
International Internet Privacy Sweep

The Office of the Privacy Commissioner of Canada (OPC) has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an “Internet Privacy Sweep”.

The first sweep begins today and continues for a week, during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.

Global Reach for Data Governance Law

Our New Look and International Legal Practice

Welcome to the new look for DataGovernanceLaw.com. Fraser Milner Casgrain (FMC) has become Dentons Canada LLP, and has joined Salans and SNR Denton to form Dentons, an international legal practice. For more on Dentons, visit www.dentons.com.

We are now working together with 2,500 talented lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.

Two Blogs!

This blog will continue to bring you developments in data governance law, including privacy, e-commerce and consumer protection topics that we think are interesting to you, with a Canadian spin.

We also invite you to visit our sister blog at www.privacydatasecurityblog.com, which will provide you with coverage and commentary from an international perspective on privacy and data security.

What does the future hold in store?

We have always covered international legal developments on this blog because e-commerce and m-commerce are not confined to geographical boundaries and because there is much to be learned from other jurisdictions in this evolving area of the law. I am personally delighted to join our colleagues from the former Salans and SNR Denton. Together, we will be able to provide you with insights regarding best practices in privacy and security and insights regarding data governance from around the world.

Over the coming months, we will be combining our blogs. These are exciting times. I look forward to sharing them with you.

 

A Gatekeeper Approach to Mobile App Regulation is Developing in the United States

The Federal Trade Commission (FTC) released a Staff Report on February 1, 2013, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The FTC Staff Report follows on the heels of earlier recommendations by the California Attorney General (AG), released in January, in a report entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.”

The FTC Staff Report is particularly notable for articulating a gatekeeper function for platform providers in the mobile app ecosystem. The Staff Report and the California AG Recommendations recognize that there are distinct players in the mobile app market – platforms that provide the operating system and marketplaces; developers of the apps; and advertising networks. Both the FTC Staff Report and the California AG Recommendations target these different players with recommendations.

However, it appears that FTC Staff see the platform providers as particularly amenable to regulation because they are the focal point for the interface between users and app developers.

“[…] platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving privacy disclosures.” (FTC Staff Report, p. 14)

FTC Staff asserted that the platforms “use the plethora of apps offered on their devices as a significant marketing tool” (p. 14). The inference appears to be that the platforms have fair trading obligations to ensure that the apps they distribute meet privacy standards.

As gatekeepers, FTC Staff want platform providers to:

  • Require developers to make privacy disclosures;
  • Enforce privacy disclosure standards;
  • Educate developers on privacy issues;
  • Be responsible for providing “just-in-time” disclosure for the collection of geolocation data and other sensitive data;
  • Be responsible for obtaining consent for the collection of geolocation data and other sensitive data;
  • Develop a “dashboard” to allow consumers to review what types of content are being accessed by apps on their devices;
  • Develop icons to notify the user of the transmission of user data;
  • Establish a do-not-track (DNT) option at the platform level to allow consumers to make a one-time choice; and
  • Provide consumers with disclosure regarding the extent of review that the platform undertakes prior to making the app available as well as any compliance checks or reviews after the app is made available on the platform’s market store.

The approach to platform providers as potential gatekeepers and enforcers is different from that of the California AG’s report, which focused on the educational role that platform providers could play.

Other highlights from the FTC Staff Report and the earlier California AG Recommendations are:

  • DNT or bust? FTC Staff continue to call on the industry to develop a “DNT mechanism that would prevent an entity from developing profiles about mobile users” (FTC, p. 21). The DNT mechanism must be (i) universal, (ii) easy to find and use, (iii) persistent, (iv) effective and enforceable, and (v) apply to more than just advertisements (FTC, p. 21).
  • “Just-in-Time” and “Surprise Minimization”. The FTC Staff Report emphasizes “just-in-time” or contextual disclosure and obtaining express affirmative consent at the point in which it is going to matter to consumers – that is, just prior to collection (FTC, p. 15). The California AG’s basic approach is to “minimize surprises to users”. The emphasis is on clearer, shorter notices. Organizations should not rely on privacy policies alone but also supplement those notices with alerts delivered “in context and just in time” (AG, p. 5).
  • Icons – but which ones? Privacy icons are the future; however, FTC Staff want to see consumer testing to ensure efficacy (FTC, p. 16).
  • Privacy by Design. The California AG continues to emphasize privacy as the default and the limiting of collection, use and retention to what is necessary to complete the function for which the data was required (AG, p. 9).

 

Enough Already: Encrypt those Portable Devices

The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibit misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

Texas Court Refuses to Prohibit RFID Tags in School

On January 8, 2012, the U.S. District Court for the Western District of Texas issued a ruling denying a preliminary injunction in a case involving the use of radio-frequency identification (RFID) tags embedded in name badges to track students (A.H. ex rel. Hernandez v. Northside Independent School District, 2013 WL 85604 (W.D. Tex.)). Ultimately, the court concluded that the religious objections of the student’s family had been accommodated by permitting the student to use a badge that was identical to the badges of other students, except that the RFID tag and battery had been removed.

The court gave significant deference to the school district’s reasons for using the technology and concluded that the use of the RFID technology easily met the requirement that it be rationally connected to a legitimate government interest. Since the school was willing to accommodate the objection to the RFID tag, the issues were reduced to whether the required use of a badge that looked the same as the RFID badges was a form of forced expression in support of the program and whether the student was subjected to significant burdens in opting out of the use of the RFID tag.

Since the case turned on the question of religious accommodation, the court did not review the significant privacy issues in the case, which is unfortunate given the importance of those issues to the maturing legal and social debate regarding the use of geolocation tracking. In Canada, Privacy Commissioners have long been concerned about the use of RFID technology to track individuals. However, it is clear that RFID technology can be used in Canada, provided that an organization is able to justify that the use of RFID technology is reasonable using the Canadian four-part analysis discussed below.

Deployment of the RFID Technology

An RFID tag is a computer chip with a unique identification number. The RFID tag can be active or passive. An active RFID tag contains a power source and a micro antenna that actively transmits the RFID tag information without any user intervention. In this way, the active RFID tag operates differently than an identification card containing a passive RFID tag that must come into close contact with a reader (at least a few feet) in order to be scanned. Instead, the active RFID tag operates without any card holder intervention.

As widely reported, the controversy began when an active RFID tag was embedded into student name badges in a pilot program at a U.S. high school. Employees, students and visitors at the school already wear an identification badge. Schools and buses are equipped with digital cameras. The addition of RFID surveillance meant that the school could obtain geolocation information about the student while on campus. Among the other uses of the RFID tag, it provides for a method of determining daily student attendance, which affects state funding.

The Religious Objection and the Proposed Accommodation

The student’s family objected on religious grounds to wearing the RFID tag. When the student was offered accommodation by having the RFID tag removed, her parents refused on the basis that participation in the program by even wearing the badge without the RFID tag would run against their religious beliefs. The family argued that the student should be permitted to wear a different badge altogether so that she would not appear to be supporting the program. The family also argued that the proposed accommodation imposed burdens on the student. In particular, the student was unable to pay for lunch, check out library books, or participate in school activities in the same manner as other students, who could do so using the RFID-enabled badge. This meant that she was singled out.

Rational Connection to a Legitimate Interest

The court agreed that the school district has “a legitimate need to easily identify its students for purposes of safety, security, attendance and funding”. The court held that the RFID badge was rationally connected to meet those needs and was also “a useful tool for the students because it serves as a convenient means of payment for lunch and extra-curricular activities and assists students in checking out library books.”

The court held that any burden imposed on the student was outweighed by the governmental interest “in providing a safe and secure environment for everyone on campus”. The court held:

“Even if Plaintiff could show a substantial burden, the District has a compelling governmental interest that outweighs such burden. In today’s climate, one would be hard pressed to argue that the safety and security of the children and educators in our public school system is not a compelling governmental interest. Mandatory identification badges issued to all students, staff, and visitors further the school’s interest in providing a safe and secure environment for everyone on campus. One could envision many different methods of ensuring safety and security in schools, and the requirement that high school students carry a uniform ID badge issued for those attending classes on campus is clearly one of the least restrictive means available.”

The Canadian Approach

The Office of the Privacy Commissioner of Canada (OPC) has long taken the position that the existence of a legitimate security objective does not automatically justify the use of a surveillance technology. In order to assess the appropriateness of RFID technologies, the OPC uses a four-part analysis:

1. Is the use of the RFID technology demonstrably necessary to meet a specific need?

2. Is the use of the RFID technology likely to be effective in meeting that need?

3. Is the loss of privacy proportional to the benefit gained?

4. Is there a less privacy-invasive way of achieving the same end?

When analysing whether the RFID technology is likely to be effective in meeting a need, the OPC requires that organizations provide an evidentiary basis for the assertion of effectiveness.

 

Privacy Issues Not Discussed

Although the court in the Texas case noted the efficiency and the convenience of the RFID tag, the privacy issues were largely ignored in the court’s assessment of whether the RFID tag was rationally connected and minimally impairing of the student’s rights to freedom of religious expression and freedom of speech. Among other issues, the court did not assess the following issues, which should be critically examined in any RFID application in Canada:

  • Reliability of the Technology. Did the active RFID technology actually fulfil its security purpose? Does the mere fact that the student’s badge is on campus indicate that the student is on campus? Does the fact that the student’s badge is not read as being on campus mean that the student is not on campus? How does the potential for misinformation affect whether the use of the RFID tag is rationally connected to the security concern?
  • Security of the School’s Readers. What administrative, technological and physical security systems have been deployed to protect the unauthorized access to and use of the information collected by the RFID system? Does the level of security of the information provided affect whether the system is rationally connected to a security purpose and minimally intrusive?
  • Normalizing Tracking. Following previous jurisprudence, the court concluded that the constitutional rights of students in public schools may be different from those of adults in other settings. Does this necessarily mean greater tolerance for tracking? Or, might it mean the opposite? Is it important that the state not use the occasion of providing public education to normalize a culture of tracking of future adult citizens?

