The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, January 02, 2010

Canadian airlines look to government to solve privacy dilemma

The timing on this couldn't be worse, in the aftermath of the Christmas day "underwear bomber" and unprecedented scrutiny of airline passengers.

The National Airlines Council of Canada is looking to the federal government to develop a "permanent solution" to the dilemma they are facing. Airlines that overfly the United States are required to send passenger information to the US TSA, but the airlines contend this violates Canadian privacy laws.

There are a number of circumstances under Canadian privacy laws where organizations require the collection of personal information that's not strictly necessary for the provision of goods or services. PIPEDA permits collection, use and disclosure where it is "required by law", but this is not a Canadian legal requirement.

From the Canadian Press:

The Canadian Press: Canadian airlines plead with government to solve U.S. security dilemma

Canadian airlines plead with government to solve U.S. security dilemma

By Jim Bronskill (CP) – 13 hours ago

OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.

The National Airlines Council of Canada, which represents the four largest Canadian carriers, is pleading with the government to find "a permanent solution" to the dilemma posed by the U.S. Secure Flight program.

The program would collect the name, gender and birth date of the approximately five million Canadians who fly through American airspace each year en route to destinations such as the Caribbean, Mexico and South America, even if their planes don't touch the ground in the States.

The U.S. Transportation Security Administration (TSA) would then vet the names against security watch lists.

Passengers whose names appear on the list could face anything from extra security screening to being barred from a flight. There are also concerns the personal data could be used for purposes unrelated to aviation security.

Washington is still reeling from an apparent attempt by a Nigerian man to blow up a jetliner over Michigan by igniting explosives sewn into his clothes.

The near-disaster has put renewed pressure on the TSA to ensure the skies are safe.

Canadian airlines have already begun passing along the personal information for flights that land in the United States.

But the requirement to hand over information for international flights over U.S. airspace was put on hold last February pending discussions with the governments of Canada, Mexico and some Caribbean countries.

In a November letter to Bill Baker, deputy minister of Public Safety, the National Airlines Council says Canadian carriers "are not aware of any progress" on the discussions and are concerned the TSA might suddenly enact the overflight provisions.

The council says this would force Canadian airlines to breach either Secure Flight or the Personal Information Protection and Electronic Documents Act, a federal privacy law that applies to Canadian companies.

An internal Public Safety document prepared last January agrees that sharing such information is "currently prohibited" under the privacy law.

Nicole Baer, a spokeswoman for the federal privacy commissioner, said it was too early to determine whether giving overflight data to the Americans would break Canadian privacy law.

The Public Safety document, obtained under the Access to Information Act, raises other concerns about Secure Flight.

"It is possible that Canadians overflying the United States could be denied boarding based on U.S. no-fly lists that were developed based on lower U.S. risk tolerance," says the January 2009 assessment.

"There are also no guarantees how the U.S. will use the information it obtains from carriers overflying its territory."

The United States has indicated it will waive the Secure Flight requirement to provide information for overflights if Canada creates an equivalent security screening system.

Last March, the airlines council told Public Safety Minister Peter Van Loan in a letter that application of U.S. Secure Flight rules in Canada "is a direct result of the failure to ensure" that Canada's no-fly list, known as Passenger Protect, is "an accepted part of a continental aviation security system."

The airlines council favours a homegrown system as long as carriers don't bear any new costs.

Canada has been working for years on a more comprehensive passenger screening system. The Public Safety Department had no immediate update on those plans.

Critics say extending the Secure Flight program to Canadian flights that merely pass over the U.S. would indeed be a threat to Canadian sovereignty.

The Ottawa-based International Civil Liberties Monitoring Group has argued that sprawling American watch lists could ensnare many Canadians - or activists, immigrants and refugees who want to fly to Canada from Latin America but must travel through American airspace to do so.

Washington says Secure Flight, which transfers the task of watch-list screening to the TSA from individual airlines, will reduce the number of false matches - a longstanding problem with common names - and clear up mistakes more quickly.

Copyright © 2010 The Canadian Press. All rights reserved

Monday, November 30, 2009

EU Clears SWIFT Data Transfers to United States Treasury Department 

The New York Times is reporting on an agreement reached between European ministers and the United States for restored access to information about bank transfers processed by the Society for Worldwide Interbank Financial Telecommunications (SWIFT). See: EU Clears Bank Data Transfers to United States - NYTimes.com.

There has been some coverage of this already on blogs, particularly the Brussels Blogger (SWIFT - EU to grant USA nearly unlimited access to all EU banking data). Much of the tone has suggested that wholesale transfers of information will take place with massive datamining operations to be set up, but take a look at the actual agreement between the US and Europeans. It's available at wikileaks: EU draft council decision on sharing of banking data with the US and restructuring of SWIFT, 10 Nov 2009 - Wikileaks.

The agreement doesn't contemplate wholesale, massive data downloads of the kind one would expect if the database were in the United States. Instead, targeted requests must be made and these are directed through European authorities rather than to SWIFT directly. There are covenants on the US side that it will not be used for data mining purposes and other privacy-protective promises. And, to top it off, the term of the agreement is one year so that it can be renegotiated if it's not working out.

While all of this needs to be examined with a critical eye and it's not perfect, the cynic in me was pleasantly surprised by the details of the agreement.

Wednesday, October 28, 2009

Amendments to PIPA tabled, including breach notification and regulation of export of personal information 

Yesterday (October 27, 2009), the Alberta Government introduced Bill 54, the Personal Information Protection Amendment Act, 2009. The Bill includes notification requirements for export of personal information to a service provider outside of Canada and breach notification. The principal export provision is:

Notification respecting service provider outside Canada

13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).

(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).

(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of

(a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and

(b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

(4) The notice required under this section is in addition to any notice required under section 13.

Permitted "as required by law" disclosures are now limited to those required by Canadian or Alberta law. The breach notification provisions require notice to the Commissioner, and the Commissioner may order that individuals be notified. I'm sure we'll be hearing more about this. Here's an extract from yesterday's Hansard:

ISYSweb 8 Search Results for Bill 54

Bill 54

Personal Information Protection Amendment Act, 2009

Mr. Denis: Thank you very much, Mr. Speaker. I rise to introduce Bill 54, the Personal Information Protection Amendment Act, 2009. Mr. Speaker, this bill is a direct result of the hard work of the Select Special Personal Information Protection Act Review Committee, an all-party special committee of the Legislature that in 2006 undertook a complete review of the act and tabled a report to the Legislature in November 2007 outlining recommendations for amendments. This bill incorporates a number of their proposed amendments. The main proposals for change include emerging issues such as notifying the commissioner or individuals about security breaches that place personal information at risk and informing individuals when services involving personal information are occurring outside of Canada. Mr. Speaker, as required for any new legislation in a rapidly evolving area, this bill also does some updating and finetuning of the existing provisions of this act.

Thank you very much, Mr. Speaker.

[Motion carried; Bill 54 read a first time]

The Speaker: The hon. Government House Leader.

Mr. Hancock: Thank you, Mr. Speaker. I move that Bill 54 be moved onto the Order Paper under Government Bills and Orders.

[Motion carried]

Friday, February 06, 2009

4th Annual Payment Card Compliance In Canada 

I had the pleasure of speaking this morning at the Canadian Institute's 4th Annual Payment Card Compliance In Canada. I was on a panel with Art Dunfee, Director General of Investigations and Inquiries at the Office of the Privacy Commissioner of Canada, and Sandy Stephens, Senior Manager, Legal Counsel, Capital One Canada. Sandy covered the new Do Not Call List and Art covered PIPEDA compliance and the new breach notification guidelines. I then presented on a few additional topics: (i) the effect of US breach notification laws on Canadian companies and (ii) the effect of provincial anti-USA PATRIOT Act laws on Canadian banks.

Here's my presentation if you're interested:

And if Google Documents isn't showing you the love, here it is as a PDF: Payment%20Card%20Compliance.pdf

Friday, August 01, 2008

Nomadic laptops can expect the rubber glove treatment 

There's been a bit of a buzz lately about laptop inspections by the Department of Homeland Security (Crossing the border? Consider the possibility of laptop searches, Hands off my laptop, Your papers and laptops, please?, US Customs confiscating laptops). Today, the Washington Post is reporting on recently disclosed policies used by the DHS to take and inspect laptops:

Travelers' Laptops May Be Detained At Border (washingtonpost.com)

... The policies state that officers may "detain" laptops "for a reasonable period of time" to "review and analyze information." This may take place "absent individualized suspicion."

The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as 'pocket trash' or 'pocket litter.' "

Reasonable measures must be taken to protect business information and attorney-client privileged material, the policies say, but there is no specific mention of the handling of personal data such as medical and financial records.

When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials.

"They're saying they can rifle through all the information in a traveler's laptop without having a smidgen of evidence that the traveler is breaking the law," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Notably, he said, the policies "don't establish any criteria for whose computer can be searched." ...

If you want to take a look at the policy itself, it's here.

Thanks to Rob Hyndman for the tipoff.

Tuesday, July 15, 2008

Ask the privacy lawyer: Data in transit outside of Canada 

I received the following question the other day:

In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada? Or is it allowed to traverse the US border at any time during its journey across the continent? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.

Under PIPEDA, is patient or personal data limited to just traverse within Canada?

In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces has enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but talk about the storage of and access to that information. For example, from Nova Scotia's PIIDPA:

5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...

While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:

Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:

 1    2 ms    1 ms    1 ms  [REDACTED]
 2   20 ms    9 ms    9 ms  [REDACTED]
 3   17 ms   12 ms   10 ms  [REDACTED]
 4   11 ms    8 ms    8 ms  hlfx-br1.eastlink.ca [24.222.79.205]
 5   18 ms   28 ms   18 ms  te-3-1.car2.Boston1.Level3.net [4.79.2.89]
 6   22 ms   19 ms   18 ms  ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
 7   19 ms   19 ms   22 ms  ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
 8   46 ms   54 ms   49 ms  ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
 9   44 ms   52 ms   39 ms  ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10   73 ms   72 ms   70 ms  ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11   99 ms   90 ms   90 ms  ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12   90 ms   89 ms   89 ms  ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13   90 ms   89 ms   88 ms  unknown.Level3.net [64.154.178.134]
14   93 ms   91 ms  102 ms  p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15   93 ms   93 ms   91 ms  r1-hgtn.netnation.com [64.40.127.254]
16  102 ms   95 ms   93 ms  itservices.ubc.ca [64.40.111.228]

Trace complete.

This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T and the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.

So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
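
The routing question above can be checked mechanically before deciding which links need the encrypted tunnel. The following is an added example, not part of the original post: it parses the Windows tracert lines quoted above and groups hops by a country hint read from router names. The hint table and the `.ca` rule are assumptions; reverse-DNS names are labels chosen by the operator, so the result indicates the path rather than proving location.

```python
import re

# Hop lines as quoted in the post (hops 1-3 are redacted there).
TRACE = """\
1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]
"""

# Constructed row (not from the post): tracert prints this when a hop does not answer.
TIMEOUT_ROW = "9 * * * Request timed out."

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Hop number, three probes ("12 ms", "<1 ms" or "*"), then whatever names the router.
HOP_RE = re.compile(r"^\s*(\d+)((?:\s+(?:<?\d+ ms|\*)){3})\s+(.*\S)\s*$")
# Either "hostname [ip]" or a bare ip when reverse DNS returned nothing.
TARGET_RE = re.compile(rf"^(?:(\S+)\s+\[({IP})\]|({IP}))$")

# Assumed hint table: substrings of router names mapped to a country code.
HINTS = {"boston": "US", "chicago": "US", "denver": "US", "seattle": "US",
         "hlfx": "CA", "yvr": "CA"}


def country_hint(host):
    """Return 'US', 'CA' or None from the router name alone (heuristic)."""
    if not host:
        return None
    name = host.lower()
    for token, country in HINTS.items():
        if token in name:
            return country
    # Assumption: a .ca name suggests, but does not prove, a Canadian router.
    return "CA" if name.endswith(".ca") else None


def parse_hop(line):
    """Parse one tracert row; return None for headers and footers."""
    m = HOP_RE.match(line)
    if not m:
        return None
    # findall yields "" for a "*" probe, which becomes None (no reply).
    rtts = [int(v) if v else None
            for v in re.findall(r"<?(\d+) ms|\*", m.group(2))]
    t = TARGET_RE.match(m.group(3))
    host = t.group(1) if t else None
    ip = (t.group(2) or t.group(3)) if t else None
    return {"n": int(m.group(1)), "rtt_ms": rtts, "host": host, "ip": ip,
            "hint": country_hint(host)}


def summarize(text):
    """Group hop numbers by country hint; hops without a hint are 'unresolved'."""
    groups = {"US": [], "CA": [], "unresolved": []}
    for line in text.splitlines():
        hop = parse_hop(line)
        if hop is not None:
            groups.setdefault(hop["hint"] or "unresolved", []).append(hop["n"])
    return groups


if __name__ == "__main__":
    for country, hops in summarize(TRACE).items():
        print(f"{country:10} hops {hops}")
```

Unresolved hops are reported rather than guessed, so a redacted, unnamed or silent router is never counted as being inside Canada.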

Update: Added reference to Quebec statute. Thanks, commenter.

Sunday, June 29, 2008

Cross-border movement of personal health information 

Earlier this week, I co-chaired Insight Information's conference on electronic health records here in Halifax. I was very pleased to see a lot of expertise in privacy developing in Atlantic Canada, which is necessary as Nova Scotia, New Brunswick and Newfoundland move towards developing and implementing health privacy laws and as electronic health record projects are driving forward.

I gave a presentation on the mess and uncertainty related to the cross-border movement of personal health information in Canada. The complicated overlap of laws that we see in provinces such as Nova Scotia is compounded when the information is disclosed out of the province.

If you're interested, the presentation is here and can be flipped through below:

Saturday, June 28, 2008

US and Europe closer to information sharing pact 

For over a year now, the United States and the European Union have been negotiating an arrangement so that US law enforcement and national security organizations can have easier access to data in Europe and about Europeans. The New York Times is reporting that the two parties are closer to an arrangement that would permit trolling through personal information for suspicious activities, such as the review of SWIFT data that the American government undertook as the data was resident in the United States. One of the remaining issues is whether European citizens will have an ability to sue the Americans for misuse of their data.

The fact that Europe and the Bush administration are engaged in this process is a good thing. The alternatives are to shut off the tap entirely, which may not be a good idea, or to allow American authorities to freely troll through European data as easily as information about Americans, which would be worse. In Canada, Maher Arar learned the hard way about what can happen if an unstructured, unregulated information sharing "system" results in the transfer of unreliable information to the Bush administration.

Recently, the Canadian Bar Association presented its recommendations to Parliament, demanding that all information sharing arrangements be in writing with safeguards and oversight to make sure that information is accurate and does not unreasonably invade personal privacy.

The NYTimes article is here: U.S. and Europe Near Accord on Privacy - NYTimes.com.

Thanks to Rob Hyndman for the link.

Saturday, May 17, 2008

Cleanse or secure your electronics before crossing the border 

Over the past weeks, I've done a lot of travelling. First to Geneva and then to the US. On both occasions, I had to be very mindful of what information I have on my laptop and my USB drives, since I am subject to the Personal Information International Disclosure Protection Act.

This new law prohibits the export of personal information by Nova Scotia public bodies and their service providers. As a lawyer to a number of public bodies and an instructor at Dalhousie Law School, my laptop and BlackBerry are subject to those laws. Since I didn't want to go to the bother of asking the chief executive of each public body I work for whether I had one-off permission to take their data with me (and since I wouldn't need their data on the road), I had to delete all traces of such personal information from my portable electronics. While this is a concern for public bodies in Nova Scotia and their service providers, it's also a concern for anyone who is crossing the border into the United States as increasingly customs officers are scrutinizing laptops at the border.

Bruce Schneier, who always has interesting things to say, has an article in the Guardian on how to secure your laptops if you're taking them into the US. It's a good read and probably something to bookmark to read next time you're crossing the frontier: Read me first: Taking your laptop into the US? Be sure to hide all your data first Technology The Guardian.

Thursday, May 01, 2008

First stats on National Security Letters 

According to EPIC, the first public reporting on National Security Letters has been released, showing over twelve thousand NSLs were issued in 2006.

FISA Orders Up, Government Reporting on National Security Letters Begins. According to the 2007 FISA report (broken link), the Foreign Intelligence Surveillance Court approved 2,370 applications to conduct electronic surveillance and physical searches in the United States in 2007, up from 2,176 applications approved in 2006. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. In 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons. The 2007 NSL statistics are expected later this year. (May 1)

Tuesday, April 22, 2008

US border agents given unfettered access to travelers' laptops 

A US Federal Appeals Court has overruled a lower court ruling that had previously restricted laptop searches at the border. The 9th Circuit Court of Appeals, in a unanimous three judge ruling, held that border agents do not need any probable cause to rummage through portable electronics.

Border Agents Can Search Laptops Without Cause, Appeals Court Rules Threat Level from Wired.com

... Federal agents at the border do not need any reason to search through travelers' laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government's power to look through belongings like suitcases at the border to electronics.

The unanimous three-judge decision reverses a lower court finding that digital devices were "an extension of our own memory" and thus too personal to allow the government to search them without cause. Instead, the earlier ruling said, Customs agents would need some reasonable and articulable suspicion a crime had occurred in order to search a traveler's laptop.

On appeal, the government argued that was too high a standard, infringing upon its right to keep the country safe and enforce laws. Civil rights groups, joined by business traveler groups, weighed in, defending the lower court ruling.

The 9th U.S. Circuit Court of Appeals sided with the government, finding that the so-called border exception to the Fourth Amendment's prohibition on unreasonable searches applied not just to suitcases and papers, but also to electronics.

Via Boing Boing.

Previously: Canadian Privacy Law Blog: Crossing the border? Consider the possibility of laptop searches, Canadian Privacy Law Blog: Your papers and laptops, please?, Canadian Privacy Law Blog: US Customs confiscating laptops.

Saturday, March 29, 2008

US Patriot Act deters Canadians from Google service 

I was interviewed last week by Out-Law.com, a service of UK firm Pinsent Masons, for an article on the recent stories out of Canadian universities about hesitation to use Google's services due to USA Patriot Act concerns. See: US Patriot Act deters Canadians from Google service OUT-LAW.COM.

Out-law also has a weekly podcast that featured this story, which includes portions of my interview. See: High quality recording (10MB, 12 minutes) or Low quality recording for 27/03/2008 (2MB, 12 minutes).

Sunday, March 09, 2008

Crossing the border? Consider the possibility of laptop searches 

As March Break is almost in full swing, it's timely to read Computerworld's recent 5 things you need to know about laptop searches at U.S. borders. State sovereignty usually means that a country has total control over who and what gets in and traditional searches are being extended to laptop searches. This makes sense on one level but seems futile as any traveller can upload illicit digital content before crossing into the US and then download it on the other side of the border.

But searches are happening, so make sure you delete from your computer all content that you wouldn't want disclosed as part of such a search. Lawyers should particularly remove any privileged content they don't need to be taking with them. And if you're a public servant from BC, Alberta or Nova Scotia, you can't take it with you thanks to the USA Patriot Act blocking legislation in your province.

Wednesday, January 02, 2008

Happy birthday to the Canadian Privacy Law Blog 

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, businesses built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.

To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at david.fraser@mcinnescooper.com.

Birthday cake graphic used under a creative commons license from K. Pierce.

Friday, November 16, 2007

The Canadian Response to the USA Patriot Act 

I was recently invited to contribute an article to the IEEE Security & Privacy magazine on the Canadian response to the USA Patriot Act. Here's the abstract:

The Canadian Response to the USA Patriot Act

Since the attacks of September 11, 2001, US authorities have spent untold millions of dollars guarding their frontiers to regulate what gets into the country. On the other side of the border, many Canadian jurisdictions have turned their thoughts to regulating what information flows southward into the US. This isn't out of concern about terrorism but rather about the US response to it.

Citation: David Fraser, "The Canadian Response to the USA Patriot Act," IEEE Security and Privacy, vol. 5, no. 5, pp. 66-68, Sept/Oct, 2007

I think I reserved the right to publish the article on the blog after the publication by IEEE, but I'll have to track down that release .... stay tuned.

Sunday, September 16, 2007

New video on National Security Letters and the US Constitution 

The US Bill of Rights Defence Committee has produced a two-part video on National Security Letters under the USA Patriot Act. There are additional materials on their website: FBI Unbound: How National Security Letters Violate Our Privacy

Thursday, September 13, 2007

Government moving to access personal info, sparking privacy fears 

The CBC has a lengthy piece on the quiet consultation I referred to the other day (Canadian Privacy Law Blog: Public Safety Canada Quietly Launches Lawful Access Consultation):

Government moving to access personal info, sparking privacy fears

Government agencies are moving to gain access to telephone and internet customers' personal information without first getting a court order, according to a document obtained by CBCNews.ca that is raising privacy issues.

Public Safety Canada and Industry Canada have begun a consultation on how law enforcement and national security agencies can gain lawful access to customers' information. The information would include names, addresses, land and cellphone numbers, as well as additional mobile phone identification, such as a device serial number and a subscriber identity module (SIM) card number.

The consultation also seeks input on access to e-mail addresses and IP addresses. An IP address is a number that can be used to identify a computer's location.

The document says the objective of the consultation is to provide law enforcement and national security agencies with the ability to obtain the information while protecting the privacy of Canadians.

The document says that under current processes, enforcement agencies have been experiencing difficulties in gaining the information from telecommunications service providers, some of which have been demanding a court-issued warrant before turning over the data.

"If the custodian of the information is not co-operative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer," the document says. "This poses a problem in some contexts."

It says enforcement agencies may need the information for matters other than probes, such as informing next-of-kin of emergency situations, or because they are at the early stages of an investigation.

"The availability of such building-block information is often the difference between the start and finish of an investigation," according to the document.

Privacy advocates, however, expressed displeasure over both the content and the process of the consultation.

Criticizes short consultation time

Michael Geist, chair of internet and e-commerce law at the University of Ottawa, said the process is not being conducted publicly as two previous consultations have been, in 2002 and in 2005.

The consultation has not been published in the Canada Gazette, where such documents are normally publicized, or on the agencies' websites.

Interested parties have been given until Sept. 27 to submit their comments, which is a short consultation time, Geist said. Several organizations and individuals contacted by CBCNews.ca only received their documents this week.

More pointedly, a number of parties that took part in the previous consultations, including privacy and civil liberty advocates — and even some telecommunication service providers — have not been made aware of the discussion, he said.

"It's really disturbing particularly in light of the fact that they've had two prior consultations on lawful access in the past, so it's not as if they don't know the parties that are engaged on this issue," Geist said.

Officials with the Canadian Civil Liberties Association were not aware of the consultation.

All about appearances?

Jacqueline Michelis, an Ottawa-based spokeswoman at Bell Canada Inc., the country's largest telecommunications provider, said the company was aware of the consultation but would not comment further. Rogers Communications Inc. and Telus Corp., the country's next biggest providers, did not have immediate comment.

Geist said the other problem with the consultation is that it appears as if the government agencies have already made up their minds on how to proceed and are simply conducting it for appearances' sake.

"The fear is that law enforcement knows what it would like to do — it would like to be able to obtain this information without court oversight — and so it has pulled together this consultation in the hope that they can use that to say they have consulted, and here are the safeguards that the consultation thought was appropriate."

Denies document secrecy

Mélisa Leclerc, a spokeswoman for Public Safety Minister Stockwell Day, said the government was not trying to keep the consultation secret and would post the document on the internet on Thursday. The deadline for submissions would also be extended, although no decision on a date has been made yet.

Colin McKay, a spokesman for the privacy commissioner of Canada, said the government agencies have not yet proven that accessing information without a court order is necessary. The commissioner will be making a submission to the consultation on that matter.

"We'd like to see some proof that this is a necessary step because at the moment there is provision in privacy law if necessary and if presented with a legal authority to do it, in most cases that's a court order," McKay said. "That gives Canadians some level of protection."

The Information Technology Association of Canada, which will also be making a submission, agreed and said it would like to see details on instances where telecommunication providers have refused to co-operate with authorities.

"This is about transposing to new technology the same kind of law enforcement we used to have on wire-line phone networks," said Bernard Courtois, president and chief executive officer of ITAC. "Conversely, just because you're going to do law enforcement on new technology people should not lose any of their privacy protection or rights in terms of the nature of investigation."

Canada's move is in contrast to one by the United States, where last week a federal judge overturned a part of the Patriot Act that allowed the Federal Bureau of Investigation to secretly obtain personal records about customers from internet providers, phone companies, banks, libraries and other businesses without a court's permission.

Speaking on the phone from Paris, Peter Fleischer, global privacy counsel for internet search giant Google Inc., told CBCNews.ca that even in the security-conscious United States, courts have moved to curtail excessive attempts by the government at extracting personal information.

A year and a half ago, the Department of Justice obtained a warrant demanding Google turn over users' personal information as part of an investigation into the effectiveness of anti-pornography software that was being tested. Google refused and a judge ended up siding with the company.

"The order we had from the U.S. Department of Justice was a valid legal order under the U.S. legal system, but even then it was excessive and infringed privacy, and was curtailed by a U.S. court when we challenged it," Fleischer said.

Companies operating in Canada, and their customers, should have the same rights here, he said.

"There should be judicial authorization and a valid legal process before a government should be able to compel companies to hand over information about their users."

Ironically, Google on Wednesday came under fire from Privacy Commissioner Jennifer Stoddart for its Street View web photo application. The commissioner said many of the images used by the application could break Canada's privacy laws.

Fleischer would not comment on the matter, but said he would address it when he visits Canada later this month.

Thursday, September 06, 2007

National Security Letters unconstitutional 

US District Court Judge Victor Marrero (U.S. District Court, Southern District of New York) has struck down portions of the USA Patriot Act as unconstitutional. Specifically, the provisions related to National Security Letters and the prohibition of disclosing their existence have been found to violate the First Amendment and the separation of powers under the US Constitution. From the Washington Post:

Judge Rules Provisions of Patriot Act Unconstitutional - washingtonpost.com

A federal judge today struck down portions of the USA Patriot Act as unconstitutional, ordering the FBI to stop issuing "national security letters" that secretly demand customer information from Internet service providers and other businesses.

U.S. District Judge Victor Marrero in New York ruled that the landmark anti-terrorism law violates the First Amendment and the Constitution's separation of powers provisions because it effectively prohibits recipients of the FBI letters (NSLs) from revealing their existence and does not provide adequate judicial oversight of the process.

Marrero wrote in his 106-page ruling that Patriot Act provisions related to NSLs are "the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values."

The decision has the potential to eliminate one of the FBI's most widely used investigative tactics. It comes amid widespread concern on Capitol Hill over reported abuses in the way the FBI has used its NSL powers....

Thanks to fellow privacy lawyer Cappone D'Angelo at McCarthy's for passing along the news, hot off the presses.

Sunday, July 01, 2007

OPC finds LSAT fingerprinting violates PIPEDA 

In a preliminary letter to the complainant, the Office of the Privacy Commissioner of Canada has concluded that the Law School Admissions Council violates PIPEDA by requiring candidates to submit to fingerprinting at the time the LSAT test is taken:

CIPPIC News « CIPPIC

In a decision released earlier this month, the Privacy Commissioner of Canada found that the requirement for Canadian students to provide a finger/thumb print in order to take the Law School Admission Test (LSAT) is an unnecessary infringement of privacy.

Copy of letter decision sent to Complainant

One of the most interesting aspects of the letter is the conclusion that the non-profit LSAC is engaged in commercial activities sufficient to have PIPEDA apply in the first place.

Also, the Assistant Commissioner's conclusion turned on the four-point test applied in the past to video surveillance:

  • Is the measure demonstrably necessary to meet a specific need?
  • Is it likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?

Saturday, April 28, 2007

Does the SWIFT incident expose PIPEDA's loopholes? 

IT Business is running an article entitled SWIFT scandal exposes PIPEDA holes, in which the Privacy Commissioner of Canada and Philippa Lawson of the Canadian Internet Policy and Public Interest Clinic lament that PIPEDA allows the disclosure of personal information without consent in response to a foreign subpoena.

(For some background, see my previous posts on SWIFT.)

Is this a loophole or something that should be remedied? Certainly the European Union thinks that disclosing European info in this way is not OK.

I'm not sure there is really anything that can be done about this, other than to keep data out of jurisdictions with laws that you consider offensive. Certainly, we have seen that the EU and some Canadian provinces think that the USA Patriot Act is overbroad and a threat to privacy. Unlike some public sector laws in Canada, PIPEDA is completely silent with respect to the export of personal information. But if data is in a jurisdiction with a lawful power to compel the production of that information, the practical impact of a foreign law is virtually nil. Particularly if the foreign law is as toothless as PIPEDA.

Practically speaking, the solution is really to keep those data warehouses out of those jurisdictions. While SWIFT is a European outfit, they had a data centre in the US that was within the lawful jurisdiction of the US authorities armed with subpoenas. As an international clearing system, it would obviously have to transmit some data back and forth between HQ and the US. But there doesn't seem to be any compelling argument to suggest that all that data should have been kept there.

Canada, with its European-accepted privacy laws, would have been an ideal place to locate the SWIFT data centre. Milliseconds from New York and Brussels, but a world away from the US as far as privacy laws go. Any international company doing business with personal information in the United States really should think about this. What SWIFT did may have been completely lawful in the US, but it certainly has caused more than its fair share of headaches and has opened it up to potential liability in the EU.

Friday, April 20, 2007

Google introduces Google Web History 

I don't envy Google these days. (Other than for the fact that they netted a billion dollars in the first quarter of '07.) Many of their incredibly popular services depend upon knowing their users and in many cases knowing them on a one-on-one basis. Because their slice of the web is growing, there are concerns out there that the aggregated databases of user information may be misused.

One of the newest services will probably be the most controversial: Google Web History tracks all your surfing and all your searches. You can easily go back to that website you visited two weeks ago but forgot the address, and you can analyze the trends in your browsing. That's a convenience. At the same time, every website you've visited and each search you've done will be very strongly linked to you and will be hosted in the United States. This means that it will be available to be handed over to law enforcement under the USA Patriot Act and other statutes. It may also be available to your spouse's divorce lawyer armed with a subpoena. Or it is just there to be hacked into.

This may be very convenient and appealing for a lot of users, but people need to think carefully about the risks of having someone else host this highly personal data ....

Official Google Blog: Your slice of the web

Your slice of the web

Thursday, April 19, 2007 at 4:23:00 PM

Posted by Payam Shodjai, Product Manager for Personalization

I'll probably visit more than 100 web pages today, and so will hundreds of millions of people. Printed and bound together, the web pages you'll visit in just one day are probably bigger than the book sitting on your night table. Over the next month alone, that's an entire bookcase full! The idea of having access to this virtual library of information has always fascinated me. Imagine being able to search over the full text of pages you've visited online and finding that one particular quote you remember reading somewhere months ago. Imagine always knowing exactly where you saw something online, like that priceless YouTube video of your friend attempting to perform dance moves from a bygone age. Better yet, imagine having this wealth of information work for you to make searching for new information easier and faster.

Today, we're pleased to announce the launch of Web History, a new feature for Google Account users that makes it easy to view and search across the pages you've visited. If you remember seeing something online, you'll be able to find it faster and from any computer with Web History. Web History lets you look back in time, revisit the sites you've browsed, and search over the full text of pages you've seen. It's your slice of the web, at your fingertips.

How does Web History work? All you need is a Google Account and the Google Toolbar with PageRank enabled. The Toolbar, as part of your browser, helps us associate the pages you visit with your Google Account. If you're currently a Search History user, you'll notice that we've renamed Search History to Web History to reflect this new functionality. To sign up for Web History, visit http://www.google.com/history.

Thursday, March 15, 2007

Librarians to talk about Patriot Act challenge in Vermont 

Seven Days, the Vermont alternative web weekly, is running a preview of a presentation to be given by Peter Chase and George Christian later this month. Both are librarians who were on the receiving end of national security letters under the USA Patriot Act and fought them with the assistance of the ACLU.

If I get my hands on the presentation materials, I'll post them here.

Seven Days: Librarians, No Longer Gagged, Detail Patriot Act Abuses

WINDSOR, CT — In September 2003, then-U.S. Attorney General John Ashcroft ridiculed the American Library Association for its “breathless reports and baseless hysteria” about a USA PATRIOT Act provision that allows FBI agents to search library records without a warrant. Until he left office in early 2005, Ashcroft repeatedly denied that the feds were snooping into Americans’ reading habits and computer activities.

In July 2005, Peter Chase and George Christian discovered firsthand that Ashcroft was lying. They couldn’t tell anyone, though — not friends, co-workers or family members — even as Congress debated the Patriot Act’s reauthorization.

Christian is executive director of the Library Connection, a nonprofit consortium in Windsor, Connecticut. Chase is president of the group’s executive committee and director of one of its 27 member libraries. An eight-month gag order prevented them from disclosing that they’d received a “national security letter” from the FBI seeking confidential library computer records.

“We were shocked,” Chase recalls. “None of us had ever heard of a national security letter before.”

....

Chase and Christian, along with fellow committee members Barbara Bailey and Janet Nocek, decided to fight the warrantless search. Though the librarians were never told why the FBI wanted their files, a federal prosecutor later disclosed that it was a matter of “domestic surveillance.”

The Connecticut librarians have since been released from their gag order. On March 20, they’ll speak at the University of Vermont about how they fought the Patriot Act — and won. Civil libertarians say their case is a chilling example of the threats to privacy rights in the post-9/11 era.

“My initial twinge in opposing [the FBI] was that I was aiding and abetting a catastrophe,” recalls Christian. “But right away, I could glean that they weren’t worried that someone was going to cause a catastrophic event tomorrow.” The letter, he notes, was dated two months earlier, and the records the FBI wanted were six months old. In Connecticut, as in 47 other states, library records are protected by law.

Vermont’s own protections for library records aren’t as strong as those in other states, notes Trina Magi, who chairs Vermont’s Intellectual Freedom Committee. Though library records are exempt from the open-records law, she says, nothing explicitly prevents librarians from disclosing them. Moreover, last year’s Patriot Act reauthorization did nothing to alleviate librarians’ concerns.

“What people read at libraries is confidential,” Chase argues. “People should feel free to come to the library and look up whatever information they need, without thinking that Big Brother is looking over their shoulder.”

In August 2005, the Connecticut librarians sued the federal government, with help from the ACLU. Initially, they were collectively known as “John Doe.” However, because of sloppy redacting of court records by government attorneys, Christian’s and Chase’s identities were made public, and reporters soon came calling.

...

Even after the librarians’ names were known, the gag order still barred them from discussing their case. Those restrictions reached absurd proportions. When the government asserted that the librarians’ presence in federal court in Bridgeport raised a “national security issue,” they had to watch the proceedings on closed-circuit TV from a locked courtroom in Hartford. When an appeal was heard in federal court in Manhattan, the librarians were allowed to attend but were prohibited from entering the courtroom together, sitting together, speaking to each other, or making eye contact with their attorneys.

Tellingly, the librarians were released from the document request and gag order shortly after the Patriot Act was reauthorized in March 2006. Once the government dropped its appeal, the librarians lost their legal standing to challenge the statute’s constitutionality.

Today, Christian is troubled by how many Americans have apparently complied with NSL requests. “I’m trying to figure out in my mind how 30,000 NSLs can be issued each year,” he says, “and in five years only two people have said, ‘I don’t think so.’”

Peter Chase and George Christian give a lecture titled "Gagged by the Government: Two Librarians Tell How They Resisted the USA PATRIOT Act." Tuesday, March 20, 3:30-5 p.m. Bailey Howe Library, University of Vermont. Free. Info, 656-5723.

Friday, March 09, 2007

US DOJ audit discloses abuses of National Security Letter powers 

This probably isn't a big surprise to a lot of people, but I'm surprised to see it publicly disclosed:

Mueller Admits Fault in FBI Intrusions

Mar 9, 8:33 PM EST

By LARA JAKES JORDAN

Associated Press Writer

WASHINGTON (AP) -- The nation's top two law enforcement officials acknowledged Friday the FBI broke the law to secretly pry out personal information about Americans. They apologized and vowed to prevent further illegal intrusions.

Attorney General Alberto Gonzales left open the possibility of pursuing criminal charges against FBI agents or lawyers who improperly used the USA Patriot Act in pursuit of suspected terrorists and spies.

The FBI's transgressions were spelled out in a damning 126-page audit by Justice Department Inspector General Glenn A. Fine. He found that agents sometimes demanded personal data on people without official authorization, and in other cases improperly obtained telephone records in non-emergency circumstances.

The audit also concluded that the FBI for three years underreported to Congress how often it used national security letters to ask businesses to turn over customer data. The letters are administrative subpoenas that do not require a judge's approval.

"People have to believe in what we say," Gonzales said. "And so I think this was very upsetting to me. And it's frustrating."

"We have some work to do to reassure members of Congress and the American people that we are serious about being responsible in the exercise of these authorities," he said.

Under the Patriot Act, the national security letters give the FBI authority to demand that telephone companies, Internet service providers, banks, credit bureaus and other businesses produce personal records about their customers or subscribers. About three-fourths of the letters issued between 2003 and 2005 involved counterterror cases, with the rest for espionage investigations, the audit reported.

...

FBI Director Robert S. Mueller said many of the problems were being fixed, including by building a better internal data collection system and training employees on the limits of their authority. The FBI has also scrapped the use of "exigent letters," which were used to gather information without the signed permission of an authorized official.

...

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information.

...

Both Gonzales and Mueller called the national security letters vital tools in pursuing terrorists and spies in the United States. "They are the bread and butter of our investigations," Mueller said.

...

In 2000, for example, the FBI issued an estimated 8,500 requests. That number peaked in 2004 with 56,000. Overall, the FBI reported issuing 143,074 requests in national security letters between 2003 and 2005.

But that did not include an additional 8,850 requests that were never recorded in the FBI's database, the audit found. A sample review of 77 case files at four FBI field offices showed that agents had underreported the number of national security letter requests by about 22 percent.

Additionally, the audit found, the FBI identified 26 possible violations in its use of the letters, including failing to get proper authorization, making improper requests under the law and unauthorized collection of telephone or Internet e-mail records.

The FBI also used exigent letters to quickly get information - sometimes in non-emergency situations - without going through proper channels. In at least 700 cases, these letters were sent to three telephone companies to get billing records and subscriber information, the audit found.


On the Net:

The report is at: http://www.usdoj.gov/oig/reports/FBI/index.htm

Justice Department: http://www.usdoj.gov

FBI: http://www.fbi.gov

Thursday, February 08, 2007

Recruiting software company sets up data centre in Canada to address Patriot Act concerns 

This is the first public announcement of the establishment of a data centre in Canada in response to privacy concerns about data being hosted in the United States:

Cytiva Responds to Canadian Privacy Concerns With New Canadian Data Centre: Financial News - Yahoo! Finance

Wednesday February 7, 9:00 am ET

New Data Centre Helps Canadian Employers Comply With Privacy Laws and Addresses Concerns About the United States Patriot Act

VANCOUVER, BC--(MARKET WIRE)--Feb 7, 2007 -- Cytiva Software Inc. (CDNX:CRX.V - News), a leading provider of on-demand recruiting software solutions, announced today the establishment of a new data centre located in Burnaby, BC. This new data centre provides Canadian clients of Cytiva's SonicRecruit recruiting software with assurance that their candidate and employee data will remain in Canada. This is important news for Canadian companies trying to comply with privacy laws. A growing number are concerned about their employee data being subject to a United States Patriot Act that lessens requirements for government seizure of personal data in U.S. territories.

Because of the Personal Information Protection and Electronic Documents Act (PIPEDA), and other provincial privacy laws, Canadian companies that use software from U.S. companies to manage their recruiting and other human resource processes face a complicated landscape in trying to protect employee data. When employee data is transferred outside of Canada to U.S. servers that run on-demand human resources software, the issue becomes even more complicated. This data may become subject to the United States Patriot Act, which supersedes PIPEDA inside the U.S.

Canadian privacy laws are some of the most stringent in the world and have been evolving rapidly over the last ten years. All this has compelled many Canadian companies to require that their customer and employee data stay in Canada.

"Some vendors walk away from Canadian business, while others try and deal with the issue through contractual language regarding privacy," said Jason Moreau, president and CEO of Cytiva Software. "But Cytiva recognizes how important an issue this is to Canadian companies, so we have taken the extra step of establishing a data centre on Canadian soil."

The Burnaby BC data centre provides state-of-the-art security, network access, climate control and power backup.

Cytiva announces the establishment of the Canadian data centre a few months after implementing a host-based Intrusion Protection System (IPS) which goes beyond mere firewalls or detection systems and provides the highest level of data protection available.

"With the Intrusion Protection System and the option of local hosting for our Canadian clients, Cytiva sets the standard for privacy and data protection for on-demand recruiting software," says Moreau. "We believe that all companies should expect this level of protection."

About Cytiva Software Inc.

Cytiva Software Inc. (CDNX:CRX.V - News) provides innovative recruiting software and services to mid-sized and Fortune 500 companies. More than an application, its flagship talent acquisition product, SonicRecruit, allows corporations to screen applicants, automate their recruiting departments, customize their corporate career sites and hire great people. This premier applicant tracking system improves recruiting effectiveness, speeding up the hiring process and reducing cost per hire. For more information, visit http://www.sonicrecruit.com

The TSX has not reviewed and does not accept responsibility for the accuracy or adequacy of this news release, which has been prepared by management.

Distributed by Filing Services Canada and retransmitted by Market Wire

Tuesday, January 30, 2007

EU parliament debates personal data rules in wake of SWIFT scandal 

In the wake of the SWIFT privacy scandal, the European parliament will be debating the scandal, European data protection laws and broader issues of access to personal data. Should be interesting to watch:

theparliament.com - EU parliament debates personal data rules

EU parliament debates personal data rules

MEPs are this week expected to intensify pressure on the European commission to act over the controversial Swift case.

In November, an independent panel found that the Belgian-based money transfer company Swift had breached EU privacy laws by secretly giving personal financial data to the US authorities.

Swift denied breaking the law, saying it was subpoenaed to give limited data for use in the fight against terrorism.

On 31 January, in the first Brussels parliamentary plenary of the year, deputies will debate the issue of current personal data legislation and table a series of questions to the commission on the Swift case.

Included in the list of questions is a demand to know whether the commission is aware of any other requests to private companies to make their data available to the US.

MEPs also want to know what action the commission intends to take given that access to data handled by Swift makes it possible to get information on the economic activities of individuals and businesses.

The ongoing row involving Swift, which handles 11 million transactions a day, could further exacerbate tensions between the EU and the US over the use of personal flight data in the fight against terrorism.

The EU and US recently resolved a long-running dispute over the issue and are confident of reaching an agreement on passenger name records (PNR).

US negotiator Michael Chertoff and his EU counterpart Wolfgang Schauble said at the weekend that despite continued differences of opinion on the use of the personal data they were confident of reaching a deal by July.

Some MEPs, however, are currently raising concerns which they would like the commission to take on board when the executive alone negotiates a new agreement with the US.

The plenary, though, will be urged by British Conservative MEP Timothy Kirkhope to back the deal brokered by the EU and US.

"Some of these concerns are warranted but the most important thing to adopt are appropriate air safety and anti-terrorism measures and provide certainty for the airlines, while also ensuring that data protection norms are respected," Kirkhope said.


Tuesday, January 23, 2007

Tracked in America 

The American Civil Liberties Union, along with a coalition of civil liberties groups, has put up an interesting web site with stories of state surveillance in America, from pre-WWI to post 9/11. Check it out: Tracked in America.


Publicity for Nova Scotia's Patriot Act blocker 

Nova Scotia's Personal Information International Disclosure Protection Act has kept a pretty low profile as of late, but the Halifax Chronicle Herald has devoted a quarter page in its technology supplement to the legislation. It includes a fair amount of content provided by yours truly, but may have the effect of making Nova Scotians more aware of this important development.

Click on the image to download the article in PDF format.


Wednesday, January 17, 2007

Bush administration to seek warrants for terrorism investigation wiretapping 

In what appears to be a significant retreat from its previous position, the Bush administration is reportedly going to turn to the Foreign Intelligence Surveillance Court to remove the word "warrantless" from the controversial warrantless wiretapping program. AP, via ABC News: Secret Court to Govern Wiretapping Plan.


Tuesday, January 16, 2007

Law enforcement access to e-mail in the US 

Today's Washington Post is running an interesting article on the unique legal regime in the US related to law enforcement / intelligence access to e-mail stored by third parties. A bit ...

The Legal Tangles Of Data Collection - washingtonpost.com

... E-mail is a slightly different matter. The law makes a distinction between intercepting e-mail in transit and obtaining stored e-mail from a service provider's servers. The distinction made sense in the 1980s and early 1990s when downloaded e-mail often sat only on the user's computer. If the government wanted the records, it had to go to the e-mail recipient.

These days, most e-mail is held and stored by third parties. So the government claims the authority to read someone's most intimate communications, including stored chat sessions, by serving a subpoena -- no probable cause required. A person may never even know that this has been done, as there is no legal requirement for an Internet service provider to provide notice. In most cases where the government subpoenas the e-mail, it demands that the third party keep that fact confidential, at least for a while.

The same holds true for virtually any information held by a third party: phone company records that indicate who called you, when they called and how long the call lasted; Internet service provider records on what Web sites you visited, when and for how long; tollbooth records; security camera footage; records of emergency calls made from a car; supermarket purchase records. All that and more can be requested by the government with a search warrant, or sometimes with an administrative subpoena or other demand, frequently without judicial review....


Sunday, January 14, 2007

Military and CIA seeking access to financial info of US residents 

The New York Times, always on the leading edge of reporting in this area, is reporting that US military intelligence is expanding its role in domestic intelligence gathering. It, and the CIA, have been using non-compulsory letters to get access to financial information on residents of the United States. Perhaps more troubling from a privacy point of view is that most recipients of these letters volunteer the info. Check it out: Military Is Expanding Its Intelligence Role in U.S. - New York Times.

In related news, changes to an American army manual have raised concerns that the Army also takes the position that warrants are not required for domestic wiretapping. See: Deletions in Army Manual Raise Wiretapping Concerns - New York Times.

Update (20070114): On Fox News Sunday, VP Dick Cheney says the practice isn't illegal:

Cheney: Credit checks aren't illegal - Yahoo! News

"The Defense Department gets involved because we've got hundreds of bases inside the United States that are potential terrorist targets," Cheney said.

"The Department of Defense has legitimate authority in this area. This is an authority that goes back three or four decades. It was reaffirmed in the Patriot Act," he said. "It's perfectly legitimate activity. There's nothing wrong with it or illegal. It doesn't violate people's civil rights."

The Pentagon and the CIA, to a lesser extent, have used this little-known power, officials said. The FBI, the lead agency on domestic counterterrorism and espionage, has issued thousands of such letters since the attacks of Sept. 11, 2001.


Thursday, November 23, 2006

SWIFT broke data privacy laws 

According to the Associated Press, a panel of EU privacy regulators has found that SWIFT violated European privacy laws by handing over SWIFT data to the US. See: EU panel: SWIFT broke data privacy laws.


Wednesday, November 15, 2006

Patriot Act blocking statute now the law in Nova Scotia 

The Governor-in-Council for Nova Scotia today proclaimed into force the new Personal Information International Disclosure Protection Act.

For more background, see

Here's the official release from the government of Nova Scotia:

News Release: Department of Justice

November 15, 2006 13:07


Legislation to ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act was proclaimed today, Nov. 15.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

"This legislation will help ensure that Nova Scotians' personal information will be protected," said Justice Minister Murray Scott. "The act outlines the responsibilities of public bodies, municipalities and service providers and the consequences if these responsibilities are not fulfilled."

The act provides protection regarding storage, disclosure and access to personal information outside of Canada or in the custody or under the control of a public body or municipality.

The legislation comes into effect for government, school boards, universities, district health authorities and other public bodies today and on Nov. 15, 2007 for municipalities.

Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.

The act also addresses whistleblower protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.

Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.

Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.

Information sessions have been held in Truro and Halifax over the past month to educate partners and stakeholders about the provisions of the act.


FOR BROADCAST USE:

New provincial legislation which will ensure that Nova Scotians' personal information is not at risk from activities under the U-S Patriot Act has been proclaimed today (November 15th).

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body.


Sunday, November 05, 2006

Canadian universities abandon US research databases out of privacy fears 

The CBC is reporting that a range of Canadian universities are beginning to abandon US research databases out of fears that data trails left by researchers would be fodder for the FBI under the USA Patriot Act. See: Patriot Act fears prompt universities to patriate computers.

Via the excellent Library Boy blog.


Sunday, October 29, 2006

ACLU drops USA Patriot Act challenge 

The ACLU has dropped its court challenge to section 215 of the USA Patriot Act. The Washington Post reports that the reason for the withdrawal is the recent amendment that clarifies the right to seek legal counsel and challenge a demand for personal records under that section. See: ACLU Withdraws Lawsuit Challenging Patriot Act - washingtonpost.com.


Friday, October 13, 2006

Swiss Banks should have warned about SWIFT vulnerability 

Swiss Data Protection authorities have found that Swiss banks, usually known for their emphasis on privacy, broke that country's data protection laws by not telling clients that their information could be obtained by third parties via the banks' use of SWIFT. See: Official: Swiss Banks Broke Privacy Law: Financial News - Yahoo! Finance.


Tuesday, October 03, 2006

Belgian Commissioner's report on US SWIFT subpoenas 

The Office of the Belgian Privacy Commissioner has released its report into the subpoena of large quantities of transactional data from the inter-bank SWIFT system: here.

On the basis of her general investigation, the Commission is of the opinion that
  • The DPL is applicable to the exchange of data via the SWIFTNet FIN service;
  • SWIFT and the financial institutions bear joint responsibility in light of the DPL for the processing of personal data via the SWIFTNet FIN service;
  • SWIFT is a data controller of the personal data which are processed via the SWIFTNet FIN service;
  • The financial institutions are data controllers as they co-determine the objective and the means to perform payment instructions in the inter-bank traffic. The financial institutions in particular, at an inter-bank level, choose to process financial messages with regard to these payment messages via the SWIFTNet Fin service;
  • As far as the normal processing of personal data in the framework of the SWIFTNet FIN service is concerned, SWIFT should have complied with its obligations under the DPL, amongst which, the duty to provide information, the notification of the processing and the obligation to provide an appropriate level of protection conform to articles 21 § 2 of the DPL;

As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law;

  • In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection. These requirements are indeed formulated in the second paragraph of article 8 of the ECHR, Treaty no. 108, the Directive 95/46/EC and the DPL and are applicable to SWIFT. The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the UST, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level.

Considering the complexity of the issue and its importance, the Commission remains available to issue further guidance.

The administrator,

(sign.) Jo BARET (sign.)

In the absence of the President, The Vice-President,

Willem Debeuckelaere

For some background: Canadian Privacy Law Blog: US reviews international financial database, Canadian Privacy Law Blog: Privacy Commissioner launches investigation of SWIFT disclosures.


Friday, July 28, 2006

CIPPIC complains about SWIFT disclosure 

The Canadian Internet Policy and Public Interest Clinic has filed a complaint with the Privacy Commissioner against the Big Six Canadian banks over the disclosure of information by the international, inter-bank clearinghouse SWIFT. (Via Michael Geist.)

According to previous reports, the Commissioner is already on the case (Canadian Privacy Law Blog: Canadian Commissioner investigates whether Canadian banking records were reviewed by the CIA).


Monday, July 24, 2006

Australian Privacy Foundation calls for inquiry into US SWIFT monitoring 

According to Open and Shut, the Australian Privacy Foundation is pressing that country's Privacy Commissioner to investigate US review of SWIFT interbank transfer information, as the Canadian Commissioner is currently doing. See: Open and Shut: Australian Privacy Foundation calls for inquiry into US SWIFT monitoring.


Saturday, July 15, 2006

Nova Scotia passes USA Patriot Act blocking statute 

In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that each public body ensure that all personal information in its custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,
(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's blackberry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

Update (20060717): The Bill has received Royal Assent, but it has not yet been proclaimed into force. (I've added the bold bit in the table above.)


Tuesday, July 11, 2006

Nova Scotia USA Patriot Act response is back on! 

After a brief recess for an election, the Nova Scotia House of Assembly is back with a new session but a boatload of bills that fell off the order paper. Among them is (newly renumbered) Bill 19, the Personal Information International Disclosure Protection Act, which I blogged about earlier.

The Bill was reintroduced on June 30 and received second reading on July 6, 2006. It is now headed to committee for consideration, with what appears to be the approval of all three parties.

Here is the Minister of Justice making the motion for second reading and the response from the opposition parties:

Hansard - July 6, 2006, p. 314

MR. SPEAKER: The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, this legislation will strengthen protections against the disclosure of Nova Scotians' personal information, under the U.S. Patriot Act. The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure. We know that the U.S. security legislation has caused concerns about the American Government's ability to access personal information of Nova Scotians, held outside of Canada. This legislation clearly outlines responsibilities of public bodies, municipalities and technology service providers and the consequences if these responsibilities are not fulfilled.

Under the bill, the Minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. The bill also requires that service providers storing information only collect and use personal information for the purposes of their work, for a public body or a municipality. In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing, under this bill. To that end, the bill will also provide whistle-blower protection for employees of external service providers to ensure they are protected if they report an offence under the bill. Whistle-blower protection for Nova Scotia Government staff already exists under the Civil Service Act.

Mr. Speaker, penalties under the Act include a fine of up to $2,000, or six months of imprisonment for malicious disclosure by employees of public bodies and municipalities. The Act also creates offences for service providers with penalties of up to $2,000 for employees and $500,000 for companies. Under this bill, these penalties will become part of any new contract. At the same time, we are working to strengthen our existing contracts with current service providers.

Mr. Speaker, this is a serious issue and this bill will help ensure that the privacy of Nova Scotians' information continues to be protected. With those few comments, I move second reading of Bill No. 19. Thank you.

MR. SPEAKER: The honourable member for Cole Harbour-Eastern Passage.

MR. KEVIN DEVEAUX: Mr. Speaker, Bill No. 19 is a bill that the NDP has been pressuring the government to pass for, I guess, two years. This is a bill that two years ago when the NDP discovered, I think it happened in British Columbia originally where the Privacy Commissioner - where they actually have a Privacy Commissioner, I may note, for the record - noticed that under the Patriot Act in the United States, an American investigating body, FBI, CIA, National Security Agency, what have you, under the Patriot Act, if there are records held

[Page 315]

by an American corporation or its subsidiary, in another country, that those organizations can go in and access those records; it may even be without a subpoena, but there's probably very little judicial review, but under the Patriot Act they have access to that information.

So, for example, in Nova Scotia, if our government contracts out the maintenance of the data for people who are on social assistance, or motor vehicle records, that information is handed over to an American corporation to manage that data, that maybe even a subsidiary of that company in this province or in Canada, the American authorities would have access to that. That is a concern, one that British Columbia addressed a while back and it's one that I know that this province, for two years we've asked this government to do this, it's one that we have introduced legislation on and it's one that we're now glad to see the government also understands, finally, that what the NDP was asking for is something we need to do.

It is abhorrent that even for two years we allowed this province to farm out information that could easily be accessed under the Patriot Act. Now even more, we've heard recently how the American authorities have been poring over telephone records, have been monitoring telephone calls. In this age in which - if you want to call it Neo-McCarthyism, in many ways - it's very important that we have an opportunity to ensure that the information in the private information and data of Nova Scotians is protected.

Now, someone raised this with me when the bill was first introduced back in the Spring, before the election, Mr. Speaker. At that time, we had an opportunity - it was asked, well, what's a $2,000 fine going to do? They're probably right. To be frank, the fines in this legislation are not punitive, are not a form that is going to look at these findings and say to themselves wow, do we pay a $2,000 fine and give them information to the FBI or do we say under this act we can't?

The real punitive measure in this is that the contract can be cancelled immediately if there's a violation, that is important. I suspect if we're talking about a long-term contract of maintaining data, I would suggest to you that it would result in that company having to think long and hard about having that contract ripped up and voided. That's the kind of punitive measure we can put in. I would also suggest to the government, for the record, that if they want to avoid this from happening it can easily be done by ensuring that the maintenance of that information remains in house within the government and isn't contracted out. When you contract it out then the opportunity arises.

Mr. Speaker, these are things that can be done, I'm glad to see this legislation coming forward, I'm glad to see the Tory government finally agreeing with us. I will note for the record that the minister's comments that there is a whistle-blower protection in the Civil Service Act is not correct. I would suggest to you that the regulations that were passed about a year ago, a year and a half ago in regard to whistle-blower, do not provide any protection for civil servants. Frankly, they only require them to basically have to report their problems higher up and God knows what will happen after that happens. I would suggest to you that this legislation is the

[Page 316]

first step, it's a good step, the NDP has asked for this for two years, we're glad to see this legislation coming forward, we're glad to see it go to the Law Amendments Committee and we're hopeful we can get it passed in this session. Thank you.

MR. SPEAKER: The honourable member for Cape Breton South.

MR. MANNING MACDONALD: Mr. Speaker, on behalf of our Leader and our Justice Critic, I stand in my place this evening and say that we too will be supporting Bill No. 19 as it moves through the House. I want to commend the minister for bringing this bill forward this evening. I believe that it's an important protection for Nova Scotians and I think all Parties in this House realize that this is a bill, as the NDP House Leader states, that may be able to be improved on over time. Certainly it's a first step to have it here and hopefully it will meet with a smooth passage throughout the Law Amendments Committee and on to third reading. Thank you.

MR. SPEAKER: If I recognize the honourable minister it will be to close the debate.

The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, I'd like to thank the Leader of the Opposition and also the House Leader for the Liberal Party for their support of this government bill. We can stand in the House and we can all take credit for good things that have happened here. This is an initiative of government and over the next coming weeks there's going to be a pattern formed here that this government is intent on increasing the penalties and supporting the laws in this province, bringing new legislation such as this, that will make our province as safe as we possibly can, and that's what Nova Scotians want.

Mr. Speaker, this is a good bill that goes a long way to doing that and with that I move to close debate on second reading of Bill No. 19.

MR. SPEAKER: The motion is for second reading of Bill No. 19. Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

Ordered that this bill be referred to the Committee on Law Amendments.

(See: Nova Scotia introduces amendments to thwart USA Patriot Act, Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia), Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper.)


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.