The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, January 02, 2009
Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.
Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.
And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five-year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of the log information that's often retained by internet companies. And Google has also been sued by a couple claiming that their privacy was violated when pictures of their house were presented in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.
I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.
Tuesday, September 30, 2008
Today is the first day for consumers to add themselves to the Canadian Do Not Call List (https://www.lnnte-dncl.gc.ca/) but the online system has been overwhelmed with people looking to get added to the list.
If you want more info on the national DNCL, you can check out some past posts and these resources:
And if you're inclined to tell telemarketers not to call you, you should also take advantage of iOptOut, which also appears to be down.
Wednesday, July 02, 2008
When I give presentations on Canadian privacy law, the number one question I get -- without exception -- is whether a retailer can ask for your phone number or postal code at the point of sale. Sometimes I'm asked about asking for ID when making returns. According to Canada.com (I haven't been able to find the survey itself), the Privacy Commissioner of Canada has commissioned a survey that confirms that Canadians are not comfortable with retailers who ask intrusive questions at the check-out:
Most Canadians resist sharing personal details with stores: Poll
Don Butler, Canwest News Service. Published: Wednesday, July 02, 2008
OTTAWA - More than half of Canadians resist requests for personal information from retailers and nearly as many simply refuse to provide it, according to a survey done for the Office of the Privacy Commissioner.
The Ipsos Reid survey, made public recently on a government website, also found that safety or security concerns are a major impetus for the refusal to give retailers personal information such as name, phone number or postal code.
The survey of 1,000 adult Canadians, conducted last December, was commissioned in part to help the privacy commissioner's office evaluate the need for public education to inform Canadians about their privacy rights during retail transactions.
The survey found 52 per cent of respondents resist retailers' requests for personal information by asking why it is needed, and 45 per cent flatly refuse to provide such information.
Thirteen per cent have deliberately given a store incorrect information when asked for a name, phone number or postal code. Eleven per cent have done the same when registering for commercial online sites.
Anne-Marie Hayden, spokeswoman for the privacy commissioner's office, said it was encouraging that many Canadians are balking at requests for personal information from retailers.
"Personal information is increasingly invaluable in the marketplace," she said. "So we're pleased that consumers are taking charge and questioning requests for their personal information."
Under the Personal Information and Electronic Documents Act, Hayden noted, businesses aren't allowed to collect personal information indiscriminately. Rather, they're supposed to limit the information gathered to what is necessary for the purposes identified by the organization.
Retailers need to be open about why they're asking for personal information, she said.
"If they can't give you a good reason why they need your personal information, don't give it out."
The survey found those who have either refused to give personal information or given incorrect information most often say they did so for reasons related to security and safety.
One in five don't trust the safety of providing such information online, while one in 10 have concerns about identity theft, fraud or computer hackers. Another six per cent mention safety or security issues in general.
A further 28 per cent refrain from providing their personal information because they consider it private or none of the retailer's business.
Others say they refuse because retailers don't need the information or they don't want to be contacted by telemarketers or sent junk mail.
One in three Canadians say they think stores use personal information they gather to compile statistics or demographic information on their customers. Three in 10 think stores sell the information to telemarketers or other companies.
The survey has a margin of error of 3.1 percentage points, plus or minus, 19 times out of 20.
In a report last month, Privacy Commissioner Jennifer Stoddart said many companies ignore "elementary security measures" to protect the personal information they gather. This has led to a growing number of "inexcusable" security breaches, she said.
Last year, the privacy commissioner's office launched an online "e-learning tool" to help retailers bring their privacy practices and policies into line with the law.
Wednesday, June 18, 2008
I've been overwhelmed by the number of questions I've received in response to "Ask the privacy lawyer". Some of them are too specific and would cross over the line from educational information into legal advice. But I got this question, which is relatively generic and probably is something that many people have to deal with:
Hi - In September 2007 I subscribed to a well known Canadian magazine. I did not check a box on the form saying I wanted to receive 'mail' from them. However in December 2007 I and my neighbour (whose subscription to the same magazine had just ended) started receiving unsolicited requests for magazine subscripts at a rate of about 1 a week. I knew where the subscription was coming from since they misspelled my name on all the subscriptions in the same way.
I've emailed the magazine and the company responsible for these bulk mailings and have been told they 'occasionally send mailings we think our customs will enjoy' although that's only if you check the box requesting that 'service'.
They tell me the mailings will stop soon - but they haven't and now the mailings have my correctly spelled name.
I know there is a lot of work being done with SPAM laws and no phone anti-telemarketer laws - but is there any way I can legally stop this magazine for falsely advertising that they would to share my name and information with anyone else?
They don't seem to be taking my angry emails very seriously.
This situation sounds like a classic SNAFU, which might only take some more gentle persuasion to fix. But if one wants to take the legal route ....
The first question one has to ask is what privacy law applies. The questioner wasn't specific, so one should consider the options. This is a private sector matter, since we are not dealing with a government institution. Magazines are engaged in commercial activity, so one of the Canadian private sector laws would apply. The default would be PIPEDA, which applies to the collection, use and disclosure of personal information in the course of commercial activities except where there exists an applicable provincial law that has been declared to be "substantially similar" to PIPEDA. The substantially similar laws are the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The PIPAs of Alberta and BC are very similar to PIPEDA and are built on the same foundation.