For information on RFID best practices in Canada, see the OPC’s Consultation Paper on RFID’s in the Workplace and the Information and Privacy Commissioner of Ontario’s RFID Privacy Guidelines.


 

Canada’s Anti-Spam Law (CASL) – Proposed New Regulations Would Soften Impact

Draft Regulations recognize CASL should not apply to “regular business communications”

Industry Canada has published long-awaited draft Regulations that would lessen the impact of Canada’s Anti-Spam Law (CASL) on businesses.  Or in the words of the Regulatory Impact Analysis Statement, to: 

provide relief to businesses through targeted exemptions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation.

Under the heading “Proposed exemptions to address stakeholder concerns”, the Statement explains:

Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.

The Canadian government has not issued a formal entry into force date for the Anti-Spam law, and the date has been a moving target since CASL was passed into law in December 2010.  Informally, CASL, the CRTC Regulations, and the proposed Industry Canada Regulations are expected to enter into force late in 2013.

Industry Canada’s Proposed Approach

Comments are due on February 4 on the proposed Regulations.  Here is a summary of Industry Canada’s proposed approach to clarify the application of the Act, and more importantly, to carve out “non-threatening” commercial electronic messaging.

1.  Limited Exemptions for Certain Types of Message

Exemptions are proposed for CEMs sent:

  • within a business;
  • between businesses already in a business relationship, sent by employee, representative, contractor or franchisee, where message is relevant to business, role, function or duties of recipient;
  • by foreign businesses and accessed by a visitor to Canada;
  • as a response to an inquiry; and
  • due to a legal obligation, or to enforce a legal right.

2.  Third-Party Referrals

Existing business relationship (also non-business, personal or family relationship) would permit third-party referral. 

Example:  Client of Company and Potential Client of Company have a business, non-business, personal or family relationship.  Client refers Potential Client to Company.  Company sends a single consent request message to Potential Client, including name of Client and identification and unsubscribe requirements set out in the Act and CRTC Regulations.

3.  Clarifying What is Required where Sender is an “Unknown Third Party”

CASL permits consent to be obtained to receive messages from a third party unknown to the recipient, in certain circumstances.  The proposed Regulations specify that the recipient must have the ability to unsubscribe and alert the “original requester” that he has withdrawn his consent.  That “original requester” must notify each third party sender that the recipient’s consent has been withdrawn.

4.  Membership in a Club, Association or Voluntary Organization

The proposed Regulations clarify the definition and scope of these “non-business relationships”, and include references to the purpose and not-for-profit status of these organizations.

5.  Limited Exemptions for Protecting, Upgrading and Updating Computer Networks

The proposed Regulations include new definitions for computer programs that are to be excluded from the “installation consent” requirements:  those installed (i) to prevent illegal activities that present an imminent risk to network security; and (ii) to update and upgrade an entire network.

Certain Questions Clarified

The Regulatory Impact Statement clarifies that not all messages sent “in a commercial context” are necessarily CEMs.  For example, Industry Canada notes that:

  • a CEM is a message that “encourages participation in a commercial activity”: therefore a message such as a courtesy SMS or an unsubscribe notification (without that encouragement) is not a CEM;
  • a CEM is a message sent to an electronic address:  “…[t]he publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of the Act”.

What Industry Canada has Not Done

Industry Canada has rejected stakeholder requests to:

  • “grandfather” consents obtained under PIPEDA (rejected as the CASL consent requirements are much more stringent than PIPEDA’s);
  • send CEMs from Canada to recipients outside Canada on behalf of foreign companies (rejected as a potential loophole to be exploited by spammers);
  • permit manufacturers to send CEMs to end-users of their products (rejected as potentially too broad);
  • revise the “unknown third party” approach to make it less complex and burdensome (rejected as tracking and managing consents is not “unduly onerous”).

A growing number of businesses in Canada, the United States and elsewhere are weighing in on the proposed Regulations.  The outcome of the current regulatory review will be worth watching for all those impacted by CASL.

 

 


Children’s Online Privacy Protection: U.S. Developments Compared to Canada

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled “Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

  • 80% of the apps (319) apparently did not disclose any information about the apps’ privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.
  • 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.
  • 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.
  • 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where they have identified gaps between company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

  • Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.
  • Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole in the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.
  • New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada has no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

 

Social Media & Employees: When Every Little Thing Is Searchable

The scope of an employer’s right to discipline and terminate an employee for indiscreet or inappropriate remarks in social media is far from settled. Given that an employee’s social media activities have the potential to “go viral” (or at least be seen by hundreds, if not thousands of people), organizations must assess whether the activities of employees outside of work have the potential to negatively affect, even transiently, the reputation and goodwill of the organization.

Currently, the legal battle over an employer’s legitimate interest in an employee’s use of social media is being played out among employees who are relatively junior within organizations and may, justifiably or unjustifiably, believe that their actions are not under the gaze of their employers.

This post compares two recent cases from the United States and the United Kingdom with an earlier case from Canada.

Don’t Make Fun of the Customers

In a recent U.S. National Labor Relations Board (NLRB) decision, Karl Knauz Motors, Inc. (Re), the NLRB considered whether a car dealership could terminate a salesperson for comments on Facebook about an accident that involved a customer of the dealership. The customer had driven into a pond and the salesperson posted photos on Facebook with sarcastic comments. The employer argued that the comments violated employee handbook rules that required employees to be “courteous, polite, and friendly to our customers, vendors and suppliers, as well as to their fellow employees” and which prohibited conduct that was “disrespectful” or involved the “use of profanity or other language which injures the image or reputation” of the employer. In addition, not long before the post about the customer, the same salesperson had posted photos and comments criticizing food that had been served at a sales event at the dealership. The tenor of the earlier post was that the dealership should have served better food given the profile of the sales event.

The salesperson claimed that he was terminated in violation of the protections afforded by section 7 of the National Labor Relations Act (NLRA), which, among other things, provides rights to participate in concerted activity for the purpose of collective bargaining or other mutual aid or protection. The NLRB has previously issued decisions and guidance documents this year warning that social media policies must not stifle workers from communicating about workplace conditions as this would offend section 7 of the NLRA.

An administrative law judge concluded that the postings about the car accident did not fall within section 7 of the NLRA because they were posted by the employee on his Facebook page and no discussion took place on Facebook about the post. By contrast, the comments about the food at the sales event were made in the context of an exchange among employees on Facebook. The administrative law judge concluded that the comments were related to the dealership’s image at the event and this could affect the working conditions of the employees by affecting sales.

In a split decision, the NLRB upheld the decision of the administrative law judge. The employee’s termination for the comments about the customer was not protected by the NLRA. However, the NLRB ordered that the employee handbook rules were overbroad and not enforceable.

The dissenting NLRB member concluded that the requirement to be courteous did not violate section 7 of the NLRA and held that:

“[r]easonable employees know that a work setting differs from a barroom, and they recognize that employers have a genuine and legitimate interest in encouraging civil discourse and non-injurious and respectful speech.”

Say What You Will About Gay Marriage

In Smith v. Trafford Housing Trust, a housing manager of the Trust read a news article online regarding gay marriage and posted the link to his Facebook account with the comment “an equality too far”. The manager’s Facebook privacy settings had been set so that his posting could be viewed by his “Friends” and also “Friends of Friends”. This prompted an exchange with one of the employee’s colleagues at work, which was quite tempered but suggested that those gays and lesbians “have no faith and don’t believe in Christ”. The employee was suspended and subjected to a disciplinary proceeding that resulted in a finding of gross misconduct. The employee was offered a demotion to a non-managerial position in view of the length of his service.

According to the decision of the English High Court of Justice (Chancery Division), the Trust had over 300 employees. The court found that at the material time, the employee listed that he was a manager at the Trust. His profile stated “What can I say – it’s a job and it pays the bills”. He described his religious views as “full on charismatic Christian.” His profile and wall pages also listed that he was a manager at the Trust. In putting the post into context, the court held that it was one of a number of posts about “sport, food, motorcycles and cars.”

The court concluded that a reasonable reader of the manager’s wall would not have understood him to be a spokesperson for the Trust. The court rejected that any loss of reputation by the Trust would arise in the mind of a reasonable reader. The manager’s Facebook wall “was primarily a virtual meeting place at which those who knew of him, whether his work colleagues or not, could at their choice attend to find out what he had to say about a diverse range of non-work related subjects.” The court minimized the broader access to his wall by “friends of friends” by stating that “actual access would still depend upon the persons in that wider circle taking the trouble to access it.” The court found that the manager did not thrust his views onto colleagues at the office. The medium and context were not “inherently” work related. In the result, the court concluded that the manager had been constructively dismissed.

Don’t Diss and Threaten Other Employees or Your Employer

The problems for the employees in Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 1518 started when one of the employees posted on Facebook a post that could be interpreted as threatening: “Sometimes ya have good smooth days when nobody’s [expletive] with your ability to earn a living … and sometimes accidents DO happen, its [sic] unfortunate but thats [sic] why there [sic] called accidents right?” Another employee also was posting derogatory comments about managers.

The employees had close to 100 and 377 “friends” respectively. Significantly, the posts were escalating in tone and extreme enough that one person “de-friended” and even the girlfriend of one of the employees commented that “[s]omethings just shouldn’t be broadcasted on facebook, especially when you still work there.”

The employer terminated the employment of the two employees. The union grieved but lost. In an interesting counterpoint to the Trafford Housing Trust case, the British Columbia Labour Relations Board concluded that the comments on Facebook had sufficient proximity to the employer’s business. The comments had been used as a “verbal weapon”. They went beyond shop floor comments to insubordination in front of employees who were friends of the employees by degrading a manager and referring to discipline. The comments also counselled Facebook friends not to shop at the employer. In the result, the termination was upheld.

