canada, EU)
Sectoral (US)
Self-Regulatory (US, Japan, Singapore)
Seal Programs (TrustArc, BBBOnline, WebTrust, Digital Advertising Alliance)
Technology-Based Model
Seal Programs
TrustArc - founded in 1997, license agreement
BBBOnline - subsidiary of Better Business Bureaus, from 1999
WebTrust - AICPA and Canadian Institute of Chartered Accountants
Digital Advertising Alliance (DAA) - 2010 self-regulatory org
5 Key Concepts of Canadian Privacy
Personal Information
Employee and Work-Product Information
Public Records and Publicly Available Information
Private and Sensitive Information
General concepts of Fair Information Practices and General Privacy Principles
Federal Privacy Act - Types of Personal Information
a) Info relating to race, ethnic origin, religion, age or marital status;
b) information relating to education or medical/criminal/employment history, or info relating to financial transactions
c) identifying number, symbol or particular;
d) address, fingerprints, blood type;
e) personal opinions or views of the individual, except where they are about another individual or about a proposal for a grant, award or prize;
f) correspondence sent by gov’t to individual that is of private or confidential nature;
g) Views of another individual about the individual;
h) The views or opinions of another individual about a proposal for a grant/award/prize made to the individual by an institution, but excluding the name of the other individual where it appears with the views or opinions of the other individual
i) The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
Federal Privacy Act - Job-Related Information (not personal information)
i. The fact the individual is or was an officer or employee of the institution
ii. Title, business address and telephone number
iii. Classification, salary range and responsibilities of the position
iv. The name of the individual on a document prepared by the individual in the course of employment
v. The personal opinions or views of the individual given in the course of employment
Employee Information
Personal information that is collected/used for the purposes of establishing, managing, or terminating an employment or volunteer relationship.
Does not include personal information about the individual that is unrelated to that relationship.
(from Alberta PIPA)
Work-product Information
Information about an individual that is related to that individual’s position, functions, and/or performance of their job
Privacy Act - Publicly Available Information
Restrictions on gov’t ability to use and disclose personal information do not apply if info is publicly available.
Obligations to collect info in accordance with the act still apply to publicly available info.
Total exception for any information found in library or museum material, or placed in the Library and Archives of Canada, National Gallery, etc.
PIPEDA - Publicly Available Information - Regs
Org can collect/use/disclose PI without knowledge and consent if it is publicly available and specified by regs:
a) Name, address, number appearing in telephone directory (where the subscriber can opt out)
b) Name, address, number appearing in professional or business directory (where use relates directly to the purpose for which info appears in the directory)
c) PI that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law (where use relates to purpose for which info appears)
d) PI in record or document of judicial or quasi-judicial body (where use relates to purpose…)
e) PI that appears in a publication, including a magazine, book or newspaper, in printed or electronic form (where individual has provided the information)
PIPEDA - General Principles re: Publicly Available
- merely because an individual appears in public doesn’t automatically forfeit their interest in retaining control over the PI exposed
- For an org to be exempted from consent requirement, PI must be both publicly available and specified by the regs
- The exception to the consent requirement doesn’t apply to org that initially collects info for the purposes of making it publicly available
OPC Findings - Telephone Directories
- Individual phone number considered PI, even if published in a telephone directory, and subject to the “reasonable person” test.
- Republishing personal white-pages telephone directory info in online format constitutes publicly available info
- Telecom can collect info from parent company’s white-pages directory, for its own purposes, without obtaining consent
OPC Findings - Professional and Business Directories
Information about a business collected from Yellow Pages (or other publicly available sources) does not constitute personal information
OPC Findings - Public Registries
- the purpose for which information is used is a key element in eval of whether exception to consent requirement applies
- purpose of use in a public registry must relate directly to the information’s purpose for being in that registry
- not enough that info is publicly available, must have been collected from source for specific purpose behind subsequent disclosure
OPC Findings - Court and Tribunal Records
- Court not required to disclose personal information that appears in publicly available court records where disclosure relates directly to advancing a claim in court
- PI found in court records of ongoing legal proceeding cannot be collected and used without individual consent for purposes unrelated to the legal proceedings
OPC Findings - Books, Magazines, and Newspapers
Publicly available PI can be collected from published books, magazines, and newspapers regardless of the purpose for which the info appears
- consent not required to use a business email for marketing purposes where email was posted on a publicly available website by the individual (decided before CASL, which now supersedes this finding)
Private/Sensitive Info
PIPEDA doesn’t distinguish in definitions (although might in RROSH)
Some provincial statutes address the difference between all PI and info that deserves more protection because of its sensitive nature - typically applies when gov’t institutions are working through questions about whether info held by gov’t should be released.
