The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, March 31, 2009
The LA Times' blog "Dish Rag" is reporting that fifteen employees of Kaiser Permanente have been fired and eight disciplined for looking at the medical records of Nadya Suleman (aka the Octomom).
Hospital staff fired for peeks at Nadya Suleman's files The Dish Rag Los Angeles Times.
"We always provide training on the importance of patient privacy and confidentiality," hospital rep Jim Anderson told Us Weekly. "We knew from the time she was admitted to the hospital in December, this case would attract attention. Numerous training sessions were held to remind people of the need to keep the information confidential."
Eight other employees at the hospital in Bellflower, Calif., also were disciplined.
While there's no reason to believe that any information was leaked to the media (oh,yeah, right ...), Anderson says to LA Now, "this was human nature and curiosity that got the best of people."
Octomom's hospital records accessed, 15 workers fired - SC Magazine US:
"Hospital officials told the Los Angeles Times that the breach was discovered during computer monitoring and the hospital was able to determine which employees had medical reason to access Suleman's files. Anderson did not indicate what type of hospital employees accessed the records but said there is no indication that the information was sold or accessed for any reason other than curiosity."
According to the New York Times, European consumer affairs regulators plan to go after internet companies for privacy practices, particularly the profiling and targeting of consumers. See: E.U. Warns Internet Companies on User Privacy - NYTimes.com.
Friday, March 27, 2009
In a Wired column, Bruce Schneier hits the nail on the head by calling for the end of the "expectation of privacy test". To put it simply: "The problem is, in today's information society, that definition test will rapidly leave us with no privacy at all." See: It's Time to Drop the 'Expectation of Privacy' Test.
Thursday, March 26, 2009
According to the CBC, an Alberta court has upheld Information and Privacy Commissioner Frank Work's order that prohibited the wholesale scanning of drivers licenses at a nightclub. See: Court upholds privacy ruling against nightclub scanning IDs.
Apparently Saskatchewan is planning to abandon using embedded RFIDs in licenses that can be read up to thirty feet away, while Ontario is trying to find a solution that allows individuals to turn off the broadcast of personal information. See: Saskatchewan cancels RFID licences while Ontario looks for off-switch.
Wednesday, March 25, 2009
With Google's recent launch of Street View in Europe and imminent photographing of Canadian cities, I thought I'd do some quick looking around at how effective their "face blurring" technology may be. It only took one minute of wandering around London and I was able to see where it might fall off the rails.
In this particular image, the anti-war protesters are recognizable but - THANKFULLY - the image of what's probably George W. Bush has been blurred out. But not blurred to the point of non-recognition.
Google: You've come a long way, baby, but there's work to be done.
Tuesday, March 24, 2009
Google Street View is coming to Canada. According to Google, the camera cars are going to be hitting the streets in major Canadian cities any time soon. They plan to blur faces and license plates and, one can infer, they think this is enough to deal with privacy issues here. See: Smile, you're on Google Street View - Digital Life.
According to CanWest, the Privacy Commissioner is taking Air Canada to court over access to customer information that the airline claims is covered by solicitor-client privilege:
Air Canada sued over passenger info case
OTTAWA — Canada's privacy commissioner is taking Air Canada to court to compel the airline to release records involving a so-called "unruly" customer, arguing passengers should be able to know the information air carriers are collecting about them.
In a newly filed affidavit, a senior official with the Office of the Privacy Commissioner of Canada sets out why the dispute has broad implications for air travellers. The document bolsters an application in Federal Court for an order requiring Air Canada to hand over the disputed documents about an incident on board a flight from Kamloops and Vancouver and to confirm the commissioner's right to ask for evidence in support of a claim of solicitor-client privilege.
"The ability to obtain access to one's personal information and to challenge its accuracy is a critically important means of holding an organization accountable for its personal information practices," according to Carman Baggaley, senior policy and research analyst at the commission.
The legal battle is heating up just as new regulations are "being finalized" by Transport Canada to "enhance the ability of air operators, private operators and their employees to deal with the growing problem of aviation passengers who are unruly and disruptive," the affidavit states.
This new system will "require air carriers to prepare reports on certain types of disruptive behaviour, to make these reports available to the Minister upon request and to provided statistics to the Minister on these incidents."
The backdrop of these coming changes are the rules governing Canada's "no-fly" list, which make it difficult for people to know why they are on the list and denied access to air travel, the affidavit states.
"In the current environment of heightened concerns about aviation security, information collected by air carriers about passengers can have a significant impact on individual travellers.
"In some cases, an air carrier may be required... to deny boarding to an individual who is on a Canadian or foreign no-fly list. Or, in some cases, an individual may experience delays or difficulties boarding a flight. In addition, a Canadian air carrier can deny boarding to individuals based on the carrier's assessment that an individual may pose a risk to a flight. This authority will be enhanced with the adoption of the (new) regulations."
