The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, November 30, 2008
According to the Canadian Press, Ottawa has quietly shelved plans that would have provided American authorities with personal information in bulk about the holders of so-called secure (read: chipped) drivers' licenses. The MOU with the American authorities would allegedly limit them to using it for cross-border purposes, but there's no way of enforcing that once the info is in the hands of US officials. See: The Canadian Press: Canada backpedals on sharing personal database with U.S.
Today's New York Times has a very interesting article on "sensor data" (such as your cell phone, blackberry, GPS, etc) and privacy. It starts with a discussion about an experiment giong on at MIT were researchers are minutely tracking study participants and goes through a range of privacy issues about the digital data trail that we leave in our wake every day.
There's an interesting quote from the MIT researcher who suggests that wider access to telemetry data may be in the public good:
At the same time, he argued that individual privacy rights must also be weighed against the public good.
Citing the epidemic involving severe acute respiratory syndrome, or SARS, in recent years, he said technology would have helped health officials watch the movement of infected people as it happened, providing an opportunity to limit the spread of the disease.
“If I could have looked at the cellphone records, it could have been stopped that morning rather than a couple of weeks later,” he said. “I’m sorry, that trumps minute concerns about privacy.”
Saturday, November 29, 2008
A client company, Bastionhost Ltd., held a mini-summit earlier this week seeking to expand its vision of building data centres in Nova Scotia. A key part of its value proposition is the regulatory climate in Canada, paticularly its privacy laws that are deemed adequate under European Data Protection law and alow millisecond access to American markets without having the data accessible under laws like the USA Patriot Act.
Here's the press release for the event
PRESS RELEASE: FOR IMMEDIATE RELEASE Monday, December 1st, 2008
IT start-up Bastionhost announces initiative to attract business to Atlantic Canada Dataville, Canada
This economic downturn could provide an unprecedented opportunity for the Nova Scotia information technology sector, a technology entrepreneur told a Leadership and Innovation Mini-Summit held at the Halifax Club last week. The current economic crisis presents the Atlantic region with a unique business advantage, said Anton E. Self, founder and CEO of Halifax-based IT startup Bastionhost.
Self unveiled an ambitious strategy he calls "Creating Dataville" to develop a data centre industry in the province. Data centres are a fast-growing sector as corporations and governments struggle to store the massive amounts of information that underlie much of the economy.
"Massive losses stemming from the mortgage loan crisis have driven major financial institutions and enterprises with offices in both New York and London to look for ways to slash operating costs," said Self. "Their losses can be Nova Scotia's gain. Why pay millions to operate two backup data centres in North America and Europe, when one in Dataville will do?"
Self, announced his company's project to put Nova Scotia on the technological map by establishing a system of data centres and digital media storage facilities in the province.
"We can build a new billion dollar industry right here in Nova Scotia," he said, highlighting the region's dense and established infrastructure and relative affordability. "But we need to invest in improving and integrating our critical infrastructure here, now, if we are to seize the moment and realize our tremendous potential as a leading global data haven."
He said that Nova Scotia's location directly in-between New York City and London, England makes it an ideal location for catering to businesses on both continents from a single site, while taking advantage of multiple high speed fiber-optic cables already in place beneath the Atlantic Ocean.
The costs to build, maintain, and staff data centres in Nova Scotia are a fraction of those in most places in North America where this high-margin sector has taken hold, he said.
Nova Scotia's share of global ICT is about 0.3%, Jason Powell, Chairman of the Information Technology Association of Nova Scotia, told the gathering. He suggested that with more co-operation among companies, Nova Scotia could increase its share to 0.5% or even 1%, which would make a huge impact on the province's economy. "I know we've got the talent here," he said "Why can't our goal be to have IT be to Nova Scotia what energy is to Alberta?"
The province has all the tools to make this happen, he said, despite the fierce competition from low-cost countries such as India. "Innovation isn't about technology but about creativity mixed with business thinking," he said.
Privacy law expert David Fraser argued that Canada's and Nova Scotia's strong privacy laws offer another inherent advantage to the data centre sector, especially since the United States passed the USA Patriot Act in the wake of 9/11. He said, "we can become an information Switzerland."