Law (such as that in Nova Scotia) may enumerate types of information which would merit more or less protection
Nova Scotia Privacy Law - Unreasonable Invasion of Privacy Examples
a) medical information
b) PI related to possible violation of law
c) eligibility for income assistance or social service benefits
d) employment or educational history
e) tax returns or tax info
f) financial information
g) personal recommendations or evaluations
h) race/ethnicity, sexual orientation, religious or political beliefs
i) PI consists of name along with address and phone number and is to be used for mailing lists or solicitations by phone or other means
OECD Principles (1981) compared to CSA
Accountability
Purpose Specification -> Identifying Purposes
Collection Limitation -> Consent & Limiting Collection
Use Limitation -> Limiting Use, Disclosure and Retention
Data Quality -> Accuracy
Security Safeguards
Openness
Individual Participation -> Individual Access & Challenging Compliance
Canadian Standards Association (CSA) Principles - 1996
Model Code for the Protection of Personal Information
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
CSA Model Code Participants
Federal and Provincial Gov’ts
Consumer Advocates
Organized Labour
Security and IT Experts
Industries including:
Financial services
Telecommunications
Cable television
Direct Marketing
CSA Model Code Purpose
Balance between legitimate business interests and the individual right to privacy
CSA Principle - Accountability
- Org responsible for PI under its control
- Org shall designate individual accountable for org’s compliance
CSA Principle - Identifying Purposes
- Purpose for collection of PI identified before or at the time of collection
CSA Principle - Consent
Consent required for collection, use or disclosure of personal information (except where inappropriate)
CSA Principle - Limiting Collection
Collection shall be limited to that which is necessary for the purposes identified by the org.
Info shall be collected by fair and lawful means
CSA Principle - Limiting Use, Disclosure and Retention
PI shall not be used for purposes other than those for which it was collected (except with consent or required by law)
PI should be retained only as long as necessary
CSA Principle - Accuracy
PI shall be accurate, complete, up-to-date as necessary
CSA Principle - Safeguards
Security safeguards should be appropriate to sensitivity of the information
CSA Principle - Openness
Org shall make available specific info about its policies and practices
CSA Principle - Individual Access
Upon request, individual shall be informed of existence, use and disclosure of his/her personal information and shall be given access to that information.
Individual should be able to challenge accuracy and completeness of info and have it amended as appropriate.
CSA Principle - Challenging Compliance
Able to challenge org concerning compliance
Generally Accepted Privacy Principles (CICA)
Management
Notice
Choice and Consent
Collection
Use, Retention, Disposal
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring and Enforcement
Sensitive Personal Information
Information more significantly related to the notion of a reasonable expectation of privacy.
Medical or financial!
Information that could result in identity theft.
2016-2017 Parliamentary Report of OPC - Challenges to Consent
- Opaque nature of privacy policies that are the basis of consent
- Complex information flows
- Business processes that involve a multitude of third-party intermediaries
OPC stated that consent model needs to be updated and altered rather than replaced
Retention Period - 2 Points to Remember
- Personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access.