Substance, Purpose and Context

One should be careful about drawing conclusions from a handful of cases in multiple jurisdictions with different approaches to employment and privacy laws. However, one theme that emerges in all three cases is that, in addition to the substance of the social media posts, the purpose and context for those postings are important considerations in concluding whether the employer has a legitimate interest in the employee’s social media activities.

 

Big Data and Cloud Computing Meet the Uruguay Conference of Data Protection Authorities

The 34th International Conference of Data Protection and Privacy Commissioners was held in Uruguay on October 23 and 24, 2012. The purpose of the International Conference is to bring together data protection and privacy commissioners around the world to discuss emerging issues, share knowledge and promote international cooperation on projects.

The closed session of data protection and privacy commissioners produced the “Uruguay Declaration on Profiling” dealing with the use of Big Data, and two resolutions – one dealing with cloud computing and the other dealing with “the future of privacy”.

Uruguay Declaration on Profiling (Big Data)

In the Uruguay Declaration, the International Conference recognized “the many useful applications of big data and the advantages large data collections could bring to, among others, healthcare, energy efficiency and public safety.” However, the International Conference also outlined the risks of profiling and the potential lack of accountability regarding the quality of data. The International Conference reaffirmed the principle of purpose limitation.

In addition, the International Conference set out eight points that data protection and privacy commissioners should consider when dealing with profiling activities:

1. Public and private entities must be transparent about profiling, the way profiles are assembled and the purposes for which they are being used.

2. Profiling operations should have three phases: (i) identification of the need; (ii) identification of the assumptions and data that will form the basis of the profile; and (iii) how the profile is to be applied in practice. Each phase should be subject to separate decisions and regulatory oversight.

3. Profiles and the underlying algorithms must be continuously validated.

4. Profiling operations should not be fully automated. Human interventions should be required to avoid injustice to individuals subject to fully automated false positive or false negative results.

5. The creator and user of the profile should not be the same.

6. Individuals should be permitted to challenge the profile.

7. Authorities should ensure that they have sufficient enforcement power and knowledge to supervise public and private sector profiling activities.

8. Privacy enforcement authorities should have the power to test and challenge government proposals given the government’s access to large public and private databases.

Cloud Computing Resolution

The International Conference also resolved to encourage efforts and reduce risks associated with cloud computing given its potential to create economic efficiency, lower environmental impact, simplify operation and increase user-friendliness. However, the International Conference recommended in its resolution that:

• Cloud computing should not result in a lowering of data protection standards;

• Organizations should carry out privacy impact and risk assessments prior to engaging in cloud computing;

• Cloud service providers should focus on transparency, security, accountability and trust, particularly regarding information on data breaches and contractual clauses that promote data portability and data control by cloud users;

• Continuing efforts should be made to develop standards and certifications and privacy by design in cloud computing architectures;

• Legislators should assess the adequacy and interoperability of legal frameworks to facilitate cross-border transfers of data; and

• Privacy and data protection authorities should continue to engage with stakeholders.

Future of Privacy Resolution

In recognition of globalization and cross-border transfers of information, the International Conference renewed calls for international cooperation and coordination on data protection and privacy rules to bring national laws into harmony.

 

Tagging You: Guidelines for Facial Recognition in Canada and the United States

In October, the U.S. Federal Trade Commission (FTC) issued a Staff Report, entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies”. Organizations operating in Canada and the U.S. should carefully consider the guidance in the FTC Staff Report.  They should also have regard to earlier guidance on the collection of biometric information, including facial information, issued by the Office of the Privacy Commissioner of Canada (OPC).

In this post, I examine some of the privacy issues that facial recognition technologies present and compare and contrast the U.S. and Canadian guidelines on the use of facial recognition technologies.

A question of liberty and control

The Supreme Court of Canada has said that privacy is at the heart of liberty. “[R]estraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state” (R. v. Dyment, 1988 CanLII 10 (SCC) at para. 17). Very recently, the Supreme Court of Canada reiterated that the underlying values of dignity, integrity and autonomy are fostered by protecting a biographical core of personal information from the state (R. v. Cole, 2012 SCC 53 at para 45, quoting R. v. Plant, 1993 CanLII 70 (SCC)).

Private sector privacy advocates may argue that those same values require that individuals have the right to protect (and control) a biographical core of personal information from private sector organizations, as well, should they choose to do so.

Facial recognition technologies create new challenges for privacy protection.  In public spaces, there is, of course, the possibility that people might recognize you.  However, one of the features of urban spaces is that an individual can often move around in a way that is relatively anonymous.

Advanced facial recognition technologies have the potential to match images across platforms. Pervasive private-sector passive security video surveillance, facial recognition in digital signage, and photos and videos uploaded to social media could, in theory, be combined and cross-matched.  The ability to move around in relative anonymity could, in theory, be lost, along with the ability to control the use of one’s own image. Moreover, the collection of this information could, in addition, be combined with public-sector data from government issued identification and licensing activities, leading to concerns of mass surveillance.

In Canada, we have already had some experience with the potential use of combining private sector data with public sector databases for law enforcement purposes. Following a riot in Vancouver, the Insurance Corporation of British Columbia (ICBC) (a Crown corporation subject to private sector privacy legislation in British Columbia) offered its facial recognition technology to assist police in comparing images of individuals alleged to have participated in the riot with images in its database of drivers. ICBC is the provincial insurer for drivers in British Columbia. The plan was to take images contained on surveillance video and images uploaded to social media and compare them using facial recognition technology with those in ICBC’s database of driver photos. The Office of the Information and Privacy Commissioner of British Columbia (IPC) responded with an investigation that concluded that ICBC did not provide adequate notice of this potential use to citizens and that it must receive a warrant, subpoena or court order before using facial recognition software to assist law enforcement.

Notwithstanding the concerns raised by the IPC in British Columbia, it is easy to be drawn into being overly critical of the use of facial recognition. As the dissenting Commissioner, J. Thomas Rosch, stated in an appendix to the FTC Staff Report, there is, as yet, little evidence that facial recognition technologies are being systematically “misused”. In Commissioner Rosch’s view, the Staff Report was, among other things, premature.

It is also important to acknowledge that reasonable people may disagree on a number of the values underlying suspicion of facial recognition technology.  Some may be sceptical as to whether facial recognition technologies present any material threat to liberty.  Others may be sceptical whether the relative anonymity that urban life affords has anything to do with liberty.  Reasonable people may also differ in the extent to which they are prepared to submit to surveillance for the purposes of public safety.

Moreover, when critiquing facial recognition technologies, it is important to acknowledge that not all facial recognition technologies are the same and not all uses have the same degree of intrusion on an individual’s ability to be “left alone” in relative anonymity.  As the FTC Staff Report notes, there is a spectrum of technological sophistication and a spectrum of uses. Facial recognition technologies may simply detect and locate a face in an image. Other technologies and uses may be to identify demographic characteristics or moods or emotions of the person to deliver targeted advertising.

FTC: technological neutrality but greater transparency and choice

For the most part, the FTC Staff Report is neutral with respect to the use of facial recognition technologies in consumer settings. The FTC acknowledges that facial recognition can be used “in ways that benefit consumers by providing them innovative products and services, such as the ability to try beauty products by uploading their faces to the Web, the ability to target search results, and the ability to organize and manage photos.” Facial recognition technology can also be used to enhance privacy protections. The technology can be used for authentication of mobile devices and to blur images of individuals captured in video.

However, the FTC is also concerned about potential erosions of privacy in ways that are unfair to consumers.  In providing guidance, the FTC has organized its analysis around three core principles:

1.  “Privacy by Design: Companies should build in privacy at every stage of product development.”

The FTC Staff Report states that the transmission of facial information should be encrypted or secured to protect against intrusion from a hacker who could view the images in real time. Organizations should also attempt to prevent unauthorized scraping of images. If images will be retained, there must be reasonable data security protections in place and the images should be subject to destruction once they are no longer necessary for the purpose for which they are collected.

2.  “Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.”

The FTC considers a consumer’s face to be a persistent identifier in the sense that it can’t simply be changed in the way that other identifiers can be such as a credit card number or a tracking cookie. Accordingly, it is critical that there be meaningful and informed choice.

The FTC Staff Report suggests that “walk-away choice” is sufficient if (a) the technology is being used to gather demographic information (age and gender), (b) images are not stored, and (c) the organization has been sufficiently transparent about its activities.

By contrast, using facial recognition technologies for identification purposes requires affirmative express consent. Similarly, using an image in a materially different way (for example, a new use) would require affirmative express consent.

3. “Transparency: Companies should make information collection and use practices transparent.”

The FTC is concerned that the public is not well-educated in the uses of facial recognition technology. For example, the FTC is of the view that facial recognition technologies in digital signage would not be consistent with reasonable consumer expectations. Therefore, it is important to provide prominent notice so that consumers have a meaningful choice as to whether they want to come into contact with these types of technologies.

The FTC Staff Report states that a notice should be prominently placed at the entrance to the store or at the entrance to the area of the store in which the technology is being used. When used with digital signage or other novel applications, a notice should be placed near the digital signage or area of novel use. The notice should state the purpose of the technology and how consumers can find out more information about the technology and the practices of the company operating the signs in that venue.

If facial recognition is used on images submitted to social media, the operators of those social networks should provide consumers with an easy to find, meaningful choice and the ability to turn off the feature and delete biometric data.

Canada’s focus on proportionality

The Canadian guidance from the OPC contains similar themes. Individuals should be informed that facial information is being collected. If facial information will be used for other purposes than those disclosed at collection, additional consent will be required.

However, unlike the U.S. approach, the Canadian approach by the OPC requires that organizations be prepared to justify the use of facial recognition. In part, this is probably because subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA) provides that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” (emphasis added).

In determining what is reasonable, the OPC encourages organizations to apply a four-part test.