In this context, the privacy commission is arguing the right of passengers to access information about themselves is "critically important," especially in cases where they seek to correct the record.
"Given the confusion that may exist about why an individual has been denied boarding or is experiencing difficulties when trying to obtain a boarding pass, being able to obtain access to his or her personal information held by a carrier may help an individual understand why he or she is encountering problems, or in some cases, allow individuals to clear up any confusion, misunderstandings or incorrect information before boarding is denied," according to the affidavit.
In this specific case, Juergen Dankwort of Vancouver complained to the privacy commission after Air Canada refused to provide him copies of reports related to an incident involving him during a short-haul flight in May 2005; the airline argued the files were protected under solicitor-client privilege.
Air Canada cited solicitor-client privilege again when the commission's investigative unit requested the reports as part of its investigation into whether Air Canada contravened the Personal Information Protection and Electronic Documents Act when it denied the passenger access to his personal information contained in these reports.
Air Canada also refused to provide the commission a sworn affidavit outlining why the disputed documents are, in fact, privileged, according to court documents.
In correspondence filed in federal court, Air Canada says the commission "has no right to compel such evidence protected by law, and has no jurisdiction to assert whether or not (the) documents are solicitor-client privileged."
Air Canada declined to comment on the case because the matter is before the courts.
In an interview, Dankwort, a retired sociology instructor from Kwantlen Polytechnic University, says he's "concerned" and "frightened" by Air Canada's refusal to provide an explanation to the privacy commissioner.
"If Air Canada is saying that (the reports) are protected by solicitor-client privilege, they need to let our own appointed authority know on what basis they were making that claim, rather than using it as a carte-blanche response to any inquiry or request for any such reports."
Dankwort added this matter is particularly important in a post-9/11 world because airlines hold a lot of discretionary power over who can fly.
"I think any information that a corporation has on a consumer or a client, I think we, the public, have the right to know what's in the file, what's on record. One of the hallmarks of democracy is that we have access to this kind of information."
In a statement, a spokeswoman for the privacy commissioner's office said that while it recognizes the importance of solicitor-client privilege as a fundamental legal principle, the office also thinks it's important to test the claims of organizations that withhold information on that basis.
The incident arose after Dankwort and his travelling companion brought their own beer on board, not knowing this contravened the aeronautics act, according to correspondence filed with the court in which Dankwort alleges the fight attendant was rude and aggressive and his demeanour was "completely unwarranted, inappropriate and disturbing."
During the flight, the captain advised the RCMP that Dankwort was being unruly. He was detained at the end of the flight while the police investigated the allegations. Dankwort was released a few hours later, and no charges were laid.
From the Court's Docket here.
Sunday, March 22, 2009
Google Street View went live in the UK last week. Despite the prevalence of surveillance in Britain, complaints have rolled in and Google has taken down hundreds of pictures. See: Google forced to black out hundreds of Street View photos after privacy protests - but site gets record hits Mail Online.
Tuesday, March 17, 2009
Michael Geist's most recent Toronto Star Column addresses the fine print in ISP customer agreements that purport to permit the ISP to hand customer names and addresses to the police without a warrant.
Read Michael's column:
Michael Geist - Canadian Privacy Rights Buried in the Fine Print
Scott McNealy, the former CEO of Sun Microsystems, has achieved considerable notoriety for having warned Internet users ten years ago that "you have no privacy, get over it." Recent headlines suggest that the Ontario courts have adopted those sentiments, as two recent decisions involving the disclosure of subscriber information by Internet service providers confirmed that revealing personal information to law enforcement without a warrant is permitted under Canadian privacy law.
While some view these cases as providing conclusive evidence that Canadians enjoy little privacy in identifying data such as customer name and address information, a closer look at the decisions and industry practices reveal that the issue is not entirely settled.
In the second case, R. v. Vasic, the court arrived at a different conclusion on the sensitivity of the data. It ruled that combining customer name and address information with IP address data could render the information sensitive. Nevertheless, it upheld the disclosure of the information without a warrant, since the customer had consented to the Rogers Acceptable Use Policy, which warns of possible disclosure to law enforcement without a court order.
These decisions place the spotlight on the fact that customer privacy on the Internet is not guaranteed by national privacy law. Rather, the law actually leaves the disclosure decision in the hands of the organization that has collected the information, which can choose whether to turn over personal information in certain circumstances without a warrant.
Moreover, most Internet-focused organizations such as ISPs have drafted user agreements in which their customers have consented to such disclosure policies. These cases confirm that courts will typically enforce user agreements regardless of whether subscribers have taken the time to read them.