- An org may be subject to legislative requirements w/r/t retention periods for certain types of information
PIPEDA - Accuracy Principle - Updating Personal Information
An org shall not routinely update personal info, unless necessary to fulfill the purposes for which the information was collected
PIPEDA - Openness Principle - Information Made Available
- Name of accountable person
- Means of gaining access to personal information
- Description of PI held and its use
- Brochure that explains policies/standards/codes
- The PI that is made available to related orgs
Time Limits for Access to Own Information Requests
PIPEDA, BC, QC - 30 Days
Alberta PIPA - 45 days with limited right to extend
PIPEDA - Purpose of Legislation
Reconcile:
* Individual right to privacy
* Commercial need for access to personal information
Express recognition that right to privacy is not absolute
Last goal: ensure that Canadian orgs could receive data from the EU (which had passed the Directive on Data Protection in 1995)
PIPEDA - Application
Applies to the entire private sector - every org that collects/uses personal info in the course of commercial activity, OR
- personal info that is about an employee of a federal work, undertaking or business
Does not apply to:
* gov’t institutions covered by Privacy Act
* Individual that collects info for personal or domestic purposes
* Org that collects info for journalistic, artistic or literary purposes and no other
OPC - Federal Work, Business or Undertaking
“Any work that is under the legislative authority of Parliament”
Specific examples:
- interprovincial/international transport by air or water
- airports, aircraft, airlines
- telecoms
- radio and TV broadcasting
- banks
- grain elevators
- nuclear facilities
- offshore drilling
- any company subject to any part of the Canada Labour Code
NOT Federal:
- insurance companies
- credit unions
Substantially Similar to PIPEDA - 3 Requirements
- Consistent with the Schedule for PIPEDA
- Independent oversight body like the OPC
- Contain a redress mechanism for the aggrieved
PIPEDA - Substantially Similar Laws
- Alberta PIPA
- BC PIPA
- the Quebec Act
w/r/t Health Only
- Ontario Personal Health Information Protection Act
- NB Personal Health Information Privacy and Access Act (w/r/t health information custodians only)
- NL Personal Health Information Act (w/r/t health information custodians only)
- NS Personal Health Information Act (w/r/t health information custodians only)
PIPEDA - Commercial Activity
Transaction, Act or Conduct that is of a commercial character, including selling/buying donor lists
PIPEDA - Commercial Activity - Court Interpretation
- Taxable status is not relevant
- Mere contractual relationship is not enough
- information-gathering in preparation for civil tort action not commercial activity contemplated by PIPEDA
- information-gathering by insurance company to defend a lawsuit as part of its obligations to the insured not covered by PIPEDA
- Physician conducting independent medical exam on behalf of insurance company - this is commercial activity
Commercial Activity - OPC Interpretation
Broad! 2 Part test:
- What is the core activity of the institution (e.g. if educational, presumed not to have ‘commercial character’)
- Presumption against commercial character rebutted if one of the objectives is to earn profit for its owners
- emphasis is on transaction rather than enterprise
- for the most part, nonprofit associations (incl unions) and private schools operate outside of any commercial activity
Considered commercial activity:
- relaying financial information into and out of Canada for international transactions with Canadian banks
- bankruptcy trustee collecting PI to be used in administering bankruptcy
- day care (even though a nonprofit)
- in certain cases, tort litigation, landlord-tenant relationships, online advertising and social networking
PIPEDA - Obligations
- Org can only collect/use info for purposes that a reasonable person would consider appropriate in the circumstances
- Burden on org to be prepared to demonstrate it is acting reasonably (even if they obtained consent!)
- In Sections 6 to 9 of PIPEDA, some CSA standards modified to be mandatory:
- Only collect with consent
- consent only valid if person would understand nature, purpose and consequence of PI collection and use
- obliged to provide access to personal information
PIPEDA - NOT Obligations
Where Schedule 1 says an org “should” do something, org is not obliged to follow that standard
PIPEDA - Consent Not Required
a) Collection clearly in the interests of the individual and consent cannot be obtained quickly
b) collection related to investigating a breach of agreement or law, and collection with consent of individual would compromise information
c) contained in a witness statement and collection necessary for adjudicating insurance claim
d) produced by the individual in the course of their employment and consistent with that purpose
e) journalistic/artistic/literary purposes
f) info publicly available and specified by regs
g) collection made for purpose of making a disclosure required by law
PIPEDA - Exceptions to Right to Access to PI
- if access would reveal info about a third party
- specified national security or law enforcement reasons
- solicitor-client information
- commercially sensitive information
- threaten the life or security of another
- info gathered as part of formal dispute resolution mechanism
- info collected without consent during investigation of a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that information
PIPEDA - Right of Access - Cost Recovery
Orgs may provide access on a cost recovery basis, but cost must be “at minimal or no cost to the individual”
Any type of flat fee likely not acceptable; org ought to assess minimal fee and apply it only in exceptional cases
OPC Powers - Decline to Investigate a Complaint
- Other available grievance or review procedures not exhausted
- Could be dealt with more appropriately by a procedure under other federal or provincial laws
