The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, July 23, 2009
Earlier this week, the Information & Privacy Commissioner of British Columbia issued a decision (P09-01) related to the controversial practice of scanning photo IDs of patrons by bars, pubs and night clubs.
From the Commissioner's media release:
FOR IMMEDIATE RELEASE
July 21, 2009
Information and Privacy Commissioner Releases Order on Driver’s Licence Scanning
VICTORIA — Information and Privacy Commissioner David Loukidelis today released Order P09-01, in response to a complaint about the scanning of a bar customer’s driver’s licence. The customer complained that, when he went to the bar, employees asked him to produce his driver’s licence, swiped it through a card reader and then required him to have his digital photograph taken. He did not receive what he considered to be a reasonable explanation for why his personal information was being collected and later complained under B.C.’s Personal Information Protection Act (“PIPA”), which regulates the collection, use and disclosure of personal information by businesses.
The OIPC investigated the complaint twice and a formal hearing was eventually held. In Order P09-01, the Commissioner has decided that section 7(2) of PIPA does not allow the organization complained about, the Wild Coyote Club, to force its customers to give up their personal information, to the extent this is now being done, as a condition of being allowed into the bar.
Section 7(2) says a business “must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.” The Commissioner accepted that it is “necessary” to collect personal information of certain customers for the purpose of operating a nightlife establishment, but not “to develop and maintain a personal profile containing the personal information of all customers in order to effectively track the few who may be removed from, and subsequently barred from re-entering, an establishment. Certainly, the full scope of information which is collected by Wild Coyote and the length for which it is retained is not necessary to achieve that purpose” (para. 98). The Commissioner therefore found that “a requirement for consent to the collection of personal information through the TreoScope system is a requirement for consent to the collection and use of information ‘beyond what is necessary’ for providing the service of operating a nightlife establishment in the terms I have described” (para. 98).
Section 11 of PIPA says a business “may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances”.
The Commissioner found that, under s. 11 of PIPA, the collection of personal information was not appropriate in the particular circumstances, including given the nature and amount of personal information being collected. He found that “it is reasonable, in the case of Wild Coyote, for it to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent, or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety” (para. 127). He went on to say, however, that “much of the information collected by the TreoScope system”, including driver’s licence numbers, “does not further this safety purpose”, adding, “Moreover, I have not been provided with any reason related to improved customer safety for an establishment’s retention of any information at all relating to customers who are not involved in violent incidents” (para. 127).
As regards moving forward with a system for keeping banned customers out of bars, Loukidelis said this: Of course, I have received no submissions from the other parties on this alternative, and no details from Wild Coyote on how the system would operate if it were aimed at only maintaining a list of banned customers. As a result, I can only decide whether or not the collection as a whole, as it was being conducted at the time of the Investigation Report, complies with s. 11 of PIPA. For reasons already given, I conclude that it is not. The alternative proposed in Wild Coyote’s supplemental submissions would likely involve different considerations and cannot be addressed here.
In closing, the Commissioner said this: … I am well aware of, indeed share, public concern about gang violence and public safety in British Columbia. Some may assert that the technology involved here is synonymous with safety, such that any decision perceived to constrain ID scanning is a decision against safety. These are easy claims to make, but my duty is to apply PIPA based on the evidence and argument actually before me, which I have done.
 On the basis of the material before me, I have decided that it is reasonable for Wild Coyote to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety. For the reasons given above, however, the collection of personal information as a whole does not comply with PIPA. In this light, and in view of the reasons given above, I invite –– indeed, strongly encourage––those involved to seek the views of this Office if they wish to find a solution for collecting personal information of a nature, and in a manner, that complies with PIPA.
Neither the Commissioner nor the OIPC will be giving interviews or commenting on this decision.
For previous posts on this topic, see the keywrd "id swiping".
Thursday, July 16, 2009
The Privacy Commissioner of Canada has determined that Facebook needs to improve its privacy practices to comply with Canadian privacy laws.
Here's the media release:
News Release: Facebook needs to improve privacy practices, investigation finds - July 16, 2009
Privacy Commissioner recommends steps to ensure social networking site better protects the privacy of users and meets the requirements of Canadian privacy legislation
OTTAWA, July 16, 2009 — In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site’s privacy policies and practices.
“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” says Privacy Commissioner Jennifer Stoddart.
The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law.
An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.
The Privacy Commissioner’s report recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found.
The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.
The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes.
Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.
Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.
“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.
“Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information.”
The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. The Commissioner is empowered to go to Federal Court to seek to have her recommendations enforced.
“The privacy issues stemming from social networking sites are still relatively new. All of us – social networking sites, users and data protection authorities – are only beginning to develop the appropriate rules of engagement in this new world of online communication,” says Assistant Commissioner Denham. “The findings of our Facebook investigation are an important contribution to the development of these rules.”
While the investigation recommendations are aimed at Facebook, Assistant Commissioner Denham said users of social networking sites also have responsibilities.
“We asked Facebook to clearly advise users about its privacy practices, but it’s still up to the user to actually read it and use the privacy tools to control how their information is shared,” she says. As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page.
A detailed report on the Facebook investigation is available at www.priv.gc.ca. The website also includes information about some of the other work the Privacy Commissioner’s Office has done on social networking, including guidelines for employers and public education materials.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Wednesday, July 15, 2009
Wednesday, July 08, 2009
This is not good and should have been avoidable:
Commissioner urges vigilance in wake of computer virus outbreak at Alberta Health Services
July 8, 2009
The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.