Self also said that as the local financial services and IT sectors grow, companies are having trouble finding up-to-date data centres in this region. "There's a backlog of demand for adequate facilities, which is necessary infrastructure for attracting and retaining world-class companies. When our policymakers talk about the need to invest in Atlantic Gateway infrastructure, they mean transportation and shipping. But our most valuable commodity is data. To become a more significant global player we must integrate our technology assets and human resources and get the word out to our markets."
Also speaking as part of the mini-summit was April MacLeod, a student employment and placement expert. All four spoke of the advantages of doing business in the Atlantic region, and highlighting niche technology skills, a large student population and potential workforce, and top-notch privacy laws not available in the US, vital to international data storage.
The crowd of more than 60 people who gathered for the talk included prominent business people from the Butterfield Fulcrum Group, Flagstone, Nova Scotia Business Inc, Halifax Finance, The Greater Halifax Partnership, Eastlink, Aliant, Armour Group, McInnes Cooper and Nicom IT Solutions, among many others. Allan Shaw, of The Shaw Group and former Premier, now Senator, John Buchanan were also in the audience.
Self invited attendees to "create Dataville with us" by joining forces to develop business in cities like New York and London. "Working together as partners, allies and friends we can win some serious business," he said. "As one Anton, I can only do so much heavy-lifting. But collaboratively, like 50 ants carrying a coconut, we can raise Nova Scotia to new heights."
Anton E. Self
Founder and Chief Executive, Bastionhost Ltd.
Anton.self (at) bastionhost.com
Chairman, Information Technology Association of Nova Scotia
jkpowell (at) usa.net
David T. S. Fraser
Chair, Privacy Law Practice Group, McInnes Cooper
David.fraser (at) mcinnescooper.com
Secretary of the Board, Bastionhost, Ltd.
David.holt (at) bastionhost.com
Friday, November 28, 2008
Just posted on Slaw.ca:
Slaw: New US air security rules may cause problems for Canadian passengers
The Canadian Press is reporting that the planned extension of US passenger screening is going ahead next year. Unlike existing rules, which require airlines to provide passenger information for flights headed to the US, the new rules will require them to provide this information even if the flight is only traversing US airspace. (See: The Canadian Press: New U.S. air security rules create turbulence in Canada.)
This raises a whole host of issues, particularly on the privacy front. The names are being scrubbed against the US no-fly list, which is notoriously of dubious quality. It has interfered with the travel plans of infants and a US Senators. It also includes the name of a certain Canadian who has been proven by a public inquiry to not be a terrorist. How many Canadians will be prevented from completing their travels to non-US destinations because they have a name similar to one on the no-fly list? I guarantee that no Canadian airline will change their route to avoid American airspace so that a passenger can be accommodated.
In addition, how is the information going to be used? Will it go into a massive database to be mined for future uses? Will US authorities force aircraft to land to arrest a passenger who is not a terrorist threat, but is otherwise wanted? Will there be a list of Canadians who regularly (and completely lawfully) travel to the embargoed island of Cuba?
This is a real conundrum. One can wave one’s arms in the air and yell about privacy, but the fact remains that the United States has sovereignty over its airspace and can refuse access for whatever reason it wants. It can put conditions on that access. At the end of the day, if you want to travel and your flight takes you through their airspace, this is one of those conditions.
Wednesday, November 26, 2008
In Febrauary of '06, I linked to a post by Jim Calloway on Metadata (Jim Calloway's Law Practice Tips Blog: The Mysteries (and Magic) of Metadata). Jim just wrote to tell me he's posted an update with more recent authority on legal ethics and metadata: Jim Calloway's Law Practice Tips Blog: The Ethics of Metadata 2008. Check it out.
While my blog was down, I wrote on slaw.ca about an interesting story from Nova Scotia that made national news. For those who missed it on slaw, here it is:
Slaw: Pre-employment screening
A recent story from Nova Scotia has focused a lot of attention on pre-employment screening and the use of polygraphs. Hopefully, it will encourage a larger discussion on both sides of the issue.
According to media reports, anybody applying for a job that falls within the purview of the Halifax Police Service and Fire Service is required to pay for a polygraph examination that includes a range of questions, some of which have been considered to be objectionable. (See the full questionnaire here (pdf).)
Others have objected to the use of a polygraph, as many assert it is not a reliable indicator of
truthinesstruthfulness. (If you want a refresher on how Canadian courts are to treat polygraphs, check out R. v. Béland, 1987 CanLII 27 (S.C.C.)).