- Not filed in reasonable period of time
OPC Powers - Discontinue an Investigation
- Insufficient evidence to pursue
- Complaint is trivial, frivolous or vexatious, or bad faith
- Org already provided fair response to complaint
- Matter already object of investigation
- matter is object of compliance agreement with OPC
- matter is subject of a report by OPC
- matter already addressed under a procedure in PIPEDA s 12(1)(a) or (b)
OPC - When to Federal Court
- Can apply to feds if recommendations from investigation report are not implemented
- Can apply if org fails to live up to commitments in a compliance agreement
- Cannot apply to fed court if recommendations in an audit report are not implemented
Digital Privacy Act (2015) Updates to PIPEDA
- Breach Notification and Record-Keeping Requirements (fines of up to $100k)
- Update to personal information and business contact information
- Update to consent, including new exceptions
- Compliance agreements
- Public Interest Disclosures broadened
DPA Consent Exceptions
- Investigations/fraud detection - may disclose PI to another org if reasonable to expect that knowledge would compromise investigation
- Business transactions - Sale of business, merger, lease of assets
- Witness statements in insurance claims
- Identifying injured, ill, deceased; communicating with next of kin
- Financial abuse - disclose to gov’t or next of kin/representative
- Employment relationships in federally regulated workplaces
- PI produced in course of employment, business, or profession
Possibilities for Work Product under PIPEDA
- Exclude Work Product from definition of “personal information”, as is done in BC PIPA;
- Consider work product to be personal information, but state that data protection provisions do not apply (similar to approach to PI collected for journalistic/artistic purposes);
- Include work product in definition of personal information, but state that consent requirements in Sec 7 of PIPEDA don’t apply.
Currently: personal information that may be work product is subject to the Act and would be addressed on a case-by-case basis.
Alberta PIPA - Professional Regulatory Bodies
For these entities, an org can establish personal information codes and thereafter abide by the code instead of all obligations imposed by PIPA
The Ombudsperson Model
A recommendation-only model for Privacy Commissioners (i.e. like the Federal OPC) rather than the ability to order compliance.
Said to be less adversarial and formalistic.
The Quebec Act - Three Principles
- Every person who establishes a file on another person must have a serious and legit reason for doing so
- The person establishing the file may not deny the individual concerned access to the information contained in the file
- The person must respect certain rules that are applicable to the collection, storage, use and communication of the information
The Quebec Act - Application
Applies to every “enterprise” that collects/stores/uses/communicates (aka discloses) information about a natural person to third parties.
The Quebec Act - Exceptions to Application
- PI collected and used by public bodies;
- Journalistic material
The Quebec Act - Enterprise
Carrying on by one or more persons of an organized economic activity, whether or not commercial in nature, consisting of producing, administering or alienating property, or providing a service.
Not limited to commercial activity, applies to unions, lawyers, doctors, other associations
The Quebec Act - Communication Outside of Quebec
Similar to EU, enterprise in QC can disclose info to 3rd party outside of QC if:
- info will not be used for purposes not relevant to the object of the file or communicated without consent
- in case of marketing lists, persons concerned have valid opportunity to refuse to allow their personal information to be used for commercial purposes
Third parties include any separate legal entity, so related companies and orgs have to abide by third party rules
The Quebec Act - Personal Information Agent
A person who, on a commercial basis, establishes files on other persons and prepares and communicates credit reports bearing on reputation or solvency of the persons to whom the info contained in such files relates
CASL
- Rules for sending of commercial electronic messages (CEM)
- Rules for the installation of computer programs
- Prohibition on the unauthorized alteration of transmission data
CASL - Application
Applies to all forms of electronic messaging, including:
- Email
- SMS text messages
- Messages sent via social networking
Applies to all messages sent from or received in Canada
Applies to nonprofit orgs and registered charities
CASL - Obligations - Consent
- Consent must be obtained before CEM is sent
- Express consent cannot be provided by silence or inaction (e.g. a pre-checked box) - must be “opt-in” by positive action to indicate consent
- can be orally or in writing
CASL - Consent - Proof of Consent
Key information
- whether consent was obtained in writing or orally
- when it was obtained
- why it was obtained
- manner in which it was obtained
CASL - Implied Consent
- Existing business relationship
- Existing non-business relationship
- Recipient conspicuously published electronic address (e.g. on a website) and doesn’t say they don’t wish to receive messages
- Recipient has disclosed electronic address directly to the sender and hasn’t said they don’t want messages - must be related to professional capacity
CASL - Additional Exceptions to Consent
- sent to a friend or family member
- inquiry about a service offered by recipient
- provides a requested quote
- facilitates a commercial transaction
- provides warranty or safety information
- information about ongoing subscription or membership
- information related to employment relationship or benefit plan
- delivers a good or service
CASL - Identification
Senders must clearly identify themselves, including person (or multiple persons) message sent on behalf of.
