The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
Thursday, August 27, 2009
This just in:
News Release: Facebook agrees to address Privacy Commissioner’s concerns - August 27, 2009
Privacy Commissioner of Canada satisfied that proposed changes to the social networking site’s privacy practices and policies would bring Facebook into compliance with Canadian law.
OTTAWA, August 27, 2009 — Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.
The company’s decision to implement the Privacy Commissioner’s recommendations is a positive step towards bringing Facebook in line with the requirements of Canada’s privacy law.
“These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected,” says Privacy Commissioner Jennifer Stoddart.
“This is extremely important. People will be able to enjoy the benefits of social networking without giving up control of their personal information. We’re very pleased Facebook has been responsive to our recommendations.”
Last month, the Privacy Commissioner issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic.
While Facebook took some steps to resolve privacy concerns, the Commissioner remained dissatisfied by Facebook’s response at the end of the investigation. She was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications such as games and quizzes.
Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. Following a review of Facebook’s formal response and discussions with company officials, the Commissioner is now satisfied Facebook is on the right path to addressing the privacy gaps on its site.
“Facebook is promising to make significant technological changes to address the issue we felt was the biggest risk for users – the relatively free flow of personal information to more than one million application developers around the world,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.
“Application developers have had virtually unrestricted access to Facebook users’ personal information. The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access.”
An over-arching issue highlighted during the investigation was that the way in which Facebook provides privacy information to users is often confusing or incomplete.
Facebook agreed to changes to help users to better understand how their personal information will be used and, ultimately, to make more informed decisions about how widely to share that information. The Commissioner has reviewed these improvements and will be following up with Facebook as the changes are implemented.
The following is an overview of key issues raised during the investigation and Facebook’s response:
1. Third-party Application Developers
Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”
Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.
This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.
2. Deactivation of Accounts
Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.
While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.
3. Personal Information of Non-users
Issue: Facebook should better protect the privacy of non-users who are invited to join the site.
4. Accounts of Deceased Users
Facebook has committed to a timetable for implementing all of the changes, some of which, such as the third-party application changes, are technologically complex. The company has already started to make changes and we expect them to be fully complete within a year.
“It’s now up to Facebook to demonstrate to us that they are living up to their commitments,” says Assistant Commissioner Denham.
“With the conclusion of the Facebook investigation, our Office has made clear our expectations for how social networking sites need to protect personal information. Other sites should take note – and take steps to ensure they’re complying with Canadian law.”
Statements by the Commissioner and Assistant Commissioner are available on the OPC’s website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Wednesday, August 26, 2009
Apparently both the Privacy Commissioner of Canada and Facebook intend to hold separate press conferences tomorrow to discuss the outcome of the last month of negotiations between the two about whether Facebook is in compliance with Canadian privacy laws. See: Canada may reveal next step on Facebook privacy.
Monday, August 24, 2009
According to the CBC, the Information and Privacy Commissioner of British Columbia has approved a modified version of the BarWatch program. Bars, under BC's Personal Information Protection Act, are allowed to swipe a patron's driver's license or other ID, collecting name, gender, date of birth and a photograph of the patron. The information must be deleted within 24 hours, except for "rowdies", whose information can be kept and exchanged with other bars through the BarWatch database. See: Privacy commissioner OKs Barwatch software.
Monday, August 17, 2009
According to the Toronto Star, the Privacy Commissioner is going to accept Facebook's friend request, just on the eve of the deadline to comply with the Commissioner's previous adverse finding:
TheStar.com | Canada | Facebook, privacy commissioner make friends
OTTAWA – Friendship, fittingly, appears to have broken out in the dispute between Canada's privacy commissioner and the Facebook social networking site.
Today is the 30-day deadline for Facebook to respond to a strongly worded report issued last month by Canada's privacy commissioner, Jennifer Stoddart, criticizing how people's personal information was being treated by the global giant in online friendships. If Stoddart is not happy with Facebook's response, she has 15 days to decide whether to get the Federal Court of Canada involved.
But the two sides appear to be solving their problems in harmony.
Alexandra Brown, a Toronto spokesperson for Facebook, said a formal response is being sent today to the privacy commissioner's office, complete with timelines for Facebook to respond to the concerns raised in last month's report. Over the past month, the two sides have reportedly been working well together, with privacy-commission officials paying a visit to Facebook headquarters in Palo Alto, Calif., to negotiate a compromise.
"I know there's been lots of discussion and there will continue to be discussion over the next 15 days," Brown said.
