The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, September 30, 2008
Today is the first day for consumers to add themselves to the Canadian Do Not Call List (https://www.lnnte-dncl.gc.ca/) but the online system has been overwhelmed with people looking to get added to the list.
If you want more info on the national DNCL, you can check out some past posts and these resources:
And if you're inclined to tell telemarketers not to call you, you should also take advantage of iOptOut, which also appears to be down.
Monday, September 29, 2008
The Open Rights Group in the UK is planning to crowdsource a photographic survey of the United Kingdom's surveillane aparatus on October 11. Participants are encouraged to:
- Spot something that embodies the UK’s wholesale transformation into the surveillance society/database state. Subjects might include your local CCTV camera(s), or fingerprinting equipment in your child’s school library
- Snap it
- Upload it to Flickr and tag it “FNFBigPicture” - please use an Attribution Creative Commons license*
Check out: The Open Rights Group : Blog Archive » Capturing the database state: community photocall. I'll post a selection of the photos on the blog. (Via the ever-vigilant Boing Boing.)
Sunday, September 28, 2008
A system designed to track motorists in the UK is being expanded to collect fifty million automobile movement records for five years, instead of the already intrusive two years originally announced. Alread pervasive CCTV cameras are being upgraded to capture license plates, adding to what is being said to be the largest oracle database in Europe.
Thanks to SpyBlog.org.uk for the link.
Wednesday, September 24, 2008
This recent case was brought to my attention today: R. v. Ward, 2008 ONCJ 355 (CanLII). The decision is a ruling on a charter motion on whether evidence in a child pornography investigation should be admissible after the police obtained the identity of an internet user from an ISP without a warrant. Acting on a pretty solid tip from Germany, police identified three IP addresses that were associated with dealing with child pornography. Instead of getting a warrant, the police when to the ISP, Bell Sympatico, and got the name and address of the subscriber associated with the IP address. (I have no doubt that the tip would be enough to get a warrant.)
Justice Lalande distinguished this case from R. v. Kwok, by pointing out that the user agreement with Bell Sympatico reduces if not destroys any reasonable expecation of privacy that the user may have. In order for a warrantless search to be reasonable, there has to be no reasonable expecation of privacy.
In this case, the conclusion seems to be that the customer has an expectation of privacy in their name and address unless the ISP has actively taken steps to remove it. Interesting.
For a flashback to 2006, check out
Thursday, September 18, 2008
Here's an interesting intersection of privacy and access to information.
There's been some buzz on the internets suggesting that Republican VP nominee Sarah Palin has been using personal e-mail accounts to thwart freedom of information legislation. But in the past days, someone has hacked into her Yahoo! mail account (email@example.com), which is an egregious invasion of her privacy but evidence that the accusations may be true. See: Sarah Palin Emails: Sarah Palin's Personal Emails.
Saturday, September 13, 2008
The US Department of Homeland Security is warning government types travelling internationally that their electronic devices may be subject to seizure or intereception. Oh noes! Imagine such a threat to privacy and security!
Thank goodness they've provided some tips on how to avoid the prying eyes of oppressive governments. Of course, these tips weren't provided to the unwashed masses, but wikileaks has a copy of the "FOR OFFICIAL USE ONLY" document. See: US DHS: Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities 2008 - Wikileaks.
I suggest reading it before travelilng into, out of, through, around or over the United States. Or any other intrusive country.
The Globe & Mail is running a series on privacy and social networking sites, particularly Facebook. I'm not sure that readers of this blog will be shocked at what's posted online but it's still an interesting read:
Friday, September 12, 2008: Faceless no more: Social networking comes with a price
On Monday, look for Part 2 of the series in Report on Business: Matt Hartley looks at how social networks have affected consumer privacy and reports on the federal privacy commissioner's plans to safeguard consumer information.
And on Tuesday, we'll run Part 3 — David Hutton reports on the efforts that one Canadian-based social network is making to root out underage users, who, studies show, can be far more revealing than older social networkers.
Friday, September 12, 2008
ITBusiness has an interesting article on the collaboration between the Ontario Privacy Commissioner and Facebook, including a video interview with the commissioner: Your privacy, your responsibility says Ontario Privacy Commissioner.