If not practical to include information in body of CEM, must include a hyperlink to a web page containing this information - must be clearly and prominently set out in the CEM
CASL - Unsubscribe Mechanism
- link must be functional for minimum 60 days after sending
- unsubscribe must be processed without delay, and in any event, no more than 10 days after request
- unsubscribe must be “readily performed”, and quick, simple and easy for the end user
CASL - Record-keeping
Record-keeping extremely important when interacting with CRTC / Responding to Notice to Produce
Should include:
- All evidence of express and implied consent
- documented methods through which consent was collected
- policies and procedures regarding CASL compliance
- all unsubscribe requests and resulting actions
CASL - Enforcement
Enforced by CRTC, with related amendments to Competition Act and PIPEDA enforced by Competition Bureau and OPC
CASL - Blackstone Case Study - Why Reduce Fine
- Purpose of penalty - compliance, not punishment
- scope, nature, duration of violation
- Blackstone ability to pay
- Blackstone cooperation
- Notice of self-correction
- No history of non-compliance
- Blackstone made inquiries of regulator
CASL - Compu-Finder Case Study
OPC investigated Compu-Finder for collecting and using business emails to promote its business
- examined Compu-finder websites
- reviewed online media and other public content about org
- submissions to CRTC Spam Reporting Centre
- Interviewed 8 individuals who complained
- Got representations from Compu-Finder
OPC concerned with integrity and comprehensiveness of CF representations
Found CF was unaware of and did not respect privacy obligations; lacked appropriate consent for use of emails
CF implemented OPC recommendations on “without admission” basis - OPC said complaint well-founded and resolved in part/conditionally resolved in part. Entered compliance agreement.
CRTC assessed administrative monetary penalty (AMP) of $1.1 million
CASL - Installation of Computer Programs - Purpose
Protect consumers from programs such as malware that pose a real threat to individuals - enforcement is focused here
CASL - Computer Programs - Safeguards
- Monitoring client activities
- written contracts with clients/suppliers requiring CASL compliance
- written CASL policy
CASL - “caused to be installed”
- malware installed along with other software
- concealed software automatically executed when consumer inserts (for example) a CD or USB
CASL - Express Consent without Requesting Installation
- Cookies
- HTML
- JavaScript
- An Operating System
- Program executable through a program to which end user consented
- Software installed to correct a failure (i.e. bug fixes)
Telecoms do not need consent to install software to protect security of system
Consent only assumed if user doesn’t take steps to vitiate it - e.g. disabling JavaScript in the browser
CASL - Automatic Downloads with Consent
Vendors can:
- implement user-installed updates (user must click)
- can obtain consent for automatic downloads at point of initial install
- can allow automatic downloads to be activated or de-activated via a user setting
CASL - Competition Act Materiality
No Materiality Requirement: false info in
- Sender line
- Subject Line
- locator information (e.g. URL)
Materiality requirement:
- False or misleading statement in the content of the electronic message
CASL - Competition Act - Private Right of Action created by CASL
Consumers can sue for $200 per message that contains false or misleading representations
CASL - INDU Recommendations
- Enforcement agencies issue clear, accessible, regularly updated guidance materials
- Parliament amend:
1. Definitions of CEM, “electronic address”, “implied consent”, “express consent” to clarify them;
2. Increase transparency in how CRTC investigates and penalizes violations;
3. Short title, Electronic Commerce Protection Act (ECPA)
Gov’t agreed but no changes to law yet.
CRTC issued guidelines on implied/express consent and started issuing enforcement advisories in 2018, but most issues in report are unaddressed.