1. Is the use of the technology demonstrably necessary to meet a specific need?

2. Is the use of the technology likely to be effective in meeting that need?

3. Would the loss of privacy be proportionate to the benefit gained?

4. Is there a less privacy-invasive way of achieving the same end?

The application of this test means that technologies such as facial recognition are not to be employed simply because they are efficient, convenient or cost-effective. Instead, the OPC suggests that facial recognition should be “essential for satisfying a particular need”. Any loss of privacy must be proportional to the benefit obtained from the technology. If the benefit to the organization of using facial recognition is minor, then it will be difficult to justify the loss of privacy from technologies that may be used to identify individuals. By contrast, technologies that are being deployed for privacy enhancing purposes (such as blurring faces in photos) or that are based simply on sensing that there is a person facing a digital signage may be much easier to justify in the cost to privacy / benefit to the organization calculus.

Implications of the Philosophical Difference

The Canadian focus on the contextual reasonableness of facial recognition technologies is an important philosophical difference in approach, with practical implications. In particular, it may be necessary in Canada to more carefully calibrate the use of facial recognition technologies in consumer settings to a clearly defined need.

Although the use of facial recognition technologies may be more restricted in Canada, they can be used in privacy enhancing ways, as demonstrated by the experience in Ontario casinos.

The Ontario Lottery and Gaming Authority (OLG) facial recognition program is instructive.  OLG maintains a voluntary self-exclusion program for persons who do not want to be admitted to gaming sites. In collaboration with the Information and Privacy Commissioner and the University of Toronto, the OLG developed a facial recognition program that uses biometric encryption. A biometric pointer key is created from a sample image. The sample is then discarded. The identity of the person can only be unlocked by the biometrically encrypted pointer key derived from a person’s live image. Images that do not unlock a self-excluded gambler’s photograph are discarded, thereby protecting the privacy of the general public visiting the casino. If a likely match is identified, staff will check identification, which eliminates false positives. The Ontario Information and Privacy Commissioner has authored a paper describing the project and has presented on the topic recently.

Facial recognition technologies won’t be going away.  They are novel, useful, and fun for consumers.  However, developers should consider engaging in a privacy impact assessment with respect to any deployment of these technologies for new uses and applications.

The Fake Facebook Profile and the Veiled Victim

The Supreme Court of Canada determined yesterday, in A.B. v. Bragg Communications, that a 15-year old can proceed anonymously to pursue the identity of her Facebook cyberbully. 

The 15-year old, A.B., found out that someone had posted a fake Facebook profile with her picture, a modified version of her name, and other identifying particulars. The profile also included demeaning comments about A.B.’s appearance, and sexually explicit references.

Facebook provided the IP address associated with the Nova Scotia account holder.  The Internet provider, Eastlink, agreed to provide more specific information about the address – if a court authorized it to do so.  A.B. brought an application for such an order, and along with the application requested (i) permission to seek the identity of the Facebook cyberbully anonymously (the “anonymity request”), and (ii) a publication ban on the content of the fake Facebook profile. 

While Eastlink did not oppose the privacy requests, the Halifax Herald and Global Television did. The Nova Scotia court granted the order requiring Eastlink to disclose the information about the identity of the cyberbully. However, it denied A.B.’s anonymity request and the publication ban, on the basis that she had not proved specific harm to her that would outweigh restricting access to the media. Put simply, the media’s right to access and report on the facts of the case outweighed A.B.’s right to privacy. This was upheld at the Court of Appeal.

A unanimous Supreme Court overturned this, stating that:

If we value the right of children to protect themselves from bullying, cyber or otherwise, if common sense and the evidence persuade us that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and if we accept that the right to protection will disappear for most children without the further protection of anonymity, we are compellingly drawn in this case to allowing A.B.’s anonymous legal pursuit of the identity of her cyberbully.

The Supreme Court noted that the Canadian Newspapers decision had established that the limits imposed by prohibiting identity disclosure [in a criminal sexual assault case] on the media’s right to freedom of the press are minimal: the media can be present at the hearing, and report facts and the conduct of the trial, without revealing the complainant’s identity. 

In yesterday’s A.B. decision, the Supreme Court placed great emphasis on the inherent vulnerability of children, and the importance of protecting their privacy in the context of cyberbullying.  In the view of the Supreme Court, if we accept that, then surely we must accept the need to prohibit identity disclosure in this case, just as the Court did in the criminal context in Canadian Newspapers.

The Supreme Court allowed A.B.’s appeal in part: her identity would be protected, as would the identifying information in the fake Facebook profile. The non-identifying information in the profile could be disclosed.

This decision provides further direction for those conscious of the protection of the privacy of children, and wondering about the specific content of those obligations. Unlike the United States, Canada has no Children’s Online Privacy Protection Act (COPPA), and while there are set age and child-specific standards in Canadian criminal laws, we have no set age or child-specific standards in our federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The Supreme Court noted that:

Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law.  This results in protection for young people’s privacy under the Criminal Code, R.S.C., [...] the Youth Criminal Justice Act [...], and child welfare legislation, not to mention international protections such as the Convention on the Rights of the Child [...], all based on age, not the sensitivity of the particular child.  

The Supreme Court has sent a message that in contexts where children may be particularly vulnerable – even when the child is 15 years old, and the context is Facebook – the law will protect their privacy on an objective basis based on age, not individual maturity or temperament.


Privacy Conscious Europe is Leading the Cloud Computing Charge

Look out, Canada and the U.S.: European regulators are working to give Europe a head-start as a safe jurisdiction for cloud computing.

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. The Commission wishes to address the “perception” that cloud computing may bring additional risks by making it easier to signal and verify compliance (through standards and certification) and by developing legal frameworks, such as an initiative on cyber security. The Commission summarized the business case for devoting Commission resources to cloud computing as follows:

Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe’s businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe’s traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.

The Commission identified several barriers to an accelerated adoption for cloud computing, including:

  • Contractual standards regarding data access, portability, change of control, ownership of data and dispute resolution processes.
  • Regulatory fragmentation due to differing national legal frameworks and uncertainties over applicable laws, given that cloud services may span multiple jurisdictions.
  • Proliferation of security standards and uncertainty by organizations regarding the security of those standards and the interoperability of data formats to permit portability.

Among the Commission’s activities for 2013:

  • The Commission has challenged itself to develop model terms for cloud computing service level agreements for professional cloud users by the end of 2013. The Commission will also review clauses that could be used in contracts involving the transfer of personal data to countries outside of the EU.
  • The Commission will also develop standardized contract terms for consumer agreements for cloud computing.
  • The Commission supports the development of uniform standards and the certification of organizations providing cloud computing services. The Commission will be tasking the European Telecommunications Standards Institute with developing a set of necessary standards for security, interoperability, data portability and reversibility. The Commission will also assist in the development of an EU-wide voluntary certification scheme.

UK Information Commissioner Provides Constructive Guidance

In other developments, the U.K. Information Commissioner’s Office (ICO) has issued “Guidance on Cloud Computing”, which should prove to be a useful resource for privacy professionals and counsel who are beginning to grapple with cloud computing technologies and mandatory reading for Canadian companies operating in the U.K. Although there are significant differences between Canadian and U.K. privacy laws, this ICO resource is a useful starting point because of the clear and practical approach to decoding the “lingo” of cloud computing and describing the privacy issues. In-house counsel may especially appreciate the use of specific short examples to illustrate concepts.

Among the points covered in the ICO booklet are:

  • Assess the risk of processing highly sensitive data in the cloud. The ICO does not, however, put any types of data off-limits. The ICO states: “Often, the question may not be whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated.”
  • Consider that moving data to the cloud may create additional types of data. Metadata regarding usage statistics or transaction histories of users may be recorded and should be covered by the organization’s privacy policy.
  • Privacy impact assessments should be considered before engaging in large or complex cloud services.
  • Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event. Organizations should engage in a “continual cycle of monitoring, review and assessment”. Furthermore, organizations should ensure that they are notified of any changes to subcontractors and those subcontractors are approved.
  • Use third-party audits and certifications. The ICO supports the use of third party audits and industry certifications to assist organizations assessing the physical, technical and administrative security measures of the cloud service provider. Responsibility remains, however, with the organization to satisfy itself that the cloud service provider has adequate security measures in place to maintain data security.

The ICO states that technical security measures of a cloud computing program should include:

  • Access control through the use of a robust authentication program involving individual username and strong passwords and an administrative program to create, update, suspend and delete user accounts.
  • Encryption of data while in transit and, if possible, at rest (i.e. when stored) should be considered. It is important, however, to ensure that the encryption process also contains a “robust key management arrangement”. This is because access to the decryption key means access to the data and, in addition, inadvertent loss of the key would result in the loss of data.
  • Data retention and destruction procedures to provide for the overwriting and destruction of data consistent with the organization’s document retention protocol and following a transfer to another cloud service provider or discontinuance of the use of the cloud service provider’s services.
  • Limits on the cloud service provider’s access to the organization’s data and controls on whether and how the cloud service provider may use the organization’s data. There should be “an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs.”

On the thorny subject of international transfers of data becoming subject to the laws of the organization to which the data transfer is made, the ICO joined the trend towards international comity by stating as follows:

If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

Movement to cloud computing appears inexorable.  Jurisdictions that are first movers to develop standards and to facilitate the advantages of the cloud computing industry may have the advantage in the long-run.  Digital strategy, anyone?

Mobile Apps in the U.S.: FTC Guidance to Marketers

Last month the Bureau of Consumer Protection of the U.S. Federal Trade Commission (FTC) issued guidance regarding the marketing of mobile Apps.  The guidance should be of interest to companies engaged in cross-border e-commerce activities.  It should be noted, however, that minimum compliance with the FTC guidance may not result in an App marketer being fully compliant in Canada.