Wednesday, September 10, 2008
Earlier today, the Nova Scotia government came under fire for introducing a new form for driver's licence renewals that asked applicants to say whether they had any kind of mental illness. (Critics: Don’t tie driver’s licence renewal to psychiatric history) Too much information, I say. So says the FOIPOP Review Officer, Dulcie McCallum.
Apparently anyone who checks off affirmatively will be required to provide a medical report detailing their mental illnesses, which may be referred to a medical panel to determine fitness to drive.
The question is so broad that it would capture loads of irrelevant information, including a bout of post-partum depression twenty years previously. Of course, many people will lie to keep their licences.
The form was introduced to replace a form that many called confusing.
What's most interesting is that the government promptly pulled the form and went back to the old one.
Backlash forces N.S. to drop new driver's licence form
“They should not be collecting personal information on this basis,” Dulcie McCallum, the province’s Freedom of Information and Protection of Privacy review officer, said.
“It’s completely unnecessary.”
That kind of information has historically been used against people, she said.
“It goes kind of to the heart of things that are most intimate and that people want most protected,” Ms. McCallum said. “You can’t make any assumptions about people. You can’t have a policy that automatically creates a different standard for people.
“There’s no evidence to support that somehow psychiatric challenges make you more or less of a bad driver.”
It would be more appropriate to ask if people were taking any prescription medication that could affect their driving, she said.
“That doesn’t connect it to any particular illness or disability or historically disadvantaged group and it may be a bona fide question,” she said.
David Fraser, a Halifax lawyer who specializes in privacy law, said the province deserves credit for acting quickly to fix its error but questioned whether reverting to the old form would solve the problem.
“It sounds to me like an interesting response,” he said. “I’m not sure if it’s to everybody’s benefit if they’re going back to a form that had previously been confusing.
Tuesday, September 09, 2008
Google has just announced that they are cutting their log retention period in half: from 18 monts to 9 months.
From the Official Google Blog:
Official Google Blog: Another step to protect user privacy
Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.
Back in March 2007, Google became the first leading search engine to announce a policy to anonymize our search server logs in the interests of privacy. And many others in the industry quickly followed our lead. Although that was good for privacy, it was a difficult decision because the routine server log data we collect has always been a critical ingredient of innovation. We have published a series of blog posts explaining how we use logs data for the benefit of our users: to make improvements to search quality, improve security, fight fraud and reduce spam.
Over the last two years, policymakers and regulators -- especially in Europe and the U.S. -- have continued to ask us (and others in the industry) to explain and justify this shortened logs retention policy. We responded by open letter to explain how we were trying to strike the right balance between sometimes conflicting factors like privacy, security, and innovation. Some in the community of EU data protection regulators continued to be skeptical of the legitimacy of logs retention and demanded detailed justifications for this retention. Many of these privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit.
Today, we are filing this response (PDF file) to the EU privacy regulators. Since we announced our original logs anonymization policy, we have had literally hundreds of discussions with data protection officials, government leaders and privacy advocates around the world to explain our privacy practices and to work together to develop ways to improve privacy. When we began anonymizing after 18 months, we knew it meant sacrifices in future innovations in all of these areas. We believed further reducing the period before anonymizing would degrade the utility of the data too much and outweigh the incremental privacy benefit for users.
We didn't stop working on this computer science problem, though. The problem is difficult to solve because the characteristics of the data that make it useful to prevent fraud, for example, are the very characteristics that also introduce some privacy risk. After months of work our engineers developed methods for preserving more of the data's utility while also anonymizing IP addresses sooner. We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work.
While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data. As the period prior to anonymization gets shorter, the added privacy benefits are less significant and the utility lost from the data grows. So, it's difficult to find the perfect equilibrium between privacy on the one hand, and other factors, such as innovation and security, on the other. Technology will certainly evolve, and we will always be working on ways to improve privacy for our users, seeking new innovations, and also finding the right balance between the benefits of data and advancement of privacy.
Wednesday, September 03, 2008
Just in time for Privacy Awareness Week (last week), the Privacy Commissioner has released a PIPEDA Self-Assessment Tool which is worth checking out.
