
International Internet Privacy Sweep

The Office of the Privacy Commissioner of Canada (OPC) has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an “Internet Privacy Sweep”.

The first sweep begins today and continues for a week during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.

Gatekeepers and Online Defamation

The scourge of online defamation poses enforcement challenges for victims. So much so that there may be a temptation to begin looking for gatekeepers. The direction of the law appears to be ready to assist.

Consider, for example, the problem of the anonymous blogger. The path to justice requires a number of separate steps. Obtain an order requiring disclosure of subscriber information. Cajole the host of the blog to take down the content. Seek an order to validate service of proceedings on the blogger by email. Finally, pursue default judgment. In Manson v. John Doe, 2013 ONSC 628, the plaintiff followed that route and was awarded C$200,000 in damages and nearly C$50,000 in costs on a motion for default judgment. Whether the judgment will ever be satisfied is unknown.

A more direct route to compensation might be to impose a gatekeeping function on the owner of the website. That route might just become easier. Last year, in Canoë inc c. Corriveau, 2012 QCCA 109, the Quebec Court of Appeal upheld an award of C$150,000 in damages and C$50,000 in punitive damages against the website owner who was found to have been grossly negligent in permitting defamatory statements to remain on the site. The hook was that the website owner failed to enforce promptly a website code of conduct.

More recently, in February, the English Court of Appeal, in Tamiz v. Google Inc., [2013] EWCA Civ 68, held that the host of a blog could be liable for defamatory material in circumstances where the host provided a platform, provided assistance and services relating to the platform, and imposed terms and conditions that enabled it to remove or block service in the event of a breach of the terms. The Court of Appeal held that such a host could become liable for allowing defamatory material to remain on the site once the host had been notified of the defamatory material and had a reasonable period of time to remove the material.

Of course national laws may differ with respect to what constitutes defamation and defences to defamation.  So, as always, it is necessary to seek local guidance before jumping to conclusions.

However, the risk management message is clear. If an organization is operating a platform or interactive site with a social media component where users may post comments, reviews and interact, that organization would do well to review its policies and whether it has the resources and compliance structure to ensure that it monitors the site or at least can respond quickly to complaints.

Global Reach for Data Governance Law

Our New Look and International Legal Practice

Welcome to the new look for DataGovernanceLaw.com. Fraser Milner Casgrain (FMC) has become Dentons Canada LLP, and has joined Salans and SNR Denton to form Dentons, an international legal practice. For more on Dentons, visit www.dentons.com.

We are now working together with 2,500 talented lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.

Two Blogs!

This blog will continue to bring you developments in data governance law, including privacy, e-commerce and consumer protection topics that we think are interesting to you, with a Canadian spin.

We also invite you to visit our sister blog at www.privacydatasecurityblog.com, which will provide you with coverage and commentary from an international perspective on privacy and data security.

What does the future hold in store?

We have always covered international legal developments on this blog because e-commerce and m-commerce are not confined to geographical boundaries and because there is much to be learned from other jurisdictions in this evolving area of the law. I am personally delighted to join our colleagues from the former Salans and SNR Denton. Together, we will be able to provide you with insights regarding best practices in privacy and security and insights regarding data governance from around the world.

Over the coming months, we will be combining our blogs. These are exciting times. I look forward to sharing them with you.

 

Status Updates – Real Time Notice Recommended by Privacy Commissioner

As I mentioned in an earlier post, the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) announced the results of their coordinated investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet.

In addition to the issue of the use of address book information, the OPC raised concerns regarding status update broadcasts.

The app requires a user to enter a status update. The OPC reported that standard messages include “available”, “busy”, “at school”, “at work”, “sleeping”, “in a meeting” and “urgent calls only”. Users may also personalize status updates using 139 characters. The status field must be populated. However, the user could use emoticons or meaningless combinations of characters.

The status update is visible to every other user with the user’s phone number in his or her address book. There is no method to limit broadcasts. As the OPC put it:

[51]. In contrast to some social networking platforms which allow an individual to limit or control the broadcast of status submissions to only certain people, status messages shared using the WhatsApp messenger service are, by design, broadcast to all WhatsApp users who have the broadcasting user’s telephone number in their contact list. As such, a sender may not have knowledge of the identity of all those application users who may be receiving or monitoring the sender’s status messages. Any individual, whether for friendly or nefarious purposes, may track a user’s status, so long as that individual has the message sender’s telephone number.

It should be noted, however, that the app did permit users to block other users. A status would not be seen by a blocked user.

The OPC concluded that the status information was personal information because the information might be used alone or in combination with other data to render an individual identifiable.

Notwithstanding that the status information was being broadcast within the app to other users of the app, as disclosed in the privacy policy, the OPC concluded that the app provider needed to obtain more meaningful consent to the collection, use and disclosure of that status information.

The OPC distinguished the app from micro-blogging platforms because, unlike a micro-blogging platform, the app was primarily marketed as an SMS replacement. As the OPC put it, the app conveyed “the general impression that such messages are being shared only with those people the user knows”.

Given the lack of granular user controls to limit the sharing of the status update, the OPC recommended real-time notification. However, the OPC conceded that users should be given control over notification prompts.

This decision provides an illustration of the OPC’s concern that meaningful consent in the mobile environment may require notice and consent contemporaneous with collection and disclosure as well as in stand-alone privacy policies.

Retention of Address Book Information in Hashed Form Still Criticized by Canada and Netherlands

The Office of the Privacy Commissioner of Canada (OPC)  announced the results of an investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet. The OPC coordinated its investigation with the Dutch Data Protection Authority (DPA). Commissioner Stoddart has previously stated that coordinated enforcement is a priority of the OPC.

The OPC found that the mobile app was not compliant with the Personal Information Protection and Electronic Documents Act (Canada) in respect of how it handles address book information. Once a user consents to the app using the user’s address book information, telephone numbers are uploaded to the provider’s servers using SSL/TLS encryption. This may occur up to two times a day or when a user manually refreshes. Telephone numbers that are correlated to other users are retained in clear text by the provider. These are “in network” numbers to which instant messages could be sent. Telephone numbers that are not associated with other users of the app are not discarded. Instead they are retained in a hashed format. These are “out of network” numbers.

The OPC raised a number of concerns:

  • Users could not (as a general rule) manually add and amend contacts. Instead, as a condition of using the service, a user had to provide access to his or her complete address book.
  • The app retained out of network numbers (that is, information of non-users). The fact that the out of network numbers were hashed was not sufficient to justify the retention.
  • The anonymization technique was not complete because “the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached.” In addition, the OPC found that the methodology applied by the provider meant that the hash was always the same for the same number. This meant that it was theoretically possible to search to see whether a number had been submitted before.
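
The two weaknesses in the last bullet can be reproduced on constructed data. The following is an added example, not code from the OPC report or the app provider; it assumes SHA-256 over a single service-wide salt (the page names neither the hash nor the salt), and all phone numbers and the hash rate are constructed.

```python
import hashlib
import secrets

# Assumption: SHA-256 over salt || number with one service-wide salt.
# The page does not name the real algorithm; this only models the finding.
GLOBAL_SALT = b"constructed-service-salt"  # constructed value


def hash_number(number: str, salt: bytes = GLOBAL_SALT) -> str:
    """Deterministic salted hash: same number and salt give the same digest."""
    return hashlib.sha256(salt + number.encode("ascii")).hexdigest()


def was_submitted(number: str, stored: set, salt: bytes = GLOBAL_SALT) -> bool:
    """Membership test the OPC described: no reversal of the hash is needed."""
    return hash_number(number, salt) in stored


def recover_numbers(stored: set, salt: bytes, prefix: str, digits: int) -> dict:
    """Walk every number under `prefix`; return digest -> number for matches."""
    found = {}
    for i in range(10 ** digits):
        candidate = f"{prefix}{i:0{digits}d}"
        digest = hash_number(candidate, salt)
        if digest in stored:
            found[digest] = candidate
    return found


def enumeration_seconds(digits: int, hashes_per_second: float) -> float:
    """Time to hash the whole number space at an assumed hash rate."""
    return (10 ** digits) / hashes_per_second


def hash_with_record_salt(number: str) -> tuple:
    """Variant with a fresh random salt per record, stored beside the digest."""
    salt = secrets.token_bytes(16)
    return salt, hash_number(number, salt)


def recover_record(record: tuple, prefix: str, digits: int):
    """A per-record salt removes the lookup property, not the small keyspace."""
    salt, digest = record
    for i in range(10 ** digits):
        candidate = f"{prefix}{i:0{digits}d}"
        if hash_number(candidate, salt) == digest:
            return candidate
    return None


def demo() -> dict:
    # Constructed out-of-network numbers (fictional 555 range).
    numbers = ["+16045550142", "+16045550187"]
    stored = {hash_number(n) for n in numbers}
    return {
        "lookup_hit": was_submitted("+16045550142", stored),
        "lookup_miss": was_submitted("+16045550199", stored),
        "recovered": sorted(
            recover_numbers(stored, GLOBAL_SALT, "+1604555", 4).values()
        ),
        # Assumed rate of 10 million hashes per second on one machine.
        "ten_digit_space_seconds": enumeration_seconds(10, 1e7),
    }


if __name__ == "__main__":
    print(demo())
```

The per-record salt variant shows why the hashing scheme is not the whole issue: a telephone number space is small enough to enumerate however the salt is arranged, which is consistent with the OPC's view that hashing did not justify retention.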

The OPC’s decision sets a high threshold for retaining information even in an anonymized form where the information is not needed for the operation of the service.

UK Cookie Enforcement Report: Relevant to Canada

On December 18, 2012, the UK Information Commissioner’s Office (ICO) issued an enforcement report on compliance with the rules regarding obtaining consent to the use of cookies and similar technologies.

North Americans accessing UK-based websites that do not distinguish between the IP addresses of EU visitors and North American users may have noticed “cookie banners” when they visit the UK website. These “cookie banners” respond to the requirements of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations of 2011, which the UK Information Commissioner’s Office began to enforce in May 2012. Typically the banner will appear at the top of the web page or float semi-transparently on the web page until closed by the visitor. The banner provides information on the use of cookies on the website and links to further information, including methods of opting out.

The ICO has helpfully provided examples of cookie banners that it considers to be compliant with the cookie rules.

The Office of the Privacy Commissioner of Canada (OPC) has made it clear in recent decisions and in its guidance on behavioural advertising that organizations must be transparent about their use of cookies and should consider methods other than privacy policies for explaining that cookies are being used, the purpose for their use and the ability of the website user to opt out of tracking cookies. Although not yet in force, Canada’s Anti-Spam Legislation (CASL) provides that an organization must have express consent to install a computer program on a person’s computer. A “computer program” has been defined broadly to include a cookie. An organization will be considered to have express consent if the person’s conduct “is such that it is reasonable to believe” that the person has consented to the installation of the cookie.

Although the UK cookie rules are not directly applicable in Canada, organizations may consider reviewing the ICO’s enforcement report when considering revising their cookie disclosure practices in light of the OPC’s guidance and the requirements in CASL.

 

Social Media & Employees: When Every Little Thing Is Searchable

The scope of an employer’s right to discipline and terminate an employee for indiscreet or inappropriate remarks in social media is far from settled. Given that an employee’s social media activities have the potential to “go viral” (or at least be seen by hundreds, if not thousands of people), organizations must assess whether the activities of employees outside of work have the potential to negatively affect, even transiently, the reputation and goodwill of the organization.

Currently, the legal battle over an employer’s legitimate interest in an employee’s use of social media is being played out among employees who are relatively junior within organizations and may, justifiably or unjustifiably, believe that their actions are not under the gaze of their employers.

This post compares two recent cases from the United States and the United Kingdom with an earlier case from Canada.

Don’t Make Fun of the Customers

In a recent U.S. National Labor Relations Board (NLRB) decision, Karl Knauz Motors, Inc. (Re), the NLRB considered whether a car dealership could terminate a salesperson for comments on Facebook about an accident that involved a customer of the dealership. The customer had driven into a pond and the salesperson posted photos on Facebook with sarcastic comments. The employer argued that the comments violated employee handbook rules that required employees to be “courteous, polite, and friendly to our customers, vendors and suppliers, as well as to their fellow employees” and which prohibited conduct that was “disrespectful” or involved the “use of profanity or other language which injures the image or reputation” of the employer. In addition, not long before the post about the customer, the same salesperson had posted photos and comments criticizing food that had been served at a sales event at the dealership. The tenor of the earlier post was that the dealership should have served better food given the profile of the sales event.

The salesperson claimed that he was terminated in violation of the protections afforded by section 7 of the National Labor Relations Act (NLRA), which, among other things, provides rights to participate in concerted activity for the purpose of collective bargaining or other mutual aid or protection. The NLRB has previously issued decisions and guidance documents this year warning that social media policies must not stifle workers from communicating about workplace conditions as this would offend section 7 of the NLRA.

An administrative law judge concluded that the postings about the car accident did not fall within section 7 of the NLRA because they were posted by the employee on his Facebook page and no discussion took place on Facebook about the post. By contrast, the comments about the food at the sales event were made in the context of an exchange among employees on Facebook. The administrative law judge concluded that the comments were related to the dealership’s image at the event and this could affect the working conditions of the employees by affecting sales.

In a split decision, the NLRB upheld the decision of the administrative law judge. The employee’s termination for the comments about the customer was not protected by the NLRA. However, the NLRB ordered that the employee handbook rules were overbroad and not enforceable.

The dissenting NLRB member concluded that the requirement to be courteous did not violate section 7 of the NLRA and held that:

“[r]easonable employees know that a work setting differs from a barroom, and they recognize that employers have a genuine and legitimate interest in encouraging civil discourse and non-injurious and respectful speech.”

Say What You Will About Gay Marriage

In Smith v. Trafford Housing Trust, a housing manager of the Trust read a news article online regarding gay marriage and posted the link to his Facebook account with the comment “an equality too far”. The manager’s Facebook privacy settings had been set so that his posting could be viewed by his “Friends” and also “Friends of Friends”. This prompted an exchange with one of the employee’s colleagues at work, which was quite tempered but suggested that those gays and lesbians “have no faith and don’t believe in Christ”. The employee was suspended and subjected to a disciplinary proceeding that resulted in a finding of gross misconduct. The employee was offered a demotion to a non-managerial position in view of the length of his service.

According to the decision of the English High Court of Justice (Chancery Division), the Trust had over 300 employees. The court found that at the material time, the employee listed that he was a manager at the Trust. His profile stated “What can I say – it’s a job and it pays the bills”. He described his religious views as “full on charismatic Christian.” His profile and wall pages also listed that he was a manager at the Trust. In putting the post into context, the court held that it was one of a number of posts about “sport, food, motorcycles and cars.”

The court concluded that a reasonable reader of the manager’s wall would not have understood him to be a spokesperson for the Trust. The court rejected that any loss of reputation by the Trust would arise in the mind of a reasonable reader. The manager’s Facebook wall “was primarily a virtual meeting place at which those who knew of him, whether his work colleagues or not, could at their choice attend to find out what he had to say about a diverse range of non-work related subjects.” The court minimized the broader access to his wall by “friends of friends” by stating that “actual access would still depend upon the persons in that wider circle taking the trouble to access it.” The court found that the manager did not thrust his views onto colleagues at the office. The medium and context were not “inherently” work related. In the result, the court concluded that the manager had been constructively dismissed.

Don’t Diss and Threaten Other Employees or Your Employer

The problems for the employees in Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 1518 started when one of the employees posted on Facebook a post that could be interpreted as threatening: “Sometimes ya have good smooth days when nobody’s [expletive] with your ability to earn a living … and sometimes accidents DO happen, its [sic] unfortunate but thats [sic] why there [sic] called accidents right?” Another employee also was posting derogatory comments about managers.

The employees had close to 100 and 377 “friends” respectively. Significantly, the posts were escalating in tone and extreme enough that one person “de-friended” and even the girlfriend of one of the employees commented that “[s]omethings just shouldn’t be broadcasted on facebook, especially when you still work there.”

The employer terminated the employment of the two employees. The union grieved but lost. In an interesting counterpoint to the Trafford Housing Trust case, the British Columbia Labour Relations Board concluded that the comments on Facebook had sufficient proximity to the employer’s business. The comments had been used as a “verbal weapon”. They went beyond shop floor comments to insubordination in front of employees who were friends of the employees by degrading a manager and referring to discipline. The comments also counselled Facebook friends not to shop at the employer. In the result, the termination was upheld.

Substance, Purpose and Context

One should be careful about drawing conclusions from a handful of cases in multiple jurisdictions with different approaches to employment and privacy laws. However, one theme that emerges in all three cases is that, in addition to the substance of the social media posts, the purpose and context for those postings are important considerations in concluding whether the employer has a legitimate interest in the employee’s social media activities.

 

Data Anonymization: UK Code and a New “Anonymisation Network”

On November 20, 2012, the UK’s Information Commissioner’s Office (ICO) issued the Code of Practice on data anonymization, entitled “Anonymisation: managing data protection risk.” I discussed the draft Code and consultation in a previous post.

In addition, the ICO has announced an “Anonymisation Network” (www.ukanon.net – not yet up and running) to host detailed case studies and illustrations of good practice.

The Code is developed within the framework of the Data Protection Act, 1998 (UK), and, therefore, should not be considered to be directly applicable outside the UK. However, the case studies and discussion of data anonymization techniques are useful reading for all organizations considering the conversion of data sets to an anonymized form.

Some highlights from the ICO’s discussion of data anonymization are:

  • If an organization converts personal data into an anonymized form, the resulting anonymized data will not constitute personal information. This will continue to be the case even though the organization may be able to de-anonymize the information.
  • A difficult technical issue for organizations will be whether the anonymized data could be combined with information by a third party to re-identify the individual. The ICO’s position, based on judicial precedent, is that the risk of identification must be greater than remote and reasonably likely in order for the data to be considered to be personal data for the purpose of data protection legislation.
  • In assessing the risk of re-identification, the ICO recommends using the “motivated intruder” test. In other words, would a person who starts without any prior knowledge but who wishes to identify an individual be able to access resources and investigative techniques to de-anonymize the data? The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills.
  • Data that is from low sensitivity sources with a low risk of re-identification may be published by the organization as part of a commitment to open government. However, the ICO recommends that data from highly sensitive sources with a significant risk of re-identification should be made available under limited use restrictions in order to control through contractual terms the use to be made of the data.
  • The ICO takes the position that in most cases anonymization does not require an individual’s consent under the Data Protection Act, 1998. However, organizations should address the possibility of anonymizing data through disclosure in privacy policies. By contrast, if an organization collects personal data through re-identification, the organization must have the individual’s knowledge and consent.

A summary document prepared by the ICO is available here.

Big Data and Cloud Computing Meet the Uruguay Conference of Data Protection Authorities

The 34th International Conference of Data Protection and Privacy Commissioners was held in Uruguay on October 23 and 24, 2012. The purpose of the International Conference is to bring together data protection and privacy commissioners around the world to discuss emerging issues, share knowledge and promote international cooperation on projects.

The closed session of data protection and privacy commissioners produced the “Uruguay Declaration on Profiling” dealing with the use of Big Data, and two resolutions – one dealing with cloud computing and the other dealing with “the future of privacy”.

Uruguay Declaration on Profiling (Big Data)

In the Uruguay Declaration, the International Conference recognized “the many useful applications of big data and the advantages large data collections could bring to, among others, healthcare, energy efficiency and public safety.” However, the International Conference also outlined the risks of profiling and the potential lack of accountability regarding the quality of data. The International Conference reaffirmed the principle of purpose limitation.

In addition, the International Conference set out eight points that data protection and privacy commissioners should consider when dealing with profiling activities:

1. Public and private entities must be transparent about profiling, the way profiles are assembled and the purposes for which they are being used.

2. Profiling operations should have three phases: (i) identification of the need; (ii) identification of the assumptions and data that will form the basis of the profile; and (iii) how the profile is to be applied in practice. Each phase should be subject to separate decisions and regulatory oversight.

3. Profiles and the underlying algorithms must be continuously validated.

4. Profiling operations should not be fully automated. Human interventions should be required to avoid injustice to individuals subject to fully automated false positive or false negative results.

5. The creator and user of the profile should not be the same.

6. Individuals should be permitted to challenge the profile.

7. Authorities should ensure that they have sufficient enforcement power and knowledge to supervise public and private sector profiling activities.

8. Privacy enforcement authorities should have the power to test and challenge government proposals given the government’s access to large public and private databases.

Cloud Computing Resolution

The International Conference also resolved to encourage efforts and reduce risks associated with cloud computing given its potential to create economic efficiency, lower environmental impact, simplify operation and increase user-friendliness. However, the International Conference recommended in its resolution that:

• Cloud computing should not result in a lowering of data protection standards;

• Organizations should carry out privacy impact and risk assessments prior to engaging in cloud computing;

• Cloud service providers should focus on transparency, security, accountability and trust, particularly regarding information on data breaches and contractual clauses that promote data portability and data control by cloud users;

• Continuing efforts should be made to develop standards and certifications and privacy by design in cloud computing architectures;

• Legislators should assess the adequacy and interoperability of legal frameworks to facilitate cross-border transfers of data; and

• Privacy and data protection authorities should continue to engage with stakeholders.

Future of Privacy Resolution

In recognition of globalization and cross-border transfers of information, the International Conference renewed calls for international cooperation and coordination on data protection and privacy rules to bring national laws into harmony.

 

That E-mail Is Mine; Or Is It?: Who Owns an E-mail Message?

Here’s a brain teaser. Who owns an e-mail? The sender? The recipient? Both? Typical e-mail footers seem to assert some type of ownership by the sender by directing that the e-mail is only for the attention of an intended recipient and that the sender prohibits retention and use by other persons. In the U.K., the answer to who owns an e-mail appears to be neither the sender nor the recipient.

In Fairstar Heavy Transport N.V. v. Adkins, [2012] EWHC 2952, decided by the Technology and Construction Court of the Queen’s Bench Division of the English High Court, the issue was whether the plaintiff company, “Fairstar” had a proprietary interest over e-mails held by the defendant “Adkins” who was formerly the CEO of Fairstar. Adkins was not directly employed by Fairstar. Instead, Fairstar contracted with Adkins’ company. The plaintiff had been taken over by a competitor in a hostile bid and Adkins had been terminated.

According to the court decision, Adkins’ incoming e-mails while he was CEO would be automatically forwarded by Fairstar’s server to Adkins’ e-mail account hosted by a third party. Copies of the e-mails on Fairstar’s server were automatically deleted after being forwarded. Copies of e-mails sent by Adkins did not go through Fairstar’s server unless someone at Fairstar was copied.

Fairstar wanted access to the e-mails in relation to the construction of a vessel in a Chinese shipyard, which turned out to be a substantial liability for Fairstar and with respect to which Adkins was involved in the negotiations. Fairstar’s position was that, notwithstanding that it had no claim to the medium in which the e-mails were stored, it had a proprietary claim to the content of the e-mails.

In examining the possibility of a proprietary claim, the court considered five options:

1. Title to the e-mail remains with the creator (or his or her employer) irrespective of who receives the e-mail or how many times it is forwarded.

2. Title to the e-mail passes to the recipient (or his or her employer).

3. In the alternative to (1), even though title to the e-mail remains with the creator, the recipient has a licence to use the content for any legitimate purpose consistent with the circumstances in which the e-mail was sent.

4. In the alternative to (3), even though title has passed to the recipient, the creator continues to have a licence to retain the content and to use it for any legitimate purpose.

5. In the alternative to each of the foregoing, title is shared between the sender and recipient and anyone else to whom the e-mail is sent.

The court concluded that options (1) and (2) were not workable. Indeed, either option would lead to the possibility of a party having the right to demand that an e-mail (subsequently regretted) be returned or destroyed.

The court held that options (3) and (4), which involve one party retaining ownership and the other party a licence (presumably irrevocable) to use the e-mail, effectively left the concept of ownership devoid of any real meaning because only illegitimate uses could be precluded. If a breach of copyright or confidentiality was not in issue, there would be very little, if any use, left to restrain as being illegitimate.

The court also rejected option (5). The court hypothesized that the result of a joint proprietary interest might presumably mean that if a supplier lost its database of e-mails, it could demand that all of its correspondents deliver up a copy of the e-mail in order to reconstitute the database.

In the case of a letter, the recipient of the letter “owns” the letter in the sense of the tangible thing.  Of course, the owner’s right to reproduce the content of the letter is subject to copyright just as I might own the book on my bookshelf but my entitlement to reproduce the book or passages from it are subject to applicable copyright laws.

The question of who owns an e-mail is of course more complex since it is not a tangible thing in the same way as a letter or book. However, might it not be analogous to the author making a copy of a letter and sending the original or the copy, or the author of a book retaining a copy of the manuscript? Author and recipient each are entitled to own and use their own copy subject to copyright laws. No one would suggest that the author could demand return of the copy of the letter or book, subject, of course, to duties of confidence or other equitable rights and obligations. Might the reason why the options discussed by the court don’t make sense have to do with thinking about an e-mail as a single thing, whereas an e-mail is a message transmitted electronically and always already involves a copy (perhaps many times over) once created and even more so when sent? Thoughts?

Privacy Conscious Europe is Leading the Cloud Computing Charge

Look out, Canada and the U.S.: European regulators are working to give Europe a head start as a safe jurisdiction for cloud computing.

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. The Commission wishes to address the “perception” that cloud computing may bring additional risks by making it easier to signal and verify compliance (through standards and certification) and by developing legal frameworks, such as an initiative on cyber security. The Commission summarized the business case for devoting Commission resources to cloud computing as follows:

Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe’s businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe’s traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.

The Commission identified several barriers to an accelerated adoption for cloud computing, including:

  • Contractual standards regarding data access, portability, change of control, ownership of data and dispute resolution processes.
  • Regulatory fragmentation due to differing national legal frameworks and uncertainties over applicable laws, given that cloud services may span multiple jurisdictions.
  • Proliferation of security standards and uncertainty by organizations regarding the security of those standards and the interoperability of data formats to permit portability.

Among the Commission’s activities for 2013:

  • The Commission has challenged itself to develop model terms for cloud computing service level agreements for professional cloud users by the end of 2013. The Commission will also review clauses that could be used in contracts involving the transfer of personal data to countries outside of the EU.
  • The Commission will also develop standardized contract terms for consumer agreements for cloud computing.
  • The Commission supports the development of uniform standards and the certification of organizations providing cloud computing services. The Commission will be tasking the European Telecommunications Standards Institute with developing a set of necessary standards for security, interoperability, data portability and reversibility. The Commission will also assist in the development of an EU-wide voluntary certification scheme.

UK Information Commissioner Provides Constructive Guidance

In other developments, the U.K. Information Commissioner’s Office (ICO) has issued “Guidance on Cloud Computing”, which should prove to be a useful resource for privacy professionals and counsel who are beginning to grapple with cloud computing technologies and mandatory reading for Canadian companies operating in the U.K. Although there are significant differences between Canadian and U.K. privacy laws, this ICO resource is a useful starting point because of the clear and practical approach to decoding the “lingo” of cloud computing and describing the privacy issues. In-house counsel may especially appreciate the use of specific short examples to illustrate concepts.

Among the points covered in the ICO booklet are:

  • Assess the risk of processing highly sensitive data in the cloud. The ICO does not, however, put any types of data off-limits. The ICO states: “Often, the question may not be whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated.”
  • Consider that moving data to the cloud may create additional types of data. Metadata regarding usage statistics or transaction histories of users may be recorded and should be covered by the organization’s privacy policy.
  • Privacy impact assessments should be considered before engaging in large or complex cloud services.
  • Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event. Organizations should engage in a “continual cycle of monitoring, review and assessment”. Furthermore, organizations should ensure that they are notified of any changes to subcontractors and those subcontractors are approved.
  • Use third-party audits and certifications. The ICO supports the use of third-party audits and industry certifications to assist organizations in assessing the physical, technical and administrative security measures of the cloud service provider. Responsibility remains, however, with the organization to satisfy itself that the cloud service provider has adequate security measures in place to maintain data security.

The ICO states that technical security measures of a cloud computing program should include:

  • Access control through the use of a robust authentication program involving individual usernames and strong passwords and an administrative program to create, update, suspend and delete user accounts.
  • Encryption of data while in transit and, if possible, at rest (i.e. when stored) should be considered. It is important, however, to ensure that the encryption process also contains a “robust key management arrangement”. This is because access to the decryption key means access to the data and, in addition, inadvertent loss of the key would result in the loss of data.
  • Data retention and destruction procedures to provide for the overwriting and destruction of data consistent with the organization’s document retention protocol and following a transfer to another cloud service provider or discontinuance of the use of the cloud service provider’s services.
  • Limits on the cloud service provider’s access to the organization’s data and controls on whether and how the cloud service provider may use the organization’s data. There should be “an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs.”

On the thorny subject of international transfers of data becoming subject to the laws of the organization to which the data transfer is made, the ICO joined the trend towards international comity by stating as follows:

If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

Movement to cloud computing appears inexorable. Jurisdictions that are first movers to develop standards and to facilitate the advantages of the cloud computing industry may have the advantage in the long run. Digital strategy, anyone?

Conversational Email, Contracts & the Statute of Frauds

With permission of the publisher of E-Commerce Law Reports, here is a link to my recent article examining three cases decided in Canada, the U.K. and the U.S. in which the Statute of Frauds was pleaded as a defence to the enforceability of contracts created by conversational email.

Data Anonymization Consultation in the UK: Facilitating Big Data

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation.  The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data.  Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act.  This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected.  The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set. An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual. If so, then this would be a disclosure of personal information. The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”. In other words, all organizations disclosing part of the data set should consider whether another organization (or the public) could identify the individual from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess.  In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.
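As an added illustration (not taken from the draft Code or from this post), the following Python sketch shows one way an organization could test a release against the “motivated intruder” standard before disclosure: it joins the release to auxiliary data on shared attributes and separates a unique match (identification) from a match to a group of records (an educated guess). All records, field names and the choice of linking attributes are constructed assumptions.

```python
from collections import Counter

# Attributes assumed to be available to an intruder from other sources.
QUASI_IDENTIFIERS = ("postcode_district", "birth_year", "sex")

# Constructed "anonymised" release: names removed, diagnosis retained.
RELEASED = [
    {"postcode_district": "SW1", "birth_year": 1981, "sex": "M", "diagnosis": "asthma"},
    {"postcode_district": "SW1", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"postcode_district": "SW1", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"postcode_district": "SW1", "birth_year": 1984, "sex": "M", "diagnosis": "hypertension"},
    {"postcode_district": "LS6", "birth_year": 1990, "sex": "F", "diagnosis": "diabetes"},
    {"postcode_district": "LS6", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
]

# Constructed auxiliary data of the kind held in a public register.
AUXILIARY = [
    {"name": "Person A", "postcode_district": "SW1", "birth_year": 1981, "sex": "M"},
    {"name": "Person B", "postcode_district": "SW1", "birth_year": 1984, "sex": "M"},
    {"name": "Person C", "postcode_district": "LS6", "birth_year": 1990, "sex": "F"},
    {"name": "Person D", "postcode_district": "LS6", "birth_year": 1955, "sex": "M"},
]


def key_of(row, keys=QUASI_IDENTIFIERS):
    """Tuple of the linking attributes for one row."""
    return tuple(row[k] for k in keys)


def smallest_group(released, keys=QUASI_IDENTIFIERS):
    """Size of the smallest set of released rows sharing the same linking values."""
    return min(Counter(key_of(r, keys) for r in released).values())


def assess_linkage(released, auxiliary, keys=QUASI_IDENTIFIERS):
    """Classify each auxiliary person by what a join on `keys` would reveal."""
    released_counts = Counter(key_of(r, keys) for r in released)
    aux_counts = Counter(key_of(a, keys) for a in auxiliary)
    report = []
    for person in auxiliary:
        k = key_of(person, keys)
        matches = released_counts.get(k, 0)
        if matches == 0:
            outcome = "no_match"
        elif matches == 1 and aux_counts[k] == 1:
            # One record, one candidate person: the record is re-identified.
            outcome = "identified"
        else:
            # Several records or several candidates: only a probability.
            outcome = "educated_guess"
        report.append({"name": person["name"], "outcome": outcome,
                       "matching_records": matches})
    return report


def generalise_birth_year(rows, width=10):
    """Mitigation: replace birth_year with the start of a `width`-year band."""
    return [{**row, "birth_year": row["birth_year"] - row["birth_year"] % width}
            for row in rows]


if __name__ == "__main__":
    for line in assess_linkage(RELEASED, AUXILIARY):
        print("as released:", line)
    coarse = generalise_birth_year(RELEASED)
    for line in assess_linkage(coarse, generalise_birth_year(AUXILIARY)):
        print("after banding:", line)
```

Run against the constructed data, the release as drafted lets one person be singled out; banding the birth year removes the unique match while leaving the remaining links as probabilities only.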

One of the most helpful aspects of the draft Code of Practice is the thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.

 

Cookie Disclosure and Opt-Out Tools: A brief round up

In December 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidance stating that “collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent” and that there must be an “opt-out” mechanism if the technology is being used for on-line behavioural advertising. However, organizations in Canada have been short on tools for complying with the OPC’s guidance and have been slow to increase the prominence of their disclosure regarding cookie use.

In the United States, as I reported in a previous post, the FTC has called for the advertising industry to make “Do Not Track” initiatives fully operational by the end of 2012. Advertisers must be transparent about their deployment of cookies and other on-line tracking technologies and provide people with a method of opting out. The Digital Advertising Alliance in the U.S. has continued to promote an advertising opt-out tool (AdChoices), which is beginning to appear on web sites (often near the link to the organization’s privacy policy). The Network Advertising Initiative also offers an opt-out tool and organizations have been including links to the tool for users to opt out.

In the UK, new “cookie” rules came into force on May 26, 2012. Organizations must now obtain consent to the use of cookies and provide a method for subscribers and users to opt out of cookies (with some exceptions). The UK Information Commissioner’s Office has issued a guidance document to assist organizations with compliance efforts. The examples provided for increasing the prominence of disclosure of cookie use and for obtaining consent are particularly helpful.

Meanwhile, Canada has lagged behind on practical advice from the Federal and Provincial Privacy Commissioners and tools for assisting Internet users to opt-out of tracking technologies.  On the “tools” front, this may change.  In a preface to an article reporting on an interview with outgoing IAB Canada president Paula Gignac, Marketing Magazine reports that IAB Canada is in negotiations to bring the AdChoices program to Canada.  Some Canadian organizations aren’t waiting for a Canadian solution.  The AdChoices icon has begun popping up on websites of Canadian-based organizations.

Personal and Professional Email: Access to Information Requests

When a government employee uses workplace email to send and receive personal email, are those emails subject to disclosure under access to information laws?

What about when a government employee uses a personal email account to send and receive emails relating to government business?

Two recent cases – one in Alberta and one in Ontario – answer the first question in the negative.

A recent case in England answers the second question in the affirmative – and a similar result might be expected in Canada based on recent Supreme Court of Canada jurisprudence.

1. Personal email may not be in the custody or control of the public authority

In City of Ottawa v. Ontario, the information requester sought production of communications between an employee of the City and an organization where the employee volunteered. Subsection 4(1) of the Municipal Freedom and Protection of Privacy Act (“MFIPPA”) provides that a requester is entitled to access to a record if it is in the custody or under the control of the City, unless an exemption applies or the request for access is frivolous or vexatious.

The employee used his work email address to receive emails related to his volunteer work.  This was permitted by the City.  However, the City reserved the right to monitor email without notice.  All email was property of the City, but employees were not required to retain personal email under any record-keeping policy.

Initially, the adjudicator concluded that the email was in the custody or control of the City.  After all, the City had physical possession of the emails on its server and had the authority to regulate them.  On judicial review, however, the Ontario Divisional Court concluded that the documents were not in the custody or control of the City.  In order to be in the custody or control of the City, two criteria must be satisfied.  The City must be entitled to obtain a copy of the emails and the emails had to concern a City matter.  However, if personal email was sufficiently intermingled with email relating to City matters, then it would have to be produced.

In University of Alberta v. Alberta (Information and Privacy Commissioner), the requester sought access to emails between an academic at the University and a government grant agency relating to the review of a grant application. As in the Ontario case, the adjudicator had taken a straightforward approach: the emails passed through the University’s servers and the University had some right to deal with the emails; therefore, the University must have had custody or control.

The Alberta Court of Queen’s Bench rejected the adjudicator’s approach and adopted the Ontario Divisional Court’s interpretation of the meaning of “custody or control”.  Analogizing the emails to the situation of paper records, the court held that employees may keep private items at an employer’s place of work but that does not bring them within the meaning of custody or control for the purpose of access to information legislation.  The emails in this case were only remotely related to the University’s business and need not be disclosed.

2. Personal email may be producible under access to information requests if related to government business

In order to understand the next two cases, a bit of legislative background is required.  The scope of the Freedom of Information Act 2000 (UK) is somewhat different from federal Canadian access to information legislation.  In the UK, it seems that there is no specific exemption from production for records in a Minister’s Office.  Under the federal Access to Information Act (Canada), the Minister’s Office is not a government institution that is subject to the Act.

In a recent UK decision of the Information Commissioner’s Office (FS50422276), the issue was whether emails sent from the Secretary of Education’s personal email address to two special advisors were subject to production under the UK Act. One of the emails was characterized by the Information Commissioner’s Office as “essentially an action plan and a list of key events or issues in the work of the department for the month of January 2011.” This characterization was “supported by the fact that much of what was discussed in the email subsequently resulted in official departmental announcements.”

The Information Commissioner’s Office concluded that the fact that the email was sent from the Secretary of Education’s personal email address was not determinative of the requirement to produce the email (although this practice was frowned upon for record-keeping purposes). The relevant question was whether the majority of the email had to do with the business of the department. In analysing this question, it would be relevant to consider who the sender and recipients were and their roles, if any, within the civil service or the party machine, as well as the substance of the email and how it was used.

Last year, the Supreme Court of Canada considered whether records held by Ministers’ Offices were required to be disclosed under the federal Access to Information Act. The fact that a Minister’s Office was not a governmental institution for the purposes of the federal Access to Information Act did not preclude documents held there from being in the “control” of the department and, therefore, producible. The court held that consideration had to be given as to whether the record related to a departmental matter and, if so, whether there are factors that suggest that the government institution could reasonably expect to obtain a copy of the record. The court held that some of the factors to consider include the substance of the record, the circumstances in which it was created and the legal relationship between the government institution and the record holder.

Costs of EU Privacy Proposals Questioned

On April 4, 2012, the Chairman of Working Party 29 (a committee of data protection authorities from European Union member states) expressed concern regarding the potential costs of the proposed European Union privacy reforms.

In a letter to the Commissioner for Justice, Human Rights and Citizenship, the Chairman of Working Party 29 wrote that it “strongly suggests an in-depth assessment of the increased costs”. The Chairman wrote:

If the cost of providing [adequate human, technical and financial resources, premises and infrastructure to data protection authorities] exceeds the financial commitment that Member States and the Commission are prepared to make, then priorities should be set, with those duties that do not provide the best ‘value for money’ in terms of privacy protection being scaled back.

More on the EU Proposals can be found in my January 2012 post.

UK May Require Telecommunications Providers to Store Data

The Telegraph reported on Saturday, February 18, 2012 that phone and internet service providers in the United Kingdom may be ordered to store records of electronic communications of subscribers for one year and make those records available to security services. The Telegraph reports that the information would not include the contents of calls, texts or emails. However, the data would include numbers or email addresses of the sender and recipient. The Telegraph reports that the information to be collected would also include direct messages between subscribers to websites such as Twitter and Facebook, as well as communications between players in online video games.

Balancing Privacy and Freedom of Expression in Europe

From time to time, we comment on developments outside of Canada that may be of interest or relevance to the topics discussed in this blog.

On February 7, 2012, the Grand Chamber of the European Court of Human Rights issued two decisions (Axel Springer AG v Germany; von Hannover v Germany) involving the balancing of privacy interests and freedom of expression, each of which is protected under the European Convention on Human Rights (“ECHR”).

Article 8 of the ECHR provides that “Everyone has the right to respect for his private and family life …” Article 10 of the ECHR provides that “Everyone has the right to freedom of expression.” Article 10 further provides that freedom of expression includes the freedom “to receive and impart information and ideas.” However, freedom of expression is subject to responsibilities and, therefore, may be restricted “for the protection of the reputation or rights of others …”

The two cases before the European Court of Human Rights concerned well-known personalities who had argued that their privacy rights had been infringed by the publication of photographs and associated stories about them. In one case, the German court had prohibited publication. In the other case, the German court had not prohibited publication. The question for the European Court was whether Germany had fulfilled its obligations under the ECHR in protecting the interests of the parties.

Following previous jurisprudence, the European Court recognized that a person’s image constitutes personal information since it reveals the person’s unique characteristics. Therefore, Article 8 of the ECHR protects the right to control the use of a person’s image, including the right to refuse publication of that image. This right is not obliterated simply because the person is known to the public. Also following prior jurisprudence, the European Court held that freedom of expression is essential to a democratic society and protects information and ideas that may be offensive.

In assessing whether Germany had balanced these competing human rights, the European Court stated that the following factors are relevant. I have grouped related factors for convenience of exposition.

(1) Contribution to a public debate of general interest. A key factor in balancing these human rights is whether the photograph or article contributes to a public debate of a matter of general interest. This factor is more easily met if the person that is the subject of the photo or article has a role or function that is appropriate for debate in a democratic society. The European Court held that a private individual unknown to the public is more likely to have a claim to protection of his or her right to private life. By contrast, the role of the press as a “public watchdog” means that a public official will be exposed to scrutiny unless the material relates exclusively to details of the person’s private life and the publication of that material is simply to satisfy public curiosity.

(2) The conduct of the person with respect to protecting privacy.  The European Court concluded that an individual may have diminished expectations of privacy as a result of the individual’s own conduct.  The mere fact of having cooperated with the press on previous occasions will not result in the waiver of right to privacy.  However, the extent to which the person has willingly opened his or her life to public scrutiny will be a factor in assessing the person’s legitimate expectations of privacy.

(3) The context in which the photographs were taken and the content, form and consequences of publication. The European Court recognizes the importance of context. Photos obtained by illicit activity may fare less well when balancing freedom of expression against privacy interests. In addition, the manner in which the person is represented, the form of publication and the extent of circulation are relevant to balancing the two freedoms. As the European Court noted, a photograph of an otherwise unknown person may be more damaging than an article.

In the result, the European Court held that freedom of expression trumped the right to privacy of these personalities. In the Axel Springer AG case, the photograph and article were damaging but the information was already public and the person involved had previously spoken to the press about his private life.  In the von Hannover case, the photograph was not damaging and the accompanying articles contributed to a debate of general interest.

The New York Times has published an Associated Press report on the background facts underlying the cases.