Among the key points in the FTC’s guidance document, entitled “Marketing Your Mobile App: Get It Right from the Start” are:

  • Advertising has a broad compass.  The FTC reminds developers that advertising isn’t just a traditional advertisement but includes a range of representations made expressly or by implication about what the product does.  The FTC cautions that App marketers require competent and reliable evidence to support objective claims and may require competent and reliable scientific evidence to support health claims.
  • Key information must be clear and conspicuous.  This isn’t just a matter of the size and readability (although those are obviously important).  It also includes the way in which information is layered.  Layering information isn’t a licence to hide information behind vague hyperlinks.
  • Engage in “privacy by design”.  The Ontario Information and Privacy Commissioner’s “privacy by design” approach should be followed.  This includes the principles of limiting collection, secure storage and safe destruction.  Although the FTC did not emphasize the “privacy by design” principle of privacy as the default, the FTC did note that sharing of data that would not be expected by an average consumer should only be done with express consent.  The FTC also states that sensitive information should only be collected and used with express consent.  In addition, mobile Apps should offer consumers choices and control over their personal information.
  • Honour the promises, including privacy promises, made to consumers.  The FTC cautioned that “[c]hances are you make assurance to users about the security standards you apply or what you do with their personal information.”  Systemic failure to honour these promises or take reasonable steps to protect personal information may lead to FTC enforcement action.
  • Apps designed for children under the age of 13 must comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  This will involve additional disclosures and consent requirements.

Conversational Email, Contracts & the Statute of Frauds

With permission of the publisher of E-Commerce Law Reports, here is a link to my recent article examining three cases decided in Canada, the U.K. and the U.S. in which the Statute of Frauds was pleaded as a defence to the enforceability of contracts created by conversational email.

Marketing to Kids: FTC Seeks Comments on New Rule

The U.S. Federal Trade Commission (FTC) is proposing new rules under the Children’s Online Privacy Protection Act (COPPA).  The current COPPA Rules date to 1999, long before the proliferation of advertising networks and plug-ins.

Given the fluid nature of the Canada-U.S. border when it comes to e-commerce activities, Canadian companies should pay attention to the proposed rule changes.  The FTC is seeking comments until September 10, 2012. [UPDATE: The deadline for comments has been extended to September 24, 2012.]

Key amendments involve changes to the definition of “personal information”, “website or online service directed to children” and “operator”.

Personal Information

The definition of “personal information” would expressly include persistent identifiers. These are identifiers that can be used to recognize a user over different websites or online services, provided that they are used for functions other than the internal operations of the website or online services. This could include Cookies, Internet Protocol addresses, Media Access Control addresses, or any Unique Device Identifier. This is a very interesting amendment that could begin to decouple our understanding of what “personal information” is and focus the policy conversation more properly on the limits of surveillance.

Website or Online Service Directed to Children

The FTC proposes amending the definition of “website or online service directed to children” to include any operator who “knows or has reason to know” that it is collecting personal information from children. The FTC does not believe that this requires ad networks or the suppliers of plug-ins to monitor or to investigate websites and online services. However, the FTC states that this will prevent willful blindness to credible information that their services are being used in respect of children.

Operator

The FTC proposes amendments to the definition of “operator” to make the owner of the website or online service responsible for the activities of the network advertiser or plug-in. The rationale for this amendment is that even though the owner of the website or online service may not have direct access to the personal information collected by the third-party advertising network or plug-in, it is benefiting from that collection because those third-party services provide content, functionality or advertising revenue. Accordingly, these activities should be treated as being integrated with the website or online services being directed to children. The FTC considers the operator of the website or online service to be in the best position to control what advertising networks and plug-ins are integrated into its website or online service and to give notice and obtain appropriate consent.


MAC and IP Addresses: Personal Information?

A minor kerfuffle broke out at a recent (May 30, 2012) U.S. Federal Trade Commission workshop, “In Short: Advertising and Privacy Disclosures in a Digital World.”  During a discussion of privacy and advertising on mobile platforms, Sara Kloek, Director of Outreach for the Association for Competitive Technology, stated that a MAC address was information about a device and not personal information. Pam Dixon, founder and executive director of the World Privacy Forum, was quick to snap back, stating that a MAC address was personal information.

Who is right?  Why is it that we are still debating this fundamental issue?  And is the answer different for IP addresses?  This post is a bit longer than most here on www.datagovernancelaw.com but I’ll try to unpack these issues in the context of Canadian privacy laws and principles.

What’s a MAC address?

A Media Access Control address is an alpha-numeric number that is assigned to a hardware device that connects to a computer network. In simple terms, a MAC address is part of the addressing system that will allow one device to route packets of information to another device.  I’m a lawyer and not a technologist but I think it is fair to say that the MAC address for my smart phone will, for example, be visible to a retailer operating a wireless network when I come within range of that network.  The MAC address will be used by that wireless network when I connect to access the Internet or network services of that retailer.

Each device has a unique MAC address (leaving aside counterfeiting and spoofing).  Therefore, the MAC address for the device may be harnessed as a unique identifier for more than network functionality when it is visible or when an application installed on my device inspects and relays the MAC address. So, a MAC address could be a potential gateway to collecting information on the activities of users of that device when connected to the Internet.  (I wrote “users” deliberately because although there is probably only one user of my smart-phone, the same may or may not be true for any family’s laptop and other devices.)

A MAC address can also be used as a tool in tracking the movements of the device.  For example, Wi-Fi access points will have a MAC address that can be mapped geographically.  When a device (such as a smart-phone, tablet or laptop) interacts with a Wi-Fi network, the MAC address for that device will also be visible, thereby permitting anyone interacting with the device to determine the location of the device, provided that that person (a) knows the location of the Wi-Fi access point and (b) can see the MAC addresses of the access point and the device.

What’s an IP address?

An Internet Protocol address is a numerical label that is assigned to an addressable connection to the Internet. The IP address is also part of the addressing system (at a higher level than the MAC address).  It is used in routing packets of information over the Internet.  Again, I am not a technologist but my understanding is that, for most consumers, the IP address is probably not static or permanently assigned to their device.  Instead, the IP address will be dynamic.  The consumer’s Internet service provider will assign an IP address for a period of time, which might be reassigned to someone else after the consumer disconnects. However, an Internet service provider is able to correlate the IP address at a specific date and time to a subscriber to whom it is providing Internet service access, assuming it retains that information.

The issue gets a bit tricky when a wireless network router is involved.  Take my home wireless network as an example.  The router gateway to the Internet service provider may be assigned an IP address by the Internet service provider.  That IP address may be changed from time to time. Each device connected to the home network will have its own IP address internal to the network.

What’s personal information?

Personal information is defined in Canadian private sector privacy legislation as information about an identifiable individual.  There are some exceptions, but that is the basic definition.

Although reasonable people can debate the point, one justification of privacy legislation – whether applicable to the private sector or the public sector – is that it is necessary to protect individuals from unreasonable surveillance.  Indeed, there was a telling exchange at the FTC workshop mentioned at the outset of this post, when Pam Dixon said that the MAC address was personal information since, after all, it could be correlated to an individual and be subject to a subpoena.

Unreasonable surveillance may be viewed as inimical to personal liberty and potentially used as a tool of manipulation or, in its worst form, oppression.  Even when an organization engages in surveillance for public good or passively without seeking to manipulate, some view this as a significant intrusion since the information obtained through that surveillance may be conscripted by the power of the state for other purposes.

The problem that privacy advocates face is that the gateway concept of “personal information” as currently drafted in Canadian privacy legislation is probably too amorphous in many cases to constrain systematic surveillance in a coherent way.

Thus, in an appellate case last year, the Alberta Court of Appeal concluded that in order for information to be about an “identifiable individual”, the person must be identifiable and the information must have a precise connection to an individual.  In order to be “personal” the information must be about the individual – that is, directly related to the individual.  Information did not become personal information simply by being associated indirectly with an individual through ownership.  Without that limit, “virtually every object or property is connected in some way with an individual” and would become personal information.

So, a driver’s licence is personal information in Alberta but a licence plate is not.  The driver’s licence is uniquely connected to a person. Indeed, the driver’s licence card functions in Canada as an identification card – that is, government issued identification.  On the other hand, in Alberta, at least, a licence plate is connected to the vehicle and only linked through a database to an individual. Reasonable people can debate the Alberta decision and whether other appellate courts should follow when the issue arises.

So what’s the answer?

In one sense, the answer is easy.  The Office of the Privacy Commissioner of Canada considers that an IP address may constitute personal information if the IP address is associated with or linked to an identifiable individual.

Similarly, in a commendable and comprehensive study of the issues, the Information and Privacy Commissioner of Ontario and Kim Cameron argue that MAC addresses, as unique identifiers, may be linked to individuals and, therefore, may constitute personal information.

The precautionary principle suggests that organizations should treat MAC and IP addresses as personal information.  However, in many (most?) cases, MAC and IP addresses may not be directly linked to individuals.  An Internet service provider will be able to associate the IP address to a home or business account but not (at least in the ordinary course) to any particular person using a device linked to the Internet, particularly if we are talking about my access to the Internet through a WiFi system at a coffee shop.  A MAC address does not disclose who actually has possession of the device.  However, there is a greater probability of correlation between the owner of the device and the MAC address than there is between an IP address and an individual.

So we are back to where we always are with personal information.  A MAC address or an IP address is rarely going to be in and of itself information about an identifiable individual in the sense of having a precise connection and being directly related to an identifiable individual.  It is the context of how the MAC address or IP address is combined with other information (or could reasonably be combined with other information) that has privacy advocates concerned.  In each case, of course, if you knew and combined enough on-line and off-line information you might have enough data to make a highly probable guess about who was doing what and where.  But the same could be said about a licence plate number.

So who was correct (from a Canadian perspective) at the FTC workshop?  Both.  In and of themselves, MAC addresses (and IP addresses) are likely not personal information but they are rich gateways to the collection and the accumulation of data points that can transform them into personal information if privacy (anti-surveillance) measures are not built into the technologies using these addresses.  Ultimately, what is personal information is fundamentally determined by context.  The debate will continue.

U.S. Proposal for Federal Privacy Breach Notification Law: Whither Canada?

The U.S. Senate is considering a new U.S. federal privacy breach notification law, entitled The Data Security and Breach Notification Act of 2012.  The Bill is currently before the Committee on Commerce, Science and Transportation.