The media coverage has been plentiful, from the local papers to CBC's The National (Quicktime). The former FOIPOP Review Officer has made his thoughts known (Ex-watchdog: Ditch polygraphs) as has his successor Dulcie McCallum (Nova Scotians deserve same privacy protection as others).
Any debate and discussion is a good thing. It should, hopefully, focus the mind on one of the principes of privacy best practices that appears in almost every public and private sector privacy law: only collect information that's reasonably necessary for the (reasonable) purposes. If it's not necessary or not reasonable, don't collect it. Other important principles to consider: who has access to the information, how is it used and how long is it kept around?
And now for something
completely differentsomewhat relevant, yet inadmissible:
Here's CBC The National's report:
Tuesday, November 25, 2008
The Republican-American of Connecticut has an interesting story about a vigilant and diligent librarian who required a court order before handing over computer records after a complaint that a patron had been using a library computer to view child pornography. Her two reasons were (i) to protect the privacy of all library patrons and (ii) to make sure that if the patron had been using the computer unlawfully, the evidence would be admissible. See: The Republican-American Porn complaint hits Waterbury library.
According to the Internet News, Verizon employees who took a peek at Barak Obama's e-mails have been sent packing: InternetNews Realtime IT News - Verizon Staff Fired After Peek at Obama's Calls. Interestingly, Patrick Leahy (chair of the Senate Judiciary Committee) is using this to call upon the Justice Department to account for the efficacy of the Telephone Records and Privacy Protection Act of 2006.
There's a new privacy organization setting up shop in Washtington, DC. Initially funded by AT&T, the Future of Privacy Forum seems to be pushing for transparent consumer choice:
About the Future Privacy Forum : FUTURE OF PRIVACY FORUM
The Future of Privacy Forum (FPF) is a think tank led by privacy experts Jules Polonetsky and Christopher Wolf and includes an Advisory Board comprised of leading figures from industry, academia, law and advocacy groups. The Future of Privacy Forum’s initial underwriter is AT&T. We invite and welcome the support of other companies committed to advancing privacy practices.
FPF advocates for privacy advances that promote transparency and user control in a manner that is practical for business to implement to ensure personal autonomy for all who seek to embrace the benefits of our digital society.
Some additional coverage: A skeptical welcome for online privacy forum.
Facebook has just won a multi-multi-million dollar judgment against a Montreal residet under the American CAN-SPAM Act after the individual was accused of sending millions of unsolicited commercial e-mails to Facebook users. The company will never see most of the cash, but Facebook has said they'll go after all they can.
Hopefully, this will be a strong, visible deterrent.
Monday, November 24, 2008
A client pointed me to this great post, with which I couldn't agree more.
After discovering that, by default, friends of friends who comment on Facebook-posted pictures get access to the full album of photos, the author writes:
apophenia: Putting Privacy Settings in the Context of Use (in Facebook and elsewhere)
... Tech developers... I implore you... put privacy information into the context of the content itself. When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone's profile, let me see everyone else who can view that photo before I go to write a comment. You don't get people to understand the scale of visibility by tweetling a few privacy settings every few months and having no idea what "Friends of Friends" actually means. If you have that setting on and you go to post a photo and realize that it will be visible to 5,000 people included 10 ex-lovers, you're going to think twice. Or you're going to change your privacy settings....
Making people think? Good idea.
When privacy has been characterized as minimizing surprises, if you fully let people know what they're doing (particularly when it is somewhat behind the veil of not-well-understood technology) you're doing your job.
In September of last year, I blogged about a decision of the Federal Court of Canada that ordered eBay to hand over to the Canada Revenue Agency information about Canadian "power sellers". (See: Canadian Privacy Law Blog: Federal court orders disclosure of eBay PowerSeller records to Canada Revenue Agency.)
That decision was appealed to the Federal Court of Appeal, which upheld the decision on November 7, 2008:
 In order to induce compliance with a requirement, subsection 231.6(8) provides that a judge may prohibit a person who has failed to comply substantially with the requirement from relying on foreign-based information covered by it in a civil proceeding relating to the enforcement or administration of the Act.
 The scheme of section 231.6 suggests that Parliament was concerned that it could be unduly onerous for a person to be required to produce material located outside Canada and in the possession of another person, and that the section may operate in an unduly extraterritorial manner. While these concerns may be taken into account on a review by a judge for unreasonableness, they are largely irrelevant to the information (bulky as it may be) that is the subject of the requirement in the present case.