Bank Act - Scheduled Banks
Schedule I - domestic banks
Schedule II - Subsidiaries of foreign banks
Schedule III - Branches of foreign banks
Privacy Issues to Consider
- Transborder Data Flows
- Online Behavioural Advertising
- Data Breach Reporting
- Surveillance
Transborder Information Transfer
- law and OPC decisions show transfers outside of Canada are permitted
- Orgs must still be transparent, receive consent for transfers, and be accountable (i.e. responsible for information held by third party transferees)
- OPC had consultation process about proposed changes 1) mandatory consent for cross-border transfer; and 2) require communication of options for opt-out of international transfer; feedback was this was too onerous and the changes were shelved.
Online Behavioural Advertising
Typified by the use of a cookie
May be “first party” (placed by website visited), or “third party” (if they are placed by some other party)
May be “session” or “persistent”
Cookie permits data regarding browser history to be recorded
Online Behavioural Advertising - Regulation
Covered by PIPEDA or Quebec, Alberta, BC Privacy Laws
Online Behavioural Advertising - Application
OPC says IP address and cookie-related information are personal information.
SCC and OCA also comment on privacy interests in browsing history.
Obtaining consent in timely and informed way remains a challenge.
Online Behavioural Advertising - Google Complaint 2013
Google’s online service used sensitive health information to target users with health-related ads, contrary to its own policies and in violation of PIPEDA
Online Behavioural Advertising - Bell RAP
Relevant Advertising Program - tracked customer habits and created detailed profiles to be shared with 3rd party advertisers in violation of PIPEDA.
Data Breach Reporting - Notification to OPC in the Digital Privacy Act (2018)
- Description of the circumstances of the breach
- Period of breach
- Type of Personal Information
- Estimated number of individuals
- Steps org has taken to reduce risk of harm
- Steps org has taken to notify
- Name and contact of accountable person
Data Breach Reporting - Notification to Individuals
- Circumstances of breach
- period of breach
- description of personal information
- Steps the org has taken to reduce risk of harm
- steps individual could take to reduce harm
- toll-free number or e-mail address the affected individual can use
- information about the org’s internal complaint process
Data Breach Reporting - Record Retention
Must keep record of every breach of security safeguards for 24 months after the day breach discovered
Data Breach Reporting - PIPEDA Penalties
Fines of up to $100,000 for knowingly violating notification or record-keeping requirements
Data Breach Reporting - Alberta
PIPA Requires notifying commissioner of a breach if there is a real risk of significant harm to an individual.
- Description of incident
- time period
- personal information involved
- assessment of risk of harm to individuals
- estimated number of individuals
- steps taken to reduce harm
- contact information
Data Breach Reporting - Risk of Harm Factors
- Sensitivity of personal information
- Probability that the personal information will be misused
- Any other prescribed factor
Privacy Incidents - SWIFT
- complaint that SWIFT/Canadian banks were turning over information to US government
- SWIFT said it was responding to subpoenas from OFAC
- SWIFT subject to PIPEDA (operates in Canada)
- SWIFT hadn’t contravened PIPEDA - must abide by legitimate laws of other countries in which it operates
- Banks met their obligations because contractual documentation exists between SWIFT and the banks that ensured comparable level of protection
Privacy Incidents - TJX (Winners/Homesense)
- TJX company breached - intruder got credit card numbers, names and addresses, and Canadian driver’s licenses
- Collected DL to prevent fraud
- Commissioners considered:
1. Whether the org had a reasonable purpose for collecting info
2. Whether org retained info in compliance with legislation
3. Whether org had reasonable safeguards - determined DL was irrelevant to legitimate purpose; should not be an identifier for the purposes of analyzing shopping-return habits
- TJX decided to use hashing to create a unique number that could be stored that wasn’t a driver’s license
- info had been stored indefinitely, in violation of retention periods
- used only WEP encryption in stores
TJX/SWIFT - Key Conclusions
- International flow of data will not impede applicability of laws in Canada
- Canadian privacy law will not stand in the way of legitimate business uses of personal information