If enacted, the Bill would apply to organizations over which the U.S. Federal Trade Commission has authority (“covered entities”).  For these organizations, the Bill’s provisions would pre-empt a patch-work of state laws dealing with privacy breach notification.  It would not regulate financial institutions or certain health care institutions that are governed by other U.S. federal legislation.

Notably, the Bill recognizes the reality of the outsourcing of data processing and integrates that into a hierarchy of responsibilities so that data breach notification can be implemented in an organized way.  The following are some of the highlights of the Bill:

  • Covered entities who own or licence data in electronic form must provide notification to citizens or residents of the United States whose personal information may have been “accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause, identity theft or other financial harm.”
  • If the number of individuals involved in the data breach exceeds 10,000, then the covered entity must also notify the U.S. Secret Service or the U.S. Federal Bureau of Investigation.
  • Third parties who are contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity are required to notify covered entities of security breaches.  At that point, the covered entity is responsible for notification to individuals.
  • Internet service providers and other service providers who route data are required to notify covered entities of security breaches affecting the covered entities’ data if those covered entities can be reasonably identified. Once notified, the covered entities are responsible for notification to individuals.
  • Notification to individuals is to be made “as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.”  However, notification may be delayed in the interests of a criminal investigation or national security.
  • Generally, notification will be direct notification and may be made by mail, telephone or electronic means. The content of the notice is specific: the date, estimated date, or estimated date range of the breach of security; a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and contact information to find out more about the breach and the information that the covered entity maintains about the individual. If the covered entity does not have sufficient contact information or the cost would be excessive, the covered entity may provide notice by certain substitute means.

The proposed U.S. Bill has a limited reach.  It is focused on personal information that is highly sensitive in terms of identity theft and fraud.  The definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with any one or more of the following:  (a) social security number; (b) driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; or (c) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

Meanwhile, in Canada, amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) remain stalled.  The amendments would introduce privacy breach notification to provinces other than British Columbia, Alberta (which already has privacy breach notification) and Quebec.  See my post for a run-down.

When comparing the proposed U.S. and Canadian legislation, one issue that jumps out is that the Canadian Bill is concerned with a broader array of data security breaches.  This is not necessarily a good thing.  

First, the Canadian amendments do not clearly distinguish organizations that are primarily accountable for personal information from outsourcing companies who may process or store the information and service providers who may route data.  Instead any organization that “controls” the data is responsible for data breach notification.  “Control” is not defined.  Previously, the Office of the Privacy Commissioner of Canada has concluded that information may still be controlled by an organization even though not in its possession.  This makes sense and is consistent with the law in other areas, such as discovery obligations in litigation.  However, it is possible that more than one organization may “control” the information.  We might productively debate whether a hierarchy of responsibility, such as in the U.S. proposed Bill, would provide clarity and make breach notification more manageable as well as more clearly define who is accountable for the implementation of breach notification.

Second, the Canadian amendments apply to all types of personal information. It will be up to organizations to determine whether the breach is “material” based on assessments of the sensitivity of the personal information. No legislative guideposts are provided with respect to sensitivity. Furthermore, the standard for individual breach notification rests on whether the individual might suffer a real risk of significant harm. The types of harm are broad. If the Alberta experience is indicative of the approach that might be taken federally, the result will be an expansive interpretation of what might constitute a real risk of significant harm. Although the individual breach notification requirement in the proposed U.S. Bill is also related to harm, it is more narrowly focused on identity theft and financial harm. While we might debate whether these protected interests are too narrow, there may be utility in revisiting whether the Canadian law is too vague to provide organizations with meaningful guidance.

The American Bar Association has more on the U.S. Bill here.


Canada – U.S. Security Perimeter Privacy Principles

As Canadians were getting ready to head off for a long-weekend, Canada and the U.S. released a Statement of Privacy Principles intended to govern sharing of information between the two countries in connection with the Canada-U.S. Security Perimeter agreement.

Canada and the U.S. have expressly declared that the Statement of Privacy Principles is non-binding and does not create any rights or obligations under domestic or international law.  Accordingly, its utility appears to be limited to a guiding statement of intentions.

There are twelve principles.  Three are particularly worth noting:

  • Permission for Onward Transfers to Third Countries. Information shared by Canada with the United States (or by the United States with Canada) may be shared with third countries.  For example, data shared by Canada with the U.S. may be shared with a third country if onward sharing would be consistent with the domestic law of the United States and any sharing conforms to international agreements and arrangements between the United States and third countries.  If there are no applicable international agreements, the originating country (in our example, Canada) is supposed to be notified of the information transfer.
  • Redress.  Canada and the United States are supposed to provide for remedies where a person’s privacy has been infringed by international sharing or where there has been a violation of data protection rules with respect to that individual.
  • Individual Access and Rectification.  Canada and the United States are supposed to provide individuals with access to personal information as well as the ability to seek rectification and/or expungement of their personal information.  If access is to be limited, the country restricting access is supposed to provide specific grounds consistent with domestic law.

Big Data – Ontario Privacy Commissioner & IBM Fellow Outlines Framework

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and IBM Fellow, Jeff Jonas, have released a very interesting paper entitled “Privacy by Design in the Age of Big Data”.

“Big Data” is the buzz word used to describe the latest frontier in data analysis.  In very simple terms, we are producing huge quantities of structured and unstructured data through our electronic activities.  Organizations are now able to “crunch” extremely large data sets involving dispersed data from various aspects of those digital footprints that we leave behind through our activities.  Moreover, the increased sophistication of technologists in developing algorithms and the increasing processing power of technology means that the analysis of extremely large data sets may take place almost in real time, thereby permitting organizations to act or react to opportunities as they present themselves.

The size of the data sets, the combining of data about individuals from multiple sources or interactions, and the risk of inadvertent disclosure or unauthorized access create significant privacy risks.  However, there is also a significant risk that a lack of understanding by the public and legislatures or a significant privacy breach at this critical stage of development of Big Data analysis could produce a knee-jerk legislative or policy reaction.  We only need to recall how justified and unjustified fear of “Big Brother” databases has entrenched privacy legislation that has historically prevented sharing of information across government departments and agencies.

Ontario’s Information and Privacy Commissioner, Dr. Cavoukian, and IBM Fellow, Mr. Jonas, demonstrate that privacy and “Big Data” can co-exist.  We can have the benefits of both.  Their paper outlines seven technical principles employed in Mr. Jonas’ “next generation” systems, which balance the utility of Big Data with privacy principles by embedding those principles in a very sophisticated way into the systems employed by the technology.  Of course, the technology itself is not the complete answer to privacy issues.  The point is that by embedding privacy principles into the technology, the technology will not frustrate an organization’s adherence to privacy principles.

For example, accountability and transparency are embedded into the feature of “full attribution” — that is, all data can be traced back to its source and changes accounted for in real time.  However, by using sophisticated technologies to de-identify data on transfer, the data sets will be anonymous when placed into the Big Data database used for deployment of the Big Data analytics.

If you are interested in “Big Data”, be sure to join me, Nathalie Des Rosiers (General Counsel, Canadian Civil Liberties Association) and Colin McKay (Manager, Global Public Policy, Google Canada) at the Canadian Institute’s Forum on Privacy Law and Compliance (September 20-21, 2012) where we will be presenting on this topic.

Cloud Computing and the USA Patriot Act: Canadian Implications

A perennial issue in Canadian privacy law is what to do about the USA Patriot Act.  Just when we think we have things reasonably sorted out, the issues pop up again in a new context.  This time it is cloud computing.

What’s the USA Patriot Act?

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (usually referred to as the “USA Patriot Act” or just the “Patriot Act”) is US legislation that was passed following the September 11, 2001 attacks on the World Trade Centre in New York City.  Among other things, the Patriot Act made it easier for US law enforcement officials to intercept electronic communications and business records.  One of the controversial measures was that officials were granted the power to issue a National Security Letter to electronic communication service providers requiring them to hand over information without informing the affected parties (in some cases without any judicial oversight).

For the purposes of this discussion of cloud computing, however, one of the most important provisions is section 215, which deals with access to business records.  Section 215 repealed and re-enacted provisions of the Foreign Intelligence Surveillance Act (USA).  Pursuant to section 215 of the Patriot Act, the FBI may apply to a federal judge for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.   US commentators agree that this definition covers electronic business records.

What’s cloud computing?

In its most complete form, cloud computing involves outsourcing applications (e.g. email, customer relationship management, and accounting software), platforms (e.g. database architecture) and infrastructure (e.g. servers).  All of these IT functions are offered as a service to organizations either independently or as a package.  An organization’s data (e.g. its emails) may be stored in segregated servers or intermingled with the data of other organizations and segregated through the functionality of the service provider’s information technology.  The organization accesses its data through Internet portals.

Where’s the Cloud?

The cloud isn’t in the sky.  Data sent over the Internet in a cloud computing arrangement may be (and often will be) stored outside of Canada and may be intermingled with data from other organizations.  In many cases, the cloud computing service provider may subcontract the storage of data to one or more organizations operating data centres.  If these data centres are in the US, well, therein lies the rub.  The data is going to be subject to the laws of the United States, including the Patriot Act.  Actually, if the data is even accessible from the US or by an organization subject to the jurisdiction of the US, the data is likely to be subject to the laws of the United States.

Okay, so the USA Patriot Act may apply, do I have a Canadian privacy problem?

Transfers create legal issues. Organizations have a privacy “problem” every time they transfer data.  This is because under Canadian federal and provincial private sector privacy laws, the organization that collected and is entitled to use the personal information remains responsible for its security throughout its life-cycle.  Indeed, in many cases organizations will have created a contractual obligation with individuals by incorporating the organization’s privacy policy (and privacy commitments) into terms of service or use or other customer e-commerce contracts.  Organizations may wish to consider legal advice to understand how commencing cloud service transfers of personal information will affect existing legal commitments.  It may be necessary, for example, to give special notice to individuals and to provide them with opt-out or termination opportunities.