For the purposes of considering this question, I'll assume that PIPEDA applies. PIPEDA requires the knowledge and consent of all individuals for all collection, use and disclosure of personal information. Importantly, an organization cannot require an individual to consent to uses that are not necessary.
4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.8 - An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
Commissioner's Findings - PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements - April 7, 2005
Privacy lawyers often refer to marketing as "secondary purposes" as they are secondary to the original purpose for the collection, use and disclosure of personal information (which, in this case, would be sending a subscriber the magazine and for billing purposes). There is some debate as to whether "opt in" or "opt out" is sufficient for these secondary purposes.
In any event, consent, if previously granted, may be withdrawn:
Even if an individual had previously consented to the use of personal information for marketing purposes, this consent can be withdrawn "subject to legal or contractual restrictions and reasonable notice". Assuming there is no such impediment, a subscriber should be able to tell a magazine publisher that he or she no longer wishes to receive marketing materials or to have personal information disclosed to other publishers. This is consistent with the Commissioner's finding in Summary #308:
"The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1."
So what recourse does an individual have? He or she can complain to the Office of the Privacy Commissioner, who will investigate and hopefully persuade the publisher to change their practices. If they do not comply, the individual or the Commissioner can take the matter to the Federal Court.
Thursday, March 27, 2008
Michael Geist has been a critic of the legislation enabling the new Canadian "Do Not Call List", which specifically permits calls from polling companies, newspapers, political parties and others. So to enable users to opt out even more, Michael has developed a website that sends specific do not call requests to individual companies and organizations. Check it out:
iOptOut - Welcome to iOptOut
The Canadian government passed legislation in 2005 mandating the creation of a do-not-call registry. The registry is scheduled to take effect in mid-2008, yet many Canadians may be disappointed to learn about the exemption of a wide range of organizations (registered charities, business with prior relationships, political parties, survey companies, and newspapers). Under the law, exempted organizations are permitted to make unsolicited telephone calls despite the inclusion of the number in the do-not-call registry. However, organizations must remove numbers from their lists if specifically requested to do so. IOptOut takes advantage of this approach by allowing Canadians to create and manage a personal do-not-call list that begins where do-not-call legislation ends. Once you register, you'll be able to view a categorized list where you can opt-out of further contact from exempt organizations.
To do this we send an email notification to each organization on your behalf requesting that your name, email address and phone number(s) be removed from their active marketing lists.
Tuesday, February 19, 2008
Recently, the US Federal Trade Commission successfully brought an action against Accusearch (aka Abika) for selling customer phone records without consent.
Readers will recall that Abika was the subject of a complaint brought by CIPPIC in Canada that is still ongoing.
District Court Bars the Sale of Consumers’ Telephone Records to Third Parties
A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified.
In May 2006, the FTC charged AccuSearch, Inc., doing business as Abika.com, and its principal, Jay Patel, with violating federal law by selling consumers’ phone records to third parties without the consumers’ knowledge or authorization. According to the FTC complaint, the defendants advertised on their Web site that they could obtain the confidential phone records of any individual – including details of outgoing and incoming calls – and make that information available to their clients for a fee. To obtain such information, which is not legally available to the public, the FTC alleged that the defendants caused others to use “false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier,” to induce the telecommunications carriers to disclose the confidential records. Consumers whose phone records were sold by defendants suffered substantial injury as a result of those sales. The FTC charged that the defendants’ practices were unfair in violation of the FTC Act.
In his ruling, Judge Downes found that the defendants’ obtaining and selling of confidential phone records without consumers’ knowledge or consent was “necessarily accomplished through illegal means,” and that defendants knew that the phone records were being obtained surreptitiously. The court further found that this practice caused substantial injury to consumers, including: serious health and safety risks experienced by some consumers from stalkers and abusers; economic harm associated with changing telephone carriers and upgrading security on their accounts; and a host of “substantial and real” emotional harms. The court concluded that consumers had no way to avoid these harms. “In fact,” Judge Downes wrote, “the evidence presented before the court indicates that confidential consumer phone records were sold through Abika.com despite considerable efforts by consumers to maintain the privacy of those records.” Finally, the court found no countervailing benefits to consumers or competition that could be derived from defendants’ practice.
Judge Downes also rejected the defendants’ claimed immunity under Section 230 of the Communications Decency Act, 47 U.S.C. § 230, a federal statute that confers immunity on interactive computer service providers for publishing information content provided by a third party. The court found that the defendants failed to establish two of the three necessary elements of a CDA defense, holding that the FTC’s lawsuit did not seek to “treat” defendants as a publisher within the meaning of the CDA, and that the defendants participated in the creation or development of the information content.
Following his opinion, Judge Downes permanently barred the defendants from obtaining, causing others to obtain, marketing, or selling consumers’ telephone records except as permitted by law. The order also bars the defendants from purchasing, marketing, or selling consumer personal information unless the information was lawfully obtained. The order prohibits the defendants from making deceptive statements to obtain consumers’ personal information and from buying such information from third parties.