The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.
AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.
Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.
The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.
Sunday, July 05, 2009
A lesson that just because you're not on Facebook, your friends, acquaintances and spouses may have put your information up there. Or information that may compromise your eligibility to be the head of the British Secret Intelligence Service (aka MI6): MI6 chief blows his cover as wife's Facebook account reveals family holidays, showbiz friends and links to David Irving Mail Online.
Facebook is responding to privacy
backlash concerns by introducing a new unified privacy interface and making users more aware of where their posted materials may be broadcast on the service. This stems, in part, from their plans to make users postings available system-wide like Twitter. (See: Canadian Privacy Law Blog: One privacy step forward, one back for Facebook.)
This is a Good Thing, in my view. The more control you give people to make informed decisions about their privacy, the better. Even if they're completely ignored, it's harder for people to later say they didn't know what was going on. Privacy is about giving people the ability to make informed choices about how their information is collected, used and disclosed.
A copy of a WebEx given by Facebook is available here: Facebook’s Complete Privacy Presentation.
And some additional details are on Facebook's blog: Facebook Improving Sharing Through Control, Simplicity and Connection.
Some coverage from SiliconValley.com.
Responding to privacy concerns, Facebook streamlines user controls - SiliconValley.com
By Scott Duke Harris and Elise Ackerman
Posted: 07/01/2009 11:57:07 AM PDT
Amid mounting concerns about Internet privacy, Facebook on Wednesday announced plans to streamline its user controls by introducing a "Unified Privacy Page."
The Palo Alto social-networking leader said it was taking action to address common complaints among its more than 200 million users worldwide about privacy. The company also announced that it is phasing out familiar regional networks such as "Silicon Valley" to minimize confusion.
Facebook credits its growth to fostering a culture that assures privacy and encourages authenticity. But in the past, Facebook has also engendered controversy by gathering data without user consent — a practice later reversed amid a user backlash.
On Wednesday, Facebook also sought to allay puzzlement and concerns over its fledgling "Everyone" posting feature, which it introduced in March. The feature, Facebook says, eventually will enable users to broadcast messages, photos and video far beyond their personal social networks and to the Internet at large. Facebook is vague about products, but acknowledged they could take the form of bulletin boards or forums on a vast array of topics, as well as a new searchable database.
The "Everyone" initiative has helped revive questions about Facebook's dedication to privacy safeguards. Jeffrey Chester, executive director of the Center for Digital Democracy, portrayed the latest changes as a public relations gimmick.
"I think Facebook realizes they have a political problem,'' he said. "They are in denial. They are in digital denial."
But Facebook Chief Privacy Officer Chris Kelly, in a conference call with reporters and analysts, insisted that Facebook's fundamental philosophy remains to give users full control over their privacy settings, and said the changes will simplify those controls.
"We've always believed privacy controls enhance this mission," Kelly said.
Facebook users can expect the changes to be tested and refined over the next three weeks. The Unified Privacy Page, the company said, should alleviate user frustration by simplifying and consolidating some 45 privacy settings scattered across six pages in the current format.
Facebook, because of its size and influence, is closely watched by Internet privacy advocates in the United States and abroad. It is the only company listed among 16 "hot policy issues" on the home page of the Washington, D.C.-based Electronic Privacy Information Center, along with such general topics as "domestic surveillance," "cloud computing," "search engine privacy" and "social-networking privacy." Marc Rotenberg, executive director of the Electronic Privacy Information Center, advised Facebook users to carefully watch the changes.
"Changing user settings is a risky strategy, particularly in the privacy world. And this is always what gets Facebook into trouble," Rotenberg said. "It will be very important that users are not opted-in to data sharing under the new settings where they had previously opted out with the original settings.
"Facebook also needs to do more to address data collection by third-party app developers," he added. "Too much personal information, made public by Facebook, ends up in secret profiles."
The Center for Digital Democracy's Chester flatly questioned Kelly's statement that Facebook allows users to control data shared with advertisers. "That's not true. The fact of the matter is they are really not transparent when it comes to how the data is used for advertising," Chester said. "We think it's a black box."
Facebook said care will be taken to guide users through the changing privacy process. There will be, for example, pop-up questions to make users doubly aware of where their posts will be sent.
Facebook has already started phasing out the regional networks users often join. About half of Facebook users opted in to such networks, the purpose of which often has caused confusion as Facebook has grown and attracted users with identical and similar names.
Local businesses and advertisers that relied on such networks for marketing will instead be able to use data such as city of residence to reach Facebook users.
Wednesday, July 01, 2009
One step forward and one step backward for privacy on Facebook ...
One Step Back: According to the New York Times (The Day Facebook Changed - Messages to Become Public by Default - NYTimes.com), Facebook "feeds" will become publicly available. This is seen as a step to compete with Twitter. This will surprise and upset a lot of Facebook users.
One Step Forward: Facebook will let users specify privacy settings for individual status updates, so you can let your real friends know you're hung over but your acquaintances will remain clueless (Facebook More Ways to Share in the Publisher).
Facebook shoud have learned from the Feed and Beacon debacles by making the default settings more privacy protective. Choice is good, but assuming that people want to disclose more of their personal information is not a good idea.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.