But organizations aren’t prohibited from using US-based cloud services, if they are only operating in the private sector.  Federal and provincial private sector privacy legislation does not prohibit the transfer of personal information to an organization in another jurisdiction for processing and storage, provided that:

  • The transfer does not entitle the organization receiving the personal information to use that information for purposes other than those for which individuals expressly or impliedly consented.
  • The transferring organization remains accountable for the protection of the personal information that has been transferred.
  • The organization receiving the personal information provides a comparable level of data security as would be required under Canadian law and the terms on which the collecting organization collected the information.
  • Disclosure is made to individuals.  As a general rule, this disclosure to individuals should include notice that (1) their personal information will be transferred outside of Canada for processing and storage, (2) their personal information will be subject to the laws of the foreign jurisdiction and (3) the laws of the foreign jurisdiction may be different (and less protective) than those of Canada.

The transferring organizations will wish to consider obtaining meaningful contractual commitments to administrative, technological and physical security protections from the organization to which the personal information is being transferred. The transferring organizations will also wish to consider audit or other rights that would permit ongoing diligence of these security protections as well as the use being made of the personal information.

The Patriot Act provisions do not (on their own) mean that personal information will not be subject to a comparable level of security. An interesting survey and comparison of surveillance laws in Canada, the US, the UK and France was conducted by the Office of the Privacy Commissioner of Canada in 2009, which remains an important reference.  Since 1990, Canada and the US have had a Treaty on Mutual Legal Assistance in Criminal Matters in which each country has agreed to assist the other with the investigation, including seizure of records, of criminal activity. The Canadian Security and Intelligence Service Act (Canada) provides for secret warrants for the interception and seizure of, among other things, electronic data.  The National Defence Act (Canada) permits the Minister of Defence (without judicial supervision) to authorize the Canadian Communications Security Establishment to intercept communications relating to foreign entities under certain circumstances.  In addition, the Criminal Code (Canada) permits seizures of electronic data.  The combination of this legislation has led the Office of the Privacy Commissioner of Canada to conclude in three decisions (here, here, and here) not only that Canadians are at risk of personal information being seized by Canadian governmental authorities (including without the knowledge of the target) but also that there is already a risk of that information being shared with US authorities.  (This is not to say that reasonable people cannot still differ as to whether they wish to have their personal information stored outside of Canada.)

But if you are a public sector organization or contracting with a public sector organization in British Columbia or Nova Scotia (and probably Alberta), you need legal advice.  Cloud-based services get a bit trickier when dealing with public sector organizations.  British Columbia, Nova Scotia and Alberta each have legislation that prohibits or, in the case of Alberta, potentially prohibits the storage of data outside of Canada.  In these cases, organizations would be prudent to obtain legal advice.

 

 

Cookie Disclosure and Opt-Out Tools: A brief round up

In December 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidance stating that “collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent” and that there must be an “opt-out” mechanism if the technology is being used for on-line behavioural advertising.  However, organizations in Canada have been short on tools for complying with the OPC’s guidance and have been slow to increase the prominence of their disclosure regarding cookie use.

In the United States, as I reported in a previous post, the FTC has called for the advertising industry to make “Do Not Track” initiatives fully operational by the end of 2012.  Advertisers must be transparent about their deployment of cookies and other on-line tracking technologies and provide people with a method of opting out.  The Digital Advertising Alliance in the U.S. has continued to promote an advertising opt-out tool (AdChoices), which is beginning to appear on web sites (often near the link to the organization’s privacy policy).  The Network Advertising Initiative also offers an opt-out tool, and organizations have been including links to the tool for users to opt out.

In the UK, new “cookie” rules came into force on May 26, 2012.  Organizations must now obtain consent to the use of cookies and provide a method for subscribers and users to opt out of cookies (with some exceptions). The UK Information Commissioner’s Office has issued a guidance document to assist organizations with compliance efforts.  The examples provided for increasing the prominence of disclosure of cookie use and for obtaining consent are particularly helpful.

Meanwhile, Canada has lagged behind on practical advice from the Federal and Provincial Privacy Commissioners and tools for assisting Internet users to opt-out of tracking technologies.  On the “tools” front, this may change.  In a preface to an article reporting on an interview with outgoing IAB Canada president Paula Gignac, Marketing Magazine reports that IAB Canada is in negotiations to bring the AdChoices program to Canada.  Some Canadian organizations aren’t waiting for a Canadian solution.  The AdChoices icon has begun popping up on websites of Canadian-based organizations.

Anti-Spam Update – Proposed New Exemptions on the Way

Today the Canadian Bar Association held an update session for members on Canada’s Anti-Spam Legislation (“CASL”).  An oral presentation was provided by Andy Kaplan-Myrth, a Policy Advisor in the Digital Policy Branch at Industry Canada and a member of the team that developed and is implementing CASL.

Here’s what we heard from the discussion.  [Please note that information and comments provided by Mr. Kaplan-Myrth and other participants are intermingled with my own below.  The following is not intended as a verbatim report on the presentation.]

  • Industry Canada is targeting the release of further draft regulations for comment by the summer; however the ultimate timing depends in part on internal government processes including Treasury Board approval;
  • The regulations will reflect some concerns heard during and since last year’s comment process on the last draft regulations.  As we noted in past posts, many industry stakeholders believed that the earlier draft regulations did not go far enough to clarify obligations and provide needed exemptions;
  • Industry Canada is focusing on exempting activities that clearly do not constitute “spam”, where a line can clearly be drawn to define permitted activities and exclude others;
  • Industry Canada welcomes comments on the regulations, and beyond that process, is also seeking input from stakeholders on what areas of CASL and definitions should be clarified in information bulletins;

More substantive questions discussed:

Q:  Does it make sense for the “form and content” (i.e. contact information and unsubscribe) requirements to apply to messages: sent within businesses, to their employees?  sent B2B, such as banking transactions? that must be sent by law?  that are responses to an inquiry?

A: In some cases…not really.  The forthcoming draft regulations may address these.

Q:  How do you set up third-party referrals under CASL?

A: Referral marketing can be done with appropriate consent, but don’t forget that consent must meet both CASL and PIPEDA requirements.

If it’s a “refer a friend” scenario, and the person is truly a friend or family under the law, then CASL will not apply.  (As some have suggested, CASL will legally define for us who our true friends are.)  Under regulations to come, the definition of a “friend” may be broadened to include virtual friends met online.

Q:  What’s required to get express consent, and document it?

A:  Oral consent, and even a check-box is acceptable (perhaps even pre-checked, if the request for consent is clearly conveyed).  Australia has provided some practical guidance for business under its Spam Act 2003 on obtaining consent, and a range of other topics.  Although Canada’s legislation is different from Australia’s, the CRTC may provide similar forms of guidance on practices to obtain consent and related issues.  As mentioned above, both Industry Canada and the CRTC are interested to hear from stakeholders on where guidance is most needed.

As for documenting consent:  this will be up to clear internal policies and practices.  These are intentionally not spelled out anywhere, to give organizations the latitude to find what works for them…while meeting the CASL requirements.

Q:  Can organizations rely on PIPEDA consents under CASL?

A:  Remember that CASL “overrides” PIPEDA, to the extent of any conflict (s. 2 of CASL).  And that CASL expressly requires a high standard of consent to send commercial electronic messages.  Therefore organizations can’t rely on “grandfathering” PIPEDA consents under CASL, broadly speaking.

If however, existing PIPEDA consent also meets the CASL requirements for implied consent – for example an “existing business or non-business relationship” – then that is sufficient.  Many organizations can and will rely on implied consents to send many of their CEMs during the transition years, the first three years after CASL enters into force (see s. 66 of CASL).

What’s Next?

Although CASL won’t enter into force until 2013, there is a significant amount of preparation going on this year, as noted above, and here.

We have also heard reports that many organizations outside of Canada have not even heard of CASL, so clearly more needs to be done to raise awareness.  For those organizations that are familiar with the U.S. CAN-SPAM Act requirements, our comparison of CASL to CAN-SPAM may assist.


Spoliation and Social Media

News media have paid significant attention to court orders requiring production of relevant documents from Facebook and social media sites in the course of litigation.  As described in my recent post, the Ontario Information and Privacy Commissioner has recently published a booklet on privacy and reference checks.

From the Canadian litigator’s perspective, all the fuss might be difficult to appreciate.  In Ontario, for example, the Rules of Civil Procedure require that litigants must disclose to all of the parties to the litigation the existence of every relevant document in their possession, power or control and must produce to the other parties all of those relevant documents that are not privileged.

A document is defined by the Ontario Rules of Civil Procedure to include data and information in electronic form.  Electronic information will be in the power of a party if that party could obtain a copy of it.  So, pictures and posts accessible through your social media account are documents and within your power to produce. The only question is whether those posts are relevant.

Photographs and posts to social media accounts may be relevant to litigation in a number of ways.  In a personal injury or long-term disability case, they may suggest that claims of being unable to enjoy life or to work are exaggerated or false.  They may suggest that a  litigant was in a location or with people as alleged and contrary to protestations otherwise.  They may contain evidence of defamation or the truth of what might otherwise be defamatory statements.

Once litigation has been commenced or is contemplated, litigants and potential litigants should be careful, however, that they do not take steps to “cleanse” their social media accounts.  It often comes as a surprise to litigants that they are required to preserve physical and electronic documents – even if that material might be unhelpful to their case.  However, the preservation obligation will often begin even before litigation has been commenced.  Once a demand letter is drafted or received, or legal advice is sought with respect to potential litigation, a potential litigant may be required to preserve evidence.  Therefore, individuals involved in litigation or where litigation is a reasonable possibility should seek legal advice on their obligations.