- Responsibility will lie with the org to prove it is reasonably safeguarding
- Orgs must collect only the personal information necessary to fulfill legitimate purposes
Incidents - Facebook 2008
Complaint from University of Ottawa Cybersecurity Group
OPC Report - Facebook had not met knowledge and consent obligations under PIPEDA
OPC recommended Facebook and Developers
- receive no more personal information than necessary
- provide users with sufficient notice about which data will be collected
- provide opportunity to give meaningful consent
Incidents - Nexopia
Youth-oriented social networking site; complaints:
- Disclosure of user personal information to public did not meet reasonable expectations of the users
- Site had inappropriate and unreasonable default privacy settings
- users not adequately informed about how info would be shared
- Consent not obtained at time of registration for collection of PI
- Non-Nexopia users’ PI retained without their knowledge and consent
- All PI retained indefinitely and w/o an option to request for deletion
Incidents - Google
In 2010, OPC investigated the "inadvertent" collection of payload data from unsecured WiFi networks by Street View camera cars
- gathered PI in excess of the purposes of collection
In 2013, complaint about health-related ads
- Joint investigation with FTC, OPC identified several shortcomings in systems for monitoring compliance with policies
In 2014, further complaints were filed when the Google Search app was updated to request permissions covering PI beyond what its functionality required
- OPC concluded that the complaints were not well-founded
- Granting app permissions alone does not amount to consent for collection
Incidents - Ganz
Toy manufacturer with web-enabled toys for children age 6-13 to log in and play with virtual version
Complaint: collecting and retaining PI of children without adequately explaining purpose or obtaining appropriate consent
- shared with third-party advertisers to track and profile children
Recommendations:
- provide greater clarity during online account registration
- importance of involving parents
- parental consent
- language appropriate to site’s user base
- updating privacy policy to better reflect actual practices
- improve communication of policies
Incidents - Apple
OPC investigated allegations that Apple used Unique Device Identifiers (UDID) for tracking purposes without knowledge and consent of individuals.
OPC - UDID considered personal information, disclosed to third-party app developers for targeted advertising purposes
- UDIDs considered to be sensitive personal information
- Apple replaced UDIDs with a resettable advertising identifier and gave users the option to reset it, breaking the link to their prior tracking history
Incidents - Equifax
OPC found:
- Inadequate vulnerability management
- Inadequate network segregation
- Inadequate implementation of basic information security practices
- Inadequate oversight
Incidents - Facebook 2019
April 2019 - Facebook and TYDL (This is Your Digital Life)
- data in hands of individual who sold PI of American Facebook users to Cambridge Analytica
- Users filled out personality quiz and disclosed info about friends
- Four major conclusions:
1. Failed to obtain valid and meaningful consent
2. Failed to obtain consent from friends
3. Inadequate safeguards
4. Failed to be accountable
Legal Developments - Biometric Info
Telus Voiceprint case - 4 employees complained
- FCA: characteristics of voice are personal information
- weighed privacy rights against TELUS business interests
- reasonable person would find use of e.Speak tech to be reasonable in the circumstances
Legal Developments - Eastmond
Video Cameras installed in workplace.
Test used by court:
1. Is the collection necessary to meet a specific need?
2. Is collection likely to be effective?
3. Loss of privacy proportional to benefit gained?
4. Less privacy-invasive way of achieving the same end?
Court determined the collection was permitted without consent because the tapes would only be viewed in the context of an investigation
Application was de novo, and OPC report not given much deference
Blood Tribe Case
- Individual made request to Blood Tribe for info, OPC sought info during investigation
- COURT: OPC does not have the power to compel the production of documents covered by solicitor-client privilege, and cannot even ask an org to otherwise prove that a doc is privileged
Contesting OPC Finding - Accusearch
Accusearch (ABIKA) brought to court - applicant felt OPC was wrong in concluding that it had no jurisdiction over an American org collecting info on Canadians.