 This is because, with the click of a mouse, the appellants make the information appear on the screens on their desks in Toronto and Vancouver, or anywhere else in Canada. It is as easily accessible as documents in their filing cabinets in their Canadian offices. Hence, it makes no sense in my view to insist that information stored on servers outside Canada is as a matter of law located outside Canada for the purpose of section 231.6 because it has not been downloaded. Who, after all, goes to the site of servers in order to read the information stored on them?
 Nor is the extraterritorial application of the Act a significant issue on the present facts. For example, the agreements with eBay Canada expressly provide that they may disclose confidential “eBay System Information” (which the appellants say includes information about PowerSellers) which “is required to be disclosed by order of any court”: Appeal Book, vol. II, pp. 295-96. Nor does the requirement oblige a person outside Canada to do anything.
 Counsel concedes that the information identifying PowerSellers registered as having an address in Canada would be located in Canada if the appellants had downloaded it to their computers. In my view, it is formalistic in the extreme for the appellants to say that, until this simple operation is performed, the information which they lawfully retrieve in Canada from the servers, and read on their computer screens in Canada, is not located in Canada.
 I would only add that, although Justice Hughes does not frame his reasons by reference to the statutory definition of “foreign-based information” in subsection 231.6(1), he clearly meant that the information in question could be “located” at places other than the site of the servers where it is stored. For example, he stated 2007 FC 930 (CanLII), (2007 FC 930 at para. 23) that information stored electronically outside Canada “cannot truly be said to ‘reside’ only in one place”, and (supra at para. 25) the information required by the Minister “is not foreign but within Canada” for present purposes.
 Having concluded that information in electronic form stored on servers outside Canada is in law capable of being located in Canada for the purpose of section 231.6, I now consider whether Justice Hughes’s application of the law to the particular facts of this case was vitiated by palpable and overriding error. In my view, it was not. In finding that the information in question was located in Canada within the meaning of section 231.6, Justice Hughes properly took into consideration the fact that eBay US and eBay International had granted the appellants access to information about Canadian PowerSellers for the purpose of their business, and that they indeed used it for this purpose. The facts support the following conclusion by Justice Hughes (supra at para. 25):For perhaps corporate efficiency the information is stored elsewhere, but its purpose is in respect of Canadian business. The information is not foreign but within Canada for the purposes of section 231.2 of the Income Tax Act.
 Since the facts of this case do not engage section 231.6, it is not necessary to consider whether the presence of that section in the statutory scheme reduces the Minister’s powers under section 231.2 when the requirement relates to “foreign-based information”.
Thursday, November 13, 2008
Thursday, November 06, 2008
Last weekend, after a day of meetings, I wandered around downtown Ottawa. When I lived there in 1999-2000, I noticed that a number of light poles in the downtown area have directional antennas on top of them. I had only seen them in the vicitinty of Parliament Hill. Being paranoid, I wondered what they were. I even called the city and asked what they were and whose they are. The city was not able to answer my question, though they acknowledged that the poles are theirs and putting anything on them would require the city's ok.
You can read the text on the label on the back, which says it's made by TIL-TEK, model TA-2408. The TIL-TEK brochure describes it as:
The TA-2408 is a vertically or horizontally polarized panel antenna. The antenna consists of a printed broadband dipole array enclosed in an aluminum cavity with a UV stabilized ASA radome for superior weatherability. It is designed for wireless data in the ISM band and is at DC ground to aid in lightning protection.
Here are two other pictures:
If anyone knows anything about these, please help satisfy my curiosity ... Email me or put something in the comments.
Wednesday, November 05, 2008
The good news: Toronto police are removing the CCTV cameras that have kept an eye on people at Queen Street West and Bathurst.
The bad news: Apparenly they're just being moved. Where to? I do not know.
See: Torontoist: Smile! You're Not on the Police Camera, via the eagle-eyed, ever-vigilant, but never intrusive Rob Hyndman.
Tuesday, November 04, 2008
Rather than outrageous, it should be filed under stupid and pointless: Outrage over 'chastity belt' lingerie fitted with GPS tracking system Mail Online. Nothing covert here, if you take a close look at the photo. But if it was actually miniature, there may be some cause for concern.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.