The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, June 26, 2009
Clear, the for profit company that did pre-screening of travelers so they could breeze through security, recently went out of business. Now there's a suggestion that the personal information they've compiled may be put up for sale. According to the release (below), it would be to a company that would provide a similar business and would be approved by the Transportation Security Administration.
Out of business, Clear may sell customer data ITworld
by Robert McMillan
June 26, 2009, 08:18 AM — IDG News Service — Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.
Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear's security checkpoints instead of the TSA's. Clear was run by New York's Verified Identity Pass, which also shut down on Monday.
Customers had to provide personal information, including credit card numbers, fingerprints and iris scans in order to participate in the program. After Clear abruptly shut its doors -- it has not yet declared bankruptcy -- some worried that this data could fall into the wrong hands.
"They had your social security information, credit information, where you lived, employment history, fingerprint information," said Clear customer David Maynor, who is chief technical officer with Errata Security in Atlanta. "They should be the only ones who have access to that information."
Maynor wants Clear to delete his information, but that isn't happening, the company said in a note posted to its Web site Thursday.
Clear's IT partner, Lockheed Martin, is working with the company "to ensure an orderly shutdown as the program closes," Clear said. But in a section of the note entitled, "Will personally identifiable information be sold?" Clear acknowledged that it could be used by someone else, presumably if Clear's assets were sold. "If the information is not used for a Registered Traveler program, it will be deleted," Clear said.
Boasting more than 260,000 customers, Clear was the largest private company authorized to provide airport security services, under a TSA program called Registered Traveler. Other providers, who may now be interested in purchasing Clear's assets, include Flo and Preferred Traveler.
Until Clear's demise, Registered Traveler companies operated in about 20 airports nationwide. Once a traveller has registered with any one of these companies, he is given a travel card that can be used for security screening by any company in the Registered Traveler program.
Last year the TSA temporarily yanked Clear's Registered Traveler status after the company lost an unencrypted laptop containing data on 33,000 customers at San Francisco International Airport. A few days later, Clear was allowed back into the program after the laptop mysteriously reappeared and the TSA determined that Clear was properly encrypting data.
Although it appears to be retaining information on its central databases, Clear said it has erased PC hard drives at its airport screening kiosks, and it is wiping employee computers as well, using what it calls a "triple wipe process." This technique, used by the U.S. Department of Defense, is considered to be a reliable way of erasing data.
"Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process," the company said.
Customers will be notified via e-mail when their information is deleted.
That wasn't good enough for Maynor. "How about the opposite? Where if they sell my information, they send me an e-mail," he said.
I can just imagine Frank Work's expression of exaperation in uttering the quote attributed to him in the following media release:
Level of security on stolen laptops simply not acceptable, says Commissioner
June 24, 2009
Level of security on stolen laptops simply not acceptable, says Commissioner
Information and Privacy Commissioner Frank Work is perplexed with news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me...I don’t know what we have to do to drive this message home” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”
Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.
The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk, “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”
Works says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”
The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again”.
I pity the (next) fool who loses an unencrypted laptop in Alberta.
Tuesday, June 23, 2009
The Japanese Communications Ministry has concluded that Google's Street View complies with Japan's data protection laws provided it continues to blur individual faces. It appears to be a preliminary opinion as more public input is being sought over the coming months.
The Hindu News Update Service
Japan says 'Ok' to Google's Street View service
Tokyo (PTI): Japan's government has concluded that Google's popular Street View service does not violate the country's privacy laws if the search engine giant takes safeguards like blurring people's faces.
An advisory panel of the communications ministry has determined that Google's Street View service would be consistent with Japan's personal information protection law if the US-based firm takes appropriate measures such as blurring identifiable images, such as faces, ministry officials said.
The pronouncement marks the first time that the Internal Affairs and Communications Ministry has expressed an opinion on the legality of the Google service, which provides close-up, 360-degree colour views of city streets, as they were caught by Google's Street View cameras installed on vehicles.
It amounted to turning down requests by dozens of city Assemblies across Japan -- including Tokyo's Machida city Assembly and Nara Prefecture's Ikoma city Assembly -- which adopted resolutions calling on the government to place curbs on the service, Kyodo news agency reported.
The ministry will release its final conclusion possibly in August after soliciting views from citizens.