The judge’s order requires the defendants to give up the $199,692.71 in ill-gotten gains they earned through illegally obtaining and selling the records. The order also authorizes the FTC to notify the individuals whose phone records were sold by defendants, to the extent that those consumers can be located. The order allows the FTC to use the forfeited ill-gotten gains for this purpose. Finally, the order contains certain bookkeeping and record keeping requirements to allow the FTC to monitor compliance.
The defendants have appealed the order to the Tenth Circuit Court of Appeals.
The FTC wishes to thank the Office of the U.S. Attorney for the District of Wyoming for its assistance in this matter.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.
Friday, December 28, 2007
Privacy resolutions from the Privacy Commissioner of Canada:
News Release: Do you resolve to protect your privacy in 2008? (December 27, 2007) - Privacy Commissioner of Canada
Do you resolve to protect your privacy in 2008?
OTTAWA, December 27, 2007 – Threats to the privacy rights of Canadians will intensify in 2008 unless organizations resolve to do more to protect personal information, warns Privacy Commissioner of Canada Jennifer Stoddart.
“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” says Commissioner Stoddart.
“The coming year will be another challenging one for privacy in Canada.”
With that prediction in mind, Commissioner Stoddart today released her 2008 list of top 10 suggested New Year’s resolutions for businesses, individuals and government.
Resolutions for businesses in Canada:
1. Protect personal information with strong security.
More than 162 million records were compromised by theft or loss in 2007, triple the number of data losses for the previous year, according to a USA Today analysis of breaches in the US, Canada and other countries. This alarming trend can be reversed if businesses begin to recognize the value of personal information. The disastrous breach involving Winner’s and HomeSense stores is an example of what can go wrong if businesses don’t invest in the latest security.
2. Use encryption to protect personal information on mobile devices such as laptops.
We are seeing too many headlines about personal information at risk because a laptop has been lost or stolen. Organizations must ensure personal information on a mobile device is encrypted – protecting information stored on a laptop with a password is simply not enough.
3. Ensure credit card processing equipment masks complete card numbers on receipts.
Complete credit card numbers should not be printed on receipts for electronically processed transactions. Businesses were supposed to switch to electronic processing equipment that masks card numbers – for example, by printing Xes – by the end of 2007. Printing complete card numbers exposes customers to the risk of identity theft. (Some very small businesses may still be manually taking imprints of cards because it is not economically feasible for them to purchase electronic equipment. They should still take all steps necessary to protect the information they collect.)
Resolutions for Canadians:
4. Think twice before posting personal information on social networking sites.
Many Facebook and Myspace users think of these sites as private, when, in reality, the information they post can often be seen by just about anyone. Before posting something, ask questions such as: How would I feel defending this comment or photo during a job interview five years from now? Am I harming someone else or invading someone’s privacy by posting this comment, photo or video? We like this simple rule of thumb: If Grandma shouldn't know, it shouldn't be posted.
5. Ask questions when someone asks for personal information.
It’s a good idea to understand why information such as your phone number or postal code, or driver’s licence is being requested and how it will be used. If you are concerned about receiving junk mail or telemarketing calls, decline to provide the information. Canada’s privacy laws offer you a choice about providing personal information that is not necessary for a transaction.
6. Take steps to protect your personal information.
Invest in a good shredder or burn all documents that include your name, address, SIN, financial information or other sensitive personal information. Papers containing personal information don’t belong in the recycling bin.
Resolutions for the federal government:
7. Overhaul the no-fly list to ensure strong privacy protections for Canadians.
The no-fly list involves the secretive use of personal information in a way that has very serious impact on privacy and other human rights. Innocent Canadians face the very real risk they will be stopped from flying because they’ve been incorrectly listed or share the name of someone on the list.
8. Move forward with proposed reforms to Canada’s privacy laws.
The federal government is currently holding consultations on important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These proposed changes include mandatory breach notification, a step that would encourage businesses to take security more seriously and protect Canadians against identity theft.
We also urge the federal government to open a review of the Privacy Act, which will be celebrating its 25th anniversary in 2008. Canadians should be offered the same level of legal protection under the Privacy Act as they have, as consumers, under PIPEDA.
9. Ensure that identity theft legislation is swiftly passed.
The government has introduced Criminal Code amendments to help police stop identity thieves or fraudsters before Canadians suffer actual financial harm. The changes include explicit penalties for collecting, possessing and trafficking in personal information.
10. Develop anti-spam legislation.
Canada remains the only G-8 country without anti-spam legislation, raising the danger that we will become a harbour for spammers. Halting the proliferation of spam is another important measure necessary to address identity theft.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Tuesday, January 02, 2007
The Privacy Commissioner of Canada suggests that you make a few New Year's resolutions to protect your privacy:
Start the New Year with privacy resolutions
Ottawa, December 27, 2006 – Privacy Commissioner of Canada Jennifer Stoddart is urging Canadians to add good privacy habits to their list of New Year’s resolutions.