While most companies are reluctant to publicize their disclosure practices, according to government documents recently obtained under the Access to Information Act, the RCMP estimates that 30 percent of Canadian organizations do not reveal personal information to law enforcement without a warrant.
The RCMP estimates did not include specific data on ISPs, but their estimates are borne out by current practices. Bell and Rogers chose to reveal customer information in the Wilson and Vasic cases, however, not all Canadian ISPs would have followed suit. For example, in Atlantic Canada, Bell Aliant requires law enforcement to obtain a warrant in an all non-emergency situations.
The disclosure issue is not limited to ISPs. Similar questions arose last year when the Canadian Internet Registration Authority crafted its whois policy, which governs public access to domain name registrant information. CIRA initially adopted a position that would have required a warrant for all access to such personal information, but intense pressure from the RCMP and Industry Canada led to an exception for law enforcement access without court oversight.
Few Canadians will have any sympathy for the privacy rights of those facing child pornography allegations. Yet these cases provide an important reminder about the limits of Canadian privacy law, which invariably leaves privacy subject to policies that subscribers rarely bother to read.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at firstname.lastname@example.org or online at http://www.michaelgeist.ca/.
Saturday, March 14, 2009
Google has just sent webmasters who use Google's AdSense a notice suggesting that privacy policies need to be updated because the ad service is going to be much more targeted. Here's what landed in my inbox:
We're writing to let you know about the upcoming launch of interest-based advertising, which will require you to review and make any necessary changes to your site's privacy policies. You'll also see some new options on your Account Settings page.
Interest-based advertising will allow advertisers to show ads based on a user's previous interactions with them, such as visits to advertiser website and also to reach users based on their interests (e.g. "sports enthusiast"). To develop interest categories, we will recognize the types of web pages users visit throughout the Google content network. As an example, if they visit a number of sports pages, we will add them to the "sports enthusiast" interest category. To learn more about your associated account settings, please visit the AdSense Help Center at http://www.google.com/adsense/support/bin/topic.py?topic=20310.
For more information about interest-based advertising, you can also visit the Inside AdSense Blog at http://adsense.blogspot.com/2009/03/driving-monetization-with-ads-that.html.
We appreciate your participation and look forward to this upcoming enhancement.
The Google AdSense Team
Here's more information, from Google, about the AdSense and privacy: Google Advertising Cookie and Privacy Policies - AdSense Help.
Thursday, March 12, 2009
The Information and Privacy Commissioner of Ontario is calling for implementing privacy filters to mitigate part of the damage to privacy caused by whole body scanners that are appearing soon in an airport near you.
IPC - Office of the Information and Privacy Commissioner/Ontario Whats New Summary
Whole Body Imaging (WBI) technologies – which have been described in the media as “naked scanners” – raise significant privacy concerns that must to be addressed, says Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian. “These technologies, which are being deployed as a voluntary passenger-scanning security measure in a growing number of airports around the world, pose a serious threat to privacy since they produce high-quality images of an essentially naked body beneath a passenger’s clothes.” But the risk to privacy can easily be mitigated through the use of a strong “privacy filter.”
The Commissioner released a white paper entitled, Whole Body Imaging in Airport Scanners: Activate Privacy Filters to Achieve Security and Privacy, which outlines how the activation of privacy (or modesty) filters can reduce the amount of unnecessary personal details captured by WBI technologies.
Friday, March 06, 2009
In this story from the New York Times, the headline says it all:
Chicago Links Street Cameras to Its 911 Network - NYTimes.com
CHICAGO — At first glance, Chicago’s latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller’s location is beamed onto a dispatcher’s computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest.
That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications.
“We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive,” Mr. Orozco said....
I don't think it'll be long before we see this adopted more widely.
Sunday, March 01, 2009
An amusement park in the UK (no surprise) has found a way to try to commercialize CCTV. Slap on an RFID bracelet and their cameras will track you all day. Then, at the end of the day, you can get your own DVD souvenir of your time at the watch-iest place on Earth! Odd but innovative. See: It's YourDay and you're the star.
To be fair, it's not regular CCTV footage. It's CCTV-Plus!
What did we do to create YourDay at Alton Towers?
Firstly, we dug 6 km of trenches to hold 24 strands of fibre optic cable...
We installed and linked up 140 computer servers, 36 cameras and over 100 RFID antennae to create a data network across the 550 acre park - a big place to wire up!
After storyboards and scripts, we spent 13 days filming a huge cast of actors, including 80 extras, on the big rides and attractions, smiling and screaming in all the right places.
Plus we spent the equivalent of 3 'man' years to develop all the YourDay software.
Pull all these together and you get YourDay at Alton Towers!
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.