Canada's privacy commission was sounding similarly upbeat about the status of the dispute.
Anne-Marie Hayden, a spokesperson for the commission, said: "We continue to have very positive discussions with Facebook.... It's going very well."
Neither side was willing to talk about details of their agreement to date or even what is in the report that Facebook sent to the privacy office today. Hayden said that the privacy commission needs time to review what Facebook has filed, and more will be said closer to the next deadline, 15 days from now.
Stoddart's original report on Facebook last month identified concerns in the following areas:
* A lack of adequate safeguards to restrict outside software developers — of games, quizzes and the like — from gaining access to personal profiles of users and their online friends.
* Facebook's indefinite retention of personal information of people who have deactivated their accounts.
* A lack of clarity about how Facebook material can be used in the event of a person dying, which the privacy office calls "memorialization" concerns.
* A lack of protection of information about non-users — people who may not have their own Facebook accounts, but whose personal data may be on friends' or associates' pages.
Sunday, August 16, 2009
Following the Commissioner's adverse finding against Facebook, the social networking site's deadline to respond is tomorrow (See: Canadian Privacy Law Blog: Canadian Privacy Commissioner calls on Facebook to improve privacy practices). I don't expect a big response from Facebook, so we'll have to wait to see if the Commissioner takes them to court. See: Facebook must satisfy Canada's privacy commissioner by Monday.
Thursday, August 06, 2009
The next in the series of three privacy OpEds in the National Post goes to Philippa Lawson, formerly of CIPPIC:
Give privacy laws teeth
Internet use in Canada has had enormous economic and social benefits; individuals and organizations can now broadcast their ideas, promote their businesses and build communities of interest instantly, at minimal cost, worldwide. But technology is a double-edged sword; it can be used for bad as well as good, and the impacts of its use even for non-criminal purposes are not all positive. The greatest casualty of our enthusiastic embrace of the Internet is, without doubt, individual privacy.
Fraudsters, identity thieves, stalkers and vengeance-seekers are using the Internet to solicit, track and prey on victims, often by taking advantage of the vast amount of personal information available online. While such information is a gold mine for imposters and stalkers, its collection, use and trading by non-criminals can be equally damaging for the individuals whose personal information is at issue.
Careless or malicious posting of photos, videos and personal information online can have devastating reputational impacts on individuals -- impacts that may never fully disappear because the digitized information, once released online, never disappears.
A video posted on YouTube, for example, can turn a small-town student into an instant celebrity, but it can also provoke ridicule worldwide. False rumours can spread like wildfire. Embarrassing photographs posted online can seriously impede future employment prospects. And because the digital medium is so persistent, reputational effects may never be overcome.
Easily abused personal information is offered up to a remarkable extent by individuals themselves on social-networking sites, personal blogs and chat rooms. But many users don't appreciate the extent to which such information is publicly accessible, easily gathered and compiled by others and thus vulnerable to abuse. Only a minority of Facebook users, for example, bother to adjust their privacy settings from the defaults set by Facebook, which are to share with everyone in the Facebook-determined networks they have joined.
Personal information is also made public by friends, acquaintances and organizations who post it online often without the individual's knowledge, let alone consent. Once discovered, it can be too late to undo the damage caused, for instance, by publication of an indiscreet photo or the home address of a high-risk social worker.
Furthermore, there is a huge industry in the collection and trading of personal information, much of it covert. Marketers want to manipulate us into buying more stuff. Insurers want to minimize their risk. Employers want reliable, mature employees. Governments want to make sure that we aren't threatening national security.
Privacy law is about protecting our right to control with whom we share information about ourselves. But it should also recognize that certain uses are simply inappropriate, and that "consent" is often no more than a fiction.
Canada has a reasonably good set of data-protection laws. In general, corporations are required to get our informed consent before collecting, using or disclosing our personal data, and can do so only for purposes that a reasonable person would consider appropriate in the circumstances. Government entities can collect, use and disclose our data only for certain specified purposes.
But these laws do not place explicit limits on the collection and use of personal information posted by children, who are most vulnerable to abuse online.
Nor do our laws, outside Quebec, Alberta and B.C., place significant limits on non-commercial and nongovernmental uses of personal data without consent. While courts are starting to recognize a common-law right to privacy that would fill this gap, there is little to protect most Canadians from privacy abuses that arise outside the commercial or government context.