"Polls have told us again and again that Canadians value their privacy. The start of the New Year is a great time for everyone to check whether they are doing enough to protect this important right," Ms. Stoddart said. "I hope people will add some good privacy habits to their New Year’s resolutions list."
Ms. Stoddart today released her top 10 resolutions for consumers to protect their privacy in 2007 and beyond. They are:
- Guard your information
Ask questions when a cashier ringing in your purchases wants your name, address or telephone number. Why is the information being requested? How will it be used? If you are concerned about unwanted junk mail or telemarketing calls, decline to provide the information. It’s as simple as saying, "Sorry, I don’t want to share that personal information." Privacy laws give you a choice. You don’t always have to say "Yes."
- Check your receipts
Some retailers still use older equipment that prints receipts with a complete credit card number – creating a risk the number will fall into the wrong hands and be fraudulently used. If the number is complete, use a pen to scratch out the middle four numbers on your copy.
- Become a junk mail buster
If you don't want to be added to marketing lists, check the "no thanks" or opt-out box, or initial a note stating your preference, whenever you give personal information to magazine publishers, retail stores, charities and other organizations.
- Take three steps to create more quiet nights at home
  - Take advantage of the Do Not Contact Service (do-not-call, do-not-mail, and do-not-fax) offered at no cost by the Canadian Marketing Association (CMA). You can make the request online at www.the-cma.org.
  - Ask your telephone company to remove you from the lists it sells to external organizations.
  - When telemarketers call, insist they remove your name from their calling lists. They are now required by law to maintain do-not-call lists.
- Develop a shredding habit
Make sure your blue box is not a goldmine for identity thieves. Buy a shredder (many are surprisingly inexpensive). Destroy all documents that include sensitive personal information, such as bank statements, credit card statements, credit card receipts, and pre-approved credit card applications.
- Check loyalty program fine-print
- Become more privacy-aware on-line
Educate yourself about protecting your privacy on-line. Install the latest anti-spyware, anti-virus and firewall software on your computer. Shop only on secure sites – check for a lock symbol on the bottom right of the window. There’s plenty of advice on the Internet.
- Stop Spam
Invest in a good spam filter and learn how to use it. Spam affects privacy rights because it involves the inappropriate use of personal information – your e-mail address. Protect your regular e-mail address by using it only with trusted friends and business associates. Get another address for other online uses. If you receive an e-mail from a sender you don’t recognize, or with a subject line that doesn’t make sense, just delete it. Opening spam may send a confirmation that an e-mail address is valid – and lead to more spam. The OPC homepage, www.privcom.gc.ca, includes a link to more information about spam.
- Caution on the phone
Apply a healthy dose of skepticism when an e-mail or phone caller warns that your bank account or credit card has been compromised. Never reply to such e-mails, which may have been sent by ID thieves. Call your bank instead. Fraudsters are also using the telephone to get personal information. The best way to determine whether a call about account problems is legitimate is to say, "I’ll call you right back," and then call either the number on your credit card or account statement.
- Protect your SIN
Ask questions when an organization asks for your Social Insurance Number. An ID thief could use your SIN to apply for a credit card or bank account in your name. Companies can’t insist that you provide a SIN unless it is required for a specific and legitimate purpose, such as tax reporting. Ask why the organization needs your SIN and whether you are required by law to provide it. If you are refused a product or service unless you give your SIN, complain to the Office of the Privacy Commissioner of Canada.
Sunday, May 14, 2006
In this recent finding, the Commissioner dealt with a complaint by a bank customer who had contacted his bank asking not to be marketed to but subsequently was contacted a number of times by his branch about products and services.
The bank informed the Commissioner that there are two circumstances where the customer may be contacted notwithstanding a "do not solicit" flag on his or her file: (a) in-branch generated sales leads and (b) leads developed by data mining but taking advantage of service-related communication opportunities such as GIC and mortgage renewals.
The Commissioner considered that the bank had not followed the consent principle 4.3 and determined the complaint to be well-founded and resolved.
Tuesday, February 21, 2006
The CRTC is about to embark on crafting Canada's "do not call" regime. The regulator is seeking input from interested parties at hearings to be held in May in the Ottawa region. See http://www.cbc.ca/mobile/story/national/2006/02/20/crtc-060220.
Sunday, October 09, 2005
An Arizona appeals court has held that unsolicited text messages to a cell phone violate a federal anti-telemarketing law originally aimed at voice calls. See Court: Federal Law Bans Text-Message Spam - Mobile News - Designtechnica.
Thursday, August 25, 2005
CFCN of Calgary, Alberta is running a story about an individual who was called by a telemarketer on behalf of a life insurer, who got the individual's personal information from one of Canada's large retailers. The individual was upset that they had his birthdate, which was also obtained from the same source. The individual had not opted out from the information sharing.
The story is interesting also because it suggests that readers complain to the Information and Privacy Commissioner of Alberta. See the article here: CFCN.ca - Calgary news from CFCN, CTV
Sunday, July 31, 2005
What is the root cause of the identity theft "crisis"? That depends upon what you consider "identity theft". The term is often used to refer to simple credit card or debit card fraud, but the definition that I use involves impersonating another person to fraudulently obtain a benefit, such as credit facilities. The root cause of this sort of fraud is that it is very easy to impersonate someone, at least to the extent that banks and credit grantors would extend credit on the basis of the faked identity.