Court: OPC did have jurisdiction; concerns about the ineffectiveness of enforcing a finding abroad were irrelevant; OPC is required to investigate and prepare a report, barring the application of certain exemptions
Authentication Guidelines
- Authenticate based only on the risks associated with not authenticating
- Know the individual and choose the correct level of authentication
- Regularly reassess risks and deploy risk mitigation measures
- Keep vigilant in relation to “risk creep”
- monitor any attempted attacks
- give individuals choice
Model Codes - Generally Accepted Privacy Principles
Promulgated by AICPA and CICA
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use and Retention
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement
Decisions to Appeal Public-Sector Entity Decision
- Denial of access
- Disagreement with fee
- Deemed refusal
- Advice that extension beyond 30 days is necessary
- Denial of request for correction
- Someone requesting applicant’s personal information
The Privacy Act - Collection
- Collect if info relates to an operating program or activity
- No need for data subject consent
- Obligation to collect directly from the individual except where this is impossible, the individual has authorized indirect collection, or collection is pursuant to one of the exceptions
Administrative Purpose
Use of the information in a decision-making process that directly affects that individual
The Privacy Act - Use
Use requires consent, unless the info is being used for the purpose for which the information was obtained or compiled
The Privacy Act - Disclosure
Must not disclose PI without consent, with 13 exceptions
- for the purpose for which the info was obtained
- for any purpose in accordance with an Act of Parliament
- complying with subpoena
- to the AG for legal proceedings
- to an investigative body
- under agreement between feds and provinces/foreign states
- to a member of Parliament for assisting an individual
- internal audit
- Library and Archives
- research or statistical purposes
- any aboriginal government
- for purpose of locating individual to collect a debt
- any purpose where public interest outweighs invasion of privacy
The Privacy Act - Consistent Use - Revenue Canada
CRA released info on travellers to the Canada Employment and Immigration Commission to catch people receiving EI while out of the country
FCA - the breadth of Section 8(2) demonstrated a clear intention on the part of Parliament to allow many non-consensual disclosures
Later, a tribunal was held unable to release PI contained in forms/transcripts for use in separate hearings
The Privacy Act - Info in Info Source
- Description of class of individuals
- Name of gov’t institution
- title and address of the person to whom requests should be made
- statement of purpose of PI collection and uses consistent with those purposes
- Details of the retention and disposal standards
Right of Access - Denials
- PI obtained in confidence from foreign state
- Fed-Provincial Affairs would be injured
- Injury to international affairs or national security
- Less than 20 years old and relates to the enforcement of laws
- injury to enforcement of laws
- Injury to security of a penal institution
- PI collected by RCMP performing police services
- Release of PI would reveal the identity of a confidential informant
- disruption of parole program
- threaten the safety of individuals
- PI of someone other than the requestor
- subject to S-C privilege
- Contrary to requestor’s interest considering the particular physical or mental health
The Privacy Act - Exempt Banks
Personal information holdings consisting of PI obtained by investigative bodies in the course of lawful investigations pertaining to the enforcement of law
The Privacy Act - Retention
The Act itself contains no obligation to safeguard or retain personal information, but the regulations state that info shall be retained for at least 2 years following the last time it was used for an administrative purpose
Privacy Commissioner
- Broad powers of investigation
- can only recommend solutions to gov’t institutions that have been found to be noncompliant
- if an individual erroneously denied access to personal information, commissioner may proceed to federal court for determination of whether or not info was properly withheld
- prereq - commissioner must complete the investigation and issue a report
Privacy Commissioner - No Fly List
Commissioners asked
- Gov’t refer program to Parliament so could be publicly debated
- Enact clear legislation setting out criteria
- Confer an appropriate oversight body
Video Surveillance Guidelines
- Exceptional step, taken only in absence of less privacy-invasive alternative
- public advised that surveillance is happening
- right of individuals to have their personal info respected
- subject to independent audit and evaluation
- FIP respected
Body-Worn Cameras
- inform public of program
- notify individuals when recording takes place
- safeguard recordings
- training and accountability processes
- respond to civilian requests
- minimize recording of innocent civilians
- protect for secondary uses (training and performance evaluation)
Federal versus Provincial Approaches
- Provinces have concept of “unreasonable invasion of privacy” to have greater protection for some types of info and less for others
- BC and Nova Scotia place significant restrictions on public body transfer of information out of that jurisdiction
- Most provinces give commissions power to issue orders
Privacy Act - Needed Updates
- New technologies
- Written before development of Fair Information Practices
- Does not require same degree of openness and transparency
- fails to address transborder data flows
- should have accountability when outsourcing
- greater recourse to federal court or order-making power
Digital Charter - 10 Principles
Not a legal document, principles have no enforceable effect
OPC 2018-2019 Report
- Public Sector adopt principles of “necessity and proportionality”
- Strengthen enforcement mechanisms
- Demonstrable accountability
PIA - Privacy Impact Assessments
Must be commensurate with the level of risk;
required whenever a new program is introduced or an existing program is substantially changed
Org that fails might not get required approvals from the Treasury Board