Google launched its Street View service for 12 Japanese cities in August last year.
Monday, June 22, 2009
This was a bit unexpected. From David Akin, via @michaelgeist: Info Commish Marleau quits - not good for ATI reform - On the Hill.
Here's the media release:
Ottawa, June 22, 2009 — Canada's fourth and current Information Commissioner, Robert Marleau, announced today his retirement from public life effective June 29, 2009. In a letter to notify the Governor in Council of his decision, he explained that his reasons for doing so are entirely personal and of a private nature.
Mr. Marleau began his term on January 15, 2007. Before taking up the position, Mr. Marleau served Parliament for 31 years, 13 of them as Clerk of the House of Commons. He was interim Privacy Commissioner in 2003.
“I have enjoyed my tenure as Information Commissioner of Canada and I am quite satisfied that I leave the OIC a much better organization,” said Mr. Marleau.
“From a management perspective,” he added, “the new team in place is implementing a new business model to better serve Canadians, the funding of the Office has almost doubled and the financial and human resources management practices are now in step with modern governance and accountability principles and policies”.
From a program perspective, Mr. Marleau is quite pleased to report that “the backlog inventory of cases in under control and will be eliminated by the end of the fiscal year; that the systemic report cards have been renewed and expended; and, that a strategy for legislative reform has been presented to the Standing Committee on Access, Privacy and Ethics and was largely supported by academics and professionals of access to information.” The Standing Committee on Access, Privacy and Ethics has also endorsed the OIC recommendations in its eleventh report to the House of Commons tabled June 18.
While the search for a new Commissioner is on-going, Mr. Marleau recommended to the Governor in Council that Suzanne Legault, Assistant Commissioner, responsible for Policy, Communications and Operation be appointed Interim Commissioner. The Governor in Council accepted his recommendation.
Suzanne Legault was appointed Assistant Commissioner for the Office of the Information Commissioner of Canada on June 18, 2007. Ms. Legault began her career in the Public Service in 1996 at the Competition Bureau, where she held increasingly senior positions, including Special Advisor to the Commissioner of Competition. She then served as Legal Counsel with the Department of Justice, before returning to the Competition Bureau where she was Assistant Deputy Commissioner, Legislative Affairs, then Deputy Commissioner, Legislative and Parliamentary Affairs. During her tenure at the Competition Bureau she developed significant experience in investigations and policy development in key industry sectors. Prior to joining the Public Service, Ms. Legault practised law as a criminal defense lawyer and Crown prosecutor from 1991 to 1996. Ms. Legault holds a Bachelor of Civil Law and a Bachelor of Common Law from McGill Law School, which she obtained in 1988.
Sunday, June 21, 2009
Friday, June 19, 2009
C-46 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act. First ReadingSUMMARYC-47 An Act regulating telecommunications facilities to support investigations aka Technical Assistance for Law Enforcement in the 21st Century Act. First Reading
The enactment amends the Criminal Code to add new investigative powers in relation to computer crime and the use of new technologies in the commission of crimes. It provides, among other things, for
(a) the power to make preservation demands and orders to compel the preservation of electronic evidence;
(b) new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;
(c) a warrant to obtain transmission data that will extend to all means of telecommunication the investigative powers that are currently restricted to data associated with telephones; and
(d) warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake.
The enactment amends offences in the Criminal Code relating to hate propaganda and its communication over the Internet, false information, indecent communications, harassing communications, devices used to obtain telecommunication services without payment and devices used to obtain the unauthorized use of computer systems or to commit mischief. It also creates an offence of agreeing or arranging with another person by a means of telecommunication to commit a sexual offence against a child.
The enactment amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.
The enactment also amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act.SUMMARY
This enactment requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a province.
Thursday, June 18, 2009
Applying for a job with the city of Bozeman, Montana? Check out what's on the application:
"Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.," the City form states. There are then three lines where applicants can list the Web sites, their user names and log-in information and their passwords.
The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' idenfitying information without a warrant. Stay tuned for more details.
Update: Here's the media release from the government:
Government Of Canada Introduces Legislation To Fight Crime In The 21st Century
OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.
“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.
“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”
The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.
“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”
The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and theTechnical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.
An online version of the legislation will be available at http://www.parl.gc.ca/.