Here's some backgound and further info from the Commissioner's website:
News Release: Canada celebrates Privacy Awareness Week by helping businesses improve privacy practices (August 27, 2008) - Privacy Commissioner of Canada
Canada celebrates Privacy Awareness Week by helping businesses improve privacy practices
Ottawa, August 27, 2008 —The Office of the Privacy Commissioner of Canada (OPC) today launched a new tool to help businesses evaluate their privacy practices and compliance with Canada’s private sector privacy law. The launch of the tool coincides with Privacy Awareness Week, which is organized by the Asia Pacific Privacy Authorities (APPA) and runs from August 24 to 30.
The OPC’s new Personal Information Protection and Electronics Documents Act (PIPEDA) Self-Assessment Tool is made up of two parts:
- A compliance guide, which informs organizations of their obligations under PIPEDA and outlines what organizations must do to meet these obligations; and
- A diagnostic tool, which gives organizations a series of checklists they can use to assess how compliant they are with the 10 Fair Information Principles of PIPEDA.
With the results of this self-assessment, organizations will be able determine the weaknesses in their privacy systems and understand the risks they pose for the business and customers. It will also help them ensure they dedicate the appropriate resources to ensuring privacy compliance.
“Good privacy practices are good for business,” says Privacy Commissioner of Canada, Jennifer Stoddart. “More and more, organizations are realizing this, and by giving them an efficient and effective means of evaluating and improving their privacy practices, they can develop a competitive advantage.”
The theme for this year’s Privacy Awareness Week is “Privacy is your business”. During the week, participating countries, such as Canada, which is a member of APPA, can promote privacy responsibilities within the public and private sectors, and raise awareness of the public's privacy rights.
The Office of the Privacy Commissioner of Canada recently launched two initiatives aimed at engaging Canadian youth in the privacy debate: an essay competition designed to encourage students in law schools and legal studies programs across Canada to explore privacy issues and a video public service announcement competition for students between the ages of 12 and 18. Information about these initiatives and the new PIPEDA Self-Assessment Tool, as well as other tools to help organizations comply with privacy law, such as a guide for businesses and organizations, an e-learning tool for retailers, fact sheets and a number of new case summaries, can be found at http://www.privcom.gc.ca/media/nr-c/2008/index_e.asp.
For more information on Privacy Awareness Week, visit http://www.privacyawarenessweek.org/.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
Tuesday, September 02, 2008
One of the most interesting phenomena (at least to me) is that privacy is not only being taken away on a number of fronts, the wider front is the mass surrender of privacy by the millions of people who put loads of personal data online.
Some people may think it's ironic that I'm on Facebook or Flickr, but I'm pretty mindful of what I put online and who is my "friend". When I was young and foolish, I posted stuff that's still to be found on the internet. Nothing scaldalous: stuff like a travelogue of a visit to Romania and contributions to listservs about academic freedom. But kids these days, armed with digital cameras, are posting vast quantities of personal information that will hang around for years. And is there for those who may not be their friends.
I happened upon an interesting illustration of this on MetaFilter today (It's not dead, it's just resting MetaFilter). Check out these two videos in which private investigator Steve Ramblan discusses his tradecraft:
Hope2604 – Privacy Is Dead – Get Over It In 2006, privacy expert Steven Rambam’s two hour panel was disrupted by federal authorities who arrested him at the conference just prior to its commencement. In the end, he was completely vindicated and went on to finally give his talk several months later to a packed house at a local university. This year, Steven will be on for three hours, in part to make up for what you may have missed last time, but mostly because what he says about the state of privacy in our society will captivate you. Since 1980, Pallorium's investigators have successfully closed more than 9,500 cases, ranging from homicide investigations to missing persons cases to the investigation of various types of sophisticated financial and insurance frauds. Steven Rambam has coordinated investigations in more than fifty (50) countries, and in nearly every U.S. State and Canadian province. Steven specializes in international and multi-jurisdictional investigations, and within the past few years he has conducted investigations in Israel, South Africa, Holland, France, England, India, Mexico, Guatemala, Spain, Portugal, Bulgaria, Germany, Abu Dhabi, China, Mongolia, the Philippines, Thailand, Laos, Jordan, Vietnam and Brazil, among other locations. For More Information Visit www.pallorium.com
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.