Moreover, existing privacy laws are only as good as their enforcement. At least one study has shown that there is widespread non-compliance with Canadian privacy laws, especially in the commercial sector.
This is not surprising given that the costs of non-compliance are minimal. The federal privacy commissioner is limited to making recommendations. Complainants in most jurisdictions must engage in expensive lawsuits in order to get binding orders for which they will likely receive no compensation.
This is not good enough. Privacy laws should apply to non-commercial as well as commercial activities. They should prohibit collection and use of kids' data, other than in exceptional cases. They should require meaningful consent, not just an easily overlooked opt-out check box. And we should be able to hold others accountable under privacy laws without undue effort and cost -- it's time to put some teeth into our privacy laws.
Philippa Lawson was director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa from 2003 to 2008 and currently practises law in Whitehorse, Yukon.
Wednesday, August 05, 2009
Jacob Glick, Canadian policy counsel for Google Inc., has a good OpEd piece in today's National Post. I agree that innovators need to build privacy into their products, not only to manage their own risks but as members of society who have responsibilities for their users. I would say that responsibility is heightened for companies whose products are used by young people who may have an under-developed sense of privacy.
Privacy is in the product
This week, the National Post brings you a three-part series on the rocky place where the Internet meets the law. The question put to today's contributors: Given the proliferation of personal information on the Internet, especially on social-networking sites such as Facebook, how must Canada's laws adapt to ensure our privacy online?
When I moved to Ottawa four years ago, social-networking sites helped me keep up with my friends in Toronto and elsewhere -- in a way and on a scale that wasn't possible previously. Recently, I started micro-blogging on Twitter (mostly because I'm too lazy to blog more than 140 characters at a time) to share my thoughts on work-related matters and other miscellany. Through the Internet, we're reshaping the ways we do business, communicate and represent ourselves to the world. The good news is, we can embrace these changes without surrendering our privacy.
Privacy protection can and ought to be at the heart of innovative tools -- not only as a matter of legal compliance, but also as a principle of product design. This is what Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, calls "Privacy by Design."
Questions about the sufficiency of Canada's privacy regime, while relevant, miss the bigger picture. Privacy is best protected by good product design. In fact, Canada has a well-functioning private-sector privacy regime. The Internet is not a Wild West: Existing rules related to legal jurisdiction and privacy apply online, as they do in the physical world. Internet companies, just like their brick-and-mortar brethren, are legally accountable for the ways they collect, use and disclose personal information.
For example, street-level photography has long been part of cartography. With a quick trip to your local municipal archive, you'll discover thousands of photos, taken over decades, of our urban landscapes. For those of us who can't read maps, seeing the world at street level is the easiest way to get around unfamiliar locales. Google Street View takes this traditional discipline and integrates it with digital mapping.
Google's approach is to build products that harness the power of the Internet while protecting privacy for the benefit of hundreds of millions of people worldwide, including tens of millions of Canadians. That's why we have built facial and license-plate blurring into Google Street View and why we make it easy for Canadians to request that we remove any image containing themselves, their kids, their cars or their homes -- even if the image is already blurred. There are privacy rules that apply to Google Street View just as they do to more traditional cartographers.
In addition to offering more accessible and useful mapping data, today's online applications provide exciting tools for collaboration and community building. They help us break through the alienation endemic to urban society and reconnect with our communities in new and fun ways. For example, here in Ottawa, online groups and websites give new parents a great support network and help them find local activities they can enjoy with their kids.
One of these innovative communications and collaboration tools is YouTube, a revolutionary platform that turned four this year. YouTube enables people to make their videos, professional or amateur, available worldwide. This ability can blur the line between the public and the private spheres, and Canadians get that. They also know that they are in control of what they post on YouTube -- and with whom they share it.
That's why not every video on YouTube has to be made public. Some can be shared with a smaller circle of friends. That's also what Google has done with the recent launches of Google Latitude, our mobile feature which enables users to select people to share their location with, and our Interest-based advertising system, which was built with tools that allow users to specify which categories of ads they'd like to see (or not see).
Of course, to make sensible choices people must have products that let them make such choices. Innovators should therefore develop applications in which privacy is built in from the start, so that Canadians can control the parts of themselves they reveal to the world.
Regulators ought to hold companies accountable for their privacy practices. However, privacy ultimately should be about good product design -- not just about legislation, regulation or compliance. The best products and businesses will have transparency and user choice built right in. Canadians should expect it.
-Jacob Glick is Canada policy counsel for Google.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.