Intentionally destroying evidence is called spoliation.  Spoliation occurs where a party (the spoliator) has intentionally destroyed evidence relevant to ongoing or contemplated litigation in circumstances where a reasonable inference can be drawn that the evidence was destroyed to affect the litigation.  In Canada, spoliation usually produces an adverse inference that the evidence would have been unhelpful to the spoliator and may result in sanctions.

A recent U.S. case illustrates some of the pitfalls of, and the U.S. sanctions for, spoliation involving social media (Lester v. Allied Concrete Co., Case No. CL09‐223 (Va. Cir. Ct. Sep. 1, 2011), and Lester v. Allied Concrete Co., Case Nos. CL08‐150, CL09‐223 (Va. Cir. Ct. Oct. 21, 2011)):

  •  The plaintiff was the husband of a woman who was killed in an automobile accident.  He sued the truck driver and the driver’s employer and initially won a substantial damage award.
  • During the discovery process for his trial, he was asked about his Facebook account.  The defendants had produced a photo justifying the request that was apparently taken after his wife’s death and showed him holding a beer can and wearing an “I [heart] hot moms” t-shirt.
  • The plaintiff, with the lawyer’s advice, deleted the Facebook account and responded that he did not have a Facebook account at the time of responding to the discovery requests.

The Virginia court was not impressed. It cut the damages award to the plaintiff in half and awarded cost sanctions against both the plaintiff and his lawyer.

In Canada, courts are reluctant to make similar awards, preferring to remedy the wrong in other ways, such as providing procedural remedies for additional discovery and drawing adverse inferences that the destroyed documents would have been unhelpful to the party who destroyed them.  Courts can also award cost sanctions.  To date, however, courts have not awarded damages against the spoliator.  Nevertheless, once litigation is contemplated – resist the urge to press delete!

 

 


Nova Scotia Considers Legislative Action to Prevent Employers from Requesting Social Networking Passwords

On April 23, 2012, Nova Scotia Liberal MLA Andrew Younger introduced Bill 40, which would amend the Labour Standards Code (Nova Scotia) to prohibit an employer from requiring an employee or prospective employee to provide access to the employee or job candidate’s social networking account or discriminating against the employee or job candidate for refusing to provide such access.  The Nova Scotia NDP government is reported to be considering the Bill.

If the Bill were to pass, it would be the first legislation to pass in Canada specifically addressing the practice of employers requiring employees or job candidates to provide access to social networking accounts.  Last week, Maryland became the first state in the United States to pass legislation prohibiting an employer from requesting or requiring that an employee or job candidate disclose passwords (among other things) for accessing personal accounts or social networking services and disciplining any employee who refused to release such information. The bill has not yet been signed into law.  California Senate Bill 1349 would go further and prohibit a post-secondary institution or an employer from requiring a student, employee or prospective student or employee, to provide access to that person’s personal social media account.

It is questionable whether such specific legislation is required in Canada.  In a recent post on Employment and Labour Law, my colleague, Naomi Horrox, wrote about the practice of accessing personal information about job candidates by asking candidates for their passwords to social networking sites that they use.  Naomi reported in her article that the Ontario Human Rights Commission warned that doing so could lead to discrimination claims against the employer.

In addition, any employer who seeks access to social networking sites should obtain legal advice regarding Canadian privacy obligations as the employer who logs on as the job candidate will have access to and may be accessing and collecting personal information about third parties (the candidate’s contacts) by reviewing and copying any information on the site.  Employers should seek legal advice regarding whether such access and collection might be contrary to the third parties’ reasonable expectations and whether consent of those third parties is required in the circumstances, depending on the third parties’ privacy settings.

Anti-Spam Law: See updated CASL v. CAN-SPAM summary

Are you one of those who have been monitoring the progress of Canada’s Anti-Spam Law (CASL)?  

If so, you may also have given some thought to the difference between the existing U.S. rules under the CAN-SPAM Act, and the new Canadian rules under CASL coming into force in 2012.  After all, the CAN-SPAM rules have been in place for years, and have become accepted industry practice for marketers and others in the U.S., and to a certain extent, informally, in Canada. 

CASL and CAN-SPAM are similar in some basic respects, but they are very different in important ways.  As we’ve explained in earlier posts, CASL has broader application, a higher standard for consent, greater penalties, and a clearer out-of-country reach than the U.S. CAN-SPAM Act. 

Our SlideShare overview, Comparing CASL to CAN-SPAM, has received over 1,000 views to date.  We’ve just updated the overview to reflect the recently finalized CRTC regulations which set out requirements for consent and message content.  Take a look at the updated Comparing CASL to CAN-SPAM and let us know if it answers your questions.


FTC Released Final Privacy Report

At a press conference today, March 26, 2012, the U.S. Federal Trade Commission (FTC) released its final report on protecting consumer privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change”.

FTC Chairman Jon Leibowitz began the press conference by quoting former U.S. Supreme Court Justice Louis Brandeis, who wrote in dissent in a 1928 wire-tapping case that the Fourth and Fifth Amendments to the U.S. Constitution recognized that the right to be let alone was “the most comprehensive of rights and the right most valued by civilized men.”

The FTC outlined three over-arching principles for protecting consumer privacy at the beginning of the 21st Century:

  1. Privacy by Design. Incorporate privacy in the developmental stages of projects.  This is the “privacy by design” principle, the case for which has been convincingly made by the Ontario Information and Privacy Commissioner.
  2. Simplified Consumer Choice. Consumers must have simplified choice with respect to how their personal data is used.  The FTC emphasized that no one has the right to put anything on a consumer’s computer.  The FTC acknowledged the strides being made in Do Not Track initiatives.
  3. Transparency. Data use practices must be transparent. The FTC suggests that privacy disclosures must be less onerous for consumers to navigate and read.

The FTC suggests that legislation may be required to regulate “data brokers”.  Data brokers may be engaged in types of activities that are similar to credit and consumer reporting agencies without coming within existing legislation governing consumer and credit reporting agencies. The FTC has called on data brokers to create a centralized website where data brokers would “(1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”

On the issue of “Do Not Track”, the FTC acknowledged the strides that had been made and stated that if “Do Not Track” was not fully operational by the end of 2012, the advertising industry should expect that there would be a “tsunami” of calls for legislation.

Information and Privacy Commissioner Collaborates with U.S. Utility

The Ontario Information and Privacy Commissioner and San Diego Gas & Electric (“SDG&E”) have released a white paper on the collaboration of SDG&E and the Office of the Information and Privacy Commissioner regarding privacy issues in SDG&E’s dynamic pricing project.  The project makes use of technological capabilities of smart meters, to offer time-variable rates to home owners and tools to manage and understand energy consumption. The paper describes how SDG&E integrated privacy considerations during the development of the project.

CRTC Finalizes Anti-Spam Regulations – A Bit More Flexibility for Businesses

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL).  The regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to the entry into force of CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.


White House Announces Consumer Privacy Initiatives

The U.S. White House has released a Consumer Privacy Bill of Rights and a report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”

The Consumer Privacy Bill of Rights, which is modeled on principles found in Canada’s Personal Information Protection and Electronic Documents Act and other similar legislation in other countries, is intended by the Obama Administration to be part of a larger privacy rights initiative to provide users more control over how their information is handled. Among the elements to the Obama Administration’s initiative will be enforceable industry codes of conduct and the potential for federal privacy legislation.

The White House also announced that many leading internet companies and online advertising networks have committed to make it easier for users to control online tracking.

Privacy and Mobile Apps for Kids

Canadian Privacy Commissioners have expressed concern regarding the collection and use of personal information from children.  In the Office of the Privacy Commissioner of Canada’s 2010 Report on Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing, released in May 2011, the Privacy Commissioner stated:

“[...] the OPC is of the view that baseline standards need to be developed to support parents and educators in terms of knowing that children’s personal information is being protected. A framework needs to be put in place that will better inform parents and educators and, ultimately, will better protect the personal information of children [...]”

South of the border, the United States Federal Trade Commission (FTC) recently issued a staff report regarding the adequacy of privacy practices disclosures in the mobile app market for kids.

Although the report was focused on disclosures of privacy practices, the FTC stated that it will be conducting additional investigations to determine whether any of the mobile apps violate the U.S. Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA regulates the collection, use, and disclosure of personal information from children and generally requires verifiable parental consent to the collection, use and disclosure of such personal information.

Regarding privacy practices disclosure, the FTC Staff report concluded that:

  • there was insufficient disclosure of the data collection, data sharing and interconnectivity of mobile apps for children;
  • parents should not have to navigate to lengthy privacy policies and terms of use to determine whether personal information is being collected and used;
  • disclosure should be provided prior to downloading and use because by that point the child may already be using the app and the parent may have already been charged a fee; and
  • icons and short disclosures should be used to alert parents if the mobile app (a) permits information to be shared with social media, (b) allows “in-app” advertising to occur, or (c) permits “in-app” purchases.

On the subject of “in-app” advertising, the FTC raised three concerns with what it assessed was an inadequate level of disclosure:

  • parents may want to limit the data collected by advertisers and ad networks about their children;
  • even if the advertising is not based on any information collected from the child, parents may want to limit their children’s exposure to ads; and
  • parents may not want children to be able to call numbers or visit websites appearing on in-app advertisements.

In Canada, mobile app developers and marketers should seek legal advice regarding, among other things, the Quebec Consumer Protection Act restrictions on advertising to children.  With few exceptions, Quebec prohibits commercial advertising directed at persons under 13 years of age.

New U.S. Rules for Pre-Recorded Telemarketing Calls

On February 15, 2012, the U.S. Federal Communications Commission approved new rules regarding auto-dialed or pre-recorded telemarketing calls to residential and mobile numbers.  Among the important changes are:

  • express written consent will be required for auto-dialed telemarketing calls to residential lines and wireless numbers;
  • the “established business relationship” exception to the consent requirements for auto-dialed telemarketing calls to residential lines will be eliminated; and
  • auto-dialed pre-recorded messages must provide consumers with an automated, interactive opt-out mechanism to permit the consumer to opt-out of receiving further calls.