
Spam Smart Tip: Who’s Your Family?

Sometimes legislative or regulatory definitions create ambiguity rather than clarity. The definition of “family relationship” in the draft Industry Canada regulations regarding Canada’s Anti-Spam Legislation (CASL) is a case in point.

CASL is not yet in force. When it comes into force (no date set yet as of the date of this post), CASL will provide exemptions for a commercial electronic message (CEM) sent to a recipient with whom the sender has a “family relationship”. CASL typically requires express opt-in consent to CEMs and requires CEMs to contain prescribed information, including an unsubscribe mechanism. Those requirements won’t apply to CEMs to “family relationship” recipients.

What constitutes a “family relationship” for the purposes of CASL has been left to Industry Canada. The draft regulations did not disappoint for complexity, adopting, in part, definitions from Canada’s Income Tax Act. Does the complexity deprive the exemption of utility? Possibly. Take the question of whether your sister’s boyfriend will be able to send you his monthly business newsletter (without first getting your consent). If he wants to use the family relationship exemption, its availability seems to depend on where your sister and her boyfriend live in Canada, whether they are in a conjugal relationship, and how long they have lived together in that conjugal relationship! Or, in some cases, it might be relevant whether they have a child.

The draft Industry Canada regulations released in December 2012 contained the following definition:

“family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or is of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual, or

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual;

So, an electronic newsletter from your sister’s boyfriend could be exempt if you and your sister’s boyfriend are in a “family relationship”. You will be in a “family relationship” with your sister’s boyfriend, according to the draft regulations, if your sister and her boyfriend are in a common law partnership, since (taking the ordinary meaning of “sister”) you would be connected by a blood relationship to your sister.

The draft regulation assumes that there is something easily identifiable as a “common law partnership” in Canada. That’s an assumption worth examining.

Typically, whether an intimate or interdependent relationship is recognized as having marriage-like qualities depends on provincial legislation. When Canada’s Parliament wishes to impose a uniform definition, it does so through a defined term. For example, subsection 248(1) of the Income Tax Act defines a “common-law partner” as two people who are cohabiting in a conjugal relationship for a continuous period of at least one year. (To make matters complicated, there is another definition involving persons who have a child.)

Provinces also define types of de facto marriage relationships for specific purposes, typically family law support obligations. However, the term “common law partnership” is not a term of legal art.

In Ontario, for example, section 29 of the Family Law Act recognizes individuals as spouses of one another for certain family support obligations if they have lived in a conjugal relationship continuously with one another for a period of not less than three years or are the natural or adoptive parents of a child and are living in a relationship of “some permanence”.

By contrast, the period of conjugal relationship in subsection 3(1) of the British Columbia Family Law Act is two years.

By further contrast, the Alberta Interdependent Relationships Act recognizes interdependent relationships of three years or more but there is no necessity for the relationship to have a conjugal element.

In yet another variation, individuals may simply register their relationship as common law under the Manitoba Vital Statistics Act.

So what definition of common law partnership will be read into CASL? Family law where the couple lives? The commonly used federal legislative definition? Something else developed by the regulators or the courts?

The sky won’t fall, of course. There is also a “personal relationship” exemption. The proposed definition for this exemption is very broad. However, it does require direct, voluntary, two-way communications and enough factors to suggest that the relationship is personal. Relevant factors include whether there are shared interests, experiences, opinions and information “evidenced in the communications, the frequency of the communication, the length of time since the parties communicated and if the parties have met in person”. So, the exemptions may not quite overlap.

International Internet Privacy Sweep

The Office of the Privacy Commissioner of Canada (OPC) has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an “Internet Privacy Sweep”.

The first sweep begins today and continues for a week during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.

Spam Smart Tip: Understand the meaning of “commercial character”

Canada’s Anti-Spam Legislation (CASL) restricts the ability of organizations to send commercial electronic messages without the consent of the recipient.

A critical step in the decision tree is, therefore, to determine what constitutes a “commercial electronic message”. Here’s the definition of a “commercial electronic message” in subsection 1(2) of CASL:

(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

When designing a compliance policy, care must be taken not to consider the items listed in (a) to (d) as being exhaustive. Instead, the critical part of the definition is the portion that is bolded – that is, “it would be reasonable to conclude [that the message] has as its purpose, or one of its purposes, to encourage participation in a commercial activity”.

“Commercial activity” is broadly, albeit ambiguously, defined in subsection 1(1). A commercial activity does not require profit-making or even a profit-making motive. It involves any transaction, act or conduct or regular course of conduct that is of a “commercial character”.

The difficulty for organizations, particularly non-profit organizations, is that determining what is of a “commercial character” is not straightforward. Indeed, this seems to be acknowledged by the need to expressly exclude such activities as law enforcement, public safety, the protection of Canada and the conduct of international affairs or the defence of Canada.

Historically, Canadian courts have interpreted “commerce” as any activity involving the exchange for money, or by barter, of products. The debate has been whether a one-off transaction would be considered commerce. CASL seems to suggest that even a one-off transaction could be commerce, given the reference to a “particular” transaction, act or conduct. In the context of CASL, any electronic message that “encourages participation” in a commercial activity will be a CEM.

If a broad scope is given to the meaning of “commercial character”, the definition may sweep in many types of messages that would not be commonly understood as such. For many organizations, branding is critical. Emails will frequently include at least some form of information to invite the reader to visit a website through a hyperlink or to announce or promote a product or service. Once CASL comes into force, it will be important for organizations to have strict controls over the content of electronic messages and approvals for content. Choices may need to be made between promotional “add-ons” and ensuring consent is obtained or the organization has a viable exception to consent.

Why do I have to agree to your Privacy Notice? And other curiosities

There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contain a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

  • Retention. The user is told that personal information “will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

  • Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying: “We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.”

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128-bit encryption.

Thoughts?

The Power of “Why” in the Exercise of Discretion to Disclose

Asking “why” is a powerful deterrent to over collection and, as a recent Alberta case demonstrates, can be a powerful check on “over disclosure”.

In Order F2013-12, the issue for the Office of the Information and Privacy Commissioner of Alberta was whether the entirety of an accident report created from information collected from the driver of one vehicle should be automatically and routinely disclosed by the police to the other driver involved in the accident.

The form established by the Registrar for the accident report collects the driver’s name, address, date of birth, gender, home phone number, work phone number, and operator’s license.

The case for disclosure looked strong:

  • The Alberta Traffic Safety Act requires drivers who are involved in an accident to complete an accident report with the police.
  • The form of accident report is prescribed by the Registrar of Motor Vehicles.
  • The police are required to collect the accident report.
  • If requested, a driver is required to disclose to the police or anyone sustaining loss or injury, the driver’s name, address, operator’s licence, name and address of the registered owner of the vehicle, licence plate of the vehicle, and the financial responsibility card issued in respect of the vehicle.
  • The police are permitted to provide the Registrar with a copy of the accident report.
  • The police are permitted to release information in the accident report to a person if the person may be liable to pay damages.

The Freedom of Information and Protection of Privacy Act permitted disclosure of personal information for a purpose in accordance with a law that authorizes or requires disclosure, but only to the extent necessary to carry out the purpose in a reasonable manner.

The Adjudicator agreed that in theory disclosure of an accident report was authorized by law. However, the disclosure provision was permissive – that is, the police had discretion to exercise.

So, why did the police exercise the discretion to disclose the entirety of the report? The Adjudicator didn’t receive a good answer. It seems it was the practice of the police to do so. But the drivers in this case had not asked for each other’s information. Even had they done so, the Traffic Safety Act did not require disclosure of the drivers’ birth dates or telephone numbers. Moreover, no party requested a copy of the accident report.

The disclosure was gratuitous in order that the drivers need not ask for copies of the report and in order to ensure that the drivers meet their obligations to one another. In the result, the Adjudicator ordered the police to cease disclosing more information than was necessary for that more limited purpose – such as name, address and operator’s licence.

Spam Smart Tip: Transition Period Balm for the Compliance Sting

Transition periods for new legislation are often critical in taking the sting out of compliance costs. But some transition periods are better than others. In the case of Canada’s Anti-Spam Legislation (CASL), organizations should consider the transition periods – not only what they cover, but also what they don’t. There are definitely winners and losers.

When CASL eventually comes into force, there will be two separate transition periods. The first is for consent to commercial electronic messages (CEMs) and the other is for the installation of computer programs. This Spam Smart Tip examines the transition period for CEMs and existing business relationships.

Section 66 provides for implied consent to CEMs for the shorter of:

  • three years after the coming into force of the legislation; or
  • the recipient’s “unsubscribe” or indication that they no longer.

An organization may rely on the transitional implied consent to CEMs if:

  • the person has an “existing business relationship”; and
  • that relationship includes CEMs

What’s an “existing business relationship”? For the purposes of the transition period, the existing business relationships that will be applicable to most enterprises are ones that arise out of:

  • the purchase or lease of a product, goods, a service, land or an interest or right in land by the person to whom the message is sent from the person who sent the message or caused the message to be sent (the “purchaser / lease exception”);
  • the acceptance by the person to whom the message is sent of a business, investment or gaming opportunity offered by the person who sent the message or caused the message to be sent (the “investment / gaming opportunity exception”);
  • a written contract entered into between the person to whom the message is sent and the person who sent the message or caused the message to be sent (and that is not already covered by the purchaser / lease exception or the investment / opportunity exception);
  • an inquiry or application made by the person to whom the message is sent to the person who sent the message or caused the message to be sent regarding the purchaser / lease exception or the investment / gaming opportunity exception.

Usually, there is a sunset provision for an existing business relationship under CASL. For example, an existing business relationship in respect of an inquiry or application ends 6 months after the inquiry or application for the purposes of implied consent for any new relationships after CASL comes into force. But that isn’t the case for those existing at the time of CASL coming into force. The sender may rely on implied consent for three years.

This is a significant transition period. Three years is a long time to refresh consents for existing business relationships and existing non-business relationships. Organizations may wish to consider this in planning priorities in their compliance strategy.

However, the story isn’t uniformly a good news one. Organizations should also carefully review the scope of the relationships captured by the transition period. The definition of an existing business relationship certainly does not cover the field of relationships that enterprises may have with individuals to whom they send CEMs. Notably, the transition period may not be of assistance to professions or enterprises with very long lead times to make sales.

Context, Content and Privacy in Warrantless Searches of Cell Phone and Cameras

Context and content matter to the assessment of reasonable expectations of privacy in criminal law matters.

Recently, in R. v. B. (C.), 2013 CarswellOnt 3851 (SCJ), P. Smith J. considered the constitutionality of a warrantless search and seizure of a camera that was alleged to have been used to surreptitiously film a child in the accused’s residence as well as the seizure (but not search) of the accused’s computer.

According to the allegations, the complainant (a minor) found a video camera in her bedroom containing naked pictures of herself. The police were called to a relative’s house and were shown the pictures on the video camera. While the police were at the relative’s house, the accused showed up and identified the camera. The police took the camera.

After taking the accused into custody, the police were given access to the accused’s home by other family members and a computer accessed by family members was seized but not searched.

The police then obtained two warrants to search the camera and the computer.

When the accused challenged the search and seizure of the camera, the court ruled that a video camera is different from a mobile phone. The court concluded that a video camera does not have the capability of storing private voice, text, e-mail communications, detailed personal contact lists, agendas and diaries, that are typically stored on a mobile phone. Accordingly, the accused did not have a heightened expectation of privacy.

But, more importantly, when the contents of the camera were first viewed by the police, the ownership of the camera was not yet known. Moreover, any privacy interest that the accused had was, in the court’s view, “relinquished” when the accused “decided to hide it in the bedroom” of the complainant.

Turning to the computer, the court noted that the fact that the entrance to the house was provided by the co-owner and the computer was commonly used by the family, including the accused, made the seizure of the computer “incident to arrest” reasonable in order to preserve potential evidence. The court noted that the computer was only searched after a warrant was obtained.

Some of the reports of this case stress the judge’s conclusion that a video camera is not like a cell phone. That certainly is part of the decision. Content matters. However, context matters as well. The video camera here was presented by the accused. The police were provided with the camera by the complainant and looked at it not knowing who the owner was in order to make a determination of whether to proceed. This is far different from searching and seizing a camera that was under the custody or control of the accused.

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witnesses’ testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

  • Guidelines for social media and data management companies regarding accountability and openness
  • Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent
  • Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Heard of the Internet of Things? FTC to Conduct a Workshop

Have you heard about the Internet of things? If it is industry’s great opportunity, it might be the Privacy Officer’s brainteaser over the next few years.

Increasingly objects are becoming “smart”. No human intervention is required to record and communicate data, permitting otherwise unconnected objects to interact with one another.

Objects are being embedded with a variety of sensors. These objects collect information about their environment, their operation, and their interaction with other objects. These devices can communicate with each other and with databases through wireless networks. All of the data that these objects collect and produce becomes fodder for analysis in Big Data projects for understanding complex systems.

Even though human intervention is not required, individuals are often interacting with those objects in some way, such that the information is, at least in part, about those individuals.

As the Federal Trade Commission (FTC) puts it:

“Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.”

For that reason, the FTC is holding a workshop on November 21, 2013 to study the Internet of Things.

FTC will accept submissions on the implications of these developments through June 1, 2013.

Enough with the Unencrypted Portable Devices says the Ontario IPC

The #1 item on my “tough love list” for New Year’s 2013 was “Enough of the Unencrypted USB Keys”.

You won’t have been alone if you didn’t tackle that in the first quarter of 2013.

However, the Information and Privacy Commissioner of Ontario has filmed and posted a “Commissioner’s Corner” that might get this item onto your agenda. Following the latest loss of data in Ontario, Dr. Cavoukian spoke out on the transfer and storage of personal information on unencrypted storage devices.

Some salient quotes from Dr. Ann Cavoukian:

“It wasn’t encrypted; that’s what makes me crazy”

“You cannot allow data, sensitive data especially, to be transferred onto a mobile device, be it a laptop, a USB key, whatever, without encrypting the data”

“It’s not enough to have a policy that says you are supposed to encrypt the data, you have to have that reflected in concrete actions that take that from the policy stage to the front line staff who are doing these things and you have to train the staff […] and you have to give them the means by which they know how to encrypt the data […]”

“Don’t let there be one more data breach like this”

Message received, Commissioner.

Keeping Your Canadian Do Not Call Compliance Fresh

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced three recent settlements demonstrating that organizations would do well to ensure they are complying with Canada’s telemarketing rules.

On April 3, 2013, the CRTC announced a settlement for failure of a company to properly download monthly the National Do Not Call List. This resulted in the company’s dealers calling numbers that were registered. The settlement included a payment of $100,000 and, among other things, a requirement to provide an annual report documenting consumer complaints and the steps taken to resolve them.

On April 2, 2013, the CRTC announced settlements with two organizations who had used automated calling devices (robocalls) in violation of Canada’s Unsolicited Telecommunications Rules. Those rules require express consent to telecommunications through an automatic dialing-announcing device. In addition to administrative monetary penalties of $69,000 and $11,000 respectively, the CRTC’s settlement provided for, among other things, annual reporting to the CRTC for five years documenting customer complaints and steps to resolve them.

Gatekeepers and Online Defamation

The scourge of online defamation poses enforcement challenges for victims. So much so that there may be a temptation to begin looking for gatekeepers. The direction of the law appears to be ready to assist.

Consider, for example, the problem of the anonymous blogger. The path to justice requires a number of separate steps. Obtain an order requiring disclosure of subscriber information. Cajole the host of the blog to take down the content. Seek an order to validate service of proceedings on the blogger by email. Finally, pursue default judgment. In Manson v. John Doe, 2013 ONSC 628, the plaintiff followed that route and was awarded C$200,000 in damages and nearly C$50,000 in costs on a motion for default judgment. Whether the judgment will ever be satisfied is unknown.

A more direct route to compensation might be to impose a gatekeeping function on the owner of the website. That route might just become easier. Last year, in Canoë inc c. Corriveau, 2012 QCCA 109, the Quebec Court of Appeal upheld an award of C$150,000 in damages and C$50,000 in punitive damages against the website owner who was found to have been grossly negligent in permitting defamatory statements to remain on the site. The hook was that the website owner failed to promptly enforce a website code of conduct.

More recently, in February, the English Court of Appeal, in Tamiz v. Google Inc., [2013] EWCA Civ 68, held that the host of a blog could be liable for defamatory material in circumstances where the host provided a platform, provided assistance and services relating to the platform, and imposed terms and conditions that enabled it to remove or block service in the event of a breach of the terms. The Court of Appeal held that such a host could become liable for allowing defamatory material to remain on the site once the host had been notified of the defamatory material and had a reasonable period of time to remove the material.

Of course, national laws may differ with respect to what constitutes defamation and defences to defamation. So, as always, it is necessary to seek local guidance before jumping to conclusions.

However, the risk management message is clear. If an organization is operating a platform or interactive site with a social media component where users may post comments and reviews and interact with one another, that organization would do well to review its policies and whether it has the resources and compliance structure to ensure that it monitors the site or at least can respond quickly to complaints.

Global Reach for Data Governance Law

Our New Look and International Legal Practice

Welcome to the new look for DataGovernanceLaw.com. Fraser Milner Casgrain (FMC) has become Dentons Canada LLP, and has joined Salans and SNR Denton to form Dentons, an international legal practice. For more on Dentons, visit www.dentons.com.

We are now working together with 2,500 talented lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.

Two Blogs!

This blog will continue to bring you developments in data governance law, including privacy, e-commerce and consumer protection topics that we think are interesting to you, with a Canadian spin.

We also invite you to visit our sister blog at www.privacydatasecurityblog.com, which will provide you with coverage and commentary from an international perspective on privacy and data security.

What does the future hold in store?

We have always covered international legal developments on this blog because e-commerce and m-commerce are not confined to geographical boundaries and because there is much to be learned from other jurisdictions in this evolving area of the law. I am personally delighted to join our colleagues from the former Salans and SNR Denton. Together, we will be able to provide you with insights regarding best practices in privacy and security and insights regarding data governance from around the world.

Over the coming months, we will be combining our blogs. These are exciting times. I look forward to sharing them with you.

 

BYOD & the Board of Directors — Part Three: Elements of a board information governance policy

This is the third post in a series on BYOD (bring-your-own-device) and the obligations of directors relating to the protection of corporate confidential information. The first post examined the issue from the perspective of the director’s statutory fiduciary duty and duty of care. The second post made the case for a board information governance policy. This post examines the content of a board information governance policy.

The elements of a board information governance policy will vary with the nature of the corporation, the sensitivity of the information, the importance of the information to the corporation, the technical skills of the directors, and the willingness and financial ability of the corporation to invest in technological solutions. The following is a non-exhaustive list of possible topics for inclusion in a policy.

Scope of the Policy

a. Scope of confidential information

A board information governance policy should define the scope of confidential information. At a minimum, this will include all material, non-public information about the corporation and all personal information collected or used by the corporation. However, the corporation may also owe express or implied duties of confidentiality to third parties, such as suppliers, business partners, shareholders and clients, among others. It is desirable to include this type of information under the policy as well.

b. Application of the policy

A board information governance policy should also describe the types of communications and records that are governed by the policy. Does the policy only apply to communications between corporate officers and the directors or to all records relating to the director’s duties or to specific classes of records? Although the focus of this post is on electronic communications, a board information governance policy may also address printed material.

Information Technology and Security

a. Security requirements on director-owned devices

A board information governance policy might define for directors the minimum security requirements for director-owned or third-party-owned devices. The policy could also provide directors with a point-person who can assist the director in implementing those requirements or assessing compliance with them.

The content of the security requirements should be determined in consultation with the corporation’s technology department. Consideration may be given to requiring that all devices be protected by strong passwords and remote wiping technology. The policy may require operating systems of a particular version or higher with anti-virus protection of a particular version or higher.

In situations where the board is expected to receive extremely sensitive information, the corporation may require the director to agree to permit the corporation to install software allowing the corporation to control the device and wipe the device remotely. A corporation may require that directors receiving or storing highly sensitive information or personal information of employees do so only on encrypted devices.

b. Use of personal or third-party email accounts

The board information governance policy might provide guidance on the use of personal or third-party (e.g. the director’s employer) email accounts. The corporation should consider whether the use of personal or third-party accounts is consistent with the corporation’s record retention and information security policies.

If personal or third-party email accounts are permitted by the corporation, consideration should be given to establishing clear guidelines regarding the terms of service for those accounts, back-up requirements and disaster recovery protocols.

If non-personal third-party accounts are being used, such as an account provided by the director’s employer or another organization in which the director is involved, special attention should be given to determining whether the policies related to those accounts are in conflict with the corporation’s interests. It is not uncommon for employers to claim the right of ownership and the right of inspection of all communications conducted through the employer-provided email account.

Records Management

a. Commingling of information

A board information governance policy should establish the corporation’s expectations regarding the commingling of corporate information with the director’s personal information or information related to the director’s employment or duties in connection with other corporations.

In addition to assessing whether commingling presents problems relating to the corporation’s records retention programs, consideration might be given to whether commingling creates an unacceptable risk of inadvertent disclosure.

The corporation should also consider electronic discovery issues in the event that the corporation’s information must be extracted for litigation. This is not simply an inconvenience issue. Is the corporation prepared to have its records reviewed in the course of another company extracting information related to litigation involving that other company?

b. Records retention and destruction obligations

A board information governance policy may address special records retention and destruction obligations relating to board materials and communications.

For example, what is the corporation’s policy regarding corporate records in the possession or control of the director at the end of his or her service? Are all records to be destroyed? If the director will retain the records, is it necessary for the corporation to have an express agreement with the director to maintain those records for a minimum period of time and to provide the corporation with access to the records as may be required?

Another special issue may be records relating to committee work, including special committees appointed to review major transactions. Not infrequently the corporate secretary and management directors will be excluded from the work of these committees. Consideration should be given to whether and how those records will be retained without interfering with the independence of the work of those committees. If those records are to be retained, how will they be retained if the directors are using personal or third-party information technology and email accounts?

Even the basic application of a corporate records retention policy may involve special adaptation to the board. For example, if a director is using an email system controlled by a third party, such as the director’s employer, is the records retention policy applied to that email system in conflict with the corporation’s records retention schedule? Will directors during and subsequent to their service be asked to destroy records in accordance with a records retention schedule? Should any special consideration be given to records relating to the board’s conduct during major corporate transactions, such as mergers and acquisitions or dispositions?

c. Litigation hold obligations

A board information governance policy might clarify the director’s obligations with respect to the preservation of electronic records in the event of litigation. The policy may require directors using their own devices and personal email accounts to provide access to those devices and accounts for the purposes of preserving and gathering information that is relevant to the litigation. A board information governance policy will also describe the limits on that access. For example, it may be unreasonable to demand access if the director has been sued by the corporation or in situations where the corporation refuses to provide a defence to the director or is otherwise adverse in interest to the director.

Additional issues should be addressed if directors are permitted to use email accounts and information systems that are not controlled by the directors, such as those controlled by the director’s employer. Will the director be responsible for ensuring that the third party will provide access to those systems for the purpose of preserving and gathering relevant electronic information?

Communications Protocols

a. Special Classes of Communications

A board information governance policy may also set out protocols for handling particular types of communications. Prior to developing these protocols, the corporation may wish to employ a risk analysis of the likelihood and consequences of a breach of confidence relating to particular classes of communications.

A protocol for quarterly financial information might require password protected or encrypted formats. Directors may be prohibited from communicating about undisclosed financial results by email unless password protected or encrypted. Similarly, information relating to proposed executive compensation may be sufficiently sensitive to warrant special procedures. Communications and documents relating to a merger, a major acquisition or disposition, or litigation might be restricted to secure portals through which directors could access information and communicate with one another.

Protocols may also restrict communications to certain electronic addresses. For example, the board information governance policy may require directors to use designated email addresses for communication and not resort to text messages, instant messaging services, PIN messages, or forwarding email from a work account to a personal account at the cottage. These alternative methods of communication may be convenient when dealing with a major, urgent event, but may also create security, record retention and litigation management problems precisely when those issues matter most to the corporation.

Informational Conflicts of Interest

a. Sharing information with corporate parents or subsidiaries

A board information governance policy could also address potential conflicts of interest relating to information. For example, in the case of cross-appointments between parents and subsidiaries, what are the duties of directors regarding corporate information? Appellate courts in Canada have yet to wrestle to the ground the problems created by information sharing in a corporate group, although one appellate court has commented in a judicial aside that it seemed impractical to say that the directors of a subsidiary can never tell its secrets to the parent company. Nevertheless, should there be official, documented channels of communication in order to manage issues where there may be emerging conflicts of interest or where sharing of information might result in a loss of privilege?

b. Sharing information with nominating or appointing shareholders

There is significant potential for informational conflicts of interest in the relationship between a director and his or her nominating or appointing shareholder. Leaving aside securities laws issues relating to selective disclosure, the basic corporate rule appears to be that the director is required to maintain confidentiality. This may, of course, lead to a conflict between the director’s duties to the corporation and the director’s duties to his or her nominating shareholder.

A board information governance policy may address this situation directly for the mutual protection of the director, the corporation and the shareholder. The policy may require official, documented channels of communication. The policy may also address whether in these circumstances it is appropriate for the director to use email accounts, devices or information systems owned or controlled by the shareholder, in order to avoid the perception of impropriety.

Building Board Capacity and Compliance

a. Assistance and Education

Although directors may have a statutory duty to supervise the management of the corporation, non-management directors may not know who within the organization to call to get assistance or how to obtain information on technological issues associated with complying with their duties to protect the corporation’s information.

Consideration might be given to providing directors with direct access to a knowledgeable information technology and security professional who can assist the director in securing his or her devices and home networks and troubleshoot issues that the director has. The simple act of setting up a separate email folder on a smartphone or assisting the director in installing personal, remote wiping software may greatly enhance the security of the corporation’s information.

Depending on the technical sophistication of the directors and the technology and security complexity of the corporation’s information governance and records retention standards, corporations may also wish to consider providing education to directors upon first appointment and periodically thereafter.

b. Breach Disclosure

Directors should also have a clear understanding of their obligations with respect to what the corporation considers to be a breach of confidentiality as well as the director’s duty to report a breach. Directors should understand the protocol for losing a tablet, laptop or smartphone containing corporate confidential information.

c. Self-Audit and Review

Board self-evaluation might include consideration of whether directors and the corporation are complying with the board information governance policy. Periodic review of the board’s actual practices against the information governance policy is advisable not only to enhance compliance but also to ensure that the information governance policy is practical and does not become an unintended liability in litigation as a result of not being followed.

 

BYOD & the Board of Directors — Part Two: The Case for a Board Information Governance Policy

The security and information governance issues that arise with “bring your own device” or BYOD are not restricted to employees of the corporation. These issues also affect information governance practices when communicating with the board of directors. In my previous post in this series, I examined the duties that directors have in safeguarding corporate information and the questions that directors might ask themselves in assessing whether they are being prudent and diligent.

This post examines the case for a board information governance policy. The last post in this series will address the elements of a board information governance policy.

The purposes of a board information governance policy

The fundamental reasons for developing a board information governance policy are (1) to establish expectations regarding the standard of care the directors are expected to bring to the management of corporate information and (2) to assist directors through corporate procedures and technology in fulfilling their duties to protect that information.

The special position and risks of BYOD and directors

Directors occupy a special position within the corporation. Except with respect to matters reserved to shareholders, the board of directors are the ultimate decision-makers. Information that they receive is likely to be highly sensitive corporate financial and strategic information, which may not become publicly known until authorized for disclosure by the board.

The board of directors of a public corporation will be comprised of at least some non-management directors. Unlike senior officers and management directors, these “independent directors” are unlikely to be working on corporate-owned or corporate-controlled devices. These directors may not even use corporate-controlled email accounts. Instead, these directors may be using personal email accounts or those of their employer. Electronic communications with these directors and among the directors as a group will, therefore, be mediated through non-corporate-controlled information technology systems, notwithstanding that the directors are likely to be dealing with some of the most sensitive information of the corporation.

Independent directors are also more likely to have other employment or sit on the boards of other corporations. This introduces the possibility of the commingling of the corporation’s information with information of third parties in a way that will complicate the application of the corporation’s records retention and security policies.

Consider, for example, the simple issue of a corporate information security department being able to remotely control the corporate director’s mobile device to enforce security protocols. If a director is also using the same device to receive information from his or her employer and another corporation on which he or she sits as a director, who, if anyone, should have control over that mobile device? What are the consequences if the device is remotely wiped by one corporation resulting in the loss of information relevant to the other corporation?

The case for the board information governance policy

The utility of a board information governance policy is that it provides the flexibility to recognize that the information governance challenges at the board level and with senior officers communicating with directors may be different from those relating to other employees. It provides an opportunity for the directors to set out guidelines to govern their information practices and heightens attention to cybersecurity issues at the board level at a time when securities regulators are increasingly requiring corporations to disclose material cybersecurity risks and breaches.

The next and last post in this series outlines the elements of a board information governance policy.

BYOD & the Board of Directors — Part One: A Risk to Reckon With?

The information security concerns relating to employees using their own devices for work (such as smart phones, netbooks and laptops) are a hot topic. Although “bring your own device” or BYOD is here to stay, the practice of employees using their own devices for employment duties creates information governance challenges.

What about the role of BYOD at the level of the board of directors? Corporate officers, including the corporate secretary, frequently communicate with board members through electronic means. Directors are also likely to communicate with one another between meetings through electronic means. It is not uncommon that these electronic communications may include preliminary evaluation of strategic matters, legal advice, draft employee compensation arrangements, material contracts and draft financial reports.

This post examines some of the duties of directors with respect to the use of their own devices and email accounts. Subsequent posts will set out the case for a board information governance policy and examine some of the elements of such a policy.

Is it really a problem?

Before dismissing the information governance challenges related to electronic board communications, consider the following questions:

  • How often is information sent to directors at personal email addresses or to email addresses belonging to other companies that may employ the director?
  • Does the corporation have a good handle on the device and security standards being used by directors when they are handling some of the most sensitive material non-public information of the corporation?
  • What assurance is there that third-party technology policies do not create rights in the information sent to those third-party accounts, such as, for example, when a director is employed by another company?
  • What happens if confidential information is retrieved and stored on a director’s personal device and the device is lost or stolen or lacks security protection? Is the device capable of being wiped?

A director’s duty to protect corporate information

A director has a duty to bring the care, diligence and skill of a reasonably prudent person to the protection of confidential corporate information.

Directors owe a statutory duty of care in fulfilling their obligations to the corporation. Paragraph 122(b) of the Canada Business Corporations Act, RSC 1985, c C-44 (CBCA), for example, provides that directors and officers must “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances”.

In addition to the duty of care, directors of Canadian business corporations owe a duty of loyalty to the corporation. The duty of loyalty is a common law duty that has been incorporated into most corporate legislation in Canada. For example, paragraph 122(a) of the CBCA provides that every director must act honestly and in good faith with a view to the best interests of the corporation.

The Supreme Court of Canada has described this “statutory fiduciary duty” as including a duty to maintain the confidentiality of information acquired by being a director. This statutory duty also typically prohibits directors from using information acquired by virtue of their position for personal gain.

Even leaving aside the fiduciary duties of a director, a duty of confidence may arise anytime a person receives information that has a quality of confidence about it in circumstances in which there is an express or implied obligation of confidentiality.

Issues for directors to consider

The care, diligence and skill to be exercised by a reasonably prudent director depend on the circumstances. There is, therefore, no single prescriptive information governance practice that will fulfil a director’s statutory duty of care. The types of controls that a director may wish to consider deploying depend on the sensitivity of the information and its importance to the corporation.

Below is a checklist of questions that a director may wish to review as part of determining whether the director’s information governance practices are consistent with, and capable of, fulfilling the director’s duties of confidentiality to the corporation.

Device and Network Security

  • Is the device only used by the director or is it shared with other people, such as family members?
  • Are all devices on which the director views electronic communications and material secured by a strong password (at least 8 characters containing at least one number, one capitalized letter and one symbol) and protected by anti-virus software that is frequently updated?
  • Are all devices on which the director stores corporate information encrypted? If not, are there particular types of information that should not be stored on those devices, such as personal information of employees and officers or material non-public information relating to merger discussions or financial results?
  • Is the device enabled with a remote wiping technology in the event that it is lost or stolen?
  • Is the director using the device when connected to wifi? Does the director use secure wifi connections? Is the director’s home network protected by a firewall?

Account and Information Security

  • Does the director access information through a secure portal? If not, are there particular types of sensitive information that should only be available in this way?
  • Is the director receiving information through an email address to which others have access, such as an administrative assistant? Should those third parties be bound by a confidentiality agreement?
  • Is the director receiving information at a personal email address or an email address belonging to another corporation? If so, is this appropriate for all types of information? Do the terms of service of the personal email address provider or the terms of use of another corporation’s email policy permit access to the email account by third parties? Are those third parties governed by confidentiality agreements?
  • Is the email account protected by a strong password? Is email encrypted when transmitted? Are email and other electronic records encrypted when stored?
  • Is the email address provided as part of a cloud-based service? If so, does the director understand what limitations there are on that service?
  • Does the director have the technical skills to understand whether information retained on the device is being collected, used or stored by other applications without the director’s knowledge?

Document Management

  • Is the director storing electronic records on a third-party’s system? If so, are the records password protected or logically separated from records that can be viewed by others? For example, are records received by the director stored on his or her employer’s systems in a manner that would permit others to view or otherwise inspect those records?
  • Does the director print material? Is that material stored in a secure location? Who else has access to the information?

Records Retention

  • Does the director have the technical and administrative capability to comply with the corporation’s records retention policy? For example, does the corporation’s records retention policy require retention of emails between directors about the corporation’s business for a defined period of time? Is the director able to ensure compliance?
  • If the director is using the email or electronic storage services of another corporation in which he or she serves as an employee, will the director have access to that email if he or she is no longer employed by that corporation? If not, has provision been made to migrate those records in the event of retirement or dismissal?

Litigation

  • Does the director have the technical and administrative capability to comply with a litigation hold in the event that litigation arises and records created, retained or received by the director are responsive to the issues in the litigation?
  • Has the director mixed personal and business uses on the device in a way that will make it more likely that the director’s personal records or records relating to his or her duties to another corporation will need to be inspected in the event the device must be produced for litigation purposes?

These issues may be daunting for directors. However, there are technological solutions. Directors may wish to consider more structured ways to receive board information, such as through secure portals or third-party cloud-based board communication service providers.

In subsequent posts on this topic, I’ll look at these issues from the perspective of the corporation embarking on creating information governance policies for the board.

M-Commerce Privacy & Security

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

  • Main takeaways from recent Canada and U.S. guidelines
  • Dealing with Address Book Information
  • Online Behavioural Tracking and Analytics
  • Geolocation Data
  • Collecting Information from Children
  • Transparency and Accountability in Design
  • Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

This presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. 

A Personal Email Records Management and Privacy Problem

The use of personal email for business is a significant problem for records retention and privacy programs.

On March 18, 2013, the British Columbia Information and Privacy Commissioner (OIPBC) announced an investigation into the use of personal email accounts by public servants in that province. Although the investigation is taking place in a public sector context, the investigation is also relevant for organizations in the private sector.

Records Management Obligations

Communications taking place outside of the organization’s email records management system may not be captured in compliance with the organization’s records management system. The OIPBC reminds public servants in Guidelines on the Use of Personal Email Accounts for Public Business (released on March 18, 2013) that personal email may still be subject to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).

FIPPA applies to records in the custody or control of a public body. A record will be under the control of the organization if (a) the record relates to a departmental matter and (b) the government institution could reasonably expect to obtain a copy of the record upon request. The OIPBC’s general rule is that “any email that an employee sends or receives as part of her or his employment duties will be a record under the public body’s control, even if a personal account is used.” These records may, therefore, be subject to access to information requests even though the organization does not have possession of the email record.

This isn’t just a public sector problem. For example, subsection 23(1) of the British Columbia Personal Information Protection Act (“PIPA”), which applies to private sector organizations in British Columbia, provides that an organization must provide an individual with the individual’s personal information under the control of the organization. There is no obvious reason why the meaning of “control” in PIPA should be narrower than in FIPPA.

Information Security Obligations

The OIPBC also expressed concern regarding the security of personal email in the Guidelines. This issue applies equally to the public and private sectors. Depending on the service used by the employees and whether copies of the email are downloaded to unencrypted devices, the email may be stored in an insecure environment.

Private organizations should be aware that section 34 of PIPA requires the organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. Organizations may be faulted for turning a blind eye to the practice of employees using personal email systems that do not provide for adequate security. In assessing the risk, organizations should consider whether they would have breach notification responsibilities in the event an employee’s personal email was compromised and that email contained personal information collected by or on behalf of the organization.

Even leaving aside the possibility of a breach, organizations should consider whether employees transmitting personal information outside of the administrative, technical and physical security controls established by the organization would violate representations made by the organization in its public privacy policies.

 

Legal Aid Society of Alberta Subject to Privacy Legislation

An adjudicator of the Office of the Information and Privacy Commissioner of Alberta (OIPC) has concluded that the Personal Information Protection Act (Alberta) (PIPA) applies to the Legal Aid Society of Alberta. The decision is of broader interest because it continues the trend to interpret the definition of “commercial activity” broadly, resulting in the application of PIPA to the activities of many non-profit organizations.

PIPA applies to non-profit organizations when engaged in a “commercial activity”. Pursuant to subsection 56(1) of PIPA, a “commercial activity” means any transaction, act or conduct, or any regular course of conduct that is of a commercial character. Pursuant to subsection 56(3) of PIPA, non-profit organizations are subject to PIPA in respect of personal information that is collected, used or disclosed by the non-profit organization in connection with any commercial activity carried out by the non-profit organization.

The Legal Aid Society of Alberta provides legal assistance to individuals in defined areas of the law on a means-test basis. In the case that gave rise to the complaint, the applicant sought assistance from the Legal Aid Society on two separate occasions but was refused representation (although the second time he was provided with limited advice and referral information). The applicant then sought access to his file at the Legal Aid Society. The Legal Aid Society provided copies of the staff lawyers’ notes from one of the applicant’s interactions, records relating to the appeal of the determination of whether to provide him with representation and confirmed certain other facts. The applicant complained to the OIPC relating to certain alleged failures of the Legal Aid Society in addressing his access request. The adjudicator’s decision did not consider the alleged failures.

Instead, as a preliminary matter, the adjudicator considered whether PIPA applied to the Legal Aid Society. In particular, the adjudicator considered whether the Legal Aid Society was engaged in a commercial activity when collecting, using or disclosing the applicant’s personal information. In assessing whether the Legal Aid Society’s activities were commercial, the adjudicator accepted the following principles:

  • a commercial activity is of a trade-like or business-like nature;
  • an exchange of consideration, while important to establishing a contractual relationship, was not an essential characteristic of a commercial activity;
  • profit-making need not be the “preponderant” purpose of the activity to make it commercial;
  • the activity need not be commercial in itself, provided that it is of a “commercial character”; that is, an activity that is “more or less commercial” or one that would “appear to be commercial by most accounts”; and
  • the fact that an activity confers a public benefit or could also be characterized as charitable was irrelevant to whether it is a commercial activity for the purposes of PIPA.

Focusing on the fact that the Legal Aid Society “meets with prospective clients and decides whether to provide legal services, which might be performed by a private lawyer engaged by the [Legal Aid Society] or by its own staff lawyers”, the adjudicator concluded that there was very little to distinguish the Legal Aid Society from a private law practice or business. Both were carrying out a trade or business. Moreover, the adjudicator concluded that it would be arbitrary to treat clients who partially reimbursed the Legal Aid Society for services differently from those who did not.

General, Overbroad “Agreement” Does Not Permit Reference Check on Disabled Child

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a summary of findings in two cases arising out of inappropriate sharing of information between two summer camps about a child following an online application for a summer camp spot.

The issue arose when the child’s legal guardian completed an online application for a position at a camp. The child had spent the previous two summers at a different camp. The OPC report of findings notes that the child is disabled. During the online application process, the legal guardian accepted an “Additional Agreement”, which, according to the OPC, provided that “camp directors, at their discretion, could use the information supplied in applications for any means.”

The prospective camp contacted the first camp and asked questions about the child’s history at the previous camp and the level of support that the child required as a camper. The exchange came to light when the prospective camp allegedly refused the child’s application on the basis that the child could not be supported at the camp and that the “child’s disabilities would not be fair to other campers.”

Although the camps claimed that sharing of information about children was commonplace in order to assure that campers have a successful summer, the camps were members of the Ontario Camps Association, which adheres to a Code of Professional Ethics, requiring camps to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The previous camp did not obtain any form of consent to the disclosure of a child’s application history or experience at the camp. This was a fairly open and shut violation of the requirement of PIPEDA to obtain consent to the disclosure of personal information.

However, the prospective camp defended against the complaint on the basis that the legal guardian had consented to the collection, use and disclosure of personal information about the child when the legal guardian accepted the “Additional Agreement”.

Not so, found the OPC. The “Additional Agreement” was too general and overly broad to obtain meaningful consent to the collection, use and disclosure of personal information.

“This Office does not share the view of the first camp’s director that the complainant’s consent was obtained by her agreeing to the terms of the application she submitted, including the terms of the application’s “Additional Agreement”. We examined the application as well as that organization’s privacy policy and believe that the general statements regarding how the information supplied is to be used are overly broad and not sufficient to obtain consent to collect personal information from a third party as part of the enrolment process.”

The prospective camp made four errors:

  • The prospective camp used information in the application to conduct a background check on the child by contacting the previous camp.
  • The prospective camp disclosed information to the previous camp in order to elicit information about the child.
  • The prospective camp collected information from the previous camp.
  • The prospective camp used the information from the previous camp in order to evaluate the child’s application.

The OPC findings with respect to the previous camp can be found here. The OPC findings with respect to the prospective camp can be found here.

 

Cautionary Tale for the Helpful Employee

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings in connection with a complaint that an employee at a mobile phone company improperly altered a phone contract of a customer at the direction of an unauthorized party.

The facts of the case, as reported by the OPC, were relatively straightforward. The stepson of a customer was authorized to use a phone on his stepfather’s account. The stepson visited a mobile phone store and requested changes to his services. The stepson impersonated his stepfather. Bad on the stepson, perhaps, but the OPC concluded that the employee did not follow the mobile phone store’s customer validation process. In particular, the employee did not request identification to authenticate the customer by means of two pieces of identification. The changes requested by the stepson generated a new three-year contract. Trouble was that the stepson was not authorized to make those changes and the stepfather was none too pleased.

The employee might have just been trying to be helpful, but the OPC found two violations of the federal privacy principles established by the Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Principle 4.3: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”

The use of the real customer’s personal information to renew the contract was not done with that customer’s consent.

  • Principle 4.7 and 4.7.1: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.”

There were procedures in place but the employee violated them, thereby failing to protect the personal information from unauthorized use.

Are your employees aware of these principles and that they apply to them? Maybe understanding that these principles are not just the ravings of a compliance department but are also federal law might help convince them that these principles are important.

A Gatekeeper Approach to Mobile App Regulation is Developing in the United States

The Federal Trade Commission (FTC) released a Staff Report on February 1, 2013, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The FTC Staff Report follows on the heels of earlier recommendations by the California Attorney General (AG), released in January, in a report entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.”

The FTC Staff Report is particularly notable for articulating a gatekeeper function for platform providers in the mobile app ecosystem. The Staff Report and the California AG Recommendations recognize that there are distinct players in the mobile app market – platforms that provide the operating system and marketplaces; developers of the apps; and advertising networks. Each of the FTC Staff Report and the California AG Recommendations targets these different players with recommendations.

However, it appears that FTC Staff see the platform providers as particularly amenable to regulation because they are the focal point for the interface between users and app developers.

“[…] platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving privacy disclosures.” (FTC Staff Report, p. 14)

FTC Staff asserted that the platforms “use the plethora of apps offered on their devices as a significant marketing tool” (p. 14). The inference appears to be that the platforms have fair trading obligations to ensure that the apps they distribute meet privacy standards.

As gatekeepers, FTC Staff want platform providers to:

  • Require developers to make privacy disclosures;
  • Enforce privacy disclosure standards;
  • Educate developers on privacy issues;
  • Be responsible for providing “just-in-time” disclosure for the collection of geolocation data and other sensitive data;
  • Be responsible for obtaining consent for the collection of geolocation data and other sensitive data;
  • Develop a “dashboard” to allow consumers to review what types of content are being accessed by apps on their devices;
  • Develop icons to notify the user of the transmission of user data;
  • Establish a do-not-track (DNT) option at the platform level to allow consumers to make a one-time choice; and
  • Provide consumers with disclosure regarding the extent of review that the platform undertakes prior to making the app available as well as any compliance checks or reviews after the app is made available on the platform’s market store.

The approach to platform providers as a potential gatekeeper and enforcer is different from that of the California AG’s report, which focused on the educational role that platform providers could play.

Other highlights from the FTC Staff Report and the earlier California AG Recommendations are:

  • DNT or bust? FTC Staff continue to call on the industry to develop a “DNT mechanism that would prevent an entity from developing profiles about mobile users” (FTC, p. 21). The DNT mechanism must be (i) universal, (ii) easy to find and use, (iii) persistent, (iv) effective and enforceable, and (v) apply to more than just advertisements (FTC, p. 21).
  • “Just-in-Time” and “Surprise Minimization”. The FTC Staff Report emphasizes “just-in-time” or contextual disclosure and obtaining express affirmative consent at the point in which it is going to matter to consumers – that is, just prior to collection (FTC, p. 15). The California AG’s basic approach is to “minimize surprises to users”. The emphasis is on clearer, shorter notices. Organizations should not rely on privacy policies alone but also supplement those notices with alerts delivered “in context and just in time” (AG, p. 5).
  • Icons – but which ones? Privacy icons are the future; however, FTC Staff want to see consumer testing to ensure efficacy (FTC, p. 16).
  • Privacy by Design. The California AG continues to emphasize privacy as the default and the limiting of collection, use and retention to what is necessary to complete the function for which the data was required (AG, p. 9).

 

CRTC Invites Canadians to Comment on Wireless Code

On Data Privacy Day (January 28), the Canadian Radio-television and Telecommunications Commission (CRTC) amended its notice regarding a mandatory code for wireless services and invited Canadians to comment on the proposed provisions. A hearing on the wireless code is scheduled for February 11, 2013.

There are a number of features of the wireless code that are particularly interesting from a privacy and data security perspective:

  • The CRTC is suggesting that consumers be “provided with a personalized summary of how key terms and conditions” of a contract would apply to that consumer prior to the consumer entering into the agreement. In addition, the code would also mandate upfront, clear and concise disclosure of privacy policies.
  • The CRTC is also suggesting that the consumers would have recourse to make a complaint to the Commissioner for Complaints for Telecommunications Services (CCTS). It is unclear whether this might include complaints with respect to the privacy disclosures of the wireless services provider and, if so, whether the CCTS could order monetary compensation.
  • The CRTC would mandate that consumers be offered an online tool to allow the consumer to monitor the balance of included usage allowances and any additional fees during a billing cycle. Consumers would also be entitled to obtain a usage alert at 50% and 100% of billing cycle limits, which would be an amount set by the consumer or $50.

Federal Court: No Judicial Review of Privacy Commissioner Decision

In Kniss v. The Privacy Commissioner of Canada, the Federal Court concluded that an investigative decision by the Office of the Privacy Commissioner of Canada (OPC) should not be the subject of judicial review because the Personal Information Protection and Electronic Documents Act (PIPEDA) provides an adequate alternative remedy.

PIPEDA does not provide the OPC with the power to grant binding remedies. As the Federal Court reiterated, the OPC has extensive investigative powers; however, the role of the OPC is ultimately one that is comparable to an ombudsman.

PIPEDA provides that a party who is not satisfied with the investigative decision by the OPC may apply to the Federal Court under section 14 of PIPEDA for a remedy, including an award of damages or a compliance order.

In Kniss, the applicant sought to judicially review two findings of the OPC rather than proceed by way of the statutory process under section 14 of PIPEDA. The court concluded that judicial review was not available for the following reasons:

  • Parliament elaborated a clear process involving an investigative component before the OPC and a judicial one before the Federal Court.
  • Judicial proceedings were only to be initiated following the completion of the investigative process before the OPC.
  • The findings of the OPC were not binding on the parties, unlike the judicial process.
  • The OPC must communicate the right of the parties to proceed to Federal Court following the investigative process, which the Court concluded signalled an intention that “applicants pursue this recourse first”.
  • The scope of the recourse under section 14 of PIPEDA and the powers of the Court to make awards was broader under section 14 of PIPEDA than under judicial review.

 

Enough Already: Encrypt those Portable Devices

The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibit misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

Status Updates – Real Time Notice Recommended by Privacy Commissioner

As I mentioned in an earlier post, the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) announced the results of their coordinated investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet.

In addition to the issue of the use of address book information, the OPC raised concerns regarding status update broadcasts.

The app requires a user to enter a status update. The OPC reported that standard messages include “available”, “busy”, “at school”, “at work”, “sleeping”, “in a meeting” and “urgent calls only”. Users may also personalize status updates using 139 characters. The status field must be populated. However, the user could use emoticons or meaningless combinations of characters.

The status update is visible to every other user with the user’s phone number in his or her address book. There is no method to limit broadcasts. As the OPC put it:

[51]. In contrast to some social networking platforms which allow an individual to limit or control the broadcast of status submissions to only certain people, status messages shared using the WhatsApp messenger service are, by design, broadcast to all WhatsApp users who have the broadcasting user’s telephone number in their contact list. As such, a sender may not have knowledge of the identity of all those application users who may be receiving or monitoring the sender’s status messages. Any individual, whether for friendly or nefarious purposes, may track a user’s status, so long as that individual has the message sender’s telephone number.

It should be noted, however, that the app did permit users to block other users. A status would not be seen by a blocked user.

The OPC concluded that the status information was personal information because the information might be used alone or in combination with other data to render an individual identifiable.

Notwithstanding that the status information was being broadcast within the app to other users of the app, as disclosed in the privacy policy, the OPC concluded that the app provider needed to obtain more meaningful consent to the collection, use and disclosure of that status information.

The OPC distinguished the app from micro-blogging platforms because, unlike a micro-blogging platform, the app was primarily marketed as an SMS replacement. As the OPC put it, the app conveyed “the general impression that such messages are being shared only with those people the user knows”.

Given the lack of granular user controls to limit the sharing of the status update, the OPC recommended real-time notification. However, the OPC conceded that users should be given control over notification prompts.

This decision provides an illustration of the OPC’s concern that meaningful consent in the mobile environment may require notice and consent contemporaneous with collection and disclosure as well as in stand-alone privacy policies.

Retention of Address Book Information in Hashed Form Still Criticized by Canada and Netherlands

The Office of the Privacy Commissioner of Canada (OPC) announced the results of an investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet. The OPC coordinated its investigation with the Dutch Data Protection Authority (DPA). Commissioner Stoddart has previously stated that coordinated enforcement is a priority of the OPC.

The OPC found that the mobile app was not compliant with the Personal Information Protection and Electronic Documents Act (Canada) in respect of how it handles address book information. Once a user consents to the app using the user’s address book information, telephone numbers are uploaded to the provider’s servers using SSL/TLS encryption. This may occur up to two times a day or when a user manually refreshes. Telephone numbers that are correlated to other users are retained in clear text by the provider. These are “in network” numbers to which instant messages could be sent. Telephone numbers that are not associated with other users of the app are not discarded. Instead they are retained in a hashed format. These are “out of network” numbers.

The OPC raised a number of concerns:

  • Users could not (as a general rule) manually add and amend contacts. Instead, as a condition of using the service, a user had to provide access to his or her complete address book.
  • The app retained out of network numbers (that is, information of non-users). The fact that the out of network numbers were hashed was not sufficient to justify the retention.
  • The anonymization technique was not complete because “the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached.” In addition, the OPC found that the methodology applied by the provider meant that the hash was always the same for the same number. This meant that it was theoretically possible to search to see whether a number had been submitted before.

The OPC’s decision sets a high threshold for retaining information even in an anonymized form where the information is not needed for the operation of the service.
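The two weaknesses the OPC identified in the hashing scheme can be reproduced on constructed data as a check on whether a retained hash really is anonymous. The Python sketch below is an added example, not the provider’s code or anything taken from the OPC’s findings; SHA-256, a single global salt, the function names and the fictional 555-01xx numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import math

# Assumptions (not from the OPC findings): SHA-256 as the hash function and
# one global salt prepended to the number. All numbers below are constructed
# and use the fictional 555-01xx range.
GLOBAL_SALT = b"constructed-demo-salt"


def hash_number(number: str, salt: bytes = GLOBAL_SALT) -> str:
    """Pseudonymize a phone number as SHA-256(salt || number)."""
    return hashlib.sha256(salt + number.encode("ascii")).hexdigest()


# Constructed "out of network" store: only digests are retained.
OUT_OF_NETWORK = ["+16045550123", "+16045550147", "+16045550188"]
STORED_DIGESTS = {hash_number(n) for n in OUT_OF_NETWORK}


def was_submitted(number: str, stored_digests: set) -> bool:
    """Same number always gives the same digest, so anyone able to compute
    the hash can test whether a given number was ever uploaded."""
    return hash_number(number) in stored_digests


def keyspace_bits(variable_digits: int) -> float:
    """Entropy of a number with this many unknown decimal digits."""
    return variable_digits * math.log2(10)


def recover_number(digest: str, salt: bytes, prefix: str, variable_digits: int):
    """With the salt known, walk one number block and return the number
    whose digest matches, or None if it is not in the block."""
    for i in range(10 ** variable_digits):
        candidate = f"{prefix}{i:0{variable_digits}d}"
        if hmac.compare_digest(hash_number(candidate, salt), digest):
            return candidate
    return None


def reidentifiable_fraction(stored_digests: set, salt: bytes,
                            prefix: str, variable_digits: int) -> float:
    """Audit metric: share of retained digests that map back to a number
    once the salt and the digest store are both exposed."""
    table = {}
    for i in range(10 ** variable_digits):
        candidate = f"{prefix}{i:0{variable_digits}d}"
        table[hash_number(candidate, salt)] = candidate
    hits = sum(1 for d in stored_digests if d in table)
    return hits / len(stored_digests) if stored_digests else 0.0


if __name__ == "__main__":
    print("previously submitted:", was_submitted("+16045550147", STORED_DIGESTS))
    print("bits in a 10-digit number:", round(keyspace_bits(10), 1))
    target = hash_number("+16045550188")
    print("recovered:", recover_number(target, GLOBAL_SALT, "+1604555", 4))
    print("re-identifiable share:",
          reidentifiable_fraction(STORED_DIGESTS, GLOBAL_SALT, "+1604555", 4))
```

A ten-digit number carries only about 33 bits of entropy, which is why a salted hash of it does not amount to anonymization once the salt is known.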

UK Cookie Enforcement Report: Relevant to Canada

On December 18, 2012, the UK Information Commissioner’s Office (ICO) issued an enforcement report on compliance with the rules regarding obtaining consent to the use of cookies and similar technologies.

North Americans accessing UK-based websites that are not distinguishing between IP addresses of EU visitors and North American users may have noticed “cookie banners” when they visit the UK website. These “cookie banners” respond to the requirements of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations of 2011, which the UK Information Commissioner’s Office began to enforce in May 2012. Typically the banner will appear at the top of the web page or float semi-transparently on the web page until closed by the visitor. The banner provides information on the use of cookies on the website, links to further information, including methods of opting out.

The ICO has helpfully provided examples of cookie banners that it considers to be compliant with the cookie rules.

The Office of the Privacy Commissioner of Canada (OPC) has made it clear in recent decisions and in its guidance on behavioural advertising that organizations must be transparent about their use of cookies and should consider methods other than privacy policies for explaining that cookies are being used, the purpose for their use and the ability of the website user to opt out of tracking cookies. Although not yet in force, Canada’s Anti-Spam Legislation (CASL) provides that an organization must have express consent to install a computer program on a person’s computer. A “computer program” has been defined broadly to include a cookie. An organization will be considered to have express consent if the person’s conduct “is such that it is reasonable to believe” that the person has consented to the installation of the cookie.

Although the UK cookie rules are not directly applicable in Canada, organizations may consider reviewing the ICO’s enforcement report when considering revising their cookie disclosure practices in light of the OPC’s guidance and the requirements in CASL.

 

Texas Court Refuses to Prohibit RFID Tags in School

On January 8, 2012, the U.S. District Court for the Western District of Texas issued a ruling denying a preliminary injunction in a case involving the use of radio-frequency identification (RFID) tags embedded in name badges to track students (A.H. ex rel. Hernandez v. Northside Independent School District, 2013 WL 85604 (W.D. Tex.)). Ultimately, the court concluded that the religious objections of the student’s family had been accommodated by permitting the student to use a badge that was identical to the badges of other students, except that the RFID tag and battery had been removed.

The court gave significant deference to the school district’s reasons for using the technology and concluded that the use of the RFID technology easily met the requirement that it be rationally connected to a legitimate government interest. Since the school was willing to accommodate the objection to the RFID tag, the issues were reduced to whether the required use of a badge that looked the same as the RFID badges was a form of forced expression in support of the program and whether the student was subjected to significant burdens in opting out of the use of the RFID tag.

Since the case turned on the question of religious accommodation, the court did not review the significant privacy issues in the case, which is unfortunate given the importance of those issues to the maturing legal and social debate regarding the use of geolocation tracking. In Canada, Privacy Commissioners have long been concerned about the use of RFID technology to track individuals. However, it is clear that RFID technology can be used in Canada, provided that an organization is able to justify that the use of RFID technology is reasonable using the Canadian four-part analysis discussed below.

Deployment of the RFID Technology

An RFID tag is a computer chip with a unique identification number. The RFID tag can be active or passive. An active RFID tag contains a power source and a micro antenna that actively transmits the RFID tag information without any user intervention. In this way, the active RFID tag operates differently than an identification card containing a passive RFID tag that must come into close contact with a reader (at least a few feet) in order to be scanned. Instead, the active RFID tag operates without any card holder intervention.

As widely reported, the controversy began when an active RFID tag was embedded into student name badges in a pilot program at a U.S. high school. Employees, students and visitors at the school already wear an identification badge. Schools and buses are equipped with digital cameras. The addition of RFID surveillance meant that the school could obtain geolocation information about the student while on campus. Among the other uses of the RFID tag, it provides for a method of determining daily student attendance, which affects state funding.

The Religious Objection and the Proposed Accommodation

The student’s family objected on religious grounds to wearing the RFID tag. When the student was offered accommodation by having the RFID tag removed, her parents refused on the basis that participation in the program by even wearing the badge without the RFID would run against their religious beliefs. The family argued that the student should be permitted to wear a different badge altogether so that she would not appear to be supporting the program. The family also argued that the proposed accommodation imposed burdens on the student. In particular, the student was unable to pay for lunch, check out library books, or participate in school activities in the same manner as other students, who could do so using the RFID-enabled badge. This meant that she was singled out.

Rational Connection to a Legitimate Interest

The court agreed that the school district has “a legitimate need to easily identify its students for purposes of safety, security, attendance and funding”. The court held that the RFID badge was rationally connected to meet those needs and was also “a useful tool for the students because it serves as a convenient means of payment for lunch and extra-curricular activities and assists students in checking out library books.”

The court held that any burden imposed on the student was outweighed by the governmental interest “in providing a safe and secure environment for everyone on campus”. The court held:

“Even if Plaintiff could show a substantial burden, the District has a compelling governmental interest that outweighs such burden. In today’s climate, one would be hard pressed to argue that the safety and security of the children and educators in our public school system is not a compelling governmental interest. Mandatory identification badges issued to all students, staff, and visitors further the school’s interest in providing a safe and secure environment for everyone on campus. One could envision many different methods of ensuring safety and security in schools, and the requirement that high school students carry a uniform ID badge issued for those attending classes on campus is clearly one of the least restrictive means available.”

The Canadian Approach

The Office of the Privacy Commissioner of Canada (OPC) has long taken the position that the existence of a legitimate security objective does not automatically justify the use of a surveillance technology. In order to assess the appropriateness of RFID technologies, the OPC uses a four-part analysis:

1. Is the use of the RFID technology demonstrably necessary to meet a specific need?

2. Is the use of the RFID technology likely to be effective in meeting that need?

3. Is the loss of privacy proportional to the benefit gained?

4. Is there a less privacy-invasive way of achieving the same end?

When analysing whether the RFID technology is likely to be effective in meeting a need, the OPC requires that organizations provide an evidentiary basis for the assertion of effectiveness.

 

Privacy Issues Not Discussed

Although the court in the Texas case noted the efficiency and the convenience of the RFID tag, the privacy issues were largely ignored in the court’s assessment of whether the RFID tag was rationally connected and minimally impairing of the student’s rights to freedom of religious expression and freedom of speech. Among other issues, the court did not assess the following issues, which should be critically examined in any RFID application in Canada:

  • Reliability of the Technology. Did the active RFID technology actually fulfil its security purpose? Does the mere fact that the student’s badge is on campus indicate that the student is on campus? Does the fact that the student’s badge is not read as being on campus mean that the student is not on campus? How does the potential for misinformation affect whether the use of the RFID tag is rationally connected to the security concern?
  • Security of the School’s Readers. What administrative, technological and physical security systems have been deployed to protect against unauthorized access to and use of the information collected by the RFID system? Does the level of security of the information provided affect whether the system is rationally connected to a security purpose and minimally intrusive?
  • Normalizing Tracking. Following previous jurisprudence, the court concluded that the constitutional rights of students in public schools may be different from those of adults in other settings. Does this necessarily mean greater tolerance for tracking? Or, might it mean the opposite? Is it important that the state not use the occasion of providing public education to normalize a culture of tracking of future adult citizens?

For information on RFID best practices in Canada, see the OPC’s Consultation Paper on RFID’s in the Workplace and the Information and Privacy Commissioner of Ontario’s RFID Privacy Guidelines.


 

Modernizing Canada’s Access to Information Act

It is not too late to participate in a dialogue with the Office of the Information Commissioner of Canada regarding reform to Canada’s federal Access to Information Act. The deadline for comments and submissions has been extended to January 31, 2013.

To spark dialogue, the Information Commissioner has posted questions and topics for discussion.

The English site can be accessed here. The French site can be accessed here.

 

No Right to Audio Recording or Customer Service Representative’s Name: OPC Guidance on Access Rights

On December 13, 2012, the Office of the Privacy Commissioner of Canada released Report of Findings #2012-004 (August 22, 2012) relating to the unauthorized disclosure to an imposter of a cell phone customer’s account information. In addition, the Report of Findings addresses the scope of an individual’s access rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). It is this aspect of the decision that is the subject of this post.

PIPEDA Access Rights

Principle 4.9 of Schedule 1 to PIPEDA provides that “an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information”. Subsection 8(1) of PIPEDA requires that a request for access be made in writing. Pursuant to subsection 8(3) of PIPEDA, an organization must respond to the request within 30 days subject to certain exceptions. Notwithstanding an individual’s access right under Principle 4.9, an organization is prohibited under section 9(1) of PIPEDA from providing an individual access if it would reveal information about a third party. If the information about the third party can be severed, the organization should follow that procedure in providing access.

No Obligation to Provide Access in a Particular Medium

In Report of Findings #2012-004, the complainant sought a copy of the recording between the imposter and the customer service representative. The organization offered to permit the complainant an opportunity to listen to the recording at the company’s premises. The organization also provided a transcript of the call and deleted the customer service representative’s name. The complainant did not take up the offer to listen to the recording and complained to the OPC regarding the completeness of the transcript.

The OPC concluded as follows:

[35] Regarding the redactions that the company had made from the call transcript that it provided the complainant, we have reviewed those redactions and find them to be in compliance with subsection 9(1) of the Act, which requires an organization to sever personal information about a third party before allowing an individual access to their own personal information. The information redacted from the transcript (i.e., the CSR’s name) belongs to a third party.

[36] As for the issue raised by the complainant that he was not provided with an audio recording of the conversation which took place between the imposter and the CSR, the Act provides individuals with the right to access their personal information. The Act does not, however, require an organization to provide access in a particular medium. Only under section 10 of the Act must an organization give access to personal information in an “alternative format” to an individual with a sensory disability and who requests that their personal information be transmitted in the alternative format. The complainant’s case does not fall within these circumstances. Rather, the company did provide the complainant with the call transcript containing the personal information, and to which he was entitled under the Act. It is, therefore, not required to further provide him with a copy of the recording.

It should be noted that the OPC did not state that a transcript would always suffice. The organization provided the complainant with the opportunity to listen to the recording. A recording of a voice contains more information about the person than what would appear on a transcript. The OPC might conclude that an individual may have a right to listen to the audio recording. Factors that the OPC might consider to be relevant may include whether there is third party information in the recording that cannot be severed without significant and disproportionate cost.

 

Obtaining Consent to the Use of Credit Scores: OPC Provides Guidance

On December 19, 2012, the Office of the Privacy Commissioner of Canada released Report of Findings #2012-005 (dated April 27, 2012) regarding obtaining meaningful consent to the use of information provided to credit reporting agencies. The complaint arose when an insurer increased the home insurance premiums for a couple based on a credit score.

Obtaining Meaningful Consent

In the OPC’s view, the insurance company made a number of errors in obtaining consent. Among the more interesting issues:

  • “May” can be misleading. Organizations tend to “hedge” in their disclosure regarding their privacy practices with the liberal use of the word “may” in their privacy policies. In this case, the organization stated that it “may use the score as one of the rating factors”. In practice, however, the organization always used the score at the first renewal of all policyholders. The OPC stated:

“In our view, a customer reading the company’s notice could form the general impression that they are exempted from the practice, or that it applies only in a minority of cases (e.g., individuals with a consistently poor credit history). In actual fact, the company applies the practice broadly and consistently.”

  • Transparency involves education. Part of obtaining meaningful consent involves educating the consumer on the use of his or her personal information. The OPC concluded it was unreasonable to expect that an individual would understand that information regarding credit worthiness in a loan or credit context would be used to establish the probability of an individual making an insurance claim. Indeed, the use of the credit scores to determine insurance risk may not be well-understood by Canadian consumers. The OPC cited a November 2010 survey commissioned by the Insurance Brokers Association of Ontario that reported, according to the OPC, that three out of every four consumers do not understand that their credit score is used to determine insurance risk and their premiums for insurance.
  • After-the-fact notice does not equate to meaningful consent. The dissemination of more detailed information regarding the use of the credit score prior to the one-year anniversary of the policy was not adequate to obtain consent to the use of the credit score at renewal. The OPC concluded that the request for consent had occurred at the time of the application and this was the relevant point at which information regarding the purpose and use of the credit score must be provided.
  • If there is an industry code, you should follow it. The organization’s troubles were not assisted by the fact that it did not follow the industry code regarding obtaining consent. The OPC stated as follows:

“Moreover, we note that the company does not appear to be following the guidance provided by its own industry association with respect to consent. The Code provides detailed instructions for obtaining consent to the use of credit information and advocates for obtaining express and informed consent. While we acknowledge that the Code is voluntary, as noted above, our view is that its presence indicates that special considerations are warranted for the use of credit information. Accordingly, we find the Code to be informative with respect to the parameters it sets for obtaining appropriate consent in the context of using credit information in underwriting and rating activities for personal insurance.”

Reasonableness and Public Policy

Subsection 5(3) of the Personal Information Protection and Electronic Documents Act provides that an “organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”

Although the OPC acknowledged that the Ontario Consumer Reporting Act permitted the use of consumer reporting agency information to assess insurance risk, the OPC was clearly troubled and has left open the possibility that the OPC might conclude that the use for insurance purposes is unreasonable. The OPC stated that “there is no obvious link between credit information and insurance premiums.”

As such, the OPC intends to continue to conduct research and monitor the public policy issues regarding the use of credit information for the purposes of assessing insurance risk. This statement is curious. Could it be that a practice expressly authorized by a Legislature could be found to fail the reasonableness standard in subsection 5(3) of PIPEDA? This would appear to raise significant constitutional issues entirely sidestepped by the OPC, at least for the moment.

 

Children’s Online Privacy Protection: U.S. Developments Compared to Canada

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled “Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

  • 80% of the apps (319) apparently did not disclose any information about the apps’ privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.
  • 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.
  • 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.
  • 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where the FTC has identified gaps between the company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

  • Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.
  • Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole in the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.
  • New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada has no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

 

Five Data Governance Matters to Address in 2013

It is 2013, and time for a bit of tough love. Here are five data governance matters that need your attention as soon as possible.

1. Enough of the Unencrypted USB Keys. December 2012 ended with Human Resources and Skills Development Canada reporting that a USB key containing personal information of Canadians had gone missing. Just months before, Elections Ontario apparently lost USB keys containing unencrypted personal information of Ontarians. The use of unencrypted USB keys to store or transfer personal information or any confidential corporate information is the number one practice that organizations should address in 2013. The solution is not overly complex. Just stop it already! And, also make sure that subcontractors don’t use unencrypted USB devices when handling your data.

2. BYOD is Here to Stay; Stop Pretending Otherwise. Employees are coming to work with their own smart phones, laptops, tablets, and other devices. There is no point pretending that employees don’t have proprietary rights and privacy rights in these devices with heavy-handed and unworkable policies on their use. But turning a blind eye to the fact these devices may introduce security risks and can be used as unencrypted USB keys is also not an option. It is time to develop a workable policy. Be clear with employees regarding appropriate use. Audit compliance. If your organization is of sufficient size, it may be a wise investment to employ a “show me – don’t just tell me” policy. Invest in a video showing proper use of these devices and, perhaps more importantly, the cost and consequences of improper use. If it is a condition of BYOD that the organization be able to wipe the whole device remotely, consider illustrating what that is going to mean so that employees understand that they may lose data that they consider to be theirs and that is not backed-up.

3. End the Denial About Your Website Data Collection. You know that part of the website privacy policy that says the organization doesn’t share personal information with third parties? Or, the bit about how the organization only uses information for the purposes described in the privacy policy? Saying it doesn’t make it so. Chances are that even in an organization with very good privacy practices this statement is not 100% accurate, particularly if the organization is engaged in on-line advertising, uses third-party website analytics services, or has third-party content on its site. These activities may involve the transmission of personal information about the user without the knowledge and consent of the individual. If staff in the marketing and technology departments say there is no personal information being shared, ask whether any non-personal data is being shared. Ask what that non-personal information is. There is a decent chance that some of the data being shared is data that a Canadian Privacy Commissioner would consider to be personal information.

4. Stop Ignoring Unstructured Data; It Might Be Your Achilles’ Heel. Data privacy policy? Check. Records retention policy? Check. Litigation hold procedure? Check. Wait, what’s that? Your organization is using social media. Employees are storing documents in electronic and physical files that are not saved in a centralized repository with pre-defined fields or labels. All of this unstructured data is probably falling outside of the organization’s procedures and policies for dealing with the collection, use, retention and destruction of information. Unstructured data doesn’t need to be the weak link, provided that it is not ignored. It is time to start tackling why employees are using unstructured files and responding with solutions that can address the usefulness of the unstructured data while managing its risks.

5. Really, Why is “That” Confidential? Yes, yes, everything about the organization’s business is confidential. Except that half of it is on the corporate website or in public filings and everyone in the organization with a user ID has access to the other half of it. Okay, I’m being deliberately provocative. However, this one also falls in the category of “saying it doesn’t make it so”. If information is confidential, then there should be many contextual clues so that employees are re-sensitized to the need to protect the information. Limiting access, requiring higher levels of clearance and training, using watermarks to establish the custodian of the information, having properly labelled and locked shredding containers, all contribute to better information security practices by providing employees with contextual reminders of the importance of information security and confidentiality.

 

Social Media and the Boardroom

The Conference Board and Stanford University’s Rock Center for Corporate Governance recently published their 2012 Social Media Survey, entitled “What Do Corporate Directors and Senior Managers Know about Social Media?” What is the bottom line from the survey of 180 senior executives and corporate directors of North American public and private companies? Senior executives and directors appreciate the power and the risk of social media. But they are not engaged from a governance perspective. The majority of organizations do not monitor social media to detect risks. Only a minority receive reports containing summary reports and metrics from social media. More disturbingly, the majority of companies did not have social media policies in place.

In Canada, the Canadian Institute of Chartered Accountants’ Risk Oversight and Governance Board published a helpful Director Alert in January 2012 providing directors with some basic questions to ask. The publication is a helpful primer on the basic issues.

In addition, here are 10 topics that Directors may wish to review from a governance perspective:

1.  Social Media Plan. Does the organization have a social media plan identifying the purposes of the organization’s social media, the persons accountable for implementing the social media plan, and the metrics by which the time and effort spent on social media will be measured?

2.  Type of Social Media Strategy. Will the social media be simply one-way promotion of the organization or will it truly be “social” in the sense of engaging with stakeholders? How does the strategy fit with the organization’s social media plan and other public relations efforts?

3.  Choice of Platforms. What social media platforms will be used to implement the social media plan? How do those platforms match the goals of the social media plan and the strategy to achieve those goals? Have the terms of use and end user licence agreements for those platforms been reviewed?

4.  Advertising Compliance. Does the organization’s social media plan comply with the Competition Act (Canada), Competition Bureau Guidelines, the Canadian Code of Advertising Standards and other legal restrictions that may affect the use of social media to promote the organization? Is the organization providing benefits to “influencers” (persons who have large followings on social media and who influence people to take actions, such as clicking on a link or signing up for a promotion)? Is this appropriately disclosed?

5.  Contests. Will social media be used to engage in contests? How will the organization ensure compliance with the Criminal Code and the Competition Act in respect of those contests?

6.  Criticism. How will the organization respond to criticism in social media platforms? Does the organization have clear guidelines on how to handle a disgruntled stakeholder or a negative social media report? How will criticism be elevated within the organization?

7.  Confidentiality. How will the organization ensure that postings through social media do not result in the inadvertent disclosure of non-public material information, confidential information or trade secrets of the organization or a third party to whom the organization owes a duty of confidence, or personal information of employees, customers or others?

8. Employee Engagement. Does the organization have a social media policy in place for employees? Does the policy balance the right of employees to engage in free speech while educating employees and protecting the organization against activities that may contravene advertising laws or be considered to be defamatory or discriminatory? Do employees understand the consequences of breaching the social media policy?

9.  Monitoring. Who is responsible for surveillance of the reputation of the organization and competitors in social media? Who will receive reports of major events? How will the social media strategy be fine-tuned to respond to the information received through social media?

10.  Disaster Plan. Does the organization have a 24/7/365 disaster plan in place in the event that the organization is under attack on social media platforms or a social media effort backfires? Are the appropriate personnel and external advisers in place to assist?

 

Social Media & Employees: When Every Little Thing Is Searchable

The scope of an employer’s right to discipline and terminate an employee for indiscreet or inappropriate remarks in social media is far from settled. Given that an employee’s social media activities have the potential to “go viral” (or at least be seen by hundreds, if not thousands of people), organizations must assess whether the activities of employees outside of work have the potential to negatively affect, even transiently, the reputation and goodwill of the organization.

Currently, the legal battle over an employer’s legitimate interest in an employee’s use of social media is being played out among employees who are relatively junior within organizations and may, justifiably or unjustifiably, believe that their actions are not under the gaze of their employers.

This post compares two recent cases from the United States and the United Kingdom with an earlier case from Canada.

Don’t Make Fun of the Customers

In a recent U.S. National Labor Relations Board (NLRB) decision, Karl Knauz Motors, Inc. (Re), the NLRB considered whether a car dealership could terminate a salesperson for comments on Facebook about an accident that involved a customer of the dealership. The customer had driven into a pond and the salesperson posted photos on Facebook with sarcastic comments. The employer argued that the comments violated employee handbook rules that required employees to be “courteous, polite, and friendly to our customers, vendors and suppliers, as well as to their fellow employees” and which prohibited conduct that was “disrespectful” or involved the “use of profanity or other language which injures the image or reputation” of the employer. In addition, not long before the post about the customer, the same salesperson had posted photos and comments criticizing food that had been served at a sales event at the dealership. The tenor of the earlier post was that the dealership should have served better food given the profile of the sales event.

The salesperson claimed that he was terminated in violation of the protections afforded by section 7 of the National Labor Relations Act (NLRA), which, among other things, provides rights to participate in concerted activity for the purpose of collective bargaining or other mutual aid or protection. The NLRB has previously issued decisions and guidance documents this year warning that social media policies must not stifle workers from communicating about workplace conditions as this would offend section 7 of the NLRA.

An administrative law judge concluded that the postings about the car accident did not fall within section 7 of the NLRA because they were posted by the employee on his Facebook page and no discussion took place on Facebook about the post. By contrast, the comments about the food at the sales event were made in the context of an exchange among employees on Facebook. The administrative law judge concluded that the comments were related to the dealership’s image at the event and this could affect the working conditions of the employees by affecting sales.

In a split decision, the NLRB upheld the decision of the administrative law judge. The employee’s termination for the comments about the customer was not protected by the NLRA. However, the NLRB ordered that the employee handbook rules were overbroad and not enforceable.

The dissenting NLRB member concluded that the requirement to be courteous did not violate section 7 of the NLRA and held that:

“[r]easonable employees know that a work setting differs from a barroom, and they recognize that employers have a genuine and legitimate interest in encouraging civil discourse and non-injurious and respectful speech.”

Say What You Will About Gay Marriage

In Smith v. Trafford Housing Trust, a housing manager of the Trust read a news article online regarding gay marriage and posted the link to his Facebook account with the comment “an equality too far”. The manager’s Facebook privacy settings had been set so that his posting could be viewed by his “Friends” and also “Friends of Friends”. This prompted an exchange with one of the employee’s colleagues at work, which was quite tempered but suggested that those gays and lesbians “have no faith and don’t believe in Christ”. The employee was suspended and subjected to a disciplinary proceeding that resulted in a finding of gross misconduct. The employee was offered a demotion to a non-managerial position in view of the length of his service.

According to the decision of the English High Court of Justice (Chancery Division), the Trust had over 300 employees. The court found that at the material time, the employee listed that he was a manager at the Trust. His profile stated “What can I say – it’s a job and it pays the bills”. He described his religious views as “full on charismatic Christian.” His profile and wall pages also listed that he was a manager at the Trust. In putting the post into context, the court held that it was one of a number of posts about “sport, food, motorcycles and cars.”

The court concluded that a reasonable reader of the manager’s wall would not have understood him to be a spokesperson for the Trust. The court rejected that any loss of reputation by the Trust would arise in the mind of a reasonable reader. The manager’s Facebook wall “was primarily a virtual meeting place at which those who knew of him, whether his work colleagues or not, could at their choice attend to find out what he had to say about a diverse range of non-work related subjects.” The court minimized the broader access to his wall by “friends of friends” by stating that “actual access would still depend upon the persons in that wider circle taking the trouble to access it.” The court found that the manager did not thrust his views onto colleagues at the office. The medium and context were not “inherently” work related. In the result, the court concluded that the manager had been constructively dismissed.

Don’t Diss and Threaten Other Employees or Your Employer

The problems for the employees in Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 1518 started when one of the employees posted on Facebook a post that could be interpreted as threatening: “Sometimes ya have good smooth days when nobody’s [expletive] with your ability to earn a living … and sometimes accidents DO happen, its [sic] unfortunate but thats [sic] why there [sic] called accidents right?” Another employee also was posting derogatory comments about managers.

The employees had close to 100 and 377 “friends” respectively. Significantly, the posts were escalating in tone and extreme enough that one person “de-friended” and even the girlfriend of one of the employees commented that “[s]omethings just shouldn’t be broadcasted on facebook, especially when you still work there.”

The employer terminated the employment of the two employees. The union grieved but lost. In an interesting counterpoint to the Trafford Housing Trust case, the British Columbia Labour Relations Board concluded that the comments on Facebook had sufficient proximity to the employer’s business. The comments had been used as a “verbal weapon”. They went beyond shop floor comments to insubordination in front of employees who were friends of the employees by degrading a manager and referring to discipline. The comments also counselled Facebook friends not to shop at the employer. In the result, the termination was upheld.

Substance, Purpose and Context

One should be careful about drawing conclusions from a handful of cases in multiple jurisdictions with different approaches to employment and privacy laws. However, one theme that emerges in all three cases is that, in addition to the substance of the social media posts, the purpose and context for those postings are important considerations in concluding whether the employer has a legitimate interest in the employee’s social media activities.

 

Data Anonymization: UK Code and a New “Anonymisation Network”

On November 20, 2012, the UK’s Information Commissioner’s Office (ICO) issued the Code of Practice on data anonymization, entitled “Anonymisation: managing data protection risk.” I discussed the draft Code and consultation in a previous post.

In addition, the ICO has announced an “Anonymisation Network” (www.ukanon.net – not yet up and running) to host detailed case studies and illustrations of good practice.

The Code is developed within the framework of the Data Protection Act, 1998 (UK), and, therefore, should not be considered to be directly applicable outside the UK. However, the case studies and discussion of data anonymization techniques are useful reading for all organizations considering the conversion of data sets to an anonymized form.

Some highlights from the ICO’s discussion of data anonymization are:

  • If an organization converts personal data into an anonymized form, the resulting anonymized data will not constitute personal information. This will continue to be the case even though the organization may be able to de-anonymize the information.
  • A difficult technical issue for organizations will be whether the anonymized data could be combined with information by a third party to re-identify the individual. The ICO’s position, based on judicial precedent, is that the risk of identification must be greater than remote and reasonably likely in order for the data to be considered to be personal data for the purpose of data protection legislation.
  • In assessing the risk of re-identification, the ICO recommends using the “motivated intruder” test. In other words, would a person who starts without any prior knowledge but who wishes to identify an individual be able to access resources and investigative techniques to de-anonymize the data? The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills.
  • Data that is from low sensitivity sources with a low risk of re-identification may be published by the organization as part of a commitment to open government. However, the ICO recommends that data from highly sensitive sources with a significant risk of re-identification should be made available under limited use restrictions in order to control through contractual terms the use to be made of the data.
  • The ICO takes the position that in most cases anonymization does not require an individual’s consent under the Data Protection Act, 1998. However, organizations should address the possibility of anonymizing data through disclosure in privacy policies. By contrast, if an organization collects personal data through re-identification, the organization must have the individual’s knowledge and consent.

A summary document prepared by the ICO is available here.

Sex, E-mail & Privacy – You Have Privacy Rights For As Long As No One Is Interested

On November 15, 2012, the Sexual Orientation and Gender Identity Conference (SOGIC) of the Ontario Bar Association (OBA) held a seminar on “Sexual Orientation & Gender Identity: Managing Personal Privacy and Reputational Risks in an Online Era”. I was invited to participate as a speaker.

One of my (tongue-in-cheek) messages at the event was that you only have privacy rights for as long as no one is interested in what you are doing. It might be 45 years since the late Rt. Hon. Pierre Trudeau said that the State has no business in the bedrooms of the nation, but the continual parade of sex scandals demonstrates that the State and the public still consider what happens between consenting adults to be very interesting and worthy of opinion. Just open any North American daily newspaper this past week.

Certainly, there are numerous criminal and civil protections for privacy in Canada that Canadians and members of the LGBTQ community can rely on for privacy protections depending on the nature of the breach.  These include public and private sector privacy legislation, Criminal Code provisions (interception of private communications, harassing phone calls, spreading false messages and hate speech), the new tort of intrusion upon seclusion, statutory invasion of privacy torts (in some provinces), appropriation of personality, libel and defamation, nuisance and breach of confidence.

However, these remedies all have significant limitations. Private sector privacy legislation has no teeth when dealing with a non-commercial blogger. All of the court-based remedies require seeking vindication in a public forum. For defamation, the facts and photos might be embarrassing but if the defendant can prove they are true or part of responsible journalism or a qualified privilege defence applies, the subject of the facts and photos has no remedy. Even when privacy rights are vindicated, any monetary remedy is relatively small and the publicity and the digitized record of the event giving rise to the intrusion of privacy is likely, at least at the present time, to continue on with a life of its own unless publication of the intrusion was relatively contained and the operators of the site are willing to take the material down.

My colleagues on the panel were very thought-provoking. Here are some of my “take-aways” for further thinking and discussion:

  • There is a gap in privacy protection for employees and job candidates (other than in British Columbia, Alberta and Quebec, public sector employees, and employees of federal undertakings). We are principally relying on Human Rights legislation for moral suasion.
  • There is a gap in privacy protection with respect to electoral information gathered by political parties and information collected by elected officials. Can this be justified on the basis of promoting our democratic system of government? Or, do elected officials lose credibility when dealing with private sector privacy mistakes when they have exempted themselves from an obligation to protect the privacy of their constituents?
  • We need to have a serious conversation about the “right to be forgotten”. A right of minors might be a useful starting point. Should an indiscreet photo or a story posted by a minor’s friend when the minor is 16 have an unlimited shelf-life on the Internet, or does this impinge too far on freedom of expression?
  • The time may soon be ripe to recognize a tort of publication of embarrassing private facts based on the U.S. and New Zealand tort. What will it look like? How do we protect robust freedom of expression and at the same time provide individuals with protection from becoming the subject of targeted shaming by groups who do not share the same values as the target?
  • Will the limit of $20,000 for general damages for the tort of intrusion upon seclusion be exceeded in the short-term? Or, will plaintiffs be able to demonstrate successfully to the court that the breach of privacy caused specific economic harm?
  • Is the term “privacy” confusing the issue (except to privacy advocates)? Is the main issue systematic and unwelcome private-sector and public-sector surveillance? In other words, a question of control? Is a necessary ingredient of a free society, in the digital age, one in which individuals have protection from the unauthorized use of information that is public in a nominal sense?

Thank you SOGIC for putting on this timely seminar.

Big Data and Cloud Computing Meet the Uruguay Conference of Data Protection Authorities

The 34th International Conference of Data Protection and Privacy Commissioners was held in Uruguay on October 23 and 24, 2012. The purpose of the International Conference is to bring together data protection and privacy commissioners around the world to discuss emerging issues, share knowledge and promote international cooperation on projects.

The closed session of data protection and privacy commissioners produced the “Uruguay Declaration on Profiling” dealing with the use of Big Data, and two resolutions – one dealing with cloud computing and the other dealing with “the future of privacy”.

Uruguay Declaration on Profiling (Big Data)

In the Uruguay Declaration, the International Conference recognized “the many useful applications of big data and the advantages large data collections could bring to, among others, healthcare, energy efficiency and public safety.” However, the International Conference also outlined the risks of profiling and the potential lack of accountability regarding the quality of data. The International Conference reaffirmed the principle of purpose limitation.

In addition, the International Conference set out eight points that data protection and privacy commissioners should consider when dealing with profiling activities:

1. Public and private entities must be transparent about profiling, the way profiles are assembled and the purposes for which they are being used.

2. Profiling operations should have three phases: (i) identification of the need; (ii) identification of the assumptions and data that will form the basis of the profile; and (iii) how the profile is to be applied in practice. Each phase should be subject to separate decisions and regulatory oversight.

3. Profiles and the underlying algorithms must be continuously validated.

4. Profiling operations should not be fully automated. Human interventions should be required to avoid injustice to individuals subject to fully automated false positive or false negative results.

5. The creator and user of the profile should not be the same.

6. Individuals should be permitted to challenge the profile.

7. Authorities should ensure that they have sufficient enforcement power and knowledge to supervise public and private sector profiling activities.

8. Privacy enforcement authorities should have the power to test and challenge government proposals given the government’s access to large public and private databases.

Cloud Computing Resolution

The International Conference also resolved to encourage efforts and reduce risks associated with cloud computing given its potential to create economic efficiency, lower environmental impact, simplify operation and increase user-friendliness. However, the International Conference recommended in its resolution that:

• Cloud computing should not result in a lowering of data protection standards;

• Organizations should carry out privacy impact and risk assessments prior to engaging in cloud computing;

• Cloud service providers should focus on transparency, security, accountability and trust, particularly regarding information on data breaches and contractual clauses that promote data portability and data control by cloud users;

• Continuing efforts should be made to develop standards and certifications and privacy by design in cloud computing architectures;

• Legislators should assess the adequacy and interoperability of legal frameworks to facilitate cross-border transfers of data; and

• Privacy and data protection authorities should continue to engage with stakeholders.

Future of Privacy Resolution

In recognition of globalization and cross-border transfers of information, the International Conference renewed calls for international cooperation and coordination on data protection and privacy rules to bring national laws into harmony.

 

That E-mail Is Mine; Or Is It?: Who Owns an E-mail Message?

Here’s a brain teaser. Who owns an e-mail? The sender? The recipient? Both? Typical e-mail footers seem to assert some type of ownership by the sender by directing that the e-mail is only for the attention of an intended recipient and that the sender prohibits retention and use by other persons. In the U.K., the answer to who owns an e-mail appears to be neither the sender nor the recipient.

In Fairstar Heavy Transport N.V. v. Adkins, [2012] EWHC 2952, decided by the Technology and Construction Court of the Queen’s Bench Division of the English High Court, the issue was whether the plaintiff company, “Fairstar”, had a proprietary interest over e-mails held by the defendant, “Adkins”, who was formerly the CEO of Fairstar. Adkins was not directly employed by Fairstar. Instead, Fairstar contracted with Adkins’ company. The plaintiff had been taken over by a competitor in a hostile bid and Adkins had been terminated.

According to the court decision, Adkins’ incoming e-mails while he was CEO would be automatically forwarded by Fairstar’s server to Adkins’ e-mail account hosted by a third party. Copies of the e-mails on Fairstar’s server were automatically deleted after being forwarded. Copies of e-mails sent by Adkins did not go through Fairstar’s server unless someone at Fairstar was copied.

Fairstar wanted access to the e-mails in relation to the construction of a vessel in a Chinese shipyard, which turned out to be a substantial liability for Fairstar and with respect to which Adkins was involved in the negotiations. Fairstar’s position was that, notwithstanding that it had no claim to the medium in which the e-mails were stored, it had a proprietary claim to the content of the e-mails.

In examining the possibility of a proprietary claim, the court considered five options:

1. Title to the e-mail remains with the creator (or his or her employer) irrespective of who receives the e-mail or how many times it is forwarded.

2. Title to the e-mail passes to the recipient (or his or her employer).

3. In the alternative to (1), even though title to the e-mail remains with the creator, the recipient has a licence to use the content for any legitimate purpose consistent with the circumstances in which the e-mail was sent.

4. In the alternative to (3), even though title has passed to the recipient, the creator continues to have a licence to retain the content and to use it for any legitimate purpose.

5. In the alternative to each of the foregoing, title is shared between the sender and recipient and anyone else to whom the e-mail is sent.

The court concluded that options (1) and (2) were not workable. Indeed, either option would lead to the possibility of a party having the right to demand that an e-mail (subsequently regretted) be returned or destroyed.

The court held that options (3) and (4), which involve one party retaining ownership and the other party a licence (presumably irrevocable) to use the e-mail, effectively left the concept of ownership devoid of any real meaning because only illegitimate uses could be precluded. If a breach of copyright or confidentiality was not in issue, there would be very little use, if any, left to restrain as being illegitimate.

The court also rejected option (5). The court hypothesized that the result of a joint proprietary interest might presumably mean that if a supplier lost its database of e-mails, it could demand that all of its correspondents deliver up a copy of the e-mail in order to reconstitute the database.

In the case of a letter, the recipient of the letter “owns” the letter in the sense of the tangible thing. Of course, the owner’s right to reproduce the content of the letter is subject to copyright, just as I might own the book on my bookshelf but my entitlement to reproduce the book or passages from it is subject to applicable copyright laws.

The question of who owns an e-mail is of course more complex since it is not a tangible thing in the same way as a letter or book. However, might it not be analogous to the author making a copy of a letter and sending the original or the copy, or the author of a book retaining a copy of the manuscript? Author and recipient each are entitled to own and use their own copy subject to copyright laws. No one would suggest that the author could demand return of the copy of the letter or book, subject, of course, to duties of confidence or other equitable rights and obligations. Might the reason why the options discussed by the court don’t make sense have to do with thinking about an e-mail as a single thing, whereas an e-mail is a message transmitted electronically and always already involves a copy (perhaps many times over) once created and even more so when sent? Thoughts?

Tagging You: Guidelines for Facial Recognition in Canada and the United States

In October, the U.S. Federal Trade Commission (FTC) issued a Staff Report, entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies”. Organizations operating in Canada and the U.S. should carefully consider the guidance in the FTC Staff Report.  They should also have regard to earlier guidance on the collection of biometric information, including facial information, issued by the Office of the Privacy Commissioner of Canada (OPC).

In this post, I examine some of the privacy issues that facial recognition technologies present and compare and contrast the U.S. and Canadian guidelines on the use of facial recognition technologies.

A question of liberty and control

The Supreme Court of Canada has said that privacy is at the heart of liberty. “[R]estraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state” (R. v. Dyment, 1988 CanLII 10 (SCC) at para. 17). Very recently, the Supreme Court of Canada reiterated that the underlying values of dignity, integrity and autonomy are fostered by protecting a biographical core of personal information from the state (R. v. Cole, 2012 SCC 53 at para 45, quoting R. v. Plant, 1993 CanLII 70 (SCC)).

Private sector privacy advocates may argue that those same values require that individuals have the right to protect (and control) a biographical core of personal information from private sector organizations, as well, should they choose to do so.

Facial recognition technologies create new challenges for privacy protection.  In public spaces, there is, of course, the possibility that people might recognize you.  However, one of the features of urban spaces is that an individual can often move around in a way that is relatively anonymous.

Advanced facial recognition technologies have the potential to match images across platforms. Pervasive private-sector passive security video surveillance, facial recognition in digital signage, and photos and videos uploaded to social media could, in theory, be combined and cross-matched.  The ability to move around in relative anonymity could, in theory, be lost, along with the ability to control the use of one’s own image. Moreover, the collection of this information could, in addition, be combined with public-sector data from government issued identification and licensing activities, leading to concerns of mass surveillance.

In Canada, we have already had some experience with the potential use of combining private sector data with public sector databases for law enforcement purposes. Following a riot in Vancouver, the Insurance Corporation of British Columbia (ICBC) (a Crown corporation subject to private sector privacy legislation in British Columbia) offered its facial recognition technology to assist police in comparing images of individuals alleged to have participated in the riot with images in its database of drivers. ICBC is the provincial insurer for drivers in British Columbia. The plan was to take images contained on surveillance video and images uploaded to social media and compare them using facial recognition technology with those in ICBC’s database of driver photos. The Office of the Information and Privacy Commissioner of British Columbia (IPC) responded with an investigation that concluded that ICBC did not provide adequate notice of this potential use to citizens and that it must receive a warrant, subpoena or court order before using facial recognition software to assist law enforcement.

Notwithstanding the concerns raised by the IPC in British Columbia, it is easy to be drawn into being overly critical of the use of facial recognition. As the dissenting Commissioner, J. Thomas Rosch, stated in an appendix to the FTC Staff Report, there is, as yet, little evidence that facial recognition technologies are being systematically “misused”. In Commissioner Rosch’s view, the Staff Report was, among other things, premature.

It is also important to acknowledge that reasonable people may disagree on a number of the values underlying suspicion of facial recognition technology.  Some may be sceptical as to whether facial recognition technologies present any material threat to liberty.  Others may be sceptical whether the relative anonymity that urban life affords has anything to do with liberty.  Reasonable people may also differ in the extent to which they are prepared to submit to surveillance for the purposes of public safety.

Moreover, when critiquing facial recognition technologies, it is important to acknowledge that not all facial recognition technologies are the same and not all uses have the same degree of intrusion on an individual’s ability to be “left alone” in relative anonymity. As the FTC Staff Report notes, there is a spectrum of technological sophistication and a spectrum of uses. Facial recognition technologies may simply detect and locate a face in an image. Other technologies and uses may identify demographic characteristics or moods or emotions of the person to deliver targeted advertising.

FTC: technological neutrality but greater transparency and choice

For the most part, the FTC Staff Report is neutral with respect to the use of facial recognition technologies in consumer settings. The FTC acknowledges that facial recognition can be used “in ways that benefit consumers by providing them innovative products and services, such as the ability to try beauty products by uploading their faces to the Web, the ability to target search results, and the ability to organize and manage photos.” Facial recognition technology can also be used to enhance privacy protections. The technology can be used for authentication of mobile devices and to blur images of individuals captured in video.

However, the FTC is also concerned about potential erosions of privacy in ways that are unfair to consumers.  In providing guidance, the FTC has organized its analysis around three core principles:

1.  “Privacy by Design: Companies should build in privacy at every stage of product development.”

The FTC Staff Report states that the transmission of facial information should be encrypted or secured to protect against intrusion from a hacker who could view the images in real time. Organizations should also attempt to prevent unauthorized scraping of images. If images will be retained, there must be reasonable data security protections in place and the images should be subject to destruction once they are no longer necessary for the purpose for which they are collected.

2.  “Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.”

The FTC considers a consumer’s face to be a persistent identifier in the sense that it can’t simply be changed in the way that other identifiers can be such as a credit card number or a tracking cookie. Accordingly, it is critical that there be meaningful and informed choice.

The FTC Staff Report suggests that “walk-away choice” is sufficient if (a) the technology is being used to gather demographic information (age and gender), (b) images are not stored, and (c) the organization has been sufficiently transparent about its activities.

By contrast, using facial recognition technologies for identification purposes requires affirmative express consent. Similarly, using an image in a materially different way (for example, a new use) would require affirmative express consent.

3. “Transparency: Companies should make information collection and use practices transparent.”

The FTC is concerned that the public is not well-educated in the uses of facial recognition technology. For example, the FTC is of the view that facial recognition technologies in digital signage would not be consistent with reasonable consumer expectations. Therefore, it is important to provide prominent notice so that consumers have a meaningful choice as to whether they want to come into contact with these types of technologies.

The FTC Staff Report states that a notice should be prominently placed at the entrance to the store or at the entrance to the area of the store in which the technology is being used. When used with digital signage or other novel applications, a notice should be placed near the digital signage or area of novel use. The notice should state the purpose of the technology and how consumers can find out more information about the technology and the practices of the company operating the signs in that venue.

If facial recognition is used on images submitted in social media, the operators of those social networks should provide consumers with an easy to find, meaningful choice and the ability to turn off the feature and delete biometric data.

Canada’s focus on proportionality

The Canadian guidance from the OPC contains similar themes. Individuals should be informed that facial recognition is being collected. If facial information will be used for other purposes than those disclosed at collection, additional consent will be required.

However, unlike the U.S. approach, the Canadian approach by the OPC requires that organizations be prepared to justify the use of facial recognition. In part, this is probably because subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA) provides that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” (emphasis added).

In determining what is reasonable, the OPC encourages organizations to apply a four-part test.

1. Is the use of the technology demonstrably necessary to meet a specific need?

2. Is the use of the technology likely to be effective in meeting that need?

3. Would the loss of privacy be proportionate to the benefit gained?

4. Is there a less privacy-invasive way of achieving the same end?

The application of this test means that technologies such as facial recognition are not to be employed simply because they are efficient, convenient or cost-effective. Instead, the OPC suggests that facial recognition should be “essential for satisfying a particular need”. Any loss of privacy must be proportional to the benefit obtained from the technology. If the benefit to the organization of using facial recognition is minor, then it will be difficult to justify the loss of privacy from technologies that may be used to identify individuals. By contrast, technologies that are being deployed for privacy enhancing purposes (such as blurring faces in photos) or that are based simply on sensing that there is a person facing a digital signage may be much easier to justify in the cost to privacy / benefit to the organization calculus.

Implications of the Philosophical Difference

The Canadian focus on the contextual reasonableness of facial recognition technologies is an important philosophical difference in approach, with practical implications. In particular, it may be necessary in Canada to more carefully calibrate the use of facial recognition technologies in consumer settings to a clearly defined need.

Although the use of facial recognition technologies may be more restricted in Canada, they can be used in privacy enhancing ways, as demonstrated by the experience in Ontario casinos.

The Ontario Lottery and Gaming Authority (OLG) facial recognition program is instructive.  OLG maintains a voluntary self-exclusion program for persons who do not want to be admitted to gaming sites. In collaboration with the Information and Privacy Commissioner and the University of Toronto, the OLG developed a facial recognition program that uses biometric encryption. A biometric pointer key is created from a sample image. The sample is then discarded. The identity of the person can only be unlocked by the biometrically encrypted pointer key derived from a person’s live image. Images that do not unlock a self-excluded gambler’s photograph are discarded, thereby protecting the privacy of the general public visiting the casino. If a likely match is identified, staff will check identification, which eliminates false positives. The Ontario Information and Privacy Commissioner has authored a paper describing the project and has presented on the topic recently.

Facial recognition technologies won’t be going away.  They are novel, useful, and fun for consumers.  However, developers should consider engaging in a privacy impact assessment with respect to any deployment of these technologies for new uses and applications.

Constitutionality of Alberta’s Personal Information Protection Act Heading to Supreme Court of Canada

Today, the Supreme Court of Canada granted leave to appeal from a decision of the Alberta Court of Appeal declaring the application of Alberta’s Personal Information Protection Act to certain union activities during a strike to be unconstitutional. This case may prove to be pivotal for the interpretation and constitutional validity of private sector privacy laws in Canada.

The case, now titled Information and Privacy Commissioner v. United Food and Commercial Workers, Local 401, involves a union videotaping people crossing a picket line.  The union had also threatened to post the images to an Internet website.  One of the images was used for posters, leaflets and a newsletter. If PIPA applied, the union would need to find an exception to the collection and use of that personal information without reasonable consent.

The union’s initial argument before the Alberta Court of Appeal was that its collection and use of the personal information (the images of people crossing the picket line) was exempt from the requirement for reasonable consent by virtue of the exception for journalistic purposes.

The Court of Appeal concluded that the union’s activities did not fall within the exemption for journalism. However, the court went on to assess whether PIPA unreasonably restricted the union’s right to freedom of thought, belief, opinion and expression under section 2(b) of Canada’s Charter of Rights and Freedoms.

The court accepted that the union was engaged in expressive activities in support of labour relations and collective bargaining activities by the union in mid strike. PIPA restricted that right if there were no exemption available.  So, the question for the court was whether the restrictions imposed by PIPA were justifiable in a free and democratic society. In other words, were the restrictions proportional to the harm being regulated by PIPA (the harm being the potential misuse of personal information and the interest of protecting reasonable expectations of privacy)?

The court concluded that the restrictions were overbroad. In particular, the court identified the following concerns (at para. 77):

• [The Act] covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.

• The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.

• The definition of “publicly available information” is artificially narrow.

• There is no general exemption for information collected and used for free expression.

• There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

The court did not strike down any particular portion of the statute because there was “no obvious way to prune this statute so as to make it constitutional”. Instead, the court declared that the application of PIPA to the union’s activities was unconstitutional.

The Supreme Court of Canada has now granted leave. It is expected that there will be a number of parties seeking leave to intervene in the appeal.

 

App Development Guidance from Canada’s Privacy Commissioners

On October 24, 2012, the Privacy Commissioners of Canada, Alberta and British Columbia issued a joint guidance document on mobile applications, titled Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps. The guidance conveniently summarizes general private sector privacy principles under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Acts of Alberta and British Columbia in one document, with specific application to the development of mobile applications (Apps).

The Privacy Commissioners provide tips on making consent more meaningful in the mobile App environment. Suggestions include:

  • Layering Information. The first layer of privacy disclosure could be icons, labels and images that lead to more detail through hyperlinks.
  • Privacy Dashboards. Provide tools to display privacy settings in a way that encourages user action and also explains the consequence of making a choice.
  • Colour and sound. Scale colour and sound and their intensity to the importance of the decision or sensitivity of the information.
  • Timing of user notice and consent. Users should not have to search for an App’s privacy policy. Instead, users should be provided with clear and accessible information prior to download. However, disclosure before download may not be sufficient. Further disclosure to obtain consent should occur in real time as the information is being collected so that the user can make a timely choice. For example, if location information is being collected, a symbol could be used to indicate to users that this is happening.

The Privacy Commissioners also provide specific guidance with respect to the collection and use of certain types of personal information. For example:

  • Sound, Location and Movement. Collection of sound and data from the device’s location and movement sensors requires informed consent and must be directly related to the functionality of the App.
  • Cameras. Activation of the device camera requires specific permission of the user.
  • Device Identifiers. Apps should be designed in a way that does not require collection of unique device identifiers unless that is “essential” to the functioning of the App.
  • Third parties.  Information about third parties (e.g. from a contact list) should not be collected without consent. The Privacy Commissioners do not specify whose consent.

The Privacy Commissioners also state that data should not be associated across Apps unless it is “necessary” to do so and “obvious” to the user.

In addition to this latest guidance, Apps developers may wish to consult The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers and Users, which was co-authored by the Information and Privacy Commissioner of Ontario and the Arizona State University Privacy by Design Research Lab and published in December 2010.

 

Cyber Security Progress Has Been Slow, says Canada’s Auditor General

Cyber security month continues in Canada with the release of the Auditor General’s Fall 2012 Report. Chapter 3 evaluates the federal government’s progress on protecting Canadian critical infrastructure against cyber threats. As the Auditor General noted, the federal government is uniquely positioned to protect Canadians because of its access to foreign intelligence and other information sources that are not available to other stakeholders.

What is the Auditor General’s assessment? The federal government has been stating its commitment to address cyber security threats to critical infrastructure since 2001. However, “[d]espite several past strategies and funding, […] progress in achieving these commitments has been slow.” It appears that the government’s focus has been on policy development (and, perhaps, redevelopment) rather than monitoring threats and building sectoral partnerships.

For example, the federal government announced the creation of the Canadian Cyber Incident Response Centre (CCIRC) in 2005 to serve as a national readiness and response team for cyber threats. The CCIRC still does not operate 24 hours a day, 7 days a week and there are no plans for it to do so. Instead, it operates Monday to Friday, from 8 a.m. to 4 p.m. Eastern Time. The government plans to extend the operational hours, but not provide 24/7 coverage. Cyber threats or attacks outside of those hours are reported to the Government Operations Centre, which then pages an employee at CCIRC.

There are concerns that the CCIRC is not included early enough when incidents do occur. In part, this is because it is not the initial point of contact for sectoral incidents; however, there also appears to be interdepartmental confusion. For example, CCIRC was not notified of an attack on government systems until more than a week after the intrusion was discovered.

Given that critical infrastructure is owned by the private sector or managed through provincial, territorial or municipal governments, partnerships with the federal government on national cyber security are critical. However, with the exception of the energy and utilities sector network managed by Natural Resources Canada, partnerships within other sectors are only now starting to be developed and do not yet provide complete coverage.

Public Safety Canada has, for the most part, agreed with the Auditor General’s recommendations.

 

R U Preserving UR Text Messages?

A 2011 report for the Pew Research Center’s Internet and American Life Project found that Americans between the ages of 18 and 24 exchanged an average of 109.5 text messages (nearly 110) on a normal day, with a median user exchanging approximately 50 text messages a month. Even those in an older age group – 30 to 49 – were texting in significant numbers at an average of 27 texts per day.

Text messages are not confined to personal use, although that is likely still the most pervasive use of text messaging. Close-knit team members may use text messages to convey brief information or simply to prompt a call or attention to email. Text messages may also be used more nefariously as a means to communicate information in an attempt to avoid detection by an employer, particularly when sent and received from employee-owned mobile phones.

In the public sector environment, there may be a duty to produce text messages in response to access to information requests if those text messages are under the “control” of a public institution subject to access to information legislation. Access to information legislation typically defines “records” broadly in a technologically neutral way. The issue, however, is whether text messages are under the “control” of the institution. The answer is straightforward with respect to employer-owned mobile devices. However, the answer is more complex when dealing with employee-owned devices. The Supreme Court of Canada has endorsed an understanding of “control” that would include some power of direction over the record. Whether a policy on employee text messaging would be sufficient to establish control is uncertain.

In response to the possibility that records are falling outside of the access to information system, the Information Commissioner of Canada recently initiated an investigation into the use of text messages and similar forms of communication in the Federal public sector. The Commissioner noted that there is no government-wide policy on text messaging. Her investigation appears, however, to be limited to government-issued wireless devices.

In the private sector, the issue is equally complex. Leaving aside privacy issues relating to non-work-related texts on employer-owned devices, it is impractical for an employer to control the use of text messaging on personal devices. What is clear, however, is that inappropriate use of text messaging may pose a significant record-keeping and compliance challenge for organizations. My colleagues have posted about harassment complaints involving text messages sent and perhaps not sent. More broadly, however, text messages pose challenges for managing communications regarding matters that may be highly regulated or potentially litigious. If a regulatory investigation is commenced or litigation reasonably anticipated, the organization may need to take steps to direct employees to preserve relevant text messages.

There is no easy answer to the issue of text messages. However, like Canada’s Information Commissioner, it may be time to consider whether your organization’s policy and employee training are up to the challenge.

 

Privacy in Electronic Devices: ownership & policies are not determinative

To what extent are device ownership and acceptable use policies determinative of an employee’s expectation of privacy?

Many employers attempt to diminish the expectations of privacy of employees in work-supplied electronic devices through “computer use” policies that state explicitly that these devices are to be used solely for work purposes and that employers may monitor the use of these devices. These policies are perhaps honoured more in their breach. Moreover, the “bring-your-own-device” (BYOD) movement is rapidly eroding the black-and-white nature of these policies. With BYOD, the employee will own the laptop or smartphone. This limits the employer’s legal and practical ability to control the employee’s use of the device. Nevertheless, the employer has an interest in ensuring that the device is secure and may install software or applications onto the device. Indeed, the employer’s IT department may provide support for this software and applications.

On October 19, 2012, the Supreme Court of Canada released its much anticipated decision in R. v. Cole. The case involved whether an employee had a reasonable expectation of privacy in material on a work-issued laptop such that the computer could not be searched by the police without a warrant even if the employer handed the computer over to the police. A majority of the court concluded that the employee had a reasonable expectation of privacy and that a warrant would ordinarily be required. However, in the circumstances of the case, the remedy for the breach of the employee’s constitutional rights would not be exclusion of the evidence.

The court’s reasons establish the following important privacy principles:

  • In assessing the privacy interest, the focus is on the informational content of the device and not the device itself. Ownership of the device is a relevant factor but is not determinative of whether an expectation of privacy is reasonable.
  • Computers used by employees may “contain information that is meaningful, intimate, and touching on the user’s biographical core.” The information may expose biographical information regarding “the likes, interests, thoughts, activities, ideas and searches for information of the user.”
  • Everyone in Canada has the constitutional right to privacy from the state (law enforcement) with respect to this type of biographical personal information on workplace computers, provided that it would be reasonable to expect the computer to be used for personal purposes.
  • Workplace acceptable use policies may diminish an employee’s reasonable expectation of privacy but will not, on their own, remove the expectation entirely. The operational context, including the practices and customs of the workplace, will also be relevant; this may include the reality that workplace-issued devices are permitted to be used by employees for incidental personal use.

R. v. Cole was decided in the criminal law context in a situation in which the employer was a public body that was conceded to be subject to Canada’s Charter of Rights and Freedoms. Caution should be exercised, therefore, in extrapolating the principles in R. v. Cole to the private sector and non-criminal contexts. Indeed, the majority of the court expressly stated that it would “leave for another day the finer points of an employer’s right to monitor computers issued to employees.”

However, one point is clear: the court concluded that even if the employer has lawful possession of a device for the employer’s own administrative purposes, this does not mean that the employer can waive the reasonable expectation of privacy of the employee by turning the device over to the police, nor does it vest the police with lawful authority to search the device for the purposes of a criminal investigation. This does not mean that the employer cannot tell the police what it has found, which would permit the police to obtain a warrant.

R. v. Cole demonstrates that ownership and acceptable use policies will not be determinative in assessing whether employees have a reasonable privacy interest in information stored on a device used for employment. Ownership and acceptable use policies are, however, relevant as part of the totality of circumstances that the employer (and the state) must take into consideration.

It should be obvious, therefore, that in a BYOD environment, the privacy interest may be even greater.  If an individual may have a reasonable expectation of privacy in the information stored on a workplace-issued device, it is likely a shorter step to concluding that an individual has a reasonable expectation of privacy in the context of a BYOD program. Furthermore, employers should consider whether their administrative policies and practices are appropriately tailored to the operational reality that employees are using workplace-issued devices and BYODs for personal use and how that may affect their ability to monitor employees, particularly where that monitoring is surreptitious.  An overreaching policy will not provide comfort to an employer if it is out of step with the practical reality of the workplace.

For more views on this case and employee privacy issues, be sure to visit my colleagues’ Employment & Labour Blog.

Cyber Security: A fourth pillar of Open Government

October is Cyber Security Awareness Month.

Canada’s Auditor-General is expected to release a report on Canada’s Cyber Security Strategy. The report is expected to be an important assessment of Canada’s preparedness for further cybersecurity attacks.

In the meantime, and perhaps pre-emptively, the Government of Canada announced on October 17, 2012, an investment of CAD$155 million over five years to improve the detection of, and response to, continually evolving cyber threats to government systems and services.

A portion of the funding will be invested in the Canadian Cyber Incident Response Centre (CCIRC). The purpose of the funding for CCIRC will be to:

  • Improve incident response across Canada, and enhance the ability of government and its partners to maintain awareness of the cyber environment; and
  • Strengthen analytical capability to improve mitigation advice and incident response.

Cybersecurity is not formally a part of Canada’s Open Government strategy. However, the security of electronic government information and digital government services is critical to the success and effectiveness of that strategy and should be considered a “fourth pillar”. The other pillars of the Open Government strategy are:

  • Open Data: Offering government data in useful formats for the use of private sectors and non-governmental organizations
  • Open Information: Pro-actively release information to Canadians rather than to wait for access to information requests.
  • Open Dialogue: Use web-based technologies to engage with Canadians on government policies and priorities.

 

No “Do Overs”: Children, Personal Information and Marketing in Canada

Few dispute that the law should protect the privacy of children. In a recent decision of the Supreme Court of Canada, the court held that the “[r]ecognition of the inherent vulnerability of children has consistent and deep roots in Canadian law” and that “[t]his results in protection for young people’s privacy” in several legislative areas.

This post doesn’t address what is socially acceptable or appropriate in terms of the collection of personal information from children or the use of that information for marketing. Instead, it focusses on some of the practical legal issues when dealing with children, personal information and marketing in Canada.

“We do not knowingly collect personal information from children under the age of 13.”

It has become boilerplate for organizations in Canada to deny that they knowingly solicit, collect or use personal information from children under 13. Why? The focus on the age of 13 is probably a product of two statutes:

COPPA. Canada’s southern neighbour has a lot of influence, particularly in respect of e-commerce. The Children’s Online Privacy Protection Act (United States) requires verifiable parental consent to the collection of personal information from children under the age of 13.

Quebec. COPPA isn’t the only reason to focus on the age of 13. Section 248 of the Consumer Protection Act (Quebec) prohibits commercial advertising directed at persons under 13 years of age. The Office de la protection du consommateur takes the position that this applies to websites as well.

Special Advertising Regulations

Marketers must also be aware of special advertising rules for children even where advertising is permitted.

Broadcast Code Regulations. Television and radio broadcasters in Canada agree to adhere to the Broadcast Code for Advertising to Children (under the age of 12) as a condition of Canadian Radio-television and Telecommunications Commission licences. This requires pre-clearing of the children’s advertising.

Advertising Standards Canada Requirements. In the online world, the Canadian Code of Advertising Standards applies. The Code provides that advertising that is directed to children “must not exploit their credulity, lack of experience or their sense of loyalty, and must not present information or illustrations that might result in their physical, emotional or moral harm.”

Identifying Children and Obtaining Consent

Modulating information and consent mechanisms is difficult enough. However, it is complicated by the fact that the application of privacy principles tends to discourage the most obvious tool to identify children – asking the user for his or her age.

Difficulty in Obtaining Consent. In Canada, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and its provincial counterparts require meaningful consent to the collection, use, retention and disclosure of personal information. In order to obtain consent, the information must be presented and modulated in complexity to the developmental level of the child.

Identification Problem. Privacy advocates do not want to encourage the collection of dates of birth. However, without information on a year of birth, it is not possible to screen out the collection of personal information from children. In one case, a parent enrolled a child in a loyalty program. When the child started to receive credit card marketing materials, the parent complained but there was no practical way for the loyalty program to know the age of the person enrolling without asking.

There is no perfect solution. Instead, the organization must carefully consider the target audience and modulate consent and the use of personal information based on reasonable expectations about the demographics of that target audience.

Binding Terms of Use and Contracting with Minors

In many cases, organizations attempt to incorporate consent to the collection, use, retention and disclosure of personal information into the terms of use of the website or mobile application. However, the law is complex relating to the capacity of a minor to enter into a contract and that law varies among Canadian provinces. In Ontario, for example, a person who is 18 years of age or more is presumed to be capable of entering into a contract (s. 2(1) of the Substitute Decisions Act, 1992). However, there is no presumption that a person under the age of 18 is capable of contracting. On the other hand, if necessaries are sold and delivered to a minor, the minor is required to pay a reasonable price (s. 3(1) of the Sale of Goods Act). “Necessaries” are vaguely defined as goods suitable to the minor’s condition and his or her actual requirements. Even in the case of non-necessaries, the contract with a minor may not be voidable if the minor has already received the benefit of the contract.

In British Columbia, a person is an “infant” until reaching the age of majority of 19 years (s. 1(2) of the Age of Majority Act). Section 19 of the British Columbia Infants Act provides that a contract with an infant is not enforceable unless, among other things, it is affirmed on reaching the age of majority. However, that rule is not as blunt as it sounds, since the court may take into account the surrounding circumstances of the contract and whether any party has changed its position before fashioning a remedy.

Obtaining consent from a parent or requiring acceptance of terms of use from a parent is not necessarily the solution. In Ontario (and other common law provinces), a contract entered into by a parent on behalf of a minor may not be enforceable against the minor.

Helping Parents and Children

The Canadian Marketing Association has tips for helping parents with children’s marketing.  The Office of the Privacy Commissioner of Canada also has a great website for youth and parents.

Modernizing ATIA 2012: The Open Dialogue Consultation Begins

The Office of the Information Commissioner of Canada (OIC) has commenced a public consultation regarding the modernization of the Access to Information Act (Canada). The consultation period commenced on September 28, 2012 and will continue until December 21, 2012.

Individuals and organizations interested in participating in the public consultation may do so electronically. The OIC has dedicated webpages to submit feedback. The General Questions tab provides space for an online forum regarding five themes:

Right of Access. The OIC asks whether only persons who are citizens or physically present in Canada should be able to obtain government held records.

Coverage of the Act. The OIC asks what criteria should determine whether a federal entity that spends taxpayer money or performs public functions is or is not subject to access to information legislation.

Limitation on the Right of Access. The OIC asks whether the categorical approach to certain exemptions from disclosure should be eliminated and replaced with a case by case approach requiring the federal institution to establish that injury, harm or prejudice would result. The OIC also asks what role the public interest should play.

Cabinet Confidences. The OIC asks whether Cabinet deliberative secrecy should continue to be invoked to prevent disclosure of records that directly inform Cabinet decisions. If the exclusion is to be maintained, the OIC asks on what basis and whether the Commissioner should be able to review those documents.

Awareness and Education. The OIC notes that the Commissioner has no education and awareness mandate and asks whether this should change.

In addition to the General Questions, the OIC has prepared specific, more detailed questions to which it invites submissions.

As the OIC states, “[a]ccess to information underpins many of our most cherished rights and freedoms such as the freedom of expression, the freedom of the press and the right to vote.” It is to be hoped that Commissioner Legault is successful in sparking an organized discussion on reform.

 

Privacy Conscious Europe is Leading the Cloud Computing Charge

Look out, Canada and the U.S.: European regulators are working to give Europe a head start as a safe jurisdiction for cloud computing.

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. The Commission wishes to address the “perception” that cloud computing may bring additional risks by making it easier to signal and verify compliance (through standards and certification) and by developing legal frameworks, such as an initiative on cyber security. The Commission summarized the business case for devoting Commission resources to cloud computing as follows:

Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe’s businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe’s traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.

The Commission identified several barriers to an accelerated adoption for cloud computing, including:

  • Contractual standards regarding data access, portability, change of control, ownership of data and dispute resolution processes.
  • Regulatory fragmentation due to differing national legal frameworks and uncertainties over applicable laws, given that cloud services may span multiple jurisdictions.
  • Proliferation of security standards and uncertainty by organizations regarding the security of those standards and the interoperability of data formats to permit portability.

Among the Commission’s activities for 2013:

  • The Commission has challenged itself to develop model terms for cloud computing service level agreements for professional cloud users by the end of 2013. The Commission will also review clauses that could be used in contracts involving the transfer of personal data to countries outside of the EU.
  • The Commission will also develop standardized contract terms for consumer agreements for cloud computing.
  • The Commission supports the development of uniform standards and the certification of organizations providing cloud computing services. The Commission will be tasking the European Telecommunications Standards Institute with developing a set of necessary standards for security, interoperability, data portability and reversibility. The Commission will also assist in the development of an EU-wide voluntary certification scheme.

UK Information Commissioner Provides Constructive Guidance

In other developments, the U.K. Information Commissioner’s Office (ICO) has issued “Guidance on Cloud Computing”, which should prove to be a useful resource for privacy professionals and counsel who are beginning to grapple with cloud computing technologies and mandatory reading for Canadian companies operating in the U.K. Although there are significant differences between Canadian and U.K. privacy laws, this ICO resource is a useful starting point because of the clear and practical approach to decoding the “lingo” of cloud computing and describing the privacy issues. In-house counsel may especially appreciate the use of specific short examples to illustrate concepts.

Among the points covered in the ICO booklet are:

  • Assess the risk of processing highly sensitive data in the cloud. The ICO does not, however, put any types of data off-limits. The ICO states: “Often, the question may not be whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated.”
  • Consider that moving data to the cloud may create additional types of data. Metadata regarding usage statistics or transaction histories of users may be recorded and should be covered by the organization’s privacy policy.
  • Privacy impact assessments should be considered before engaging in large or complex cloud services.
  • Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event. Organizations should engage in a “continual cycle of monitoring, review and assessment”. Furthermore, organizations should ensure that they are notified of any changes to subcontractors and those subcontractors are approved.
  • Use third-party audits and certifications. The ICO supports the use of third party audits and industry certifications to assist organizations assessing the physical, technical and administrative security measures of the cloud service provider. Responsibility remains, however, with the organization to satisfy itself that the cloud service provider has adequate security measures in place to maintain data security.

The ICO states that technical security measures of a cloud computing program should include:

  • Access control through the use of a robust authentication program involving individual usernames and strong passwords and an administrative program to create, update, suspend and delete user accounts.
  • Encryption of data while in transit and, if possible, at rest (i.e. when stored) should be considered. It is important, however, to ensure that the encryption process also contains a “robust key management arrangement”. This is because access to the decryption key means access to the data and, in addition, inadvertent loss of the key would result in the loss of data.
  • Data retention and destruction procedures to provide for the overwriting and destruction of data consistent with the organization’s document retention protocol and following a transfer to another cloud service provider or discontinuance of the use of the cloud service provider’s services.
  • Limits on the cloud service provider’s access to the organization’s data and controls on whether and how the cloud service provider may use the organization’s data. There should be “an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs.”

On the thorny subject of international transfers of data becoming subject to the laws of the organization to which the data transfer is made, the ICO joined the trend towards international comity by stating as follows:

If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

Movement to cloud computing appears inexorable.  Jurisdictions that are first movers to develop standards and to facilitate the advantages of the cloud computing industry may have the advantage in the long-run.  Digital strategy, anyone?

Reforming Canada’s Access to Information Laws & Practice

It’s “Right to Know” week in Canada. It is off to an interesting start. Canada’s Information Commissioner, Suzanne Legault, announced in her Annual Report that she will be engaging in a public dialogue as she prepares to make recommendations to Parliament to revise Canada’s access to information laws (even as the budget for her office has been slashed).

The federal Access to Information Act is 30 years old. Nova Scotia and New Brunswick can claim bragging rights to the oldest access to information legislation in Canada, dating from 1977 and 1978 respectively. In most jurisdictions in Canada, there have been no major revisions to access to information laws (1) to account for the volumes of electronic data, public-private partnerships, and Crown and shared governance corporations that have burgeoned in the decades that have followed or (2) to account for the opportunities that information technologies present for sharing that data with citizens.

However, governments across Canada are increasingly embracing the concept of “Open Government”. Open Government is an initiative to leverage information collected by governments by making it available to citizens and businesses in a proactive way. At the federal level, Open Government involves three main “streams”: (1) disclosing information in readily useable formats (Open Data); (2) proactively releasing information (Open Information); and (3) engaging Canadians directly in policy development through Web 2.0 technologies (Open Dialogue).

British Columbia may be the furthest ahead in embracing Open Government. British Columbia is already proactively releasing information that is commonly requested. In addition, British Columbia has committed to releasing the results of individual access to information requests. However, it has been a bumpy ride, with allegations by the B.C. Freedom of Information and Privacy Association that British Columbia is failing to electronically post about 67% of completed access requests.

Meanwhile, in Ontario, the Information and Privacy Commissioner, Dr. Ann Cavoukian, held a conference last week regarding Open Data. Key to the Ontario Commissioner’s initiative is her “Access by Design” principles. These principles are to inform new government initiatives so that information is “pushed out” to the public more proactively to avoid the overburdened and inefficient access to information process.

Could we be seeing some traction for reform?

The Right to Have a Non-Conviction Police Record Forgotten?

One of the hot topics in privacy policy at the moment is the question of whether there should be a right to be forgotten. Should, for example, an indiscretion captured in a photo and shared via social media be purged?

The Canadian Civil Liberties Association (CCLA) has weighed in on the debate by tackling a specific and pressing issue: the retention and disclosure of non-conviction records in police background checks. The CCLA’s recent report is provocatively titled “Presumption of Guilt?”

The CCLA notes that most people who interact with police will never be convicted of a crime. These people may be victims of crime, be witnesses, or be targets of an investigation or a “person of interest”. In some cases, a person simply has an undiagnosed or untreated mental health need and law enforcement officers are first responders. Records of these interactions may be created in each of these cases. In addition, of course, records will be created in situations where the police lay charges that are subsequently withdrawn or individuals are acquitted of an offence.

In the case of adults, these varied “non-conviction” records are not subject to legal requirements for destruction. The CCLA comments that the Criminal Records Act provides for removal of records of absolute and conditional discharges from RCMP databases within relatively short time frames. However, there is no requirement with respect to other types of non-conviction records. Moreover, the CCLA concludes in its Alberta investigation that records of absolute and conditional discharges of adults as well as other non-conviction records of adults may continue to be maintained in provincial databases for lengthy periods of time and possibly indefinitely. (There are greater restrictions on the retention of youth criminal records.)

The CCLA is calling for reform given the increasing use of criminal background checks in employment. The CCLA is concerned that these records may be misleading without sufficient context and be unfair to the subject of the records who may not be in a position to refuse to disclose those records.  To address these concerns, the CCLA has outlined seven recommendations which are reproduced below:

1.  Non-conviction records should be regularly reviewed and destroyed in the overwhelming majority of cases.

2.  Non-conviction records should be retained for inclusion in a police background check only in exceptional cases where police believe that doing so is necessary to reduce immediate public safety threats. The decision to treat a case as an exceptional one should be done at the time that the non-conviction record is created; i.e., immediately after the charge is dismissed, withdrawn or otherwise resolved by way of a non-conviction.

3.  Where the government requests that a decision be made whether to retain a non-conviction record, the affected individual should be notified and provided with a right to make submissions.

4.  If it is decided that retention is appropriate in a given case, the affected individual should have a right of appeal in front of an independent adjudicator.

5.  Where non-conviction records are retained, they should be disclosed only in relation to certain employment or volunteer positions.

6.  Proper monitoring mechanisms regarding the use and impact of all forms of police background checks should be put in place, including adequate data collection and public reporting.

7.  Provincial human rights legislation should protect individuals from unwarranted discrimination on the basis of non-conviction disposition records.

 In the meantime, employers should be cautious in their use of background checks to ensure that they are adhering to their legal obligations.  For more information regarding the law related to the use of background checks in employment, readers might consider checking out “The HR Manager’s Guide to Background Checks and Pre-Employment Testing” authored by Adrian Miedema (FMC lawyer) and Christina Hall.

Access to Confidential Information in Failed Bid Not Allowed

A recent Order (MO-2786) of a Senior Adjudicator of the Office of the Ontario Information and Privacy Commissioner provides a useful guide for organizations wishing to protect confidential and financial information submitted in response to requests for proposals issued by a City.

The dispute involved the decision by a City to disclose a bidder’s RFP response (apart from severing personal information) in response to an access to information request under the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”). The bidder sought to protect details of its software solutions and its pricing under subsection 10(1) of MFIPPA. This provision permits withholding of records that would disclose “a trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence implicitly or explicitly” provided that the disclosure would reasonably be expected to cause the bidder certain types of specified harm. One of the specified harms would be significant prejudice to the competitive position of the bidder.

Lessons from the Senior Adjudicator’s Order:

  • Whether information has been made public by the bidder is not relevant to the initial determination of whether the information is “commercial information” or “financial information” under subsection 10(1) of MFIPPA.
  • The fact that the RFP states that all bid responses will be subject to MFIPPA does not displace a reasonable expectation of confidentiality if (a) the bidder marks the response “Confidential to the City” and (b) there is no indication that the bidder has disseminated the information more broadly.
  • If the bidder has published information on its website, there is no expectation of confidentiality for that information in its bid.
  • If the total bid price (or, arguably, other information) is disclosed publicly in a City council meeting or documents for the City council meeting, the information will not be protected in an access request.
  • “The failure of a party resisting disclosure to provide detailed and convincing evidence will not necessarily defeat the claim for exemption where harm can be inferred from other circumstances.”
  • Public policy may permit losing bids greater scope for protection than winning bids. In the Senior Adjudicator’s view, the issues of transparency and accountability in spending taxpayer money are not as engaged as with a winning bid.

In the result, the Senior Adjudicator accepted that the information contained in the RFP response would be expected to cause harm to the bidder (apart from information already disclosed by the bidder on its website, which was not confidential). Although the bidder did not submit detailed evidence regarding potential harm, the Senior Adjudicator accepted that the particular circumstances permitted an inference of harm:

I accept the appellant’s assertion that it markets its products exclusively to municipalities and that, within this market, there is a limited number of competitors. The appellant has identified the bases on which these competitors distinguish themselves in RFP processes, including the detailed pricing structure and detailed explanations of how the functional requirements will be met.

 

Ontario Unclaimed Property Consultation

The Government of Ontario has commenced a consultation on a new proposed Unclaimed Intangible Property Program. The possibility of this new program for unclaimed property was mentioned in the 2012 Budget and reported on in a previous post. The Government has released a consultation paper, which includes a series of questions. The deadline for submissions is October 12, 2012. Given the additional burden this may pose for businesses, it is to be hoped that the consultation period is extended.

Ontario previously enacted an Unclaimed Intangible Property Act in 1989. However, this legislation was never proclaimed into force and ultimately was repealed as of December 31, 2011, by the operation of the Legislation Act, 2006.

The Government of Ontario is proposing that the new program for unclaimed intangible property would be based on the Uniform Unclaimed Intangible Property Act, which was developed by the Uniform Law Conference of Canada. This form of legislation would impose upon Ontario business the obligation to take prescribed steps to notify owners of abandoned unclaimed property. If the property remains unclaimed, holders must file a report and transfer the property to the Government of Ontario, which then can use the property until it is claimed (if ever). There would be fines for non-compliance. The Government of Ontario would maintain a publicly searchable registry of the property it has received. Owners may file a claim for the property.

What constitutes “property” for the purposes of the new program is up for grabs. The breadth of that definition will directly affect the number and types of business that will face additional administrative burdens. If, for example, Ontario were to include gift certificates and gift cards, this would have significant implications for Ontario retailers.

Another issue that is open for debate is the time period after which property should be considered to be abandoned. The general period of time is five years. Thus far, there has been insufficient consideration given to the interaction between Ontario’s Limitations Act, 2002 and an unclaimed property program. Legislation tends to ignore the effect of limitation periods on the enforceability of intangible property rights and, therefore, the issue of whether the property should be considered abandoned or the property rights considered unenforceable. In Ontario, the basic limitation period is two years from the date of discovery of the claim or the date on which a reasonable person with abilities and in the circumstances of the person could have discovered the claim.  However, the limitation period for demand obligations does not commence until a demand for performance is made.

The issue of limitation periods is also relevant to the transitional provisions for an unclaimed intangible property program. Ontario is proposing not to enact a transitional period that would have exempted property that became unclaimed more than five years before the coming into force of the legislation. The effect of this is uncertain. Apart from the problem that businesses may have records for the past seven years, some businesses may have considered the rights of the property holders unenforceable for accounting purposes, provided the obligation was not a demand obligation.

During the consultation period, the Government is asking:

  1. Whether any modifications to the Uniform Unclaimed Intangible Property Act should be made?
  2. What types of property should be included or excluded? Do certain types of property present unique challenges?
  3. Are the time periods for considering property abandoned in the Uniform Unclaimed Intangible Property Act appropriate?
  4. What are the challenges for businesses in transitioning into the new program?
  5. Are there additional issues that the Government should be aware of?
  6. How should the Government continue the consultation as the new program is developed?

The consultation document is available here. Remember, the consultation deadline is October 12, 2012.

 

Mobile Apps in the U.S.: FTC Guidance to Marketers

Last month the Bureau of Consumer Protection of the U.S. Federal Trade Commission (FTC) issued guidance regarding the marketing of mobile Apps. The guidance should be of interest to companies engaged in cross-border e-commerce activities. It should be noted, however, that minimum compliance with the FTC guidance may not result in an App marketer being fully compliant in Canada.

Among the key points in the FTC’s guidance document, entitled “Marketing Your Mobile App: Get It Right from the Start” are:

  • Advertising has a broad compass.  The FTC reminds developers that advertising isn’t just a traditional advertisement but includes a range of representations made expressly or by implication about what the product does.  The FTC cautions that App marketers require competent and reliable evidence to support objective claims and may require competent and reliable scientific evidence to support health claims.
  • Key information must be clear and conspicuous.  This isn’t just a matter of the size and readability (although those are obviously important).  It also includes the way in which information is layered.  Layering information isn’t a licence to hide information behind vague hyperlinks.
  • Engage in “privacy by design”.  The Ontario Information and Privacy Commissioner’s “privacy by design” approach should be followed.  This includes the principles of limiting collection, secure storage and safe destruction.  Although the FTC did not emphasize the “privacy by design” principle of privacy as the default, the FTC did note that sharing of data that would not be expected by an average consumer should only be done with express consent.  The FTC also states that sensitive information should only be collected and used with express consent.  In addition, mobile Apps should offer consumers choices and control over their personal information.
  • Honour the promises, including privacy promises, made to consumers.  The FTC cautioned that “[c]hances are you make assurance to users about the security standards you apply or what you do with their personal information.”  Systemic failure to honour these promises or take reasonable steps to protect personal information may lead to FTC enforcement action.
  • Apps designed for children under the age of 13 must comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  This will involve additional disclosures and consent requirements.

Conversational Email, Contracts & the Statute of Frauds

With permission of the publisher of E-Commerce Law Reports, here is a link to my recent article examining three cases decided in Canada, the U.K. and the U.S. in which the Statute of Frauds was pleaded as a defence to the enforceability of contracts created by conversational email.

Beyond the Privacy Policy: New Guidance

On September 5, 2012, the Information and Privacy Commissioner of Ontario (“IPC”) released a new guidance paper, entitled “A Policy is Not Enough: It Must be Reflected in Concrete Practices”.  This guidance paper will be particularly useful for organizations seeking preliminary guidance on implementing the “privacy by design” principles developed by Commissioner Cavoukian.

The IPC outlines 7 steps for implementing privacy policies. Sensibly, the Commissioner acknowledges that there are no “one-size-fits-all” approaches for embedding privacy-by-design practices. Nevertheless, Commissioner Cavoukian notes that there are common steps to implementing a course of action. These steps are applicable to organizations of all sizes and complexity.

The following is a brief run-down on the steps and a few comments from my experience:

Step One:  The organization should develop and implement a privacy policy that is compliant with privacy laws and is tailored to the needs and risks of the organization.  As the Commissioner notes, “a generic policy, which does not consider the particular challenges of a given organization” is “not sufficient.”

Too often, organizations simply copy the basic privacy principles from applicable privacy legislation without attempting to describe those principles in a concrete way in their organizational environment.  The IPC recommends that if the organization deals with sensitive data, the organization should conduct a privacy impact assessment (“PIA”).  Arguably, however, a PIA is useful whenever the organization is developing or revising a privacy policy or engaging in a new initiative.  From my perspective, the PIA is particularly useful in (a) identifying practices that may create legal risks regarding an organization’s data governance practices, (b) organizing conversations about the extent of collection, use and retention of personal information that is necessary to the success of particular initiatives, (c) identifying stakeholders within the organization that should be accountable for the protection of personal information collected and used in connection with the initiative, and (d) assessing the administrative, technical and physical procedures necessary to provide adequate protection of that personal information.

The development of an organization’s privacy policy is not a “one-time” event. The IPC recommends at a minimum an annual review to assess the evolving legal and industry practice environment as well as whether the privacy policy of the organization and the procedures of the organization are consistent.

Step Two: The organization should link each policy item to a specific action item. For example, if a privacy policy provides that personal information will not be transferred in an unencrypted form over the Internet, then the organization must consider how to implement that policy to prevent data transfers that are not encrypted.  This may mean changes to the IT infrastructure to ensure encryption by default.

Step Three:  The organization should establish how the organization will demonstrate that the action items have been implemented.  Commissioner Cavoukian notes that effective change requires “buy in” from senior management and the demonstrable adherence to the policy by those who are accountable for the action item.

Step Four: The organization should develop an education and awareness training program that is tailored to the working environment of the organization both in structure and content. Initial training for employees on the organization’s privacy practices is critical, but so is on-going education and awareness so that the organization’s privacy practices are integrated into the employee’s duties. The IPC recommends at least annual refreshers or certifications. There are diverse methods of education and awareness training. However, to be effective, they must be directly relevant to the employee’s duties.

Step Five: The Commissioner recommends the designation of a “Go to” person. Employees should have a person who can address the privacy concerns they raise and assist them in assessing the implications of particular privacy practices.

Step Six: Organizations must audit compliance: “Trust, but verify”.  An organization should have a policy on the types of compliance audits that will be conducted and the procedures for those audits.  The audit process should be documented.

Step Seven: The last step is to prepare for a privacy breach. Too often organizations are unprepared to handle a serious privacy breach. The Commissioner states that “[i]t is increasingly important that organizations of all sizes be prepared to react to data security incidents”. An organization should have a data breach protocol so that the organization is able to react quickly and effectively. Privacy breach protocols assist in identifying the initial steps and persons accountable for reporting the breach, containing the breach, notifying affected individuals, investigating the causes and recommending remediation actions.

All About Drones – The Ontario IPC Speaks

Ontario’s Information and Privacy Commissioner (IPC) is a prolific author of timely and interesting commentary on pressing privacy issues. Earlier this month, the IPC released a new paper on “drones” or unmanned aerial vehicles (UAVs) entitled “Privacy and Drones: Unmanned Aerial Vehicles”.

The privacy issues relating to drones differ from typical video surveillance. Typically, video surveillance involves mounted cameras that record activities in a single location or that must be moved on the ground from location to location. By contrast, drone technology permits users to gather information from unique vantage points in the air and offers greater dynamic-gathering capability. Drones have become increasingly powerful, with the ability to capture sharper video images at greater distances and with infrared and thermal imaging capability. As the IPC notes, the combination of UAV technology and facial recognition programs means that drones could be used to continuously track individuals when “in public” and when “in private”.

UAV technology is deployed not only for military and law enforcement purposes, but also in many civilian applications. As the IPC notes, drones operate in such diverse applications as atmospheric research, mineral exploration, survey and inspection of remotely installed equipment (e.g. pipelines), and emergency monitoring.

The IPC is calling for greater public debate and consultation in Canada. In particular, the IPC would like public debate regarding the necessity of any proposed UAV program and the policies required to ensure that the program is acceptable to Canadians. The IPC’s view is that the use of drones by the state (including law enforcement) should require a warrant if it will involve “sustained surreptitious surveillance”.

Beyond debate, the IPC has suggested that in most applications, it may be appropriate to employ anonymous video analytics software. This software, loaded on the device, processes the video feed to detect facial patterns in data being recorded by UAVs. This technology can be deployed to screen video feeds in real time to obscure permanently images that resemble faces.

In addition, the IPC advocates federal amendments to Transport Canada aviation regulations to require drone operators to obtain a special flight operations certificate that would involve a privacy protection program.

 

Marketing to Kids: FTC Seeks Comments on New Rule

The U.S. Federal Trade Commission (FTC) is proposing new rules under the Children’s Online Privacy Protection Act (COPPA).  The current COPPA Rules date to 1999, long before the proliferation of advertising networks and plug-ins.

Given the fluid nature of the Canada-U.S. border when it comes to e-commerce activities, Canadian companies should pay attention to the proposed rule changes.  The FTC is seeking comments until September 10, 2012. [UPDATE: The deadline for comments has been extended to September 24, 2012.]

Key amendments involve changes to the definition of “personal information”, “website or online service directed to children” and “operator”.

Personal Information

The definition of “personal information” would expressly include persistent identifiers. These are identifiers that can be used to recognize a user over different websites or online services, provided that they are used for functions other than the internal operations of the website or online services. This could include cookies, Internet Protocol addresses, Media Access Control addresses, or any Unique Device Identifier. This is a very interesting amendment that could begin to decouple our understanding of what “personal information” is and focus the policy conversation more properly on the limits of surveillance.

Website or Online Service Directed to Children

The FTC proposes amending the definition of “website or online service directed to children” to include any operator who “knows or has reason to know” that it is collecting personal information from children. The FTC does not believe that this requires ad networks or the suppliers of plug-ins to monitor or to investigate websites and online services. However, the FTC states that this will prevent willful blindness to credible information that their services are being used in respect of children.

Operator

The FTC proposes amendments to the definition of “operator” to make the owner of the website or online service responsible for the activities of the network advertiser or plug-in. The rationale for this amendment is that even though the owner of the website or online service may not have direct access to the personal information collected by the third-party advertising network or plug-in, it is benefiting from that collection because those third-party services provide content, functionality or advertising revenue. Accordingly, these activities should be treated as being integrated with the website or online services being directed to children. The FTC considers the operator of the website or online service to be in the best position to control what advertising networks and plug-ins are integrated into its website or online service and to give notice and obtain appropriate consent.

 

MAC and IP Addresses: Personal Information?

A minor kerfuffle broke out at a recent (May 30, 2012) U.S. Federal Trade Commission workshop, “In Short: Advertising and Privacy Disclosures in a Digital World.” During a discussion of privacy and advertising on mobile platforms, Sara Kloek, Director of Outreach for the Association for Competitive Technology, stated that a MAC address was information about a device and not personal information. Pam Dixon, founder and executive director of the World Privacy Forum, was quick to snap back, stating that a MAC address was personal information.

Who is right?  Why is it that we are still debating this fundamental issue?  And is the answer different for IP addresses?  This post is a bit longer than most here on www.datagovernancelaw.com but I’ll try to unpack these issues in the context of Canadian privacy laws and principles.

What’s a MAC address?

A Media Access Control address is an alpha-numeric number that is assigned to a hardware device that connects to a computer network. In simple terms, a MAC address is part of the addressing system that will allow one device to route packets of information to another device.  I’m a lawyer and not a technologist but I think it is fair to say that the MAC address for my smart phone will, for example, be visible to a retailer operating a wireless network when I come within range of that network.  The MAC address will be used by that wireless network when I connect to access the Internet or network services of that retailer.

Each device has a unique MAC address (leaving aside counterfeiting and spoofing).  Therefore, the MAC address for the device may be harnessed as a unique identifier for more than network functionality when it is visible or when an application installed on my device inspects and relays the MAC address. So, a MAC address could be a potential gateway to collecting information on the activities of users of that device when connected to the Internet.  (I wrote “users” deliberately because although there is probably only one user of my smart-phone, the same may or may not be true for any family’s laptop and other devices.)

A MAC address can also be used as a tool in tracking the movements of the device.  For example, Wi-Fi access points will have a MAC address that can be mapped geographically.  When a device (such as a smart-phone, tablet or laptop) interacts with a Wi-Fi network, the MAC address for that device will also be visible, thereby permitting anyone interacting with the device to determine the location of the device, provided that that person (a) knows the location of the Wi-Fi access point and (b) can see the MAC addresses of the access point and the device.

What’s an IP address?

An Internet Protocol address is a numerical label that is assigned to an addressable connection to the Internet. The IP address is also part of the addressing system (at a higher level than the MAC address).  It is used in routing packets of information over the Internet.  Again, I am not a technologist but my understanding is that, for most consumers, the IP address is probably not static or permanently assigned to their device.  Instead, the IP address will be dynamic.  The consumer’s Internet service provider will assign an IP address for a period of time, which might be reassigned to someone else after the consumer disconnects. However, an Internet service provider is able to correlate the IP address at a specific date and time to a subscriber to whom it is providing Internet service access, assuming it retains that information.

The issue gets a bit tricky when a wireless network router is involved.  Take my home wireless network as an example.  The router gateway to the Internet service provider may be assigned an IP address by the Internet service provider.  That IP address may be changed from time to time. Each device connected to the home network will also have its own IP address that is internal to the home network.

What’s personal information?

Personal information is defined in Canadian private sector privacy legislation as information about an identifiable individual.  There are some exceptions, but that is the basic definition.

Although reasonable people can debate the point, one justification of privacy legislation – whether applicable to the private sector or the public sector – is that it is necessary to protect individuals from unreasonable surveillance.  Indeed, there was a telling exchange at the FCC workshop mentioned at the outset of this post, when Pam Dixon said that the MAC address was personal information since, after all, it could be correlated to an individual and be subject to a subpoena.

Unreasonable surveillance may be viewed as inimical to personal liberty and potentially used as a tool of manipulation or, in its worst form, oppression.  Even when an organization engages in surveillance for public good or passively without seeking to manipulate, some view this as a significant intrusion since the information obtained through that surveillance may be conscripted by the power of the state for other purposes.

The problem that privacy advocates face is that the gateway concept of “personal information” as currently drafted in Canadian privacy legislation is probably too amorphous in many cases to constrain systematic surveillance in a coherent way.

Thus, in an appellate case last year, the Alberta Court of Appeal concluded that in order for information to be about an “identifiable individual”, the person must be identifiable and the information must have a precise connection to an individual.  In order to be “personal” the information must be about the individual, that is, directly related to the individual.  Information did not become personal information simply by being associated indirectly with an individual through ownership.  Without that limit, “virtually every object or property is connected in some way with an individual” and would become personal information.

So, a driver’s licence is personal information in Alberta but a licence plate is not.  The driver’s licence is uniquely connected to a person. Indeed, the driver’s licence card functions in Canada as an identification card – that is, government issued identification.  On the other hand, in Alberta, at least, a licence plate is connected to the vehicle and only linked through a database to an individual. Reasonable people can debate the Alberta decision and whether other appellate courts should follow when the issue arises.

So what’s the answer?

In one sense, the answer is easy.  The Office of the Privacy Commissioner of Canada considers that an IP address may constitute personal information if the IP address is associated with or linked to an identifiable individual.

Similarly, in a commendable and comprehensive study of the issues, the Information and Privacy Commissioner of Ontario and Kim Cameron argue that MAC addresses, as unique identifiers, may be linked to individuals and, therefore, may constitute personal information.

The precautionary principle suggests that organizations should treat MAC and IP addresses as personal information.  However, in many (most?) cases, MAC and IP addresses may not be directly linked to individuals.  An Internet service provider will be able to associate the IP address to a home or business account but not (at least in the ordinary course) to any particular person using a device linked to the Internet, particularly if we are talking about my access to the Internet through a WiFi system at a coffee shop.  A MAC address does not disclose who actually has possession of the device.  However, there is a greater probability of correlation between the owner of the device and the MAC address than there is between an IP address and an individual.

So we are back to where we always are with personal information.  A MAC address or an IP address is rarely going to be in and of itself information about an identifiable individual in the sense of having a precise connection and being directly related to an identifiable individual.  It is the context of how the MAC address or IP address is combined with other information (or could reasonably be combined with other information) that has privacy advocates concerned.  In each case, of course, if you knew and combined enough on-line and off-line information you might have enough data to make a highly probable guess about who was doing what and where.  But the same could be said about a licence plate number.

So who was correct (from a Canadian perspective) at the FTC workshop?  Both.  In and of themselves, a MAC address and an IP address are likely not personal information but they are rich gateways to the collection and the accumulation of data points that can transform them into personal information if privacy (anti-surveillance) measures are not built into the technologies using these addresses.  Ultimately, what is personal information is fundamentally determined by context.  The debate will continue.

U.S. Proposal for Federal Privacy Breach Notification Law: Whither Canada?

The U.S. Senate is considering a new U.S. federal privacy breach notification law, entitled The Data Security and Breach Notification Act of 2012.  The Bill is currently before the Committee on Commerce, Science and Transportation.

If enacted, the Bill would apply to organizations over which the U.S. Federal Trade Commission has authority (“covered entities”).  For these organizations, the Bill’s provisions would pre-empt a patch-work of state laws dealing with privacy breach notification.  It would not regulate financial institutions or certain health care institutions that are governed by other U.S. federal legislation.

Notably, the Bill recognizes the reality of the outsourcing of data processing and integrates that into a hierarchy of responsibilities so that data breach notification can be implemented in an organized way.  The following are some of the highlights of the Bill:

  • Covered entities who own or licence data in electronic form must provide notification to citizens or residents of the United States whose personal information may have been “accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause, identity theft or other financial harm.”
  • If the number of individuals involved in the data breach exceeds 10,000, then the covered entity must also notify the U.S. Secret Service or the U.S. Federal Bureau of Investigation.
  • Third parties who are contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity are required to notify covered entities of security breaches.  At that point, the covered entity is responsible for notification to individuals.
  • Internet service providers and other service providers who route data are required to notify covered entities of security breaches affecting the covered entities’ data if those covered entities can be reasonably identified. Once notified, the covered entities are responsible for notification to individuals.
  • Notification to individuals is to be made “as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.”  However, notification may be delayed in the interests of a criminal investigation or national security.
  • Generally, notification will be direct notification and may be made by mail, telephone or electronic means. The content of the notice is specific: the date, estimated date, or estimated date range of the breach of security; a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and contact information to find out more about the breach and the information that the covered entity maintains about the individual. If the covered entity does not have sufficient contact information or the cost would be excessive, the covered entity may provide notice by certain substitute means.

The proposed U.S. Bill has a limited reach.  It is focused on personal information that is highly sensitive in terms of identity theft and fraud.  The definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with any one or more of the following:  (a) social security number; (b) driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; or (c) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

Meanwhile, in Canada, amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) remain stalled.  The amendments would introduce privacy breach notification to provinces other than British Columbia, Alberta (which already has privacy breach notification) and Quebec.  See my post for a run-down.

When comparing the proposed U.S. and Canadian legislation, one issue that jumps out is that the Canadian Bill is concerned with a broader array of data security breaches.  This is not necessarily a good thing.  

First, the Canadian amendments do not clearly distinguish organizations that are primarily accountable for personal information from outsourcing companies who may process or store the information and service providers who may route data.  Instead, any organization that “controls” the data is responsible for data breach notification.  “Control” is not defined.  Previously, the Office of the Privacy Commissioner of Canada has concluded that information may still be controlled by an organization even though not in its possession.  This makes sense and is consistent with the law in other areas, such as discovery obligations in litigation.  However, it is possible that more than one organization may “control” the information.  We might productively debate whether a hierarchy of responsibility, such as in the U.S. proposed Bill, would provide clarity and make breach notification more manageable as well as more clearly define who is accountable for the implementation of breach notification.

Second, the Canadian amendments apply to all types of personal information. It will be up to organizations to determine whether the breach is “material” based on assessments of the sensitivity of the personal information. No legislative guideposts are provided with respect to sensitivity. Furthermore, the standard for individual breach notification rests on whether the individual might suffer a real risk of significant harm. The types of harm are broad. If the Alberta experience is indicative of the approach that might be taken federally, the result will be an expansive interpretation of what might constitute a real risk of significant harm. Although the individual breach notification requirement in the proposed U.S. Bill is also related to harm, it is more narrowly focused on identity theft and financial harm. While we might debate whether these protected interests are too narrow, there may be utility in revisiting whether the Canadian law is too vague to provide organizations with meaningful guidance.

The American Bar Association has more on the U.S. Bill here.

 

Website Not Required to Deal with Every Person’s Particular Situation

Canada’s Federal Court of Appeal released an interesting decision on the obligations of individuals using on-line resources to determine their eligibility for government programs.  The upshot – a reasonably diligent individual must ask questions about his or her own particular situation and cannot simply stop with broad statements on a website.

The claimant quit his job to move to a new city where his wife had accepted employment.  The claimant looked at a government website and concluded that he was not eligible for employment insurance (EI) benefits.  The claimant was wrong in coming to this conclusion but did not find out about his error until it was too late for him to apply for benefits.  He sought administrative relief on the basis that he had good cause for the delay in applying for benefits. The basis for his position was that “the principal message initially conveyed to the reader of the website was that only those who lose employment through no fault of their own are eligible, and he did not regard voluntarily leaving his job as “losing” his employment.”

Initially his application was refused.  However, he was successful before the Board of Referees. The Board held that it was reasonable for the claimant to rely on the website (not least because of the claimant’s information technology background and previous experience as a claimant of EI benefits).  This decision was reversed on appeal to an Umpire.  The Umpire found that if the website was too complex or confusing, then a reasonable claimant would make further inquiries. The claimant appealed to the Federal Court of Appeal.

The court agreed that the Umpire overturned the Board’s decision on the wrong basis.  The Board never found (and the claimant did not argue) that the website was too complex or confusing.  On the contrary, the Board found (and the claimant argued) that the main message of the website was clear.  The allegation was that the main message of the website was that the claimant was not eligible.

However, the court also concluded that the Board was incorrect about whether the claimant could rely on that message.  The court held as follows with respect to the duties of an individual looking at websites for information:

[13] [...] A reasonable person who relies on the website for information must do more thorough research than [the claimant] apparently undertook. A reasonable person would not have been so misled by its initial general statements about eligibility as to be deterred from looking for more specific information relevant to his or her situation. The statements early in the website that EI is for those who lose employment through no fault of their own are general enough to include those who are longer employed because they voluntarily quit their job with just cause.

[14] In my view, the website contained enough information to have alerted a reasonable person in [the claimant's] position to wonder whether he or she might be eligible for benefits and to contact the Commission to find out or to make an application for benefits. The question is not whether a particular claimant found the information clear and unambiguous, and decided that further search of the website was pointless, but whether a reasonable person would have so regarded it. It is not alleged that the website contained erroneous material.

[15] Since the website does not purport to deal with the specifics of every person’s particular situation, claimants cannot reasonably treat information on it as if it were personally provided to them by an agent in response to an inquiry about their eligibility on given facts. That it can now take several days to speak with a Commission agent by telephone does not justify [the claimant's] delay.

 

Fine Lines: Data Reselling or Consumer Reporting?

Last month’s U.S. Federal Trade Commission’s U.S.$800,000 settlement with Spokeo, Inc. concerns an issue that I have posted about before: When is a data broker a consumer or credit reporting agency?  As discussed below, the quantum of potential exposure for violating Ontario law relating to consumer reporting may be lower than in the U.S.; however, data brokers should seek legal advice to ensure that they are compliant.

In the recent U.S. case involving Spokeo, Inc., the FTC alleged that the organization was a data broker which collected personal information about consumers from on-line and off-line sources and then created data profiles for consumers to which it sold access. The FTC also alleged that the organization failed to ensure that it was complying with the U.S. Fair Credit Reporting Act (FCRA).  In particular, the FTC alleged that the organization did not ensure that (a) the information was used for the limited purposes permitted by the FCRA, (b) the information was accurate, and (c) users of the data understood that they were required to notify a consumer if the user of the data took an adverse action against the consumer based on the data in the report.

Ontario (and other jurisdictions in Canada) have legislation that is similar to the FCRA.  The Consumer Reporting Act (Ontario) prohibits any person from conducting or acting as a consumer reporting agency or as a personal information investigator unless registered with the Ontario Registrar of Consumer Reporting Agencies. The potential monetary liability in Ontario may be smaller than in the U.S., but it remains serious.  Violating the Consumer Reporting Act is a provincial offence. Corporations may be subject to fines of up to Cdn. $100,000 and officers and directors of those corporations may be subject to fines of up to Cdn. $25,000 (or in extreme cases, jail terms of up to 1 year or fines and jail terms).

In Ontario, a “consumer reporting agency” is a person or organization who furnishes consumer reports for gain or profit or on a regular co-operative non-profit basis. “Consumer reports” are written, oral or other communication of credit information or personal information which may be used for limited purposes.  Those purposes include:

  • the extension of credit to or the purchase or collection of a debt of the consumer to whom the information pertains;
  • in connection with the entering into or renewal of a tenancy agreement;
  • employment purposes;
  • underwriting of insurance involving the consumer; and
  • a business or credit transaction involving the consumer.

A “personal information investigator” is a person who gathers personal information for consumer reporting agencies.

Consumer reporting agencies are prohibited from providing information from their files unless they have reason to believe it will be used for purposes permitted by the Consumer Reporting Act.  The Consumer Reporting Act also prohibits certain types of data from forming part of the consumer report, including among other things:

  • any credit information based on evidence that is not the best evidence reasonably available;
  • any unfavourable personal information unless it has made reasonable efforts to corroborate the evidence on which the personal information is based, and the lack of corroboration is noted with and accompanies the information;
  • information regarding any criminal charges against the consumer where the charges have been dismissed, set aside or withdrawn; and
  • information as to race, creed, colour, sex, ancestry, ethnic origin, or political affiliation.

Like the FCRA, the Consumer Reporting Act requires disclosure to a consumer if a benefit is denied or a charge to a consumer is increased because of information from a consumer reporting agency.  Consumers have the right to obtain access to their consumer reports.

Depending on its target market, a data broker may cross the line into  consumer reporting.  Organizations that are in the business of providing identity verification or background checking services or who gather data for those purposes should be particularly careful to seek legal advice to determine whether their business model has crossed the line into consumer reporting.

Parliament Watch: Proposed PIPEDA Amendments Languish

Canada’s House of Commons has recessed.  Members of Parliament aren’t scheduled to return until September 17, 2012.  By then, Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act (short title: Safeguarding Canadians’ Personal Information Act) will have been on the order paper for almost a year, having been introduced in the House of Commons on September 29, 2011.  The Bill doesn’t appear to be moving any quicker than its predecessor, which died when Parliament was dissolved in March 2011.

Bill C-12 would give effect to some of the legislative reforms recommended following the last 5-year review of PIPEDA (which happened more than 5 years ago!).  If the Bill could ever get some traction and make it into force, it would (among other things):

  • Create a new definition of “business contact information”.  “Business contact information” is defined as an individual’s name, position or title, work address, work telephone number, work facsimile number, work e-mail address and any similar information about the individual.  This information would not be subject to PIPEDA if the business contact information is collected, used or disclosed solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.  Although still an important reform, the regulation of the use of this information (particularly e-mail addresses) may be overtaken for practical purposes by Canada’s Anti-Spam Legislation (CASL) when that legislation comes into force.  My colleague, Margot Patterson, has some excellent explanations of CASL on this blog.
  • Specify that consent means informed consent.  Consent to collection, use or disclosure of their personal information is valid only if “it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting”.
  • Provide for broader disclosure exceptions for law enforcement purposes. Organizations would be permitted to disclose personal information without consent where the disclosure is requested “for the purpose of performing policing services”.  “Policing services” is undefined.  Organizations would also be permitted to disclose information to other organizations (not just government institutions) to investigate a breach of an agreement or the laws of Canada or a province or, in certain circumstances, to prevent, detect or suppress fraud.
  • Add a prospective business transaction exception.  Businesses could disclose personal information to determine whether to proceed with a business transaction (such as a merger or asset sale) and then to complete it.
  • Enact breach notification provisions.  Organizations would be required to notify the Privacy Commissioner of a material breach of security of personal information.  In addition, organizations would be required to notify the affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual.


Canada – U.S. Security Perimeter Privacy Principles

As Canadians were getting ready to head off for a long-weekend, Canada and the U.S. released a Statement of Privacy Principles intended to govern sharing of information between the two countries in connection with the Canada-U.S. Security Perimeter agreement.

Canada and the U.S. have expressly declared that the Statement of Privacy Principles is non-binding and does not create any rights or obligations under domestic or international law.  Accordingly, its utility appears to be limited to a guiding statement of intentions.

There are twelve principles.  Three are particularly worth noting:

  • Permission for Onward Transfers to Third Countries. Information shared by Canada with the United States (or by the United States with Canada) may be shared with third countries.  For example, data shared by Canada with the U.S. may be shared with a third country if onward sharing would be consistent with the domestic law of the United States and any sharing conforms to international agreements and arrangements between the United States and third countries.  If there are no applicable international agreements, the originating country (in our example, Canada) is supposed to be notified of the information transfer.
  • Redress.  Canada and the United States are supposed to provide for remedies where a person’s privacy has been infringed by international sharing or where there has been a violation of data protection rules with respect to that individual.
  • Individual Access and Rectification.  Canada and the United States are supposed to provide individuals with access to personal information as well as the ability to seek rectification and/or expungement of their personal information.  If access is to be limited, the country restricting access is supposed to provide specific grounds consistent with domestic law.

User Interfaces and the Privacy Experience

The old style privacy policy brought up by clicking on a hyperlink usually found in a footer of a web page or grouped with other “legal notices” is manifestly unworkable in the mobile environment.  A contribution to re-thinking the delivery of privacy information and control over personal information has recently been released by the Ontario Information and Privacy Commissioner, Ann Cavoukian, and Yahoo!’s Senior Director, International Privacy and Policy.  Their paper, entitled “Privacy by Design and User Interfaces: Emerging Design Criteria – Keep it User-Centric”, discusses how the design of user interfaces may increase the “privacy experience” of mobile technologies.

Here are some of the points made in the paper:

  • Context. User interfaces should take into account the limits and the uses of the devices.  Small screens mean that users should not have to resize or endlessly scroll to access and understand privacy policies.  User interfaces should provide the context for the value proposition to the user for the collection of the personal information.  If the photo just taken is going to be shared on another platform, notify the user.  If geo-location data is being collected, why is that beneficial for the user?
  • Awareness.  Although terms of use (which may include acceptance of privacy policies) are likely here to stay, user interfaces should be designed to permit interactive delivery of privacy information “at the time, in the place and in the manner that is meaningful for users.”  Users should be offered privacy choices as they take actions within a website or application, which would assist users in understanding the range of their choices and the implications of those choices.
  • Discoverability.  User interfaces should be interactive and contain navigational aids. The functionality of websites and applications should be harnessed to deliver information in a way that is important as is already done for advertising and other important content.
  • Comprehension.  Layered privacy notices that deliver subsets of policy information and navigate to information that is important to the user should be considered. In addition, organizations should be considering “Privacy Centres” which bring together information on privacy practices and the tools to manage privacy settings.

E-mail Campaign Complaining About Retailer Results in Damages for Defamation

This post is co-authored by Saba Zia.

Social media is great “word of mouth” advertising when things go right. It can also be a nightmare in damage control when things go wrong. Sometimes the unsatisfied customer just lets it rip fairly or unfairly.

In a recent Ontario case, 2964376 Canada Inc. (Ameublement Prestige Furniture) v. Bisaillon, a retailer was awarded Cdn. $15,000 in damages for defamation after the daughter of an unsatisfied customer began an e-mail campaign. Although the case deals with e-mail, there is no reason why it would not apply to social media.

The facts of the alleged unsatisfactory customer service were not unusual.  The customer had purchased a dining room table. It was damaged. There were attempts to fix it. The company offered to rebuild the table. The customer wanted a refund. When the customer didn’t get the refund, the customer’s daughter began an email campaign.

The daughter e-mailed 38 of her contacts using her work address. She inserted a logo that looked like the retailer’s and asked the recipients to forward the email along to others. The email stated that the company was “an untrustworthy company and I strongly advise you to think twice before putting your trust and money in their hands!” and “We are all consumers and deserve to be made aware of deceitful companies who do not honour their Consumer’s Guarantee. BUYERS BEWARE!”

The Ontario court concluded that the daughter had gone too far and awarded the retailer Cdn. $15,000. E-mailing 38 people and asking them to pass it along constituted publication. Accusing the company of being untrustworthy and deceitful would clearly affect its reputation, character and business. The defence of fair comment was not available. The defamatory statements were not based on fact (at least not all of the available facts) and, in any event, the statements were based on malice. She openly stated that she wanted revenge.

Although there are other means for managing a company’s reputation, this recent case suggests that courts will take seriously an action in defamation as a last resort for dealing with a customer who goes too far.

Data Anonymization Consultation in the UK: Facilitating Big Data

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation.  The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data.  Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act.  This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected.  The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set.  An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual.  If so, then this would be a disclosure of personal information.  The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”.  In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess.  In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.
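The "combined with other information" question can be approximated with a linkage check between the data set to be disclosed and data an intruder could plausibly obtain. This is an added example, not taken from the draft Code: the field names, both constructed data sets, and the rule that exactly one matching candidate counts as re-identification while several candidates count only as an educated guess are assumptions made for illustration.

```python
from collections import defaultdict

# Attributes assumed to appear both in the release and in outside sources.
QUASI_IDENTIFIERS = ("postcode_area", "birth_year", "sex")

# Constructed sample: the "anonymized" release (names removed).
RELEASED = [
    {"record_id": "r1", "postcode_area": "SW1", "birth_year": 1975, "sex": "F", "condition": "asthma"},
    {"record_id": "r2", "postcode_area": "SW1", "birth_year": 1982, "sex": "M", "condition": "diabetes"},
    {"record_id": "r3", "postcode_area": "M20", "birth_year": 1990, "sex": "F", "condition": "asthma"},
    {"record_id": "r4", "postcode_area": "M20", "birth_year": 1990, "sex": "F", "condition": "migraine"},
]

# Constructed sample: named data available from another source.
# Assumption: it covers everyone who could be in the release.
AUXILIARY = [
    {"name": "Alice", "postcode_area": "SW1", "birth_year": 1975, "sex": "F"},
    {"name": "Bob", "postcode_area": "SW1", "birth_year": 1982, "sex": "M"},
    {"name": "Carl", "postcode_area": "SW1", "birth_year": 1982, "sex": "M"},
    {"name": "Dana", "postcode_area": "M20", "birth_year": 1990, "sex": "F"},
    {"name": "Erin", "postcode_area": "M20", "birth_year": 1990, "sex": "F"},
    {"name": "Fay", "postcode_area": "SW1", "birth_year": 1978, "sex": "F"},
]


def linkage_risk(released, auxiliary, keys=QUASI_IDENTIFIERS):
    """Match each released record against named auxiliary records on `keys`."""
    index = defaultdict(list)
    for person in auxiliary:
        index[tuple(person[k] for k in keys)].append(person["name"])

    report = []
    for rec in released:
        candidates = sorted(index.get(tuple(rec[k] for k in keys), []))
        if len(candidates) == 1:
            outcome = "re-identified"      # only one person fits the record
        elif candidates:
            outcome = "educated guess"     # a probability, not an identification
        else:
            outcome = "no match"
        report.append({
            "record_id": rec["record_id"],
            "candidates": candidates,
            "outcome": outcome,
            "best_guess_probability": 1 / len(candidates) if candidates else 0.0,
        })
    return report


def coarsen_birth_year(records):
    """Return copies with birth_year generalised to its decade (1975 -> 1970)."""
    return [{**r, "birth_year": r["birth_year"] // 10 * 10} for r in records]


if __name__ == "__main__":
    print("As released:")
    for row in linkage_risk(RELEASED, AUXILIARY):
        print(" ", row)
    # The outside data can be coarsened in the same way, so both sides are generalised.
    print("After generalising birth year to decade:")
    for row in linkage_risk(coarsen_birth_year(RELEASED), coarsen_birth_year(AUXILIARY)):
        print(" ", row)
```

On the constructed data, record r1 links to a single named person until birth year is generalised to a decade, after which every record has at least two candidates.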

One of the most helpful aspects of the draft Code of Practice is the set of thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.

 

B.C. Civil Resolution Tribunal Act Speeds Through Legislature

In a previous post, I discussed British Columbia’s proposed Civil Resolution Tribunal Act.  Bill 44 was introduced on May 7, 2012 and sped through the Legislature receiving Royal Assent on May 31, 2012.  It provides for on-line non-facilitated and facilitated dispute resolution with the final stage being a tribunal hearing, which could take place on-line.  One of the controversial aspects of the Bill is that it precludes representation by lawyers except in specific circumstances, such as where the person has impaired capacity or it is in the “interests of justice.”

It is expected that it will be at least several months before the new tribunal is up and running.  The President of the Law Society of British Columbia stated in a press release that:

“While our review of the Civil Resolution Tribunal Act raised some concerns,” said Bruce LeRose, QC, president of the Society, “we hope that the participation of the legal community in the implementation working group will ensure that the promise of a voluntary dispute resolution process is fulfilled without compromising the integrity of the justice system and the rule of law.”

Big Data – Ontario Privacy Commissioner & IBM Fellow Outlines Framework

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and IBM Fellow, Jeff Jonas, have released a very interesting paper entitled “Privacy by Design in the Age of Big Data”.

“Big Data” is the buzz word used to describe the latest frontier in data analysis.  In very simple terms, we are producing huge quantities of structured and unstructured data through our electronic activities.  Organizations are now able to “crunch” extremely large data sets involving dispersed data from various aspects of those digital footprints that we leave behind through our activities.  Moreover, the increased sophistication of technologists in developing algorithms and the increasing processing power of technology means that the analysis of extremely large data sets may take place almost in real time, thereby permitting organizations to act or react to opportunities as they present themselves.

The size of the data sets, the combining of data about individuals from multiple sources or interactions, and the risk of inadvertent disclosure or unauthorized access create significant privacy risks.  However, there is also a significant risk that a lack of understanding by the public and legislatures or a significant privacy breach at this critical stage of development of Big Data analysis could produce a knee-jerk legislative or policy reaction.  We only need to recall how justified and unjustified fear of “Big Brother” databases has entrenched privacy legislation that has historically prevented sharing of information across government departments and agencies.

Ontario’s Information and Privacy Commissioner, Dr. Cavoukian, and IBM Fellow, Mr. Jonas, demonstrate that privacy and “Big Data” can co-exist.  We can have the benefits of both.  Their paper outlines seven technical principles employed in Mr. Jonas’ “next generation” systems, which balance the utility of Big Data with privacy principles by embedding those principles in a very sophisticated way into the systems employed by the technology.  Of course, the technology itself is not the complete answer to privacy issues.  The point is that by embedding privacy principles into the technology, the technology will not frustrate an organization’s adherence to privacy principles.

For example, accountability and transparency are embedded into the feature of “full attribution” — that is, all data can be traced back to its source and changes accounted for in real time.  However, by using sophisticated technologies to de-identify data on transfer, the data sets will be anonymous when placed into the Big Data database used for deployment of the Big Data analytics.

If you are interested in “Big Data”, be sure to join me, Nathalie Des Rosiers (General Counsel, Canadian Civil Liberties Association) and Colin McKay (Manager, Global Public Policy, Google Canada) at the Canadian Institute’s Forum on Privacy Law and Compliance (September 20-21, 2012) where we will be presenting on this topic.

New Canadian Policy Position on On-Line Behavioural Advertising

The Office of the Privacy Commissioner of Canada (OPC) has released a more detailed policy position regarding on-line behavioural advertising.  This is a must-read for companies conducting on-line behavioural advertising strategies in Canada.

The OPC defines on-line behavioural advertising as advertising that uses information regarding the multiple websites that a person has visited and will usually involve advertisements on multiple websites.  The OPC gives the following example: “a user has visited websites about pets in the past, then ads related to pets might be shown on various web sites, even sites that are not related to pets (e.g., an online newspaper).” On-line behavioural advertising differs from 1st party advertising where the organization’s advertising is based solely on the profile of an individual with whom that organization has a relationship and is not based on tracking the individual across websites.

Some highlights from the position paper:

  • The OPC will generally consider information collected during on-line behavioural advertising to be personal information.  The OPC acknowledges that some information does not appear at first glance to be personal information when segmented.  Nevertheless, the OPC reaches the default position that the information that is collected is personal information on the basis that (1) “the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads” and (2) the nature of on-line behavioural advertising is such that it involves “powerful means [...] for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals”; and, perhaps circularly, (3) the result of on-line behavioural advertising is “highly personalized”.
  • On-line behavioural advertising is not an unreasonable use of personal information.  The OPC acknowledges that the model for commercial websites requires, in many cases, that consumers accept advertising in return for access to free websites.  However, the OPC also states that submission to on-line behavioural advertising is not a term or condition of use of the Internet.  Advertisers must obtain meaningful consent, limit collection and safeguard information in accordance with Canadian privacy legislation.
  • Opt-out consent may be acceptable.  In order to rely on opt-out consent, advertisers should meet what are essentially three conditions.
    1. Clear, upfront disclosure of the purposes of on-line behavioural tracking. The disclosure cannot be “buried” in a privacy policy.  The OPC is encouraging use of the functionality of websites to deliver information in layered disclosure, interactive media or through banners.
    2. Individuals must have the ability to easily opt out of the practice.  Ideally this is to occur before or at the time the information begins to be collected.  The opt-out technology must permit the opt-out to be immediate and persistent.  Consumers can’t be required to send an e-mail or snail mail request that will be dealt with in days.
    3. The information collected should be limited and should be destroyed or de-identified as soon as possible.  The OPC wants to put sensitive information (examples include health/medical information) off-limits.  Information should not be kept indefinitely but should have a time-horizon and be destroyed or de-identified.
  • Technologies that do not permit an individual to opt-out easily cannot be used.   If an individual cannot control the technology by opting-out easily or would have to take extraordinary measures, then the OPC’s position is that they should not be used.  Essentially, these technologies do not offer any meaningful way to withdraw consent as is required by Canadian privacy laws.
  • Personal information from young children should not be collected through on-line behavioural advertising.  Older children’s consent must be meaningful although the OPC recommends against on-line behavioural tracking of all children. The OPC’s position is that it is difficult to obtain meaningful consent for young children (even from their parents).  In terms of older children, the OPC’s position is that the disclosure and manner in which consent is obtained must be meaningful for the targeted age-group and the context.

 

Potential Password Breach? Your response won’t stop with one account.

You’ve heard reports that your social or professional networking service provider’s systems or your e-mail service provider’s systems may have had a security breach allowing hackers to see your password.

What do you do?  You might change your password for that account, right?  Sure, but you probably won’t be able to stop there if you want to protect yourself.  You need to develop a more complete response.  First, you need to map the extent of the risk.  Here are a few ideas:

1. Make a list of all accounts where you use the same User ID as the potentially compromised account. If you are very active on-line, this could be a very long list. Quite often your e-mail address will be your user ID for multiple accounts. For example, LinkedIn, Facebook, Google, online shopping accounts, professional association websites, online access to employment benefits providers, and applications at the office might use the same email address as the User ID for the application.  If you ever wondered why Canadian Privacy Commissioners think your e-mail address is personal information, here’s why!

2. Now make a list of all User IDs that are visible on the compromised account or are connected with the compromised account. What do I mean by this? You might have listed your Twitter address on a social or professional networking page. Is that Twitter address your User ID to log into Twitter? If so, add it to the list. Have you entered other email addresses? If so, add them to the list as well as all the other accounts that use these same credentials as User IDs.

3. Now put a mark beside every account that shares the same password with the compromised account or uses a variation on the password used for the potentially compromised account. Yes, you are supposed to have a unique password for each account but we all know that most of you don’t. You have a few that you rotate or use as variations of one another.

4. Here’s your last preparatory step: make a list of all applications that are launched from accounts listed in #3 and that store your passwords for other applications if they are not already on your lists. Put a mark beside those too because they may have been compromised.  For example, does the application you use for Twitter also store the password for and post to Facebook on your behalf?

Now you have a map of the potential problem.  It is probably much bigger than just changing the password for the potentially compromised account. If a hacker knows the password that is associated with a User ID or group of User IDs, the hacker has a starting point to hack your other accounts that you have helpfully listed or connected for the world (or at least the hacker) to see! If you only change the account that has been potentially compromised, you have locked the front door but left the windows and side door open. If you want to increase your protection, you should be thinking about changing all of these passwords.

Notice that I have not mentioned the potentially compromised account yet? That’s because you should consider doing something different for that account. If you are not yet certain whether the alleged security breach has been fixed, you should choose a password that you will not use for any of the other accounts – not even a variation on what you will use for any other accounts.  Otherwise, you might have to go through this all again in short order once the breach has been fixed.  You might also wish to temporarily suspend any permissions you have given to the potentially compromised account to access your other accounts (for example, if you aggregate social networks or you use one account to post into another account).

Last step: You should monitor your accounts closely, particularly if they contained sensitive personal information (such as financial information) that could be used for identity theft.  If you are a consumer and you have questions about identity theft, you may also wish to start with the Ontario Government’s pamphlet on protecting your identity.
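The four mapping steps and the separate treatment of the compromised account can be run over a simple account inventory. This is an added example, not part of the original post: the `Account` fields, the account names and the sample inventory are constructed for illustration, and passwords are represented only by a group label (accounts sharing a password or a variation of it carry the same label), never by the password itself.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    user_ids: set                 # IDs used to log in to this account
    password_group: str           # label for a password and its variations
    visible_ids: set = field(default_factory=set)         # other IDs shown on or connected with it
    launched_from: str = ""       # account this application is launched from, if any
    stores_passwords_for: set = field(default_factory=set)
    grants_access_to: set = field(default_factory=set)    # accounts it may access or post into


def map_exposure(accounts, compromised_name):
    """Apply steps 1-4 to the inventory and return the resulting map."""
    by_name = {a.name: a for a in accounts}
    breached = by_name[compromised_name]
    others = [a for a in accounts if a.name != compromised_name]

    # Steps 1 and 2: accounts that log in with the compromised account's
    # User ID, or with any User ID visible on or connected with it.
    exposed_ids = breached.user_ids | breached.visible_ids
    listed = {a.name for a in others if a.user_ids & exposed_ids}

    # Step 3: mark listed accounts sharing the password or a variation of it.
    marked = {n for n in listed
              if by_name[n].password_group == breached.password_group}

    # Step 4: applications launched from a marked account that store
    # passwords for other applications are added to the list and marked.
    credential_stores = {a.name for a in others
                         if a.stores_passwords_for and a.launched_from in marked}
    listed |= credential_stores
    marked |= credential_stores

    return {
        "listed": sorted(listed),
        "marked": sorted(marked),
        # The compromised account gets a password unrelated to all others ...
        "fresh_unique_password": compromised_name,
        # ... and its permissions into other accounts are suspended for now.
        "suspend_permissions_to": sorted(breached.grants_access_to),
    }


# Constructed inventory; "ProNetwork" is the potentially compromised account.
INVENTORY = [
    Account("ProNetwork", {"me@example.com"}, "A",
            visible_ids={"@me_posts", "side@example.com"},
            grants_access_to={"Microblog"}),
    Account("Webmail", {"me@example.com"}, "A"),
    Account("Shop", {"me@example.com"}, "B"),
    Account("Microblog", {"@me_posts"}, "A"),
    Account("Forum", {"side@example.com"}, "C"),
    Account("Bank", {"cust-1042"}, "D"),
    Account("PostingApp", {"poster-local"}, "E", launched_from="Microblog",
            stores_passwords_for={"Microblog", "PhotoSite"}),
    Account("PhotoSite", {"photos-me"}, "F"),
]

if __name__ == "__main__":
    for key, value in map_exposure(INVENTORY, "ProNetwork").items():
        print(f"{key}: {value}")
```

In the constructed inventory, the posting application ends up marked even though it shares neither a User ID nor a password with the compromised account, because it is launched from a marked account and stores passwords for others.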

Allow Access! Canada’s Privacy Commissioner Releases Fact Sheet

The Office of the Privacy Commissioner of Canada recently released a fact sheet entitled, “Accessing Personal Information under the Personal Information Protection and Electronic Documents Act” along with an FAQ for individuals and a guide for businesses as to their responsibilities.

With some exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to provide individuals with a method of requesting disclosure regarding the personal information collected about those individuals as well as a means for correcting that information.

Subject to certain exceptions:

  • Access requests must be responded to within 30 days.
  • Individuals must be told what information has been collected, how it has been used and to whom it has been disclosed.
  • Individuals must be provided with the opportunity to review the personal information collected about them at minimal or no cost.
  • Records must be corrected if they are factually inaccurate or incomplete.

It is critically important that staff are trained to recognize personal information access requests.  These requests do not always come through the “official channels” that have been set up by organizations, such as an address for the Privacy Officer.  Although the request will be made in writing, it may come to front-line staff.  In addition, organizations should consider developing a protocol for responding to these requests with a check-list for ensuring that all relevant sources of data are reviewed.  Access is not limited to documents such as printed records or electronic word-based files.  Personal information can include photographs and videos as well as electronic information that is held in multiple locations.  A robust records retention policy can assist organizations in locating records as well as ensuring that they are appropriately destroyed to limit retention and, therefore, burdensome access requests.

 

Privacy Commissioner of Canada’s Annual Report & More!

It is the season of annual reports (on Tuesday, the Ontario Information and Privacy Commissioner released her report).  On Wednesday, the Privacy Commissioner of Canada released her Annual Report to Parliament, as well as a graphic novel for youth, and five new decisions on formal complaints.  More on the formal complaints in future posts.

The theme of the Office of the Privacy Commissioner (OPC) was youth issues.  In her message, the Commissioner stated:

Teenagers are expected to make mistakes – it’s a natural part of growing up.

The fact that electronic records of many of the mistakes of today’s youth will persist for decades to come is cause for deep concern.

Indeed, a host of perils threaten the privacy and personal information of children and youth – one of the reasons that we have made them a key focus of this report.

Not only are the young usually the first to embrace any new kind of digital communication, they are also often unsuspecting about the potential privacy intrusions that can accompany such novel technologies.

Other highlights of the report are:

  • Breakdown of Complaints. As in the previous three years, the leading complaints to the OPC involve allegations of inappropriate use or disclosure of personal information.  This category comprised 32% of complaints.  Consistent with prior years, complaints about gaining access were the next largest category at 26%.  This is an area that is completely avoidable with appropriate procedures to inform individuals of their rights and quickly identify when someone is making an access request.
  • Mandatory Breach Notification. The OPC called pending, proposed data breach notification amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) out of date (before even being passed).  I discussed these amendments previously here. The OPC is calling for strengthened enforcement options.  The OPC did not comment on how this can be reconciled with the ombudsman model of the OPC or whether this could lead to judicial challenges of OPC decisions, thereby taxing the OPC’s resources.
  • Youth Social Networking. The OPC discussed the major findings in the investigation into a youth social networking site, which I previously posted about here, and discussed the importance of youth outreach.  The OPC continued the sustained attempts of privacy commissioners across Canada to debunk the myth that youth do not care about privacy (their understanding of privacy issues might be different but they care about data use).
  • Surveillance and Options. The OPC discussed an investigation into a childcare program, which allowed parents to watch the children in the program via a webcam.  The OPC expressed concern regarding the indiscriminate surveillance of children and the potential effects (although poorly researched) that it may have on children’s development. Importantly, even though the OPC had reservations regarding the appropriateness of the webcam, the fact that the complainant had options to find spaces at other local daycares meant that the use of the webcam was not without consent (once the organization improved its security practices and manner of obtaining consent).
  • Digital Literacy. The OPC continued to lament that Canada does not have a digital literacy strategy, unlike other countries.  The OPC is doing its part with youth outreach and the new graphic novel. Although, you gotta feel sorry for the poor phone; for all his teaching effort, he gets powered-off!

“Ever Vigilant” Ontario Information and Privacy Commissioner Releases Annual Report

On June 4, 2012, the Information and Privacy Commissioner of Ontario (“IPC”) released her 2011 Annual Report.  The theme of the report “Ever Vigilant” was chosen because, according to the IPC’s press release, the reintroduction of “lawful access” legislation (discussed in my previous posts here, here and here) “represented one of the most invasive threats to our privacy and freedom” that the IPC has encountered and represents, in her words, what she is calling “Surveillance by Design.”

Here are some highlights relating to access to government-held information from the Annual Report and accompanying material.

  • A record number (45,159) of access to government-held information requests were filed in Ontario in 2011 (up 16% year over year).
  • A record number of appeals (1,214) were issued regarding government responses to those access to government-held information requests.
  • The dramatic increases in public demand for government-held information reflect the role of the Internet and accompanying technologies and provide the opportunity for greater civic participation but require proactive rather than reactive approaches to information disclosure.
  • The IPC has developed 7 “Access by Design” principles to guide government and public sector organizations in re-thinking access to government-held information.
  • The IPC calls on the Government of Ontario to develop an “Open Data” portal by the end of 2012.  The IPC is setting an example by making raw statistics available along with its report.

 

Cloud Computing and the USA Patriot Act: Canadian Implications

A perennial issue in Canadian privacy law is what to do about the USA Patriot Act.  Just when we think we have things reasonably sorted out, the issues pop up again in a new context.  This time it is cloud computing.

What’s the USA Patriot Act?

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (usually referred to as the “USA Patriot Act” or just the “Patriot Act”) is US legislation that was passed following the September 11, 2001 attacks on the World Trade Centre in New York City.  Among other things, the Patriot Act made it easier for US law enforcement officials to intercept electronic communications and business records.  One of the controversial measures was that officials were granted the power to issue a National Security Letter to electronic communication service providers requiring them to hand over information without informing the affected parties (in some cases without any judicial oversight).

For the purposes of this discussion of cloud computing, however, one of the most important provisions is section 215, which deals with access to business records.  Section 215 repealed and re-enacted provisions of the Foreign Intelligence Surveillance Act (USA).  Pursuant to section 215 of the Patriot Act, the FBI may apply to a federal judge for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.   US commentators agree that this definition covers electronic business records.

What’s cloud computing?

In its most complete form, cloud computing involves outsourcing applications (e.g. email, customer relationship management, and accounting software), platforms (e.g. database architecture) and infrastructure (e.g. servers).  All of these IT functions are offered as a service to organizations either independently or as a package.  An organization’s data (e.g. its emails) may be stored in segregated servers or intermingled with the data of other organizations and segregated through the functionality of the service provider’s information technology.  The organization accesses its data through Internet portals.

Where’s the Cloud?

The cloud isn’t in the sky.  Data sent over the Internet in a cloud computing arrangement may be (and often will be) stored outside of Canada and may be intermingled with data from other organizations.  In many cases, the cloud computing service provider may subcontract the storage of data to one or more organizations operating data centres.  If these data centres are in the US, well, therein lies the rub.  The data is going to be subject to the laws of the United States, including the Patriot Act.  Actually, if the data is even accessible from the US or by an organization subject to the jurisdiction of the US, the data is likely to be subject to the laws of the United States.

Okay, so the USA Patriot Act may apply, do I have a Canadian privacy problem?

Transfers create legal issues. Organizations have a privacy “problem” every time they transfer data.  This is because under Canadian federal and provincial private sector privacy laws, the organization that collected and is entitled to use the personal information remains responsible for its security throughout its life-cycle.  Indeed, in many cases organizations will have created a contractual obligation with individuals by incorporating the organization’s privacy policy (and privacy commitments) into terms of service or use or other customer e-commerce contracts.  Organizations may wish to consider legal advice to understand how commencing cloud service transfers of personal information will affect existing legal commitments.  It may be necessary, for example, to give special notice to individuals and to provide them with opt-out or termination opportunities.

But organizations aren’t prohibited from using US-based cloud services, if they are only operating in the private sector.  Federal and provincial private sector privacy legislation does not prohibit the transfer of personal information to an organization in another jurisdiction for processing and storage, provided that:

  • The transfer does not entitle the organization receiving the personal information to use that information for purposes other than those for which individuals expressly or impliedly consented.
  • The transferring organization remains accountable for the protection of the personal information that has been transferred.
  • The organization receiving the personal information provides a comparable level of data security as would be required under Canadian law and the terms on which the collecting organization collected the information.
  • Disclosure is made to individuals.  As a general rule, this disclosure to individuals should include notice that (1) their personal information will be transferred outside of Canada for processing and storage, (2) their personal information will be subject to the laws of the foreign jurisdiction and (3) the laws of the foreign jurisdiction may be different (and less protective) than those of Canada.

The transferring organizations will wish to consider obtaining meaningful contractual commitments to administrative, technological and physical security protections from the organization to which the personal information is being transferred. The transferring organizations will also wish to consider audit or other rights that would permit ongoing diligence of these security protections as well as the use being made of the personal information.

The Patriot Act provisions do not (on their own) mean that personal information will not be subject to a comparable level of security. An interesting survey and comparison of surveillance laws in Canada, the US, the UK and France was conducted by the Office of the Privacy Commissioner of Canada in 2009, which remains an important reference.  Since 1990, Canada and the US have had a Treaty on Mutual Legal Assistance in Criminal Matters in which each country has agreed to assist the other with the investigation, including seizure of records, of criminal activity. The Canadian Security and Intelligence Service Act (Canada) provides for secret warrants for the interception and seizure of, among other things, electronic data.  The National Defence Act (Canada) permits the Minister of Defence (without judicial supervision) to authorize the Canadian Communications Security Establishment to intercept communications relating to foreign entities under certain circumstances.  In addition, the Criminal Code (Canada) permits seizures of electronic data.  The combination of this legislation has led the Office of the Privacy Commissioner of Canada to conclude in three decisions (here, here, and here) not only that Canadians are at risk of personal information being seized by Canadian governmental authorities (including without the knowledge of the target) but also that there is already a risk of that information being shared with US authorities.  (This is not to say that reasonable people cannot still differ as to whether they wish to have their personal information stored outside of Canada.)

But if you are a public sector organization or contracting with a public sector organization in British Columbia or Nova Scotia (and probably Alberta), you need legal advice.  Cloud-based services get a bit trickier when dealing with public sector organizations.  British Columbia, Nova Scotia and Alberta each have legislation that prohibits or, in the case of Alberta, potentially prohibits the storage of data outside of Canada.  In these cases, organizations would be prudent to obtain legal advice.

 

 

Are You Using a Limitation Period to Inform Records Retention?

Many types of business records do not have prescribed statutory or regulatory retention periods.  In some cases, organizations may use limitation periods for lawsuits to inform the choice for a retention period.  There is nothing objectionable to this practice but it can be too simplistic.

Consider the record retention policy of hypothetical company ABC Co. located in Ontario.  Let’s assume ABC Co. produces widgets.  Although this discussion applies equally to the services industry, it is easier to illustrate with products. Let’s also assume that the record retention policy states that design and production records are to be kept for 2 years after the year in which the last shipment of its widgets was produced.  ABC Co. chose this retention period because it understands that the limitation period for bringing a claim in Ontario is 2 years.

There are a number of problems with the way in which ABC Co. chose the retention period.

First, the retention period assumes that the only applicable limitation period is the one in Ontario.  That might be a fine assumption if ABC Co.’s products were only sold and used in Ontario.  If not, then the applicable limitation period for negligence might be the limitation period in another jurisdiction, depending on conflict of laws rules.

Second, the retention period assumes nearly immediate discovery of any problems with the widgets and does not take into account the possibility of a latent defect.  But what if the defect is hidden and isn’t discovered for several years?  In Ontario, the basic limitation period under the Limitations Act, 2002 is 2 years from the date the claim is discovered.  In simple terms, a claim is discovered on the day on which the person knew or ought to have known (i) that the injury, loss or damage had occurred, (ii) that the injury, loss or damage was caused by or contributed to by the faulty widget, (iii) that the act or omission was that of ABC Co., and (iv) that, having regard to the nature of the injury, loss or damage, a proceeding would be an appropriate means to seek to remedy it. If the defect in ABC Co.’s widgets takes a few years to discover, then the limitation period won’t start running until that time.

Third, the chosen retention period does not take into consideration the useful life of the product or the probability of the defect occurring at different points over that useful life.  Let’s assume that the useful life of the widget is 20 years and let’s assume that the probability of the defect going undetected for 10 years is high.  In this fact scenario, the records might be relevant between 10 and 15 years from distribution.  The ultimate limitation period based on the “act or omission” of ABC Co. (rather than discoverability) is 15 years under the Limitations Act, 2002.  Therefore, a person who has a claim because of the defective widget might have up to 15 years to discover the defect.

Finally, the chosen retention period does not take into account whether the records are likely to be useful to ABC Co. with respect to the most likely types of risks of dispute.  Quality control records and records regarding tests performed on the widgets might be very useful.  Design documents may also be useful, particularly if the widgets were designed by others.  But daily run records may not be of high value.

So, ABC Co.’s 2-year retention period would not be “wrong” but it may not be the most useful for its business. Instead, ABC Co. will want to look at a mix of factors. What is the useful life of the product? Where is it distributed? What is the potential for latent defects in the product lingering for years unnoticed? What is the potential scope of injury, damage or loss that could be caused by the product? How useful are the records in assisting the organization in dealing with any litigation that could arise? What are the limitation periods for claims based on the potential for latent problems?

Access to Information and Confidential Information in Municipal Contracts

In a recent order of the Office of the Information and Privacy Commissioner of Ontario, an adjudicator concluded that confidential information included in a contract was not “supplied” to the municipality and, therefore, must be disclosed in response to an access to information request.

Subsection 10(1) of the Municipal Freedom of Information and Protection of Privacy Act (Ontario) protects informational assets of third parties contracting with municipalities in Ontario. Subsection 10(1) provides, among other things, that a record that reveals technical, commercial, or financial information of a third party is exempt from disclosure under an access to information request under certain circumstances.  The information will be exempt from disclosure if the information is supplied in confidence by the third party and could reasonably be expected to prejudice significantly the competitive position or interfere significantly with the contractual negotiations of a person or organization.

In MO-2738, the requester sought access to information in a contract between the municipality and a third party.  The information in the contract included maintenance information regarding equipment that was subject to the contract, a detailed code for the supply of the services under the contract, and a summary of financial incentives and disincentives and the third party’s rates.  The adjudicator accepted that this was technical, commercial and financial information.

However, relying on prior precedent, the adjudicator concluded that the information was not “supplied” to the municipality by the third party.  Instead, it was part of a negotiated contract and, therefore, was “mutually generated”.  Accordingly, it was required to be disclosed.

Organizations entering into agreements with municipal and other governmental entities that are subject to access to information laws should take note.  Although there are no solutions that offer “bullet proof” protection for confidential information in government contracts, there are a variety of strategies for disclosure and contract negotiation that may be used to enhance the likelihood of protection by taking into account the strict requirements of the Act.

Cookie Disclosure and Opt-Out Tools: A brief round up

In December 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidance stating that “collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent” and that there must be an “opt-out” mechanism if the technology is being used for on-line behavioural advertising. However, organizations in Canada have been short on tools for complying with the OPC’s guidance and have been slow to increase the prominence of their disclosure regarding cookie use.

In the United States, as I reported in a previous post, the FTC has called for the advertising industry to make “Do Not Track” initiatives fully operational by the end of 2012. Advertisers must be transparent about their deployment of cookies and other on-line tracking technologies and provide people with a method of opting out. The Digital Advertising Alliance in the U.S. has continued to promote an advertising opt-out tool (AdChoices), which is beginning to appear on web sites (often near the link to the organization’s privacy policy). The Network Advertising Initiative also offers an opt-out tool, and organizations have been including links to the tool so that users can opt out.

In the UK, new “cookie” rules came into force on May 26, 2012. Organizations must now obtain consent to the use of cookies and provide a method for subscribers and users to opt out of cookies (with some exceptions). The UK Information Commissioner’s Office has issued a guidance document to assist organizations with compliance efforts. The examples provided for increasing the prominence of disclosure of cookie use and for obtaining consent are particularly helpful.

Meanwhile, Canada has lagged behind on practical advice from the Federal and Provincial Privacy Commissioners and tools for assisting Internet users to opt-out of tracking technologies.  On the “tools” front, this may change.  In a preface to an article reporting on an interview with outgoing IAB Canada president Paula Gignac, Marketing Magazine reports that IAB Canada is in negotiations to bring the AdChoices program to Canada.  Some Canadian organizations aren’t waiting for a Canadian solution.  The AdChoices icon has begun popping up on websites of Canadian-based organizations.

Spoliation and Social Media

News media have paid significant attention to court orders requiring production of relevant documents from Facebook and social media sites in the course of litigation.  As described in my recent post, the Ontario Information and Privacy Commissioner has recently published a booklet on privacy and reference checks.

From the Canadian litigator’s perspective, all the fuss might be difficult to appreciate.  In Ontario, for example, the Rules of Civil Procedure require that litigants must disclose to all of the parties to the litigation the existence of every relevant document in their possession, power or control and must produce to the other parties all of those relevant documents that are not privileged.

A document is defined by the Ontario Rules of Civil Procedure to include data and information in electronic form.  Electronic information will be in the power of a party if that party could obtain a copy of it.  So, pictures and posts accessible through your social media account are documents and within your power to produce. The only question is whether those posts are relevant.

Photographs and posts to social media accounts may be relevant to litigation in a number of ways.  In a personal injury or long-term disability case, they may suggest that claims of being unable to enjoy life or to work are exaggerated or false.  They may suggest that a  litigant was in a location or with people as alleged and contrary to protestations otherwise.  They may contain evidence of defamation or the truth of what might otherwise be defamatory statements.

Once litigation has been commenced or is contemplated, litigants and potential litigants should be careful, however, that they do not take steps to “cleanse” their social media accounts.  It often comes as a surprise to litigants that they are required to preserve physical and electronic documents – even if that material might be unhelpful to their case.  However, the preservation obligation will often begin even before litigation has been commenced.  Once a demand letter is drafted or received, or legal advice is sought with respect to potential litigation, a potential litigant may be required to preserve evidence.  Therefore, individuals involved in litigation or where litigation is a reasonable possibility should seek legal advice on their obligations.

Intentionally destroying evidence is called spoliation.  Spoliation occurs where a party (the spoliator) has intentionally destroyed evidence relevant to ongoing or contemplated litigation in circumstances where a reasonable inference can be drawn that the evidence was destroyed to affect the litigation.  In Canada, spoliation usually produces an adverse inference that the evidence would have been unhelpful to the spoliator and may result in sanctions.

A recent U.S. case illustrates some of the pitfalls of, and, in the U.S., the sanctions for, spoliation involving social media (Lester v. Allied Concrete Co., Case No. CL09‐223 (Va. Cir. Ct. Sep. 1, 2011), and Lester v. Allied Concrete Co., Case Nos. CL08‐150, CL09‐223 (Va. Cir. Ct. Oct. 21, 2011)):

  •  The plaintiff was the husband of a woman who was killed in an automobile accident.  He sued the truck driver and the driver’s employer and initially won a substantial damage award.
  • During the discovery process for his trial, he was asked about his Facebook account. The defendants had produced a photo justifying the request that was apparently taken after his wife’s death and showed him holding a beer can and wearing an “I [heart] hot moms” t-shirt.
  • The plaintiff, with the lawyer’s advice, deleted the Facebook account and responded that he did not have a Facebook account at the time of responding to the discovery requests.

The Virginia court was not impressed. It cut the damages award to the plaintiff in half and awarded cost sanctions against both the plaintiff and his lawyer.

In Canada, courts are reluctant to make similar awards, preferring to remedy the wrong in other ways, such as providing procedural remedies for additional discovery and drawing adverse inferences that the destroyed documents would have been unhelpful to the party who destroyed them. Courts can also award cost sanctions. To date, however, courts have not awarded damages against the spoliator. Nevertheless, once litigation is contemplated, resist the urge to press delete!

 

 


Personal and Professional Email: Access to Information Requests

When a government employee uses workplace email to send and receive personal email, are those emails subject to disclosure under access to information laws?

What about when a government employee uses a personal email account to send and receive emails relating to government business?

Two recent cases, one in Alberta and one in Ontario, answer the first question in the negative.

A recent case in England answers the second question in the affirmative – and a similar result might be expected in Canada based on recent Supreme Court of Canada jurisprudence.

1. Personal email may not be in the custody or control of the public authority

In City of Ottawa v. Ontario, the information requester sought production of communications between an employee of the City and an organization where the employee volunteered. Subsection 4(1) of the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) provides that a requester is entitled to access to a record if it is in the custody or under the control of the City, unless an exemption applies or the request for access is frivolous or vexatious.

The employee used his work email address to receive emails related to his volunteer work.  This was permitted by the City.  However, the City reserved the right to monitor email without notice.  All email was property of the City, but employees were not required to retain personal email under any record-keeping policy.

Initially, the adjudicator concluded that the email was in the custody or control of the City.  After all, the City had physical possession of the emails on its server and had the authority to regulate them.  On judicial review, however, the Ontario Divisional Court concluded that the documents were not in the custody or control of the City.  In order to be in the custody or control of the City, two criteria must be satisfied.  The City must be entitled to obtain a copy of the emails and the emails had to concern a City matter.  However, if personal email was sufficiently intermingled with email relating to City matters, then it would have to be produced.

In University of Alberta v. Alberta (Information and Privacy Commissioner), the requester sought access to emails between an academic at the University and a government grant agency relating to the review of a grant application. As in the Ontario case, the adjudicator had taken a straightforward approach: the emails passed through the University’s servers and the University had some right to deal with the emails; therefore, the University must have had custody or control.

The Alberta Court of Queen’s Bench rejected the adjudicator’s approach and adopted the Ontario Divisional Court’s interpretation of the meaning of “custody or control”.  Analogizing the emails to the situation of paper records, the court held that employees may keep private items at an employer’s place of work but that does not bring them within the meaning of custody or control for the purpose of access to information legislation.  The emails in this case were only remotely related to the University’s business and need not be disclosed.

2. Personal email may be producible under access to information requests if related to government business

In order to understand the next two cases, a bit of legislative background is required.  The scope of the Freedom of Information Act 2000 (UK) is somewhat different from federal Canadian access to information legislation.  In the UK, it seems that there is no specific exemption from production for records in a Minister’s Office.  Under the federal Access to Information Act (Canada), the Minister’s Office is not a government institution that is subject to the Act.

In a recent UK decision of the Information Commissioner’s Office (FS50422276), the issue was whether emails sent from the Secretary of Education’s personal email address to two special advisors were subject to production under the UK Act. One of the emails was characterized by the Information Commissioner’s Office as “essentially an action plan and a list of key events or issues in the work of the department for the month of January 2011.” This characterization was “supported by the fact that much of what was discussed in the email subsequently resulted in official departmental announcements.”

The Information Commissioner’s Office concluded that the fact that the email was sent from the Secretary of Education’s personal email address was not determinative of the requirement to produce the email (although this practice was frowned upon for record-keeping purposes). The relevant question was whether the majority of the email had to do with the business of the department. In analysing this question, it would be relevant to consider who the sender and recipients were and their roles, if any, within the civil service or the party machine, as well as the substance of the email and how it was used.

Last year, the Supreme Court of Canada considered whether records held by Ministers’ Offices were required to be disclosed under the federal Access to Information Act. The fact that a Minister’s Office was not a government institution for the purposes of the federal Access to Information Act did not preclude documents held there from being in the “control” of the department and, therefore, producible. The court held that consideration had to be given to whether the record related to a departmental matter and, if so, whether there are factors that suggest that the government institution could reasonably expect to obtain a copy of the record. The court held that some of the factors to consider include the substance of the record, the circumstances in which it was created and the legal relationship between the government institution and the record holder.

Are you engaged in commercial activity asks the Privacy Commissioner?

The Office of the Privacy Commissioner of Canada (“OPC”) has released an interpretation guide with respect to the concept of “commercial activity” in the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”).

“Commercial activity” is a key concept under PIPEDA. The private sector privacy obligations under PIPEDA apply to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities”.

So, what is a “commercial activity”? PIPEDA provides that commercial activity includes “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” What is a transaction, act or conduct that is of a “commercial character”? A good litmus test is to ask whether you are receiving monetary or non-monetary consideration for your activities or whether you are providing a service to an organization engaged in commercial activity. If so, you may be involved in “commercial activity”.

The OPC provides illustrative examples.  A doctor is engaged in a commercial activity when he or she conducts a medical examination on behalf of an insurance company for the purpose of processing a benefits claim.  A non-profit organization is engaged in a commercial activity when administering entrance exams as a service to its members.  An on-line social network is engaged in commercial activity when it uses personal information to enhance user experience in order to succeed as a commercial enterprise.

Pondering (Not Jumping) Hurdles to E-Commerce in Canada

So, what can Canada do to become a leader in e-commerce? Canada’s House of Commons Standing Committee on Industry, Science and Technology would like to offer some suggestions for how the Government can help and Industry Canada has released its 2012-2013 Plans and Priorities.  There is not much in the way of innovation in these documents but one recurring issue is the fragmentation of consumer protection legislation.  Might the future bring greater harmonization?

Standing Committee Report

Recently, the Standing Committee released its report entitled “E-Commerce in Canada: Pursuing the Promise”, in which it summarized its investigation into the e-commerce market in Canada and what the Government can do to help overcome some of the challenges facing that market.

Canadians are on-line.  Using information gathered by Statistics Canada, the Report states that 79% of Canadians had Internet access in 2010 and 74% of those with Internet access used the Internet for “window shopping” or “comparison shopping”.  E-commerce is also growing in Canada; however, the Report suggests that Canadian businesses may be under-investing in this retail channel and consumers are purchasing from U.S.-based Internet retail channels.

The Report acknowledges several barriers to e-commerce in Canada, particularly for small and medium sized enterprises (SMEs). These include the cost of investment and access to capital. However, they also include the fact that Canada has a huge geography and low population density. The Report states that logistics and shipping costs in Canada are higher (even for domestic shipping) than in the United States. Furthermore, the Report notes the lack of uniformity in consumer protection laws across Canada.

The Standing Committee made 16 recommendations for the Government of Canada.  They are:

1. Place an emphasis on e-commerce in its forthcoming digital economy strategy.

2. Work with the payments industry to modernize payments systems to ensure an efficient, fair, safe, competitive and world-leading payments system in Canada.

3. Work with industry to increase the affordability, reliability and speed of broadband Internet available to Canadians.

4. Reduce “red tape” and costs of cross-border business and shipping for businesses and consumers.

5. Examine disclosure and transparency rules so that businesses and consumers are aware of the total costs of e-commerce transactions prior to purchase.

6. The Business Development Bank of Canada should make information and communications technology adoption a strategic focus.

7. Bring Canada’s Anti-Spam Legislation into force to help to increase consumer confidence in the e-marketplace.

8. Work with the provinces and industry to develop strategies to meet the skilled workers shortage in information and communication technology industries.

9. Provide an easily accessible directory or service containing all government programs related to innovation and R&D to help firms access the tools and support they need to increase innovation and adopt information and communications technologies (ICT).

10. Work with Internet service providers to ensure and promote the availability of 24/7 technical support to their clients to ensure their services are functioning as required, and to ensure that clients have transparent and up-to-date access to their account information.

11. Examine ways to increase the quality of information available regarding adoption and use by Canadian SMEs, and the business impact of such adoption and use.

12. Consumers and retailers should be protected by a code of conduct applicable to on-line, mobile, and other emerging transaction technologies.

13. The Government should become a “model user” of e-commerce and on-line solutions in its procurement practices and delivery of services to Canadians.

14. Ensure Government systems are secure from potential security threats to avoid lengthy shut-downs of Government of Canada on-line services.

15. Work with industry and consumer groups to increase digital literacy and simplify terms and conditions of e-commerce transactions.

16. View financial literacy and digital literacy as being intertwined due to the widespread adoption of electronic and mobile payments systems.

 Industry Canada Plans and Priorities

Industry Canada has also released its 2012-2013 Estimates — Report on Plans and Priorities. If you believe the government should be facilitating the building of e-commerce capacity, the report might be criticized for lack of ambition (University of Ottawa Professor Michael Geist is a critic). Some highlights are:

  • Industry Canada will participate on a federal-provincial-territorial Consumer Measures Committee to examine best practices in achieving compliance with consumer protection laws.
  • Industry Canada will also participate in developing or updating consumer information.
  • Industry Canada will review consumer issues in cross-border transactions through participation in three projects: (1) the Organisation for Economic Co-operation and Development (OECD) review of the Guidelines for Consumer Protection in the Context of Electronic Commerce; (2) the development of an International Organization for Standardization (ISO) standard for business to consumer electronic commerce, and (3) related projects regarding on-line dispute resolution and redress.
  • Industry Canada has set performance targets for its activities. These include: (1) 86% of Canadians using the Internet; (2) 65% of Canadian businesses understanding their privacy obligations; and (3) 43% of Canadians purchasing goods and services on-line.


British Columbia On-line Dispute Resolution

On May 7, 2012, the Ministry of Justice for British Columbia announced the introduction of Bill 44, the Civil Resolution Tribunal Act.  If enacted, British Columbia would become the first jurisdiction in Canada to create a tribunal to provide on-line dispute resolution services. Use of the tribunal’s services would be voluntary, except for strata corporations (condos).

Some things to note:

  • Lawyers aren’t welcome.  Parties are to represent themselves unless they are a minor or a person with impaired capacity.  There are other exceptions such as if the rules for the Tribunal (to be drafted) permit representation or the tribunal finds it is in the interests of justice to permit the party to be represented.  The Trial Lawyers Association of British Columbia has already responded negatively as has the Canadian Bar Association British Columbia Branch.
  • Tribunal will vet its jurisdiction. A party will make a request to the tribunal to resolve a dispute. The tribunal’s jurisdiction has not been fully described but it appears to be intended for simple legal matters involving small claims. As a prerequisite, the tribunal may require the parties to agree to on-line dispute resolution services.
  • Limitation period suspension. Making a request for resolution by the tribunal will suspend the limitation period until the tribunal decides to refuse to consider the case or the parties agree to cease the process.
  • Not clear whether jurisdiction can be agreed to in advance. Although the process is voluntary, it is not clear whether the process can be agreed to in advance in a consumer sales contract.  Once agreed to, the process is mandatory unless the tribunal dismisses the proceeding or the parties consent to the termination of the process.
  • Staged process of dispute resolution. The intention appears to be that each case would proceed through four phases.  The first phase would be self-help dispute resolution using on-line, interactive tools.  If that did not result in resolution, the second phase would be on-line, supervised negotiations. Assuming no resolution, the third phase would involve direct intervention by a case manager to attempt to facilitate a settlement.  The final stage would be a tribunal hearing, which could take place on-line.
  • Tribunal orders can be filed with the court. Final decisions of the tribunal may be filed with the British Columbia Supreme Court (or, in some cases the Provincial Court) and enforced as court orders.
  • Limited judicial review. In its current form, the Bill has limited scope for judicial review of tribunal decisions. The Bill states that the standard of review is correctness but then exempts from that standard findings of fact, the exercise of discretion and the common law rules of natural justice and procedural fairness. A finding of fact can only be set aside if there is no evidence to support the finding or the finding is otherwise unreasonable. Discretionary decisions can only be set aside if the discretion is exercised arbitrarily or in bad faith, is exercised for an improper purpose, is based entirely or predominantly on irrelevant factors, or fails to take statutory requirements into account. Issues of natural justice and procedural fairness are to be reviewed taking into account the mandate of the tribunal.


Court Urges Business Transaction Exemption for PIPEDA

One business wants to buy the assets of another business.  Assume that the consent obtained to the collection, use and disclosure of personal information from the customers of the seller did not include consent to disclose personal information on the sale of the assets of the credit union.  What to do?

In a recent case, the Ontario Superior Court of Justice granted an order that the seller could disclose all personal information in its possession in order to complete and implement the purchase and sale transaction.  The court further ordered that the purchaser was entitled to continue to use the personal information provided to it in a manner identical to the prior use by the seller. 

The court made the order pursuant to section 7(3)(c) of the Personal Information Protection and Electronic Documents Act, 2000, c. 5 (“PIPEDA”) which states that disclosure may be made without consent in order to comply with an order.

Justice P.D. Lauwers stated that he joined in “urging that a route be provided that will permit the disclosure of the necessary personal information in such circumstances as these to avoid wasting the court’s time and the parties’ funds.”

Unlike the Alberta Personal Information Protection Act and the British Columbia Personal Information Protection Act, PIPEDA does not have a scheme to facilitate transfers of personal information in the course of completing the sale of a business.

Add Nova Scotia to the List to Regulate Cell Phone Contracts

Nova Scotia’s proposed Bill 65, which involves amendments to consumer protection legislation to “Ensure Fairness in Cellular Telephone Contracts”, passed second reading on May 2, 2012 and is now in committee.

The proposed Bill follows the same theme as recent legislation enacted in Manitoba (discussed here) and proposed in Ontario (discussed here).

Manitoba Proclaims Cell Phone Contract Law

Manitoba has proclaimed into force the Consumer Protection Amendment Act (Cell Phone Contracts).  

The Act applies to contracts for cell phone services with consumers in Manitoba.  Cell phone services include wireless communication services, including voice and data.  As mentioned, the Act only applies to agreements with consumers, who are those who purchase the goods and services primarily for personal, family or household purposes.  The Act will not apply if the subscriber purchases the services primarily for business use.

Among the highlights:

  • Advertisements and contracts must set out the minimum monthly cost of the services.
  • The minimum monthly cost must be set out as an “all-inclusive” price.
  • Consumers may cancel a cell phone contract at any time for any reason.
  • Cancellation fees are limited to the prorated value of any cellphone provided to the consumer for free or at a reduced cost as an incentive for signing the contract.
  • Before selling the consumer an extended warranty, the supplier must explain any other warranties that automatically apply.

 

Ontario Wireless Services Agreements Act Introduced

The Ontario Minister of Consumer Services introduced the Wireless Services Agreements Act, 2012 on May 3, 2012.

The Bill only applies to agreements with consumers.  Consumers are those acting for personal, family or household purposes.  Accordingly, the Act will not apply to those who are self-employed and purchase smart phones for business use.  The proposed legislation will only apply prospectively to agreements entered into after the date the legislation comes into force where either the consumer or the person entering into the agreement with the consumer is located in Ontario.

Here are some of the highlights:

  • The legislation will apply to wireless agreements, which are agreements with a consumer in which the supplier agrees to provide wireless services that the consumer is able to access from a mobile device such as a smart phone or cell phone.
  • The legislation will apply even if the supplier does not sell the consumer the mobile device.
  • Advertising must show all-inclusive costs, which must be the most prominent cost information in the advertising.
  • Wireless services agreements must meet the prescribed disclosure obligations or they will not be enforceable. Among the disclosure obligations are:
    • Minimum cost obligations described on a periodic basis (e.g. monthly);
    • Maximum usage of each service before the consumer will trigger additional costs not included in the minimum cost obligations; and
    • Cost of optional services and any restrictions that will cause those costs to increase.
  • Suppliers of wireless services must provide advance notice to the consumer if the consumer accesses a service that will result in additional costs.
  • Consumers may cancel an agreement at any time for any reason.
  • There are limits on cancellation fees based on prorating the economic inducements (such as discounted handsets) over the term of the contract or, for agreements of no fixed term, 48 months.

 

Privacy & Reference Checks – Ontario IPC Speaks

The Ontario Information & Privacy Commissioner (OIPC) has published a booklet regarding social media and reference checks, entitled “Reference Check: Is Your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile”.

The booklet warns employees and job-hunters of the perils of indiscreet postings on social media sites.  The booklet is directed at educating Ontarians about what the OIPC describes as intrusive background checking activities.  However, the booklet is also an excellent HR resource for educating employees regarding social media best practices.

For more on this subject, see my previous post.

Privacy and Promotion: Don’t Build a Profile of the Non-User

This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user’s address book for the purpose of sending an e-mail invitation to a contact of the user.  In the first post, I discussed the privacy by design principle.  In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user. 

As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada’s Anti-Spam Legislation is in force.  Legal advice should be sought for these types of promotion to ensure compliance.

So the invitation has gone out to the non-user.  Now what? 

Resist the urge to build a profile for the non-user.

The non-user has not yet agreed to join.  Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the non-user consents to join.  If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user’s street address or telephone number.

There may be more subtle ways of building a profile, such as by cross-referencing the non-user’s e-mail address against other users’ address books or searching out other available information on the Internet.  If the website or mobile application’s design involves building a profile for the non-user as part of the promotional activity to invite the non-user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid “using” the non-user’s personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.

In a recent decision of the Office of the Privacy Commissioner of Canada (“OPC”), the OPC considered Facebook’s practices with respect to generating friend suggestions for non-users in invitations.  At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user.  The OPC found it significant that by doing so Facebook had already “used” the non-user’s e-mail address to generate friend suggestions without providing any information on how the non-user’s personal information was being used or any opt-out mechanism.

During the investigation, Facebook changed its practices to something more acceptable to the OPC.  No additional friend suggestions were made in the initial invitation.  There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions.  The non-user’s e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user given an opt-out opportunity.

Destroy the e-mail address once the purpose for the collection has been fulfilled.

Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt-out.  Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled.  If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user’s contact information. 

There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user.  However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user’s contact information.

Nova Scotia Considers Legislative Action to Prevent Employers from Requesting Social Networking Passwords

On April 23, 2012, Nova Scotia Liberal MLA Andrew Younger introduced Bill 40, which would amend the Labour Standards Code (Nova Scotia) to prohibit an employer from requiring an employee or prospective employee to provide access to the employee or job candidate’s social networking account or discriminating against the employee or job candidate for refusing to provide such access.  The Nova Scotia NDP government is reported to be considering the Bill.

If the Bill were to pass, it would be the first legislation to pass in Canada specifically addressing the practice of employers requiring employees or job candidates to provide access to social networking accounts.  Last week, Maryland became the first state in the United States to pass legislation prohibiting an employer from requesting or requiring that an employee or job candidate disclose passwords (among other things) for accessing personal accounts or social networking services and disciplining any employee who refused to release such information. The bill has not yet been signed into law.  California Senate Bill 1349 would go further and prohibit a post-secondary institution or an employer from requiring a student, employee or prospective student or employee, to provide access to that person’s personal social media account.

It is questionable whether such specific legislation is required in Canada.  In a recent post on Employment and Labour Law, my colleague, Naomi Horrox, wrote about the practice of accessing personal information about job candidates by asking candidates for their passwords to social networking sites that they use.  Naomi reported in her article that the Ontario Human Rights Commission warned that doing so could lead to discrimination claims against the employer.

In addition, any employer who seeks access to social networking sites should obtain legal advice regarding Canadian privacy obligations as the employer who logs on as the job candidate will have access to and may be accessing and collecting personal information about third parties (the candidate’s contacts) by reviewing and copying any information on the site.  Employers should seek legal advice regarding whether such access and collection might be contrary to the third parties’ reasonable expectations and whether consent of those third parties is required in the circumstances, depending on the third parties’ privacy settings.

Anti-Spam Legislation to Take Effect in 2013?

In the written text of a speech given yesterday by Canada’s Minister of Industry on Canada’s digital economy, the Minister stated that Canada’s Anti-Spam Legislation (CASL) is expected to take effect next year.

For more on CASL, please see Margot Patterson’s previous posts here and here and here.

Costs of EU Privacy Proposals Questioned

On April 4, 2012, the Chairman of Working Party 29 (a committee of data protection authorities from European Union member states) expressed concern regarding the potential costs of the proposed European Union privacy reforms.

In a letter to the Commissioner for Justice, Human Rights and Citizenship, the Chairman of Working Party 29 wrote that it “strongly suggests an in-depth assessment of the increased costs”.  The Chairman wrote:

If the cost of providing [adequate human, technical and financial resources, premises and infrastructure to data protection authorities] exceeds the financial commitment that Member States and the Commission are prepared to make, then priorities should be set, with those duties that do not provide the best ‘value for money’ in terms of privacy protection being scaled back.

More on the EU Proposals can be found in my January 2012 post.

Get Accountable! Privacy Commissioners Release Guidance Document

On April 17, 2012, the Office of the Privacy Commissioner of Canada and its counterparts in the provinces of British Columbia and Alberta announced a new guidance document on accountability, entitled “Getting Accountability Right with a Privacy Management Program”.

The accountability guidance assists organizations in considering the following essential elements of demonstrating accountability under privacy legislation in Canada.  In particular, privacy legislation in Canada is typically interpreted as requiring:

  • Privacy Officer. The appointment of a designated person to oversee compliance with Canadian privacy legislation.  In larger organizations, this may require a privacy group or office.
  • Policies & Education. The establishment of privacy policies and processes for training and on-going training of employees with respect to those policies.
  • Governance of Third-Party Processors. The inclusion of privacy guarantees and audit rights with respect to the organization’s third-party processors of personal information.
  • Inquiries & Complaints. Systems to identify requests for access and correction of personal information or complaints regarding the collection, use, retention or disclosure of personal information and trained staff to respond to those requests and complaints. This also requires organizations to understand what personal information they have collected and who has custody of it.
  • Risk Assessment. Organizations are responsible for engaging in risk assessment in all aspects of the life-cycle of personal information – collection, uses, new uses, retention, disclosure and destruction of information – and to demonstrate risk-minimization strategies through administrative, physical and technological procedures.
  • Breach Response Procedures. Organizations should have breach detection and response protocols that are compliant with general privacy principles and any applicable mandatory breach notification requirements.

 

Happy Anniversary Charter of Rights and Freedoms

Whatever you may think of the patriation of Canada’s Constitution and the Charter of Rights and Freedoms, it marked a milestone in Canada’s legal history.  In honour of the 30th Anniversary of the Charter, here are excerpts from three Supreme Court of Canada decisions relating to the protection of privacy and the Charter.  As the blog posts on this site attest, we continue to struggle with these issues.

R. v. O’Connor

In a case involving the non-disclosure of an alleged sexual abuse victim’s entire medical, counseling and school records, Justice L’Heureux-Dubé held (at para 119):

The essence of privacy, however, is that once invaded, it can seldom be regained. For this reason, it is all the more important for reasonable expectations of privacy to be protected at the point of disclosure. As La Forest J. observed […]:

…if the privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. This is inherent in the notion of being secure against unreasonable searches and seizures. Invasions of privacy must be prevented, and where privacy is outweighed by other societal claims, there must be clear rules setting forth the conditions in which it can be violated.

In the same way that our constitution generally requires that a search be premised upon a pre-authorization which is of a nature and manner that is proportionate to the reasonable expectation of privacy at issue […], s. 7 of the Charter requires a reasonable system of “pre-authorization” to justify court-sanctioned intrusions into the private records of witnesses in legal proceedings. Although it may appear trite to say so, I underline that when a private document or record is revealed and the reasonable expectation of privacy therein is thereby displaced, the invasion is not with respect to the particular document or record in question. Rather, it is an invasion of the dignity and self-worth of the individual, who enjoys the right to privacy as an essential aspect of his or her liberty in a free and democratic society.

R. v. Gomboc

In a case in which a majority of the court concluded that there was no reasonable expectation of privacy in information regarding the consumption of electricity in a house, McLachlin C.J. and Fish J. stated in dissent (at paras. 100 to 104):

Every day, we allow access to information about the activities taking place inside our homes by a number of people, including those who deliver our mail, or repair things when they break, or supply us with fuel and electricity, or provide television, Internet, and telephone services. Our consent to these “intrusions” into our privacy, and into our homes, is both necessary and conditional: necessary, because we would otherwise deprive ourselves of services nowadays considered essential; and conditional, because we permit access to our private information for the sole, specific, and limited purpose of receiving those services.

A necessary and conditional consent of this sort does not trump our reasonable expectation of privacy in the information to which access is afforded for such a limited and well-understood purpose. When we subscribe for cable services, we do not surrender our expectation of privacy in respect of what we access on the Internet, what we watch on our television sets, what we listen to on our radios, or what we send and receive by e-mail on our computers.

Likewise, when we subscribe for public services, we do not authorize the police to conscript the utilities concerned to enter our homes, physically or electronically, for the purpose of pursuing their criminal investigations without prior judicial authorization. We authorize neither undercover officers nor utility employees acting as their proxies to do so.

This case concerns a police operation that co-opted an electric utility [...] to install a digital recording ammeter (“DRA”) on its power line in order to generate, record and disclose to the police otherwise non-existent data for the purposes of an ongoing criminal investigation.

Such actions go beyond the voluntary cooperation of a private actor with the police. In our view, they constitute a search that infringes s. 8 of the Charter.

R. v. Kang-Brown; R. v. A.M.

In these cases involving the use of sniffer dogs to conduct searches, the court was divided on the common law authority to use sniffer dogs to conduct searches without statutory authority. The judges who found that there was common law authority agreed that it is constrained to situations in which there is “reasonable suspicion”. In a spirited dissent, however, LeBel J. stated in R. v. Kang-Brown (at paras. 5 to 12):

Section 8 of the Charter expresses one of the core values of our society: respect for personal privacy and autonomy. A significant proportion of Charter decisions have concerned the interpretation and application of s. 8. [...] Although the word “privacy” does not appear in the Charter, from the first days of its application, s. 8 evolved into a shield against unjustified state intrusions on personal privacy [...].

Even before the Charter came into force, the courts were protective of privacy rights, although they tended to ground that protection in the notions of territoriality and of the relative sanctity of property interests [...]. They modified this approach under the Charter, defining privacy interests as personal rights [...]. This shift underscores the crucial importance of privacy interests in the interpretation of s. 8 [...].

The protection of privacy interests rests on the constraints, like the requirements of prior authorization and reasonableness, imposed on those conducting searches and seizures by the wording of s. 8 and by the courts in applying that section. The needs of law enforcement have to be taken into consideration and to be balanced with reasonable expectations of privacy. Nevertheless, in the leading cases on s. 8, the courts imposed significant constraints on intrusions on personal privacy by state agents. These constraints were found necessary because [...] “to determine the balance of the competing interests after the search had been conducted” amounts to an “[ex] post facto analysis [that] would . . . be seriously at odds with the purpose of s. 8”. That purpose, our Court then emphasized, “requires a means of preventing unjustified searches before they happen, not simply of determining, after the fact, whether they ought to have occurred in the first place” [...]. Those constraints were — and in general still are, since this Court has never resiled from them — that there be a legal basis for the search or seizure in a statute or at common law, prior judicial authorization, and reasonable and probable cause. Departures from that constitutional framework had to be justified by the state. [...].

These considerations lead me back to the central question in the present appeal: the proper performance of the courts’ lawmaking function. In my opinion, the jurisprudence-based solutions advanced in the reasons of certain of my colleagues, who openly or implicitly advocate the creation of new common law rules reducing the standard of scrutiny of state intrusion into privacy, do not represent an appropriate exercise of judicial power in the circumstances of this appeal and of the companion appeal in A.M.

The common law has long been viewed as a law of liberty. Should we move away from that tradition, which is still part of the ethos of our legal system and of our democracy? This case is about the freedom of individuals and the proper function of the courts as guardians of the Constitution. I doubt that it should lead us to depart from the common law tradition of freedom by changing the common law itself to restrict the freedoms protected by the Constitution under s. 8 of the Charter.

 One thing seems safe to predict: the debate will continue.

Consumer Safety Administrative Monetary Penalties Published for Comment

On March 24, 2012, the Canadian federal government published draft regulations for comment relating to the imposition of administrative monetary penalties for certain violations of Canada’s new Consumer Product Safety Act.

The Administrative Monetary Penalties (Consumer Products) Regulations relate to violations of ministerial orders requiring the recall of consumer products or the taking of other measures (such as to stop importing or selling them).  Using a system of points to assess the gravity of the violation of the ministerial order and the number of violations, the regulations would establish penalty ranges of Cdn. $10,000 to Cdn. $25,000 for commercial organizations.

It should be noted, however, that these are not the only potential penalties for organizations in the supply-chain of consumer products in Canada.  All organizations in the supply chain have day-to-day responsibilities under Canada’s Consumer Product Safety Act.  In particular, from a data governance perspective, organizations should be aware that if they are engaged in the manufacture, importation, advertising, sale (distribution and retail) or testing of consumer products, they have specific record-keeping and reporting obligations.

Section 13 of the Consumer Product Safety Act requires retailers to maintain records of the name and address of the person from whom they obtained a consumer product and the location and period during which the product was sold.  Other organizations must maintain records containing the name and address of the person from whom they obtained the product or to whom they sold it, or both.  These records must be kept for 6 years after the end of the year to which they relate (accordingly, most organizations will likely use a 7-year retention period subject to certain exceptions for longer retention).  These records must be kept in Canada unless an exemption is obtained.

Section 14 of the Consumer Product Safety Act requires manufacturers, importers and sellers of consumer products to make reports regarding any “incidents” relating to those products of which they become aware and to provide the Minister of Health with information regarding such incidents.  An “incident” includes among other things (a) an occurrence in Canada or elsewhere that resulted or may reasonably have been expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; (b) a defect or characteristic that may reasonably be expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; (c) incorrect or insufficient information on a label or in instructions — or the lack of a label or instructions — that may reasonably be expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; or (d) a recall or measure that is initiated for human health or safety reasons.

A person who contravenes these obligations may be prosecuted for a criminal offence and be liable to a maximum fine of Cdn. $5,000,000 or to imprisonment for a maximum term of two years or to both.  Directors and officers may be personally liable if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence.

Supreme Court Strikes Down Wiretap Provision

Today the Supreme Court of Canada declared certain wiretap provisions of the Criminal Code (Canada) to be constitutionally invalid but suspended the declaration of invalidity for 12 months to allow Parliament to address the deficiencies in the legislation.

The Supreme Court of Canada has previously stated that covert interceptions of private communications constitute serious intrusions into the privacy rights of those affected.  A legitimate exception is where there is a risk of serious and immediate harm.  Section 184.4 of the Criminal Code is an emergency wiretap provision.  It permits the police (among others) to intercept private communications without judicial authorization in certain circumstances.  In order to use this wiretap provision, the police must believe on reasonable grounds that (A) the interception is immediately necessary to prevent an unlawful act, (B) the unlawful act would cause serious harm to persons or property, (C) one of the persons whose communication is intercepted is the person who will commit the act (perpetrator or aiders and abetters) or is the potential victim, and (D) judicial authorization cannot be obtained with reasonable diligence.

The court concluded that section 184.4 did not strike a reasonable balance between an individual’s right to be free from unreasonable search and seizure under section 8 of the Charter of Rights and Freedoms and society’s interest in preventing serious harm.  In particular, the warrantless wiretap provision did not provide sufficient mechanisms to ensure accountability.  For example, there was no “after the fact” notice to persons whose private communications were intercepted.

On the issue of “after the fact” notice, the Supreme Court stated it agreed with the following submissions of the Ontario Criminal Lawyers’ Association:

. . . notice is neither irrelevant to s. 8 protection, nor is it a “weak” way of protecting s. 8 rights, simply because it occurs after the invasion of privacy. A requirement of after-the-fact notice casts a constitutionally important light back on the statutorily authorised intrusion. The right to privacy implies not just freedom from unreasonable search and seizure, but also the ability to identify and challenge such invasions, and to seek a meaningful remedy. Notice would enhance all these interests. In the case of a secret warrantless wiretap, notice to intercepted person stands almost alone as an external safeguard.

 

Ontario to Introduce Wireless Services Consumer Protection Legislation

The Ministry of Consumer Services (Ontario) today announced that it plans to introduce legislation that it proposes would make it easier for consumers “to understand the costs and terms of wireless services agreements for cell phones, smart phones, tablets and similar mobile devices.”

Last year, the Hon. David Orazietti introduced the Wireless Phone, Smart Phone and Data Service Transparency Act, 2011. The proposed legislation, The Wireless Services Agreement Act, 2012, will adopt some of the measures proposed in Mr. Orazietti’s Bill.

The Wireless Services Agreement Act, 2012 will:

  • Limit contract cancellation costs
  • Require contracts to clearly explain what services are provided and what services would result in added costs
  • Require express consent to the renewal, extension or amendment of fixed-term contracts
  • Require all-inclusive price advertising
  • Provide for enhanced remedies

The Government of Ontario’s FAQ can be found here.

Privacy and Promotion: Invite Your Friend

This is the second in a series of posts on privacy and anti-spam implications of organizations engaging in promotional activities in which the user of a website or mobile app is asked to supply e-mail addresses of contacts in order to invite those contacts to the website or to download the mobile app.

In the last post, I wrote about building privacy into the design of the website or mobile app.  This post deals with a few considerations regarding consent.  Upcoming posts will deal with anti-spam and other issues.

Treat the contact information as the personal information of the user (owner of the address book).

Most organizations understand that it is necessary to obtain the consent of the owner of the address book to use contact information for the purposes of soliciting those contacts. Obtaining consent from the user is generally straightforward. In most contexts, there will be a transparent way for the organization to ask for permission to use the user’s contacts. If privacy considerations have been built into the promotional program, asking for permission to use contact information or asking the user to input the contact information for the purpose of “inviting a friend” to the site can be accompanied by disclosure of how the information is going to be used. If the user is going to be provided with the opportunity to customize the message to the recipient, the use will be transparent.

What might not be obvious is any on-going use that the organization may intend to make of the information that is supplied. Consideration should be given to providing relevant information about on-going uses, if any, at the point of request regarding the proposed use and direction to the organization’s more detailed data use policy governing the life-cycle of the requested information.

Treat the contact information as the personal information of the contact (the owner of the email address).

The personal information being collected through “Suggest to a Friend” promotions is also personal information of the non-user.  This is frequently overlooked in the design of these marketing initiatives.

The Office of the Privacy Commissioner of Canada has previously stated that organizations that actively solicit non-users’ e-mail addresses from users with the intention of using them for their own purposes must take some responsibility for obtaining consent of the non-users.

The requirement to obtain the recipient’s consent may not be obvious to an organization. The e-mail is, after all, being sent as an invitation from the user. However, in a “suggest a friend” promotion, the substance of the communication is commercial.  The organization is processing the e-mail address for a promotional purpose to invite the recipient to sign up or join the organization’s site. This use of the e-mail address is likely to be governed by Canadian privacy legislation.

How to Obtain Consent from the Recipient

An e-mail address, on its own, is generally not considered to be sensitive personal information. If the e-mail address will only be used for the purpose of sending an invitation by a user to a non-user who the user knows, the use of the e-mail address by the organization will not be considered to be sensitive. Leaving aside anti-spam legislation, which will be discussed in upcoming posts, the organization soliciting the e-mail addresses may rely on the users to obtain express or implied consent of the non-users.

However, the organization must demonstrate reasonable due diligence to ensure that the non-user’s consent has been obtained. Reasonable due diligence varies with the circumstances.  In most contexts it will consist (at a minimum) of making sure that users are aware that they must not disclose a non-user’s e-mail address unless the user knows the non-user personally and the non-user would want to receive the e-mail.

If more than one e-mail will be generated (for example, reminder e-mails), that information must be disclosed to the user so that the user can consider whether that use of their contact’s e-mail address would be appropriate.  This information should also be disclosed to the recipient.

Due diligence also requires that the organization confirm whether the recipient has in fact expressly or impliedly consented to the use of his or her e-mail address in this manner. This is not an impossible task.  For example, when the e-mail is sent to the non-user, the organization could explain why the e-mail is being sent and what use will be made of the e-mail address (reminders, permanent links to the user who sent the message, etc.).

If the recipient objects to this use of the e-mail address (in effect, withdrawing the implied consent), the recipient non-user should be given a way of opting out of further communications. In other words, consideration should be given to allowing the recipient to put himself or herself on a “do not contact” list. In addition, or in the alternative, consideration might be given to permitting the recipient to request deletion from the organization’s system.

Issues relating to non-user consent can be tricky.  The organization should consider all uses of the e-mail address and the life-cycle of that use and consult a lawyer to ensure the promotion is compliant.

Privacy and Promotion: “Suggest this Site to Your Friends”

A not uncommon Web-based marketing tool is to invite users to suggest the website to their friends and family. The user inputs e-mail addresses or allows the website or mobile app to harvest the user’s address book information to generate a list of potential contacts. Organizations planning to implement this type of marketing program should seek legal advice to ensure that they remain onside of privacy and anti-spam regulations. This is the first in a series of posts in which I will comment on a few notable issues relating to these types of promotional activities.

Employ the “privacy by design” principle.

The starting point when designing these types of promotions is to assess privacy implications of each aspect of the promotion and build privacy protections into the administrative and technological design of the promotion.

By assessing the privacy implications of the marketing program at the outset, the process of ensuring that the marketing tool will be privacy compliant will be simplified. Employees in the marketing group will know what questions to ask of vendors and IT professionals will be better positioned to implement systems to ensure privacy compliance.

To take a simple example, organizations should consider whether they have a legal obligation to provide the recipient of a promotional e-mail invitation a way of opting out from further e-mail communications. The non-user may expect to be given the opportunity to permanently opt out of further communications from not only the friend who sent the invitation but also any other friends who may use the organization’s services. The technological ability to provide that permanent opt-out mechanism would need to be built into the design of the system.

Moreover, as will be discussed in subsequent posts, the organization will not have consent to send the recipient further promotional material other than perhaps a reminder e-mail, until the recipient takes a positive step to accept the invitation. This means that the organization must have the technological capability to prevent the non-user’s e-mail address from being mixed into the database for general promotional communications.

CRTC Steps Up Enforcement Action

Earlier this month, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it had concluded a five-month investigation and had taken enforcement action against 85 companies for violating the Unsolicited Telemarketing Rules.

In stepping up its enforcement action, the CRTC issued citations to 74 companies that were engaged in telemarketing activity but had failed to register with the National Do Not Call List operator or to subscribe to the National Do Not Call List. The National Do Not Call List allows Canadians to register their telephone and fax numbers in order to opt out of being contacted by telemarketers.

Another 11 companies were assessed administrative monetary penalties for violating the Unsolicited Telemarketing Rules. In aggregate, the administrative monetary penalties assessed by the CRTC for these 11 companies were $41,000. The amount reflects that in each case the company that had failed to comply with the Unsolicited Telemarketing Rules appears to have been a relatively small business.

Small businesses should be aware that even though the costs of compliance with the Unsolicited Telemarketing Rules may be material, all telemarketers must exercise diligence in complying with, and in demonstrating compliance with, the Rules. For example, if the company wishes to rely on the exemption that applies to telemarketing calls to a person with whom the company has an existing business relationship, the company must be able to demonstrate one of the following: (i) a contract was concluded with the person who was contacted or a contract with that person had expired in the 18-month period preceding the telecommunication; or (ii) the person who was contacted had made an inquiry of the company or an application within the six-month period preceding the telecommunication. In order to defend itself, therefore, the company must maintain accurate records that can be produced on demand to the CRTC.

If the existing business relationship exemption, or another exemption, does not apply to the telecommunication, the company must register with the Do Not Call List operator and download the Do Not Call List once every 31 days. All businesses engaged in telemarketing activity (including small businesses) must, therefore, invest in sufficient computer technology to be able to utilize the Do Not Call List to screen out persons who do not wish to receive unsolicited telecommunications.

Standing Committee Recommends Further State Surveillance Powers

The House of Commons Standing Committee on Justice and Human Rights recently released its report on “The State of Organized Crime”. Among the noteworthy recommendations of the Standing Committee relating to state surveillance powers in fighting organized crime are:

Requiring corporations to disclose information about ownership. The Standing Committee noted that corporations annually disclose the names of directors and officers, including home addresses for those individuals. However, no information is provided about ownership structure. The Standing Committee recommends that federal, provincial and territorial ministers of justice consider amending corporate statutes to require a corporation to provide annual information regarding its ownership, including the names of shareholders and their addresses.

Expansion of the requirement to report large cash transactions to FINTRAC. In particular, the Standing Committee recommends that automobile dealers, companies operating private ATMs, construction and home renovation companies, race tracks, and law firms be required to report cash transactions of $7,500 or more to FINTRAC.

Requiring telecommunication service providers and device manufacturers to build electronic surveillance/interception capacity into their equipment and networks. The Standing Committee stated that the Criminal Code provisions relating to electronic eavesdropping have remained unchanged since 1974. The Standing Committee expressed concern that there is no Canadian law that requires all telecommunications service providers to use devices that allow for the interception of electronic communications. This capacity is, in the view of the Standing Committee, “essential in fighting organized crime.” The Standing Committee asserted that “when communications can be intercepted, not all telecommunications service providers release standardized information to law enforcement agencies.”

Requiring telecommunications service providers and device manufacturers to decrypt communications or to provide assistance to law enforcement agencies to decrypt electronic communications. Without discussion of the potential effects on citizen privacy rights and legal privileges (e.g. solicitor-client privilege), the Standing Committee recommended that telecommunication service providers be required to assist in the decryption of intercepted communications.

Extending the length of time that a GPS device may be installed on a vehicle. The Standing Committee noted that warrants for electronic surveillance could be extended, in the case of the investigation of organized crime offences, to one year. However, permission to install a GPS device on a vehicle (tracking warrant) could only be granted for a maximum of 60 days. The Standing Committee recommends extending the maximum to one year.

 

Ontario’s Budget: Privacy and Data Governance Aspects

Today, Ontario’s Minister of Finance, Dwight Duncan, presented Ontario’s proposed budget, “Stronger Action for Ontario”.

From a privacy and data governance perspective, here are a few things to note:

  • Public-Private Partnership for ServiceOntario.  ServiceOntario operates a hub for government registrations, certifications and licensing.  The government is proposing to increase private sector involvement, including in the expansion of online services.
  • Unclaimed Intangible Property. Ontario has unclaimed intangible property legislation that has not been proclaimed into force.  The government has indicated that it will move forward to establish an Unclaimed Intangible Property Program that would allow the government to take unclaimed intangible property and use it for government purposes until claimed by the owner of the property.  This will inevitably create data gathering, reporting and payment obligations for businesses operating in Ontario as well as the collection of further information about Ontarians by the government.
  • Integration of Social Programs. As mentioned in our previous post, the Drummond Report suggested that there would be benefits to integrating social programs and centralizing data collection.  It appears that the government will move forward on some of these recommendations.
  • Sharing Information for Tax Compliance. The Drummond Report also called for greater information sharing to combat the loss of tax revenue in the underground economy. The government is proposing to move forward with, among other things, enhanced information sharing across Ontario ministries, municipalities and with the Canada Revenue Agency. 

The government is also proposing amendments to the Freedom of Information and Protection of Privacy Act to accomplish some of its tax and revenue collection objectives.

FTC Released Final Privacy Report

At a press conference today, March 26, 2012, the U.S. Federal Trade Commission (FTC) released its final report on protecting consumer privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change”.

FTC Chairman Jon Leibowitz began the press conference by quoting former U.S. Supreme Court Justice Louis Brandeis, who wrote in dissent in a 1928 wire-tapping case that the Fourth and Fifth Amendments to the U.S. Constitution recognized that the right to be let alone was “the most comprehensive of rights and the right most valued by civilized men.”

The FTC outlined three over-arching principles for protecting consumer privacy at the beginning of the 21st Century:

  1. Privacy by Design. Incorporate privacy in the developmental stages of projects.  This is the “privacy by design” principle, the case for which has been convincingly made by the Ontario Information and Privacy Commissioner.
  2. Simplified Consumer Choice. Consumers must have simplified choice with respect to how their personal data is used.  The FTC emphasized that no one has the right to put anything on a consumer’s computer.  The FTC acknowledged the strides being made in Do Not Track initiatives.
  3. Transparency. Data use practices must be transparent. The FTC suggests that privacy disclosures must be less onerous for consumers to navigate and read.

The FTC suggests that legislation may be required to regulate “data brokers”.  Data brokers may be engaged in types of activities that are similar to those of credit and consumer reporting agencies without coming within existing legislation governing consumer and credit reporting agencies. The FTC has called on data brokers to create a centralized website where data brokers would “(1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”

On the issue of “Do Not Track”, the FTC acknowledged the strides that had been made and stated that if “Do Not Track” was not fully operational by the end of 2012, the advertising industry should expect that there would be a “tsunami” of calls for legislation.

Exclusions of Liability and Consumer Protection Legislation

From time-to-time, I will comment on legal developments in consumer protection that have implications for the e-commerce environment. On March 15, 2012, the British Columbia Court of Appeal released its decision in Loychuk v. Cougar Mountain Adventures Ltd., which establishes that complete waivers of liability for personal injury in recreational activities may be enforceable under British Columbia’s Business Practices and Consumer Protection Act (“BPCPA”), even if the plaintiffs do not understand at the time of booking the activity that a waiver will be required.

Background

The plaintiffs reviewed the website of the defendant and booked a zip-line adventure. The plaintiffs were injured when they collided on a zip-line operated by the defendant.  According to the court’s reasons for judgment, the defendant admitted that its employees had been negligent (there had been miscommunication between the guides leading the zip-line tour).

The defendant relied on a waiver of liability that the plaintiffs signed prior to participating in the adventure. The waiver was a one-page document. It had a warning at the top indicating that by signing the document the plaintiffs would waive certain legal rights, including the right to sue or claim for compensation following an accident. In the body of the waiver, the plaintiffs released all claims for any loss, damage, expense or injury, including death, due to any cause whatsoever, including negligence, breach of contract, or breach of any statutory or other duty of care, and including the failure on the part of the releasees to take reasonable steps to safeguard or protect the plaintiffs from the risks, dangers and hazards of participating in the zip-line activities.

Each of the plaintiffs had had prior experience with signing releases in the context of recreational activities. One of the plaintiffs was the owner of a business that offered kickboxing programs for women in which waivers of liability were used. The other plaintiff had previously signed a waiver in connection with renting a kayak.

Issues for the Court of Appeal

In the Court of Appeal, the plaintiffs argued:

  1. The waiver was unconscionable at common law;
  2. The waiver was unenforceable under the provisions of the BPCPA; and
  3. There was no consideration in exchange for the signing of the waiver.

Unconscionability

The court, following the Supreme Court of Canada’s decision in Tercon Contractors Ltd. v. British Columbia (Transportation and Highways), held that whether the waiver of liability was enforceable depended upon a three-step analysis:

  1. Did the release cover the injury in issue? There was no debate that this step was satisfied.
  2. Was the exclusion of liability unconscionable at the time the contract with the defendant was entered into?
  3. Was there any overriding public policy reason that would permit the plaintiff to avoid the exclusion of liability?

To succeed on the second step (unconscionability), the Court of Appeal held that the plaintiffs had to demonstrate that there was (1) inequality of the parties arising from the ignorance, need or distress of the weaker and (2) substantial unfairness. The court concluded that there is no power imbalance where a person wishes to engage in an inherently risky recreational activity, simply because that activity is controlled or operated by another person. Nor was it unfair for an operator to require a waiver as a condition of participation.

Regarding the third step (public policy), the court rejected the argument that the fact that the zip-lining activity was totally within the control of the operator meant that the operator could not disclaim liability as a matter of public policy. The court held that if there were policy reasons why releases for injuries in recreational activities that are freely entered into should not be enforced, that was a question for the Legislature. The relevant public policy issues for the court were whether the defendant was knowingly placing the public in danger or was reckless as to whether it was doing so.  These factors didn’t apply.

Consumer Protection

For the purposes of the appeal, the court assumed that the BPCPA applied.

The plaintiffs argued that the defendant had engaged in unconscionable or deceptive acts and practices and for that reason the waiver was unenforceable. In particular, the plaintiffs relied on paragraph 8(3) of the BPCPA, which directs the court to consider whether “the terms or conditions on, or subject to, which the consumer entered into the transaction were so harsh or adverse to the consumer as to be inequitable”. The court held that this provision did not lower the standard to be met before a contract would be set aside on the basis of unconscionability. The court would not set aside the release merely because it was arguably “inequitable” – it had to be unconscionable.

The plaintiffs also alleged that there had been deceptive advertising, which rendered the waiver void. In particular, the plaintiffs relied on a statement from the “Frequently Asked Questions” page on the website. In response to the question about the safety of the zip-line activity, the defendant described the engineering construction and certification of the zip line and did not mention the risks inherent in its operation. The court rejected this argument. First, there was nothing to indicate that the plaintiffs were aware of or relied on the statement. Second, and more importantly, the court held that the website statement could not be read as a representation of anything other than a statement about the infrastructure.

Lack of Consideration

The plaintiffs’ final argument was that the waivers lacked consideration. The plaintiffs argued that they had entered into their contracts prior to having signed the waivers. One of the plaintiffs argued that the contract was complete when she made the reservation using her husband’s credit card. The other plaintiff argued that the contract was entered into when her friend made the reservation for the group. The court held that it was bound by prior decisions of the court and found that permission to continue an activity or to commence an activity constituted immediate and fresh consideration capable of supporting the waiver. It was “immaterial” whether the plaintiffs had read the statement on the website that participants would be required to sign a waiver.

 

IPC Confirms Building Plans Do Not Contain Personal Information

In a recently released access to information decision under Ontario’s Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), an adjudicator for the office of the Information and Privacy Commissioner of Ontario (“IPC”) confirmed that building plans are not personal information for the purpose of MFIPPA.

The requester in this access to information case sought disclosure of the building plans for a neighbouring property. The owners of the property objected. It appears that the owners conceded at the hearing that the building plans did not contain personal information. The opening words of the definition of “personal information” in subsection 2(1) of MFIPPA define “personal information” as “recorded information about an identifiable individual”.  The adjudicator followed a long line of decisions of the IPC in which the IPC has distinguished between information “about a property” and information “about an individual”.  The adjudicator concluded that the building plans contained no information other than the layout of the building and, therefore, that they were information that was solely “about the property”.

It should be noted, however, that the line between what constitutes information about a property and information about an individual for purposes of MFIPPA depends on the type of information at issue and how easy it may be to link to an individual.  For example, in other decisions, the IPC has concluded that appraisal information about a property is personal information.

Information and Privacy Commissioner Collaborates with U.S. Utility

The Ontario Information and Privacy Commissioner and San Diego Gas & Electric (“SDG&E”) have released a white paper on the collaboration of SDG&E and the Office of the Information and Privacy Commissioner regarding privacy issues in SDG&E’s dynamic pricing project.  The project makes use of technological capabilities of smart meters, to offer time-variable rates to home owners and tools to manage and understand energy consumption. The paper describes how SDG&E integrated privacy considerations during the development of the project.

Governance Attention for Digital Assets Lacking Suggests Carnegie Mellon Study

Carnegie Mellon CyLab has released a summary of its third survey regarding corporate governance of the privacy and security of digital assets.  CyLab is a centre for cyber security research. The 2012 study was sponsored by RSA, the security division of the information infrastructure company EMC. A summary of the study is available on the RSA website.

The authors of the 2012 study state that less than one-third of Global Forbes 2000 companies who responded to the survey are undertaking basic responsibilities for cyber governance.  Among the key findings were that:

  • 94% of respondents stated that they had a formal enterprise risk management program; however, half of the respondents reported that they do not have personnel in key privacy and security roles;
  • at the board level, audit committee responsibility for technology risks has decreased in favour of risk committees;
  • however, only one-third (approximately) of the respondents reported that their board of directors are focused on activities that would help protect against reputational or financial losses resulting from breaches of data security and the theft of confidential and proprietary information; and
  • more than half of the respondents reported that their boards do not review insurance policies for protection against cyber risks.

 

Privacy Commissioner Report on Youth Social Networking Site

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released its first report of findings for 2012. This first report concerned a complaint regarding the privacy practices at an on-line “open community” social networking site popular with youth.

The original complaint against the social networking site was filed in January 2010 by a public interest advocacy group. According to the OPC, the social networking site described itself as an “open community” platform used primarily for youth to “show off to the world”.

The OPC report is lengthy.  In this summary, I focus on five areas.

1.  “Visible to All” Privacy Settings

The OPC was concerned that default privacy settings were completely open — meaning that user profiles (containing what the OPC considers to be sensitive personal information) could show up in Internet search results.  Some data showed up even in higher privacy settings. In response, the social networking site appears to have argued that the privacy defaults were reasonable given that very few of its users change their privacy settings to a more restrictive setting. When certain blocks of information were given a more restrictive setting by default, 5% of users had lessened the privacy restrictions.

Notwithstanding that users generally did not make their settings more restrictive, the OPC concluded that youth have special vulnerabilities and, therefore, a “reasonable person” would not consider it appropriate for the social networking site to preselect a low privacy setting for users, such that personal information would show up in Internet search results.

2.  Meaningful Consent

The OPC also found that the site failed to get meaningful consent to the collection, use and disclosure of personal information. In this regard, the OPC was also influenced by the age of the typical users of the site. The OPC accepted that parental consent was not required. However, consent had to be obtained in a way that was meaningful given the demographics of the users.

The “take-away” on this point is that the standard privacy policy hyper-link at the bottom of a website may not always be adequate. Given the target audience, the OPC did not consider that the social networking site’s reliance on users to read a lengthy and formal privacy policy was a reasonable way to obtain consent. A more interactive privacy disclosure at point of click was better-suited to the audience. Nevertheless, the OPC accepted a process where a user had to review the privacy policy as part of the registration process.

3. Targeted / Behavioural Advertising

The OPC accepted that the nature of the free social networking service being offered meant that the use of personal information for the purposes of advertising was an acceptable condition of service, provided there was proper disclosure of information use and sharing practices. The OPC wanted more robust disclosure. Although the OPC did not require the social networking site to permit users to opt out of third-party tracking cookies, the OPC required enhanced disclosure of third-party cookies in the social networking site’s privacy policy.

4.  Sharing of User IDs for Rewards and Payment Processing

The social networking site disclosed user IDs to its third-party payment processor when users made purchases. In addition, the site disclosed user IDs, age and gender to a rewards company when users participated in certain offers. Apart from deficiencies in the privacy policy disclosure regarding these practices, the OPC had concerns that more information was being shared than was necessary. The OPC was not convinced that the user ID could not be linked back to a user profile. The OPC tested the site using a search function and was able to link to user profiles. Accordingly, OPC recommended that the social networking site use another unique code for payment processing. The social networking site discontinued the rewards program during the course of the investigation.

5.  Retention of Information in Declined Invitations and Deleted Accounts

The OPC also had two significant concerns regarding the retention of information. The first concern related to the use of non-user e-mail addresses. As is common, users of the social networking site could invite their friends to join. Users did not have to confirm that they had their friend’s consent to this use of the friend’s e-mail address. If a non-user did not want to receive further invitations, the non-user could opt out, but the e-mail address would be retained (not surprising if further invitations are to be blocked). The OPC stated that the user who provides the e-mail address should have to confirm that they have the prior consent of their friend. Moreover, the OPC stated that non-users should be given a choice between opting out and having their e-mail address deleted.

A trickier issue was what happens with information for deleted accounts.  The OPC reported that when users clicked the “Delete Account” option, they were informed that: “This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users’ in-boxes will remain.” However, in practice, only the user’s “shouts” were deleted. The user’s user-name, user ID, e-mail address, IP address and log-in information, friends list, gallery pictures, profile contents, messages and comments, and profile photos were archived.

The OPC stated that there should be a true “Delete Account” function and that the disclosure was misleading. The OPC reports that the social networking site has stated that it refuses to implement this recommendation because of the costs of doing so. The position of the social networking site, as described by the OPC, is that the information is only accessible to system administrators and is recovered in the event that they receive a warrant from a law enforcement authority.

As this issue is outstanding, the OPC is considering further action.

Privacy and Electronic Health Records in Ontario

Last week, Ontario’s Information and Privacy Commissioner released a discussion paper on privacy in the design of electronic health records (EHRs).  The paper, entitled “Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities – Win/Win” was co-authored with the President and CEO of Canada Health Infoway. Canada Health Infoway is government-funded and was established to foster and accelerate the development and adoption of electronic health record systems.

There is significant potential for patient electronic health records to be used for important societal secondary uses such as improving clinical practice, facilitating health promotion and disease prevention, and allocating health resources. The authors argue that the “Big Data” potential in electronic health records should be matched with a rigorous de-identification process where that data may be used for secondary purposes, since in most cases the identity of the individual patient is not relevant.

Of particular note is that Ontario’s Information and Privacy Commissioner appears to accept that “contrary to detractors’ claims about the ease of re-identification, it has been shown that the re-identification of properly de-identified information is not an easy task”.  Moreover, the Information and Privacy Commissioner also appears to accept that even though “de-identification may not guarantee the total elimination of all privacy risks (as indeed, no tool can), de-identification remains the vital first step that drastically reduces the risk of personal information being used or disclosed for unauthorized purposes.”

Cloud Computing and the Public Sector in British Columbia

The British Columbia Information and Privacy Commissioner (“IPC”) has released guidelines on cloud computing. The guidelines apply to the public sector bodies to which British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies.

Paragraph 30.1(a) of FIPPA restricts the ability of public bodies in British Columbia to transfer data outside of Canada.  Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with the consent of the individual to whom the information relates. The consent must be provided in writing and specify to whom the personal information may be disclosed.

The British Columbia IPC recognizes that some vendors are offering cloud computing services that store information solely within Canada. However, the IPC cautions that public bodies must make inquiries to determine whether they can rely on these representations. In addition, the IPC states that public bodies must consider whether there are reasonable security measures, such as:

  • corporate policies, procedures and standards with respect to security and privacy;
  • controls regarding access by authorized users;
  • infrastructure security, including layered security controls and patch management;
  • encrypted transmission and storage of personal information;
  • contractual safeguards for the information to prevent unauthorized use, to require mandatory breach reporting and to permit audits.

 

No Recourse to Travel Compensation Fund for Loyalty Points Program Provider

The Ontario Divisional Court recently overturned a decision of the Ontario Licensing and Appeals Tribunal that had required the Travel Industry Council of Ontario (“TICO”) to compensate a loyalty program provider for the cost of travel services with a bankrupt travel services provider.  The loyalty program provider paid for these travel services when its members redeemed points for travel services. The Divisional Court concluded that the loyalty program provider was not the “customer” who could make claims on the Travel Industry Compensation Fund because the loyalty program provider was not directly involved in the booking of the travel services and did not receive detailed invoices with respect to the travel services booked by the members of the points program.

Overview

TICO administers the Travel Industry Compensation Fund.  The Compensation Fund provides reimbursement of last resort where travel services arranged by or through an Ontario-registered travel agent are not provided due to the bankruptcy, insolvency or closure of an Ontario-registered travel agent or travel wholesaler or an end supplier airline or cruise line.

The issue in this case was whether a credit card issuer that offered loyalty points that could be redeemed for travel could make a claim on the Compensation Fund when the travel services provider made an assignment in bankruptcy. The CEO, President and Registrar of TICO had stated in writing that the credit card issuer was eligible to make a claim. The Licensing Appeals Tribunal also concluded that the credit card issuer was entitled to make a claim. The Divisional Court disagreed.

This case is of obvious importance to providers of loyalty programs in which points can be redeemed for travel. The case may also have broader implications for organizations that purchase travel on behalf of their members or employees. These organizations may wish to seek advice on the structure of their arrangements to ensure that they are not disqualified from making claims against the Compensation Fund.

This case is also interesting from a data governance perspective. The loyalty program permitted members to make travel arrangements directly with a registered travel agent. The loyalty program provider received data on the amount of points redeemed but apart from making payment was not otherwise involved in making the arrangements for the travel services. This has obvious advantages to the consumer and permits the loyalty program provider to control the amount of data it is receiving about the choices made by any particular member. However, the result was that the loyalty program provider ended up not being treated as the “customer” for the purposes of making a claim on the Travel Industry Compensation Fund and the member was also disqualified because the purchase was made with points.

Facts

The card issuer in this case maintained a points-based loyalty program for its card holders. Points could be redeemed for travel services. The card issuer entered into an agreement with an Ontario travel agent registered with TICO. The terms of that agreement provided that the card issuer would reimburse the travel agent for points redeemed with the travel agent for travel services at the actual cost of the travel services. In simple terms, the card holder arranged travel with the travel agent using the loyalty points and the card issuer paid for those travel services.

When the travel service provider went bankrupt, the card issuer reinstated all of the points that had been redeemed for pending travel services with the bankrupt provider. The card issuer then made a claim on the Compensation Fund.

Issue

The case turned on whether the credit card issuer was the “customer” who was eligible to make a claim on the Compensation Fund. “Customer” is not defined in the regulation governing the Compensation Fund.

Prior to the bankruptcy of the travel service provider, the card issuer had sought clarification from TICO regarding whether it would be covered in the event of the bankruptcy of the travel agent. The issue is important for any significant purchaser of travel services. If recourse to the Compensation Fund is not available, then the organization must self-insure or arrange for insurance. The President, CEO and Registrar of TICO advised the card issuer that the card issuer would be entitled to make claims from the Compensation Fund if it were the party purchasing the travel services.

However, when the card issuer made a claim, TICO took the position that it was the card holder that was purchasing the travel services and that the card issuer was not purchasing the travel services “on behalf” of the card holder when it reimbursed the travel agent.

If the credit card issuer was not eligible to make a claim then no claim could be made because the card holders were not eligible to make a claim. The regulations governing the Compensation Fund preclude reimbursement for travel services obtained with a voucher, certificate, or coupon.

Ontario Divisional Court Decision

The court reviewed how the term “customer” was used in various parts of the regulation governing the Compensation Fund. For example:

  • Information about the total amount the customer will be required to pay for the travel services must be disclosed to the customer.
  • Before entering into an agreement with the customer and taking payment, the travel agent must “disclose conditions related to the purchase of travel services, the total price, the travel dates and a fair and accurate description of the travel services to be provided, explain requirements or limitations relating to transfer or cancellation of travel services, advise the customer about the availability of trip cancellation insurance and out-of-province health insurance, and advise about travel documents for foreign travel, among other information.”
  • The travel agent is obliged to advise customers of changes after the purchase of travel services.
  • The travel agent must provide the customer with a statement or invoice that includes the name of the customer who purchased the travel service and whether the customer was offered trip cancellation insurance and whether it was purchased or declined.
  • The travel agent must take reasonable measures to verify the condition of accommodation to ensure its quality at the time the customer uses the travel services.

Based on the foregoing, the Divisional Court concluded that the term “customer” meant a member of the travelling public “who deals with the travel agent to arrange the purchase of travel services, who is invoiced for the travel, and who will be affected by changes in prices or factors affecting the quality or availability of the services purchased.”

The Divisional Court concluded that the credit card issuer had no dealings with the travel agent to select and arrange the travel services for the card holders. The court characterized the card issuer as “simply a medium to a payment scheme whereby reward points were converted to cash.”

 

Access Request for Advice to Minister Regarding Tax Amendments is Denied

In a recent decision, the Ontario Court of Appeal has permitted Ontario’s Minister of Finance to withhold draft policy option memos from disclosure in response to an access to information request. The requester sought records relating to the decision of the Ministry of Finance to propose amendments to section 2 of the Corporations Tax Act (Ontario) that were intended to be retroactive in effect. The result of the retroactive amendment was to close a perceived tax loophole.

Pursuant to subsection 13(1) of the Freedom of Information and Protection of Privacy Act (Ontario) (“FIPPA”), the Minister of Finance had discretion to refuse to disclose documents if (among other things) the disclosure would reveal advice or recommendations of a public servant.

The records in issue were prepared by civil servants and formed part of the internal budget briefing process of the Ministry of Finance at the level of the Assistant Deputy Minister, Deputy Minister and Minister of Finance. The adjudicator of the Information and Privacy Commissioner took the position that in order to qualify as advice or recommendations, a record must reveal a suggested course of action that will ultimately be accepted or rejected by the recipient of the record during a deliberative process. Under this formulation of the test for the application of subsection 13(1) of FIPPA, the advice must set out a course of action and be communicated to the person who is entitled to make the decision in the deliberative process. The Divisional Court found the adjudicator’s analysis was reasonable.

The Ontario Court of Appeal disagreed.  The court held that the adjudicator’s approach to subsection 13(1) of FIPPA was too narrow. In particular, the court held that in order for section 13(1) to apply:

  • It is not necessary to demonstrate that the documents are final versions or that the documents were delivered to the final decision-maker.
  • The discretion to withhold the record is available when the information would permit the drawing of accurate inferences regarding the nature of the advice and recommendations and the documents are part of the deliberative process.
  • The records need not set out a single course of action that is to be adopted or rejected by the decision-maker.

Due Diligence Defence and the Do-Not-Call List

Earlier this month, the Canadian Radio-television and Telecommunications Commission (“CRTC”) released three decisions imposing administrative monetary penalties (“AMP”).

In one case, the CRTC imposed an AMP of Cdn. $18,000 on a company for (a) sending telemarketing faxes to consumers whose fax numbers should have been on the company’s internal do not call list and (b) telemarketing without being registered with the National Do Not Call List operator. The CRTC rejected the company’s due diligence defence. The company argued that its errors were not systemic. However, the CRTC stated that the company did not submit evidence of steps it had taken or business practices it had adopted that would demonstrate due diligence in preventing calls to consumers whose numbers were or should have been on its internal do not call list.

In another case, the CRTC imposed an AMP of $8,000 for making telemarketing calls to consumers registered on the National Do-Not-Call List and for making telemarketing calls without having paid all applicable fees to the National Do-Not-Call List operator.  In rejecting the company’s due diligence defence, the CRTC noted that the company provided no evidence that it had developed a process to prevent unwanted calls.

In the final case, the CRTC affirmed a prior decision imposing an AMP of $6,000 for making telecommunications calls to consumers whose numbers were registered on the National Do-Not-Call List and for failing to register with and pay all fees to the National Do-Not-Call List operator.

These cases illustrate the importance of having a documented process for handling Do-Not-Call requests. Companies that do not use professional telemarketers may especially wish to review the CRTC Unsolicited Communications Rules. The Rules state that a company wishing to establish a due diligence defence should be able to demonstrate that:

  • the company has established and implemented adequate written policies and procedures to comply with the Unsolicited Telecommunications Rules and to honour consumers’ requests that they not be contacted for telemarketing;
  • staff are provided with adequate on-going training;
  • the company is using a National Do-Not-Call List that is not more than 31 days old;
  • the company is using an Internal Do-Not-Call List that is no more than 31 days old;
  • the company has implemented a documented process to prevent telemarketing to a number that has been on the National or Internal Do-Not-Call List for more than 31 days;
  • the company monitors and enforces compliance with the Unsolicited Telecommunications Rules and the company’s written policies and procedures; and
  • in the case of a company that retains a third-party telemarketer, the company has entered into an agreement between itself and the telemarketer requiring the telemarketer to comply with the Unsolicited Telecommunications Rules.

Economic Costs of Privacy Regulation in Canada

Earlier this month, the Conference Board of Canada released a report analysing the economic costs and benefits of privacy regulation in Canada. The Conference Board’s report was prepared with financial support from Google Canada Inc.

The report is an attempt to frame the discussion relating to privacy regulation in terms of a cost-benefit analysis. The report is timely given that there are proposed legislative amendments to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) pending before Parliament and given that PIPEDA should be up for a legislated five-year review.

As the Conference Board report notes, the Federal Cabinet Directive on Streamlining Regulation requires (among other things) that policy options be evaluated on a cost-benefit basis and that proposed regulations must impose the least possible cost necessary to achieve the intended policy objectives. In assessing the costs of privacy regulation, the Conference Board stated that:

  1. It estimated the total cost of administering privacy regulation in Canada is approximately Cdn. $3.8 billion annually (estimated using a privacy cost-to-revenue ratio derived from a U.S. study and a privacy sensitivity analysis by industry sector).
  2. Most of these costs are “hidden in process and administration costs, changes to business processes, and impacts on innovation and market efficiency”.
  3. Of the more transparent costs, the Conference Board estimated that federal and provincial privacy offices cost approximately Cdn. $40 million annually and many large Canadian companies have set up dedicated privacy offices that incur costs estimated by the Conference Board to be approximately Cdn. $67.5 million annually.

Privacy Policies for Apps – Fertile Ground for Innovation

Earlier this week the Office of the Attorney General for the State of California announced an agreement with leading operators of app platforms to implement privacy principles in the app ecosystem. These principles would require mobile app privacy policies or statements to be presented to the consumer in a consistent way prior to the downloading of the app and would require app stores to create a complaints process.

The California agreement was overshadowed in the press by the White House’s announcement of  a Consumer Privacy Bill of Rights and the release of its report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” which I previously blogged about. However, the California agreement could result in significant changes to the way in which privacy policies are presented in the app ecosystem and the ability of consumers to navigate those data privacy policies and complain about privacy practices of apps.

The California Attorney General stated that the majority of mobile apps did not have a privacy policy and that the agreement would bring the industry in line with California law. The Attorney General cited the California Online Privacy Protection Act  (“OPPA”) which states that “[a]n operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available” in accordance with the provisions of OPPA. The California Attorney General’s position appears to be that OPPA requires privacy policy disclosure regarding apps at the point of download.

The agreement sets out five principles:

  1. A privacy policy or statement regarding the app’s privacy practices must be conspicuously posted. The policy or statement must describe how personal data is collected, used and shared.
  2. New and updated apps must have either (a) an optional data field for a hyperlink to the privacy policy or statement or (b) an optional data field for the text of the privacy policy or statement. Access to a hyper-linked privacy policy or statement must be available from the app store.
  3. Apps stores must provide consumers with a means to report apps that do not comply with applicable terms of service and/or laws.
  4. Apps stores must develop and implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws.
  5. Within six months, the operators of apps platforms will reconvene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.


White House Announces Consumer Privacy Initiatives

The U.S. White House has released a Consumer Privacy Bill of Rights and a report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”

The Consumer Privacy Bill of Rights, which is modeled on principles found in Canada’s Personal Information Protection and Electronic Documents Act and other similar legislation in other countries, is intended by the Obama Administration to be part of a larger privacy rights initiative to provide users more control over how their information is handled. Among the elements of the Obama Administration’s initiative will be enforceable industry codes of conduct and the potential for federal privacy legislation.

The White House also announced that many leading internet companies and online advertising networks have committed to make it easier for users to control online tracking.

Privacy and Mobile Apps for Kids

Canadian Privacy Commissioners have expressed concern regarding the collection and use of personal information from children. In the Office of the Privacy Commissioner of Canada’s 2010 Report on Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing, released in May 2011, the Privacy Commissioner stated:

“[...] the OPC is of the view that baseline standards need to be developed to support parents and educators in terms of knowing that children’s personal information is being protected. A framework needs to be put in place that will better inform parents and educators and, ultimately, will better protect the personal information of children [...]”

South of the border, the United States Federal Trade Commission (FTC) recently issued a staff report regarding the adequacy of privacy practices disclosures in the mobile app market for kids.

Although the report was focused on disclosures of privacy practices, the FTC stated that it will be conducting additional investigations to determine whether any of the mobile apps violate the U.S. Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA regulates the collection, use, and disclosure of personal information from children and generally requires verifiable parental consent to the collection, use and disclosure of such personal information.

Regarding privacy practices disclosure, the FTC Staff report concluded that:

  • there was insufficient disclosure of the data collection, data sharing and interconnectivity of mobile apps for children;
  • parents should not have to navigate to lengthy privacy policies and terms of use to determine whether personal information is being collected and used;
  • disclosure should be provided prior to downloading and use because by that point the child may already be using the app and the parent may have already been charged a fee; and
  • icons and short disclosures should be used to alert parents if the mobile app (a) permits information to be shared with social media, (b) allows “in-app” advertising to occur, or (c) permits “in-app” purchases.

On the subject of “in-app” advertising, the FTC raised three concerns with what it assessed was an inadequate level of disclosure:

  • parents may want to limit the data collected by advertisers and ad networks about their children;
  • even if the advertising is not based on any information collected from the child, parents may want to limit their children’s exposure to ads; and
  • parents may not want children to be able to call numbers or visit websites appearing on in-app advertisements.

In Canada, mobile app developers and marketers should seek legal advice regarding, among other things, the Quebec Consumer Protection Act restrictions on advertising to children.  With few exceptions, Quebec prohibits commercial advertising directed at persons under 13 years of age.

UK May Require Telecommunications Providers to Store Data

The Telegraph reported on Saturday, February 18, 2012 that phone and internet service providers in the United Kingdom may be ordered to store records of electronic communications of subscribers for one year and make those records available to security services. The Telegraph reports that the information would not include the contents of calls, texts or emails. However, the data would include numbers or email addresses of the sender and recipient. The Telegraph reports that the information to be collected would also include direct messages between subscribers to websites such as Twitter and Facebook, as well as communications between players in online video games.

The Ontario Drummond Report & Data Governance

The much anticipated “Drummond Report” of the Commission on the Reform of Ontario’s Public Services was released on February 15, 2012.  In broad terms, the Commission’s mandate was to find ways to make the Ontario government work better in light of the fiscal challenges facing Ontario.

Throughout the Drummond Report, the Commission recommended improvements in the collection of relevant data to improve evidence-based policy development and program evaluation. From a data governance perspective, the following recommendations in the Drummond Report are noteworthy.

Linking Databases and Profiling for Tax Compliance Purposes. The Commission recommended linking more databases so as to detect and recover revenue from underground economic activity.  In particular, the Commission recommended:

  • legislative changes to enable data sharing (such as permits, licenses and registration information) and database matching across ministries, municipalities and government departments;
  • creating a “wealth indicator” database, which might estimate the expenditures made by a taxpayer to maintain his or her lifestyle to identify potential tax fraud;
  • expanding reporting requirements for certain financial transactions; and
  • a federal-provincial agreement to share information and co-ordinate compliance efforts in the underground economy.

Integrating Social Benefit Programs and Better Data Collection. The Commission recommended fully integrating social benefit systems to centralize income testing and payment delivery, automate income verification and standardize eligibility criteria. Along with this integration and centralization, the Commission recommended better data collection to evaluate the programs in the integrated benefits system while respecting and protecting personal information and privacy.

The Commissioners were careful to note that there must be consultation with the Information and Privacy Commissioner of Ontario.

New U.S. Rules for Pre-Recorded Telemarketing Calls

On February 15, 2012, the U.S. Federal Communications Commission approved new rules regarding auto-dialed or pre-recorded telemarketing calls to residential and mobile numbers.  Among the important changes are:

  • express written consent will be required for auto-dialed telemarketing calls to residential lines and wireless numbers;
  • the “established business relationship” exception to the consent requirements for auto-dialed telemarketing calls to residential lines will be eliminated; and
  • auto-dialed pre-recorded messages must provide consumers with an automated, interactive opt-out mechanism to permit the consumer to opt-out of receiving further calls.

 

Federal Privacy Commissioner Responds to Bill C-30

The Office of the Privacy Commissioner has posted an initial reaction to House of Commons Bill C-30. As previously reported, Bill C-30 would require telecommunications service providers to deploy surveillance technologies and would enhance the investigative powers of the police with respect to electronic communications. While acknowledging that modifications to earlier iterations to the proposed legislation had been made by the government, the Privacy Commissioner continues to express concern that the proposed legislation would grant a broad power to obtain subscriber information behind an internet protocol (IP) address without a warrant and without demonstrating reasonable grounds to suspect criminal activity or demonstrating the information is sought in respect of a criminal investigation.

Bill C-30 Electronic Communications Surveillance Legislation Tabled

Today, Canada’s Federal Minister of Public Safety introduced Bill C-30 in the House of Commons. The proposed legislation’s short title is “Protecting Children from Internet Predators Act”. The proposed legislation is more broadly directed than its short title would suggest. The main purposes of the Bill are to require telecommunications service providers to deploy surveillance technologies and to enhance the investigative powers of the police with respect to electronic communications.

As noted in my previous post on this topic, the subject-matter of the Bill is controversial.  In upcoming posts, we will examine the surveillance obligations imposed on internet  and other telecommunication service providers and the enhanced powers of the police to conscript material from those service providers in an effort to fight crime.

The joint press release of the Minister of Public Safety and the Minister of Justice may be found here. The Ministry of Public Safety’s backgrounder on the legislation can be found here.

For a counterpoint, Ottawa University Professor Geist has prepared a FAQ dealing with prior iterations of the Bill, which can be found here.

PIPEDA and Proposed Mandatory Breach Notification Provisions

In previous posts, I outlined the mandatory breach notification provisions under the Alberta Personal Information Protection Act (“PIPA”), I examined the test used by the Alberta Privacy Commissioner in determining whether to order individual breach notification and I described the consequences of failing to comply with the mandatory breach notification provisions of PIPA.

This post picks up from where I left off by describing the proposed amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) introduced in September 2011 in Bill C-12, which has not yet progressed further than First Reading in the Canadian House of Commons. In the next post in this series, I will compare these proposed federal amendments to the existing Alberta provisions. Future posts will track the progress of Bill C-12.

Test for notification to the federal Privacy Commissioner

The proposed amendments to PIPEDA require an organization to notify the Office of the Privacy Commissioner of Canada of a “material breach of security safeguards” involving personal information under the control of the organization.

What is a breach of security safeguards?

A “breach of security safeguards” is defined to mean the loss of, unauthorized access to, or unauthorized disclosure of personal information that results from either a breach of security safeguards described in the privacy principles in Schedule 1 to PIPEDA or the failure to establish safeguards in accordance with those privacy principles.

In summary, the security safeguard principles set out in Schedule 1 of PIPEDA are:

  • personal information must be protected against loss, theft, and unauthorized access, disclosure, copying, use, or modification;
  • sensitive information should be safeguarded by a higher level of protection;
  • methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption; and
  • disposal and destruction should be through secure methods.

What is a material breach?

Relevant factors for determining whether a breach of security safeguards is material include:

  • the sensitivity of the personal information;
  • the number of individuals whose personal information was involved; and
  • an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.

Test for individual breach notification

An organization must make individual breach notification if:

  • it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual; and
  • there is no other law that would prohibit such disclosure.

What is significant harm?

“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Relevant factors for determining whether there is a “real risk” of significant harm include:

  • the sensitivity of the personal information involved in the breach; and
  • the probability that the personal information has been, is being or will be misused.

How quickly must notification occur?

Notification to the Privacy Commissioner must be made as soon as is feasible after discovering the breach. Notification to individuals must be made as soon as is feasible after concluding that the test for individual breach notification must be met. Notification must occur in a prescribed form and must generally be direct notification.

Test for third party notification

The proposed amendments also require an organization that makes individual breach notification to notify other organizations or government institutions if the risk of the harm could be mitigated by doing so.  For example, this might include making a notification to credit reporting agencies in cases where there is a real risk of identity theft that could be ameliorated with cautions on credit reports.

Penalties for non-compliance

Complaints regarding non-compliance with the mandatory breach notification provisions may be made to the Privacy Commissioner. The Privacy Commissioner may investigate and make recommendations and findings.  Although the Privacy Commissioner does not have order-making powers, complainants may seek monetary damage awards before the Federal Court in certain circumstances.

“Lawful Access” Bill to be introduced in Parliament this Week

The House of Commons Order Paper for February 13, 2012 includes the proposed introduction by the Minister of Public Safety of a Bill entitled “An Act to enact the Investigating and Preventing Criminal Electronic Communications act and to amend the Criminal Code and others [sic] Acts.” The Bill was not introduced on Monday, but may be introduced as early as Tuesday, February 14th.

The subject-matter of the proposed “lawful access” legislation is expected to be controversial.  Previous Bills regarding the same subject significantly enhanced the powers of the state to engage in lawful electronic surveillance of Canadians.  For example, previous proposed legislation required internet service providers to develop and use surveillance technologies to monitor and preserve data relating to the internet use of their customers. Police would be able to require internet service providers to preserve and produce certain information without a warrant. 

The Information and Privacy Commissioner of Ontario has launched an educational and advocacy website.  The Privacy Commissioner of Canada and her provincial and territorial counterparts have also previously expressed their concerns.

Background Screening Apps and Consumer Reporting Legislation

On February 7, 2012, the U.S. Federal Trade Commission (FTC) announced that it had warned marketers of six mobile applications that they may be violating the U.S. Fair Credit Reporting Act.  The FTC stated that the mobile applications provide background screening reports on individuals.  Although the FTC reached no conclusion regarding whether there was any violation by the marketers, the FTC requested that the marketers review the application of and their compliance with the Fair Credit Reporting Act.

The U.S. Fair Credit Reporting Act regulates the activities of consumer reporting agencies.  A “consumer reporting agency” is one that regularly assembles or evaluates information about a person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living and reports that information to third parties for the purpose of establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes or (2) employment purposes.

The FTC warned the marketers that they must comply with the Fair Credit Reporting Act if they have reason to believe the information provided through the apps is being used for employment, housing, credit or similar purposes. For example, the Fair Credit Reporting Act imposes obligations on credit reporting agencies with respect to ensuring the accuracy of information, providing mechanisms for consumer redress, and, in some circumstances, requiring consumer reporting agencies to notify users of consumer reports of their obligations under the Fair Credit Reporting Act. The FTC stated that a warning by the marketer that the app was not to be used for the purposes regulated by the Fair Credit Reporting Act did not protect the marketers if the marketers had reason to believe the apps were being used in decisions by third parties with respect to employment, housing, credit or similar purposes.

Developers and marketers of similar applications in Canada should be aware that Canadian provinces have similar laws regulating consumer reporting.  For example, in Ontario, the Consumer Reporting Act regulates persons or organizations that provide reports to third parties for use in relation to, among other things, (1) credit granting or debt collection, (2) entering into or a renewal of a tenancy agreement, (3) employment decisions, and (4) underwriting of insurance.

Among other things, consumer reporting agencies in Ontario (1) must be registered, (2) must follow prescribed practices with respect to the information that may be contained in a report, (3) must provide consumers with access to their consumer report, and (4) must have a process for the consumer to contest inaccurate information.

Failure to comply with the Consumer Reporting Act (Ontario) may result in a fine of not more than Cdn. $25,000 or imprisonment for a term of not more than one year, or both. Accordingly, developers and marketers of background checking or screening apps in Canada may wish to obtain legal advice to ensure that they remain compliant with respect to Canadian provincial laws governing consumer reporting.

Balancing Privacy and Freedom of Expression in Europe

From time to time, we comment on developments outside of Canada that may be of interest or relevance to the topics discussed in this blog.

On February 7, 2012, the Grand Chamber of the European Court of Human Rights issued two decisions (Axel Springer AG v Germany; von Hannover v Germany) involving the balancing of privacy interests and freedom of expression, each of which is protected under the European Convention on Human Rights (“ECHR”).

Article 8 of the ECHR provides that “Everyone has the right to respect for his private and family life …” Article 10 of the ECHR provides that “Everyone has the right to freedom of expression.” Article 10 further provides that freedom of expression includes the freedom “to receive and impart information and ideas.” However, freedom of expression is subject to responsibilities and, therefore, may be restricted “for the protection of the reputation or rights of others …”

The two cases before the European Court of Human Rights concerned well-known personalities who had argued that their privacy rights had been infringed by the publication of photographs and associated stories about them. In one case, the German court had prohibited publication. In the other case, the German court had not prohibited publication. The question for the European Court was whether Germany had fulfilled its obligations under the ECHR in protecting the interests of the parties.

Following previous jurisprudence, the European Court recognized that a person’s image constitutes personal information since it reveals the person’s unique characteristics. Therefore, Article 8 of the ECHR protects the right to control the use of a person’s image, including the right to refuse publication of that image. This right is not obliterated simply because the person is known to the public. Also following prior jurisprudence, the European Court held that freedom of expression is essential to a democratic society and protects information and ideas that may be offensive.

In assessing whether Germany had balanced these competing human rights, the European Court stated that the following factors are relevant. I have grouped related factors for convenience of exposition.

(1) Contribution to a public debate of general interest. A key factor in balancing these human rights is whether the photograph or article contributes to a public debate of a matter of general interest. This factor is more easily met if the person that is the subject of the photo or article has a role or function that is appropriate for debate in a democratic society. The European Court held that a private individual unknown to the public is more likely to have a claim to protection of his or her right to private life. By contrast, the role of the press as a “public watchdog” means that a public official will be exposed to scrutiny unless the material relates exclusively to details of the person’s private life and the publication of that material is simply to satisfy public curiosity.

(2) The conduct of the person with respect to protecting privacy. The European Court concluded that an individual may have diminished expectations of privacy as a result of the individual’s own conduct. The mere fact of having cooperated with the press on previous occasions will not result in the waiver of the right to privacy. However, the extent to which the person has willingly opened his or her life to public scrutiny will be a factor in assessing the person’s legitimate expectations of privacy.

(3) The context in which the photographs were taken and the content, form and consequences of publication. The European Court recognizes the importance of context. Photos obtained by illicit activity may fare less well when balancing freedom of expression against privacy interests. In addition, the manner in which the person is represented, the form of publication and the extent of circulation are relevant to balancing the two freedoms. As the European Court noted, a photograph of an otherwise unknown person may be more damaging than an article.

In the result, the European Court held that freedom of expression trumped the right to privacy of these personalities. In the Axel Springer AG case, the photograph and article were damaging but the information was already public and the person involved had previously spoken to the press about his private life.  In the von Hannover case, the photograph was not damaging and the accompanying articles contributed to a debate of general interest.

The New York Times has published an Associated Press report on the background facts underlying the cases.

Court Provides Guidance on Access to Information

On February 3, 2012, the Supreme Court of Canada provided guidance on the rights of third parties with respect to information that is the subject of a request under the Access to Information Act (Canada).  The court also dealt with, and was divided with respect to, the issue of the standard of review of access decisions. The standard of review issue will be discussed in a subsequent post.

Background

Merck Frosst Canada Ltd. v. Canada (Health) concerned the procedural rights and substantive protections afforded to persons who submit information to the government for regulatory purposes. In Merck Frosst’s case, the information was submitted to Health Canada in connection with pharmaceutical drug approval submissions.

Information submitted to a government institution may be released to competitors (and others) under access to information requests unless a statutory exemption applies. Although the Merck Frosst case arose in the context of a regulatory approval, these issues also arise when organizations disclose information in connection with contracts with the federal Canadian government (and provincial and municipal governments under separate access to information legislation).

Procedural Protections

On the issue of procedural protections, the Supreme Court of Canada concluded that the right of a third party to receive notice that the third party’s information may be disclosed in response to an access to information request is not absolute.  However, a government institution must provide the third party with notice that the government proposes to release the third party’s information unless there is no reason to believe that any of the exemptions from disclosure apply.

The Supreme Court’s decision sets a high threshold for disclosure without notice. Therefore, a third party who is affected by the information request will have recourse to the procedural protections of the Access to Information Act except in situations where it is clear that no exemption could apply. As the majority of the Supreme Court stated, those responsible for administering the Access to Information Act “must take their duty not to disclose exempt third party information as seriously as their duty to disclose information that the Act requires to be disclosed.”

Substantive Protections

Section 20 of the Access to Information Act provides a number of exemptions of which the following three were relevant in the proceeding.

  • trade secrets of a third party;
  • financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party and is treated consistently in a confidential manner by the third party; and
  • information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party.

The court held that the threshold for a third party establishing a trade secret was high. A trade secret is a plan, process, tool, mechanism or compound that meets the following criteria:

  • the information is secret in the sense of being known only by the third party or a relatively small group of persons;
  • the third party must demonstrate an intention to treat the information as secret;
  • the information has or is capable of having an industrial or commercial application; and
  • the third party must have an interest worthy of legal protection (such as an economic interest).

In order to qualify as confidential information for the purposes of the second exemption, the following three criteria must be met:

  • the information must be financial, commercial, scientific or technical information;
  • the third party must have consistently treated it in a confidential manner; and
  • the information must have been supplied to a government institution by the third party.

Information will not be confidential if it is available from public sources. Furthermore, except in unusual cases, a compilation of public sources will not be confidential. Nor will information be confidential if it could be obtained by another party by observation or independent study. Finally, the information will not qualify if it is information that is compiled by the government institution unless it is based on confidential information supplied by the third party.

The third exemption involves assessing the harm of disclosure. The harm-based exemption will be available if there is “a reasonable expectation of probable harm”. To establish a reasonable expectation of probable harm, the third party must demonstrate:

  • the harm is more than merely possible;
  • there is a direct link between the proposed disclosure and the apprehended harm; and
  • the harm is of a type that would reasonably be expected to ensue from disclosure. 

The court held that non-public information that would reasonably be expected to give competitors an advantage in future transactions or in the development of competing products may meet this threshold. The court did not rule out the possibility that publicly available information might also meet this threshold if the manner of presentation was unique. However, in general, the information must be confidential or at least not publicly available.

Offences for Failing to Report Privacy Breaches: Alberta

In two previous posts, I provided an outline of privacy breach notification obligations under the Personal Information Protection Act (Alberta) and I discussed the factors that the Alberta Privacy Commissioner considers when deciding whether to make an order requiring an organization to notify individuals of a privacy breach. This post describes the consequences to an organization of failing to comply with privacy breach notifications under the Alberta Act.

An organization over which the Alberta Privacy Commissioner has jurisdiction must make a notification to the Alberta Privacy Commissioner of a breach that a reasonable person would consider to involve a real risk of significant harm.  The Canadian approach to jurisdiction requires that there be a real and substantial connection regarding the subject matter of the incident and Alberta before the Alberta Privacy Commissioner claims jurisdiction.

The outer limits of the real and substantial connection test in respect of privacy issues have not been fully developed. The test will be satisfied where the organization (other than a federally regulated organization) has a place of business or registered office in Alberta. Federally regulated organizations are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

When dealing with foreign organizations, the real and substantial connection test is likely to be satisfied where a foreign organization has representatives in Alberta conducting business on its behalf collecting personal information of residents of Alberta even though that organization does not maintain an office in Alberta. The test may also be met if a foreign organization is engaged in non-trivial activities in Alberta through electronic means that involve the collection, use and disclosure of personal information of persons resident in Alberta even when the organization does not have representatives in Alberta. However, each situation involving foreign organizations must be assessed on a case by case basis.

If the Alberta Act applies, then it is an offence under paragraph 59(1)(e.1) of the Alberta Act to fail to provide the required notification to the Privacy Commissioner of a privacy breach that meets the harm-based threshold discussed in Wednesday’s post.

It is also an offence under paragraph 59(1)(f) not to comply with an order of the Privacy Commissioner to provide notification to affected individuals, which was discussed in Thursday’s post.

These offences are punishable by a fine of up to Cdn. $10,000 for an individual and Cdn. $100,000 for a corporation or other entity. There is a two-year limitation period on prosecutions.

In August 2011, the Alberta Privacy Commissioner reported that there had been 90 reported breaches in 16 months. Most of the breaches involved human error, including mundane email, fax or regular mail errors, stolen or lost unencrypted electronic devices, and improper record and electronic media destruction.

Individual Privacy Breach Notification in Alberta

In yesterday’s post, I provided a basic outline of privacy breach notification obligations under the Personal Information Protection Act (Alberta). I explained that the Alberta Privacy Commissioner may order an organization to make individual privacy breach notification if there is a “real risk of significant harm” as a result of the loss of, unauthorized access to, or unauthorized disclosure of the individual’s personal information. 

In deciding whether there is a “real risk of significant harm,” the Alberta Privacy Commissioner will consider:

  • whether there is some damage, detriment or injury that could be caused to an individual as a result of the privacy breach;
  • whether this harm is important, meaningful and with non-trivial consequences or effects;
  • whether the likelihood of this harm is more than mere speculation or conjecture; and
  • whether there is a causal relationship between the privacy breach and the possible harm.

The Alberta Privacy Commissioner typically considers the loss of, or unauthorized access to, a social insurance number, driver’s licence number, or financial and credit card information to pose a real risk of significant harm to an affected individual.  This will be true even if the more sensitive information relates to expired credit cards or other potentially stale information because this information could still be used for identity theft and phishing purposes.  As a general observation, therefore, organizations should expect that if sensitive personal information is lost in an unencrypted form, the Alberta Privacy Commissioner will conclude that the loss poses a real and not speculative risk.  

The risk of identity theft is not the only type of harm that is of concern to the Alberta Privacy Commissioner. Information as varied as background checks or a person’s designated beneficiaries to pension or insurance policies may give rise to hurt feelings, humiliation and damage to reputation and, therefore, pose a “real risk of significant harm” to the affected individuals.

In determining whether there is a “real risk of significant harm” the Alberta Privacy Commissioner employs a contextual analysis. Personal information such as name and e-mail address are considered by the Alberta Privacy Commissioner to be of moderate sensitivity. However, this information may be combined with other information that would increase its sensitivity. For example, the Alberta Privacy Commissioner will consider whether the personal information might involve information regarding a customer-merchant relationship that could be used in a targeted phishing attempt.

As mentioned in my previous post, the Alberta Privacy Commissioner has discretion to permit general notification where individual notification would be unreasonable. The Alberta Privacy Commissioner has permitted general notification, such as postings on websites and physical locations, in situations where the organization demonstrates that the contact information on file is “stale” and, therefore, individual notification attempts would be pointless.

In tomorrow’s post, I will describe the consequences for failing to comply with Alberta’s mandatory breach notification provisions.

Privacy Breach Notification in Alberta

In preparing compliance manuals, some foreign e-commerce businesses entering into Canada may ask about their mandatory privacy breach notification responsibilities.

So, what’s the situation in Canada? Today’s post will describe the mandatory breach notification provisions in the Personal Information Protection Act (Alberta). Tomorrow’s post will describe the test used by the Alberta Privacy Commissioner for determining whether individual notification is required. Friday’s post will describe the offences for failing to make the required notification. Future posts will outline the proposed mandatory breach notification provisions for the Personal Information Protection and Electronic Documents Act (Canada), compare these provisions with those in selected U.S. and European jurisdictions, describe mandatory breach notification provisions relating to personal health information, and comment on the legal case for voluntary breach notification for all types of personal information in Canada.

Caution: This series of posts provides general information about the mandatory breach notification provisions. If your organization has had a privacy breach, you should seek legal advice about your situation to ensure you meet your legal responsibilities.

In May 2010, the Province of Alberta was the first jurisdiction in Canada to enact mandatory breach notification provisions. As of February 1, 2012, Alberta remains the only jurisdiction in Canada that has enacted mandatory breach notification provisions governing personal information (leaving aside special legislation governing personal health information). 

The Personal Information Protection Act (Alberta) uses a harm-based threshold for determining whether privacy breach disclosure is required. Pursuant to subsection 34.1(1) of the Alberta Act, an organization must provide notice to the Alberta Privacy Commissioner of any incident involving (i) the loss of or (ii) the unauthorized access to or (iii) the disclosure of personal information if a “reasonable person” would consider that there exists a “real risk of significant harm” to an individual as a result of the privacy breach.

If the harm-based threshold is met, the Alberta Privacy Regulations provide that the organization must advise the Alberta Privacy Commissioner in writing of the following information:

  • a description of the circumstances of the loss or unauthorized access or disclosure;
  • the date on which or the time period during which the loss or unauthorized access or disclosure occurred;
  • a description of the personal information involved in the loss or unauthorized access or disclosure;
  • an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
  • an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
  • a description of any steps the organization has taken to reduce the risk of harm to individuals;
  • a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
  • the name of and contact information for a person who can answer the Alberta Privacy Commissioner’s questions about the loss or unauthorized access or disclosure.

Following notification, the Alberta Privacy Commissioner may require that the organization notify an individual who may be subject to a real risk of significant harm as a result of the privacy breach. If notification is required, the notification must generally be direct (as opposed to indirectly through news releases or other general communications).  However, the Alberta Privacy Commissioner may permit indirect notification if direct notification would be unreasonable.  

The Alberta Privacy Regulations provide that the notice to individuals must include the following information:

  • a description of the circumstances of the loss or unauthorized access or disclosure,
  • the date on which or the time period during which the loss or unauthorized access or disclosure occurred,
  • a description of the personal information involved in the loss or unauthorized access or disclosure,
  • a description of any steps the organization has taken to reduce the risk of harm, and
  • contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure.

In my next post in this series, I’ll discuss the factors that the Alberta Privacy Commissioner considers in evaluating whether notification is required.

U.S. Developments: Warrantless GPS Tracking

From time to time, we will post on this blog about developments in other areas of the law that may relate to privacy and data governance in a general way.

One such interesting development is the January 23, 2012 decision of the U.S. Supreme Court in United States v. Jones. The decision was widely reported. If you missed it, the gist is that (in the United States) the police may not attach a GPS device to a car for the purposes of tracking the movements of the driver over a lengthy period without a warrant. (As an aside, for an interesting article on the use of such devices for private/commercial purposes see Erik Eckholm’s article in The New York Times (January 29, 2012). The Information and Privacy Commissioner of Ontario’s views on related state-surveillance issues are found on her “Real Privacy” website.)

In the U.S., the Fourth Amendment to the U.S. Constitution protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The majority of the U.S. Supreme Court focused on whether attaching the GPS device was a trespass to the property of the owner of the vehicle and not on a “reasonable expectation of privacy” analysis. However, in concurring opinions, Justices Alito and Sotomayor observed that the Fourth Amendment also protects a subjective expectation of privacy that society recognizes as reasonable even absent a formal trespass to property.  Justice Sotomayor also questioned whether a reasonable expectation of privacy depends upon a finding that the information or data is “secret”.  She observed (at pp. 5 to 6):

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. [...] This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” [...] and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

Lodged in Justice Sotomayor’s observation is a fundamental question: Should we conceive of privacy expectations as invoking fundamental and unalterable rights, or are expectations fluid – destined to change as technology changes and perceptions of technology change? Or is the issue more nuanced and situational, as Justice Sotomayor hints? Professor Barry Friedman of the New York University School of Law has an insightful op-ed piece in the New York Times (January 29, 2012) on this issue and the paradoxes of United States v. Jones.

Canadian Privacy Laws: There’s more than one!

On April 11, 2011, FMC Partners Anneli LeGault and Catherine Coulter presented a round-up of 10 things you need to know about Canadian privacy laws.

One often overlooked aspect of Canadian privacy compliance that they addressed is particularly relevant to e-commerce businesses offering goods or services across Canada. E-commerce businesses should be aware that some Canadian provinces have private sector privacy legislation. British Columbia, Alberta and Quebec each have their own private sector privacy legislation. Although these laws are substantially similar to Canada’s federal legislation (known by its acronym PIPEDA), they are not identical. We’ll touch on some of the differences in upcoming posts.

As an example of differences, compare the order making powers of the provincial privacy commissioners and the range of fines that might be levied. Click here for a link to Anneli and Catherine’s slide show used at their presentation and jump to slide 8!

European Data Protection Rules Update

On January 25, 2011, EU Justice Commissioner Reding announced proposals for new data privacy rules for members of the European Union. The proposed rules include:

  • An expanded “right to be forgotten”. Not only would an organization have to delete personal information that it could not demonstrate any legitimate need to retain, the organization may be required to inform third parties to facilitate the erasure of links to or replication of the personal information.
  • Explicit consent for data use. If consent is required for data processing, the consent will have to be explicit (not implied).
  • Breach notification. National data protection authorities must be notified of serious data breaches within 24 hours (if feasible) or as soon as possible.
  • Extra-territorial reach. EU rules would apply to any organization active in the EU market even if the data is processed elsewhere.
  • Expanded jurisdiction to investigate. National data protection authorities would be able to investigate complaints even though the complainant’s data is processed by an organization outside of the EU.
  • Enhanced penalties. Organizations may be subject to fines for non-compliance of up to €1 million (approx. Cdn. $1.3 million Jan 27/12) or up to 2% of the global annual turnover of a company.

These proposed changes are relevant to Canadians. The outcome of this regulatory reform may affect Canadian firms processing data collected in EU member states or marketing to residents of EU member states. But more broadly, these are all issues that Canadian privacy regulators are examining.

What is Data Privacy Day?

Data Privacy Day is observed annually on January 28th in a number of jurisdictions with varying formality and support by government officials.  Privacy professionals and consumers use this day annually to raise awareness regarding best privacy practices, to educate consumers and to reflect on the complexity of privacy issues in our global and electronically interconnected economy. 

To learn more about Data Privacy Day, a great starting point with a collection of resources is the Privacy Commissioner of Canada’s website. Also, check out the U.S. National Cyber Security Alliance website.

World Data Privacy Day @ FMC Law

January 28, 2012 is World Data Privacy Day. Privacy is interconnected with anti-spam, data management and records retention issues for many industries, particularly those operating in the e-commerce environment.  

To mark this year’s World Data Privacy Day, Fraser Milner Casgrain LLP (FMC) is launching this new blog on data governance.  FMC is a national Canadian law firm with offices in the principal economic centres of Canada.  Our focus in this blog will be to provide interested followers with information on how privacy, anti-spam, records management and e-commerce interact in the Canadian legal environment.  Along the way, we will provide updates on worldwide developments that we think may be of particular interest to businesses operating in Canada with global e-commerce connectivity.

Please check back frequently.  Or better yet, subscribe!