Though conventional identification methods, such as drivers licenses, can be faked or can be fraudulently obtained, credit grantors often do not even use such methods to confirm that the applicant is who s/he says s/he is. In most online applications, it seems the credit grantors assume your identity if the information you provide matches what's retrieved from your credit file.
MSNBC is today running an article on two responses to this challenge. The first would be mandatory "fraud alerts" on credit files, so that the credit bureaus are required to confirm that the owner of a credit file consented to its disclosure before handing it over to a lender. The second is a technological method to displace the social security number as the universal identifier.
A new way to authenticate your identity? - Consumer Security - MSNBC.com
"...Several identity theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.
To be sure, the fact that many companies use Social Security numbers essentially as a password — not only are they the key to getting credit, they can also unlock access to an account over the phone — magnifies the problem. That's why Congress hopes to hide the numbers better — by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefit checks.
Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.
"It's too easy to get to data no matter what the key is, from insiders or hackers or mistakes," said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers LLP. "What we have to do is make it harder to use the data."
Westby's solution would be quite simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and doublecheck that they, rather than an impostor, really made the application.
Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.
In contrast, the data bills pending in Congress would make a lot of changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records and demanding widespread disclosure of data breaches...."
Saturday, December 25, 2004
The Electronic Privacy Information Center has released their top ten privacy resolutions for 2005:
EPIC Top Ten Privacy Resolutions for 2005
Top Ten Consumer Privacy Resolutions
Protect Your Privacy in The New Year!
1. Engage in "privacy self defense." Don't share any personal information with businesses unless it is absolutely necessary (for delivery of an item, etc.). Don't give your phone number, address, or name to retail stores. If you do, they can sell that information or use it for telemarketing and junk mail. If they ask for your information, say "it's none of your business," or give "John Doe, 555-1212, 123 Main St." Don't return product warranty cards. Don't complete consumer surveys even if they appear to be anonymous. Profilers can build in barely-perceptible codes that link you to the survey, and this data goes straight to direct marketers.
2. Pay with cash where possible. Electronic transactions leave a detailed dossier of your activities that can be accessed by the government or sold to telemarketers. Paying with cash is one of the best ways to protect privacy and stay out of debt.
3. Install anti-spyware, anti-virus, and firewall software on your computer. If your computer is connected to the Internet, it is a target of malicious viruses and spyware. There are free spyware-scanning utilities available online, and anti-virus software is probably a necessary investment if you own a Windows-based PC. Firewalls keep unwanted people out of your computer and detect when malicious software on your own machine tries to communicate with others.
4. Use a temporary rather than a permanent change of address. If you move in 2005, be sure to forward your mail by using a temporary change of address order rather than a permanent one. The junk mailers have access to the permanent change of address database; they use it to update their lists. By using the temporary change of address, you'll avoid unwanted junk mail.
5. Opt out of prescreened offers of credit. By calling 1-888-567-8688, you can stop receiving those annoying letters for credit and insurance offers. This is an important step for protecting your privacy, because those offers can be intercepted by identity thieves.
6. Choose Supermarkets that Don't Use Loyalty Cards. Be loyal to supermarkets that offer discounts without requiring enrollment in a loyalty club. If you have to use a supermarket shopping card, be sure to exchange it with your friends or with strangers.
7. Opt out of financial, insurance, and brokerage information sharing. Be sure to call all of your banks, insurance companies, and brokerage companies and ask to opt out of having your financial information shared. This will cut down on the telemarketing and junk mail that you receive.
8. Request a free copy of your credit report by visiting http://www.annualcreditreport.com. All Americans are now entitled to a free credit report from each of the three nationwide credit reporting agencies, Experian, Equifax, and Trans Union. You can engage in a free form of credit monitoring by requesting one of your three reports every four months. By staggering your request, you can check for errors regularly and identify potential problems in your credit report before you lose out on a loan or home purchase. Currently, these reports are available to residents of most western states. By September 2005, all Americans will have free access to their credit report.
9. Enroll all of your phone numbers in the Federal Trade Commission's Do-Not-Call Registry. The Do-Not-Call Registry (http://www.donotcall.gov or 1-888-382-1222) offers a quick and effective shield against unwanted telemarketing. Be sure to enroll the numbers for your wireless phones, too.
10. File a complaint. If you believe a company has violated your privacy, contact the Federal Trade Commission, your state Attorney General, and the Better Business Bureau. Successful investigations improve privacy protections for all consumers.
For more information about privacy, visit the Electronic Privacy Information Center at http://www.epic.org/
Slashdot has a discussion of the resolutions at Slashdot | Privacy Resolutions for the New Year.