Darren Eke Press Secretary Office of the Minister of Justice 613-992-4621
Media Relations Department of Justice 613-957-4207
Media Relations Public Safety Canada 613-991-0657
Here is the government's summary of the warrantless access to customer information provisions:
Technical Assistance for Law Enforcement in the 21st Century Act
Subscriber Information Component
Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.
Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.
A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including consisting of a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.
This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.
Yesterday, executives from Google Canada testified to the Parliamentary Standing Committee on Ethics, Privacy and Access to Information about their Street View product and how Google is addressing privacy concerns.
Here's some of the media coverage from the Ottawa Citizen, which I'll supplement with the actual testimony when it's posted on the Committee's site:
Google ‘Street View’ amended to allay privacy concerns, executive tells MPs
OTTAWA — Google’s controversial “Street View” feature won’t infringe on Canadians’ privacy rights, the company’s head of Canadian operations said Wednesday in advance of an appearance before a House of Commons committee.
Jonathan Lister, head of Google Canada, was to stand before a federal government committee Wednesday afternoon to defend Google’s Street View service.
Lister came to Ottawa equipped with testimonials from Street View users all over the world — including Boris Johnson, mayor of London. He also offered data that suggest Canadians might be eager to see their home country represented on the new service, as more than 100 million Street View images from other countries have been pulled up by Canadians.
“It has been extremely well received and as people use it, they find more uses for it,” said Lister. “We’re getting indications that it’s going to be popular in Canada. We’ve got testimonials and accolades from tourism officials, the mayor of London, and Australian tourism officials that support the fact that it’s been widely well received.”
Lister was being brought before the access to information, privacy and ethics committee after the committee passed a motion demanding Google explain any impact its new Street View service may have on Canadians’ privacy rights.
The feature allows someone using Google Maps or Google Earth to click on a street or a building and see a picture of the area. The cameras used to capture the picture allow onlookers to swivel 360 degrees within the image and even allows Internet users the ability to take a virtual stroll through neighbourhoods.
Google has been preparing for the roll-out of Street View in Canada since March. The Internet search giant has also been in intense discussions with the federal privacy commissioner’s office since that time, trying to negotiate a solution that would allow Google to offer Street View images from Canada to the rest of the world without contravening Canadian privacy law.
“We think the product is compliant, but we are certainly not going to launch it until we have satisfied our concerns,” said Lister. “We continue to work with the commissioner’s office. As we get closer to rolling the product out we plan on working with local law enforcement officials and stakeholder groups.”
Lister said Google has recently revamped its internal policies to cut the amount of time the company will archive Street View pictures. The move addresses one of the privacy commissioner’s biggest concerns.
“Recently we’ve revised our retention policy such that we have made a decision to only retain these images for an adequate but not-excessive period of time, after which they will be deleted,” said Lister.
Street View also automatically blurs the faces and identifying features of people or licence plates caught by Street View’s cameras and anyone who sees their picture, or a picture of their home or vehicle can ask Google to remove the image.
Lister would not define how long an “adequate” period of time will be. He also refused to commit to a date for the official launch of Street View in Canada. Vehicles having been cruising Canadian streets and suburbs in 32 cities taking pictures for the new service over the past two months.
The access to information, privacy and ethics committee is reviewing Canada’s privacy laws to determine whether they need to be updated. The committee will roll Lister’s comments into a final report on the state of Canadian privacy legislation, which is due later this year.
Monday, June 15, 2009
Forbes has an interesting article on The Hidden Cost of Privacy which suggests that the costs of complying with privacy laws outweigh the benefits gained. Bruce Schneier has a good counterpoint here: The "hidden cost" of privacy and suggests the following points:
Friday, June 12, 2009
The Parliamentary Standing Committee on Access to Information, Privacy and Ethics has released its long-awaited report on proposed reforms to the Privacy Act. I appeared before the committee on behalf of the Canadian Bar Association and was pleased to see that many of our recommendations to the Committee are also recommendations made by the Committee to the government.
The report is available here.
Tuesday, June 09, 2009
I can't comment on this as I represented a party to the proceeding, but this is highly relevant to readers of this blog:
Judge dismisses bid for injunction - Nova Scotia News - TheChronicleHerald.ca
A judge refused to grant an injunction against The Chronicle Herald on Monday, clearing the way for the newspaper to publish a story on the contents of a digital recorder that a former federal political aide left in an Ottawa washroom this winter.
... Ms. MacDonnell’s lawyers argued that allowing the Herald to run the story by Stephen Maher, chief of the newspaper’s Ottawa bureau, would be an invasion of her privacy and would cause the 26-year-old irreparable harm.
But Justice Gerald Moir, after deliberating through the supper hour, dismissed the application Monday evening.
"I allow that the harms of publication to Ms. MacDonnell are difficult to define and may be significant, however I would have to weigh that against the public interest in reporting on government and the specific public interest in the story Mr. Maher is following," Justice Moir said.
The judge said he agreed with the Herald’s submission that the taped conversation between Ms. MacDonnell and Ms. Raitt on Jan. 30 was not private because a third person — the driver of the government vehicle in which they were riding — would have heard it.
"I have difficulty seeing Mr. Maher’s June 2009 use of the recording as an intentional invasion of privacy," Justice Moir said.
"Privacy was invaded when a conversation was recorded, when a record was left in a press washroom and when it was not retrieved. Ms. MacDonnell’s lack of knowledge that her recording device contained a record of the conversation cannot, to my mind, put Mr. Maher in the position of an intentional invader.
"It is wrong to deprive the press and the public it serves of remarks made privately but not confidentially, in the sense of trade secrets or privileged communication, after those remarks became available because of poor record keeping or management," the judge said.
"Mr. Maher owes no duty of confidentiality to Ms. MacDonnell."
Wednesday, June 03, 2009
The thing speaks for itself:
Federal Ombudsman for Victims of Crime Recommends Changes to Address Internet-Facilitated Child Sexual Abuse
OTTAWA (Ontario), June 2, 2009 - The Office of the Federal Ombudsman for Victims of Crime (FOVC) today released its first special report Every Image, Every Child which makes nine recommendations to the federal government on how to address the difficult issue of internet-facilitated child sexual abuse.
According to the report, internet-facilitated child sexual abuse is growing at an alarming rate. Between 1998 and 2003, the number of charges for production or distribution of child pornography increased by 900 percent and between 2003 and 2007 the number of images of serious child abuse quadrupled. In addition to increased volume, the images are getting more violent and feature younger children. Statistics show that 83 percent of children are 12 years old or younger and over 80 percent of the images involve penetration.
Through Every Image, Every Child FOVC urges the federal government to amend laws and policies to make investigations faster and more effective by:
- introducing legislation to make it mandatory for Internet service providers to give law enforcement basic customer name and address information upon request;
- requiring internet service providers to keep data and internet surfing records for longer periods to ensure that evidence is not destroyed; and
- making it a criminal offence to refuse to give law enforcement a password or encryption information during an investigation.
"Giving law enforcement the tools they need to quickly and effectively investigate these cases is the first and most basic step in addressing this issue," said Steve Sullivan, the Federal Ombudsman for Victims of Crime. "Each case represents more than a chance to catch an offender, it represents a chance to help a child who is suffering horrific abuse."
Every Image, Every Child also encourages the federal government to support stronger efforts to find and help the child victims in the photos. This includes recommendations to:
- increase the capacity of the RCMP's National Child Exploitation Coordination Centre to identify and rescue the child victims in the images;
- support research into the impact of internet-facilitated child sexual abuse on children; and
- more effectively help victimized children through special child-friendly multi-disciplinary child advocacy centres.
"These children suffer a unique horror," explains Sullivan "in addition to the actual abuse, they have to cope with the constant fear and humiliation of knowing that their image is being traded around the world and could surface anytime. That's why support for victims is so important. Child Advocacy Centres are one solution that benefits the children and the community. Not only do these centres provide coordinated child-friendly services, they are less expensive and result in more charges and guilty pleas as well as higher conviction rates."
Finally, Every Image, Every Child recommends the federal government consider the trauma these children face knowing their image is being shared and introduce new measures to reduce distribution. Specifically, the report recommends imposing strict rules on how evidence is shared with defence counsel and requiring internet service providers to block access to sites that contain child sexual abuse material.
Created in 2007, the Office of the Federal Ombudsman for Victims of Crime helps victims to address their needs, promotes their interests and makes recommendations to the federal government on issues that negatively impact victims.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.