Wednesday, December 15, 2004
Yahoo! News - Privacy commissioner investigating new Rogers 'negative option' complaint:
"Communications consultant Michael Krauss complained in September about a fine-print section of the company's service agreement that requires cellphone customers to fill out an online form or contact a customer service representative to prevent Rogers from disseminating information to other Rogers companies for telemarketing. 'I have commenced an investigation under the Personal Information Protection and Electronic Documents Act (PIPEDA) that Rogers Wireless is allegedly using negative consent when obtaining customers' permission to collect, use and disclose their personal information,' senior privacy investigator Kasia Krzymien told Krauss in a letter dated last Friday...."
Monday, December 13, 2004
Canada's privacy law is already hobbled by the constitutional division of power. For example, as a federal law, it cannot apply to the provincially regulated workplace. But, theoretically, it can apply outside of Canada's border. This has been the theoretical position of officials from the Office of the Privacy Commissioner. However, when dealing with an actual complaint, the Commissioner did not extend the federal privacy law to an organization entirely outside of Canada.
Michael Geist, in his weekly Toronto Star column, reports on an as-yet unpublished finding of the Commissioner that concludes that the law cannot regulate the use of Canadian personal information that is in the hands of an organization that has no presence in this country:
TheStar.com - CIBC breach spotlights hole in privacy law:
"...According to a recent unpublished letter from the privacy commissioner, the answer is unfortunately no. The Commissioner has adopted the position that Canada's privacy legislation stops at the border and that her office does not have the power to investigate companies that do not have a physical presence in Canada.
The letter was issued in response to a complaint launched by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Abika.com, a U.S. company that harvests databases and public reports. The company uses the information to produce reports that allegedly include, in some cases, psychosexual profiles. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without their consent in violation of Canada's national privacy law.
The privacy commissioner's office responded privately to Canadian Internet Policy and Public Interest Clinic two weeks ago. It noted that the company does not have a physical presence in Canada and therefore concluded that 'while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA' (the Personal Information Protection and Electronic Documents Act, Canada's national privacy law that governs how businesses collect and use personal information)...."
I tend to agree with Michael ... the Privacy Commissioner could have asserted jurisdiction and then dealt with the challenges of enforcement. This would at least have left the complainant with the ability to take the finding to the Federal Court of Canada to see if a real remedy could be fashioned.
Under traditional principles of international law, there are six bases on which a country such as Canada can assume jurisdiction to proscribe the actions of individuals and companies. (In most cases, these principles have arisen in the criminal law context but there is no reason to believe the Canadian courts would not apply them.) Four of the bases for jurisdiction are relevant to this discussion:
- Territorial Principle – A state has the jurisdiction to regulate individuals and subjects within its territory, including internal waters and airspace. This is the primary and most universal base for jurisdiction.
- Nationality Principle – Civil law countries have traditionally asserted jurisdiction over their nationals, regardless of where they may be located.
- Passive Personality Principle – States have assumed jurisdiction over crimes committed abroad against their nationals.
- By Agreement – A country may, by agreement, grant another country jurisdiction over certain persons or subjects within its borders.
Traditionally, the territorial principle has been the most persuasive and widely applied. This is based on the fundamental principle of international sovereignty that a state has absolute jurisdiction over "all persons, citizens and aliens alike, and things within its territory."
The Supreme Court of Canada’s decision in Libman v. The Queen is the leading Canadian authority on the issue of how and when a Canadian court may assert jurisdiction. Libman dealt with a "telemarketing scam" where the calls originated from Canada but were made to residents of the United States. Justice LaForest, who delivered the judgment of the unanimous court, recited the relevant facts:
3 During the period covered by the informations, Mr. Libman operated a telephone sales solicitation room (or "boiler room") at 43 Menin Road in Toronto, where a number of individuals were employed as telephone sales personnel. Pursuant to Mr. Libman's directions the sales personnel telephoned United States residents and attempted to induce them to purchase shares in two companies, Hebilla Mining Corporation and Claravella Corporation, which purported to be engaged in gold mining in Costa Rica. In addition to the telephone representations, the United States residents also received promotional material which was mailed from Panama City, Panama and San José, Costa Rica by associates of Mr. Libman.
4 The telephone sales personnel, on the direction of Mr. Libman, made material misrepresentations with respect to their identity, where they were telephoning from, and the quality and value of the shares they were selling. As a result of these misrepresentations, a large number of United States residents were induced to purchase shares in the two mining companies. There was some evidence tendered at the preliminary inquiry from which it could be inferred that these shares were virtually worthless.
5 The United States residents who agreed to purchase shares were told by the telephone sales personnel to send their money to offices operated by Mr. Libman's associates in either San José, Costa Rica or Panama City, Panama. There was evidence tendered that Mr. Libman went to a location outside Canada, usually Costa Rica or Panama, to meet with his associates and receive his share of the proceeds of the sale of the shares. Mr. Libman then brought this money back to Toronto and distributed a portion of it to his sales personnel. There was also evidence tendered at the preliminary inquiry with respect to the wire transfer of monies from Panama City to Mr. Libman in Toronto.
The appellant, Mr. Libman, was charged in Canada with fraud under the Criminal Code. In his defence, the appellant argued that Canada did not have the jurisdiction to prosecute him for the offence as the deprivation of the victim is the essential element of the offence and, if it did occur at all, it did not occur in Canada.
Justice LaForest began with the essential principle of territorial jurisdiction:
11 The primary basis of criminal jurisdiction is territorial. The reasons for this are obvious. States ordinarily have little interest in prohibiting activities that occur abroad and they are, as well, hesitant to incur the displeasure of other states by indiscriminate attempts to control activities that take place wholly within the boundaries of those other countries; see R. v. Martin,  2 All E.R. 86, at p. 92. … As well, along with other types of protective measures, states increasingly exercise jurisdiction over criminal behaviour in other states that has harmful consequences within their own territory or jurisdiction; see The Lotus (1927), P.C.I.J., Ser. A., No. 10. It follows from this that the same criminal act may occasionally be subject to prosecution in more than one country, a matter to which I shall refer from time to time.
The analysis is relatively straightforward where all the elements and effects of an alleged offence are within the bounds of the prosecuting state: Territorial and subject matter jurisdiction unambiguously provide that state with sufficient grounds to assert jurisdiction. In fact, it would be difficult for another state to attempt to exert jurisdiction. Matters become much more complicated when transnational activities are in question:
After surveying the threads of English and Canadian jurisprudence, LaForest J. concluded that a Canadian court may assert jurisdiction in circumstances where there is a "real and substantial link" between the offence and Canada:
16 The cases reveal several possibilities, of which I mention a few. One is to assume that jurisdiction lies in the country where the act is planned or initiated. Other possibilities include the place where the impact of an offence is felt, where it is initiated, where it is completed, or again where the gravamen, or essential element of the offence took place. It is also possible to maintain that any country where a substantial or any part of the chain of events constituting an offence takes place may take jurisdiction.
17 Though counsel for Mr. Libman argued that exclusive jurisdiction belongs to the country where the gravamen of the offence took place or where it was completed, a review of the English authorities does not really support that position. What it shows is that the courts have taken different stances at different times and the general result, as several writers have stated, is one of doctrinal confusion, a confusion compounded by the fact that the discussion often focuses on the specific offence charged, a discussion made more complicated by the further fact that some offences are aimed at the act committed and others at the result of that act.
74 I might summarize my approach to the limits of territoriality in this way. As I see it, all that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a “real and substantial link” between an offence and this country, a test well-known in public and private international law; see Williams and Castel, supra; Hall, supra. As Professor Hall notes (p. 277), this does not require legislation. It was the courts after all that defined the manner in which the doctrine of territoriality applied, and the test proposed simply amounts to a revival of the earlier way of formulating the principle. It is in fact the test that best reconciles all the cases. The only ones that do not fall within it are those like Harden and Rush which, in my view, should no longer be followed.
75 That this approach is attuned to modern times is evident from the fact that some variant of it has been recommended by numerous law reform bodies or adopted in legislation…
76 Just what may constitute a real and substantial link in a particular case, I need not explore. There were ample links here. The outer limits of the test may, however, well be coterminous with the requirements of international comity.
77 As I have already noted, in some of the early cases the English courts tended to express a narrow view of the territorial application of English law so as to ensure that they did not unduly infringe on the jurisdiction of other states. However, even as early as the late 19th century, following the invention and development of modern means of communication, they began to exercise criminal jurisdiction over transnational transactions as long as a significant part of the chain of action occurred in England. Since then means of communications have proliferated at an accelerating pace and the common interests of states have grown proportionately. Under these circumstances, the notion of comity, which means no more nor less than “kindly and considerate behaviour towards others”, has also evolved. How considerate is it of the interests of the United States in this case to permit criminals based in this country to prey on its citizens? How does it conform to its interests or to ours for us to permit such activities when law enforcement agencies in both countries have developed cooperative schemes to prevent and prosecute those engaged in such activities? To ask these questions is to answer them. No issue of comity is involved here. In this regard, I make mine the words of Lord Diplock in Treacy v. Director of Public Prosecutions cited earlier. I also agree with the sentiments expressed by Lord Salmon in Director of Public Prosecutions v. Doot, supra, that we should not be indifferent to the protection of the public in other countries. In a shrinking world, we are all our brother's keepers. In the criminal arena this is underlined by the international cooperative schemes that have been developed among national law enforcement bodies.
78 For these reasons, I have no difficulty in holding on the facts agreed upon for the purpose of this appeal, that the counts of fraud with which the appellant is charged may properly be prosecuted in Canada, and I see nothing in the requirements of international comity that would dictate that this country refrain from exercising its jurisdiction. Since these fraudulent activities took place in Canada, it follows for the reasons set forth in the Chapman case that the conspiracy count may also be proceeded with in Canada.
It goes without saying that the evolving adoption of privacy and data protection laws is not identical to criminal law, either domestically or internationally. However, analogies are easily made and there is an evolving international cooperative scheme, beginning with the OECD Guidelines.
As the basis for Canada to claim jurisdiction requires a "real and substantial link" between the activity and Canada, one must consider whether the collection of personal information about Canadians by foreign companies, or the collection of information about non-Canadians by a Canadian company, would be considered to provide a "real and substantial link" to Canada. The facts in Libman are sufficiently analogous to provide authority for the proposition that a court on review would likely find a "real and substantial link" between such activities and Canadian jurisdiction, notwithstanding any argument that the connection is de minimis.
The Personal Information Protection and Electronic Documents Act sets out, at Section 4, the basis of its application:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
(2) This Part does not apply to
(a) any government institution to which the Privacy Act applies;
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
*(3) Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.
The application section is entirely silent with respect to its intended territorial application. The only references to specific jurisdictions are contained in the transitional provisions and the definition of "federal work, undertaking or business". The transition provisions begin with Section 30:
30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.
*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
These provisions are temporary (and expired on January 1, 2004), as they assist with the gradual implementation of the legislation, providing individual provinces with the ability to put in place substantially similar legislation during the period in which the law only applies to the federally regulated private sector and cross-border sales of information. It may be notable that the cross-border reference says "outside the province" and not "to another province".
In the absence of clear guidance from the statute, one can interpret it to apply in all circumstances where there exists a "real and substantial link" to Canada, following the Supreme Court's guidance in Libman. In any event, there is nothing in the statute that would prevent Canada from assuming jurisdiction in the circumstances set out above.
In the past, officials with the Office of the Privacy Commissioner have advised that the Commissioner likely would assume jurisdiction where the collection of personal information is about Canadians or Canadian residents or where the collection originates in Canada. This appears to no longer be the case. Not only would the collection take place "in Canada", the Commissioner’s office used to be of the view that PIPEDA is part of an international scheme of privacy protection that could reach over borders.
The Privacy Commissioner has an arguable basis to make this second assertion and assume jurisdiction. As mentioned above, Canada implemented PIPEDA following the OECD Guidelines and in light of threatened restrictions on cross-border data flows caused by the EU Directive. Recital 20 of the EU Directive reads:
(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;
The EU Directive is implemented, for example, in the United Kingdom's Data Protection Act 1998, which provides that the statute would apply, for example, if a call centre contacting Canadians were located in the United Kingdom:
Application of Act.
5. - (1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if-
(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.
(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-
(a) an individual who is ordinarily resident in the United Kingdom,
(b) a body incorporated under the law of, or of any part of, the United Kingdom,
(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and
(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-
(i) an office, branch or agency through which he carries on any activity, or
(ii) a regular practice;
and the reference to establishment in any other EEA State has a corresponding meaning.
While Canada is obviously not bound by the EU Directive, it appears to be the spirit of PIPEDA that the Canadian law fit within this general scheme of international data protection.
This may be academic, as this no longer appears to be the position of the Office of the Privacy Commissioner.
Wednesday, December 08, 2004
Both the Toronto Star and CTV are carrying stories predicting that long-awaited "do not call" legislation is on the way, sooner rather than later.
CTV.ca | Canadian do-not-call legislation coming: report:
"By the end of next week, Canadian lawmakers could be considering a bill aimed at ending the scourge of unwanted phone calls from telemarketers.
According to a report in The Toronto Star, legislation to create a national do-not-call registry similar to one already launched in the United States is expected to be tabled before the end of next week.
The bill is expected to bar telemarketers from calling anyone on the list, unless they have established a pre-existing relationship. That means someone who's requested information about a specific service can be contacted.
Previous legislation that would have allowed Canadians to register with such a list died with the last federal election call.
Under current Canadian Radio-television and Telecommunications Commission regulations, telemarketing agencies must maintain their own registry of people not wishing to be called. Numbers appearing on those lists can't be faxed or phoned for three years....."
And from the Toronto Star:
TheStar.com - National 'do-not-call' registry likely:
"The Liberal government is widely expected to introduce legislation next week that would create a national do-not-call registry, giving Canadian households the option of shielding themselves from unwanted telemarketing calls.
A similar registry was introduced with great fanfare last year in the United States and has already attracted more than 66 million households. Government and industry sources said a bill is likely to be tabled before the House of Commons breaks next week for the holidays, but could be delayed until it sits again in late January.
'I am convinced now that they have every intent of doing it, and doing it very soon,' said John Gustavson, president of the Canadian Marketing Association, which has supported a national registry since 2001. 'We think it's the right way to go, and we think it will be valuable information for marketers and valuable relief for consumers.'...."
As a complete aside, I find it interesting that Canadian marketing organizations, unlike their US counterparts, favour DNC laws and privacy laws.
Saturday, November 20, 2004
Sorry for the light (read: non-existent) blogging over the last few days. I've finally gotten to an internet connection ....
Mathew Englander e-mailed me the other day to say that the Federal Court has rendered their decision in his fight against Telus. I haven't read the full reasons, which should be available here soon, but all reports suggest that Telus did not persuade the Federal Court of Appeal to uphold the finding of the Privacy Commissioner and the Federal Court, Trial Division. I haven't found any free coverage online, but here is an extract of an article from the Calgary Herald.
Little guy wins privacy fight against giant Telus.
Canwest News Service
Saturday, November 20, 2004
Byline: Sarah Staples
In a victory for the little guy, a federal appeals tribunal has ruled unanimously that Telus Communications Inc. must go to greater lengths to get its customers' approval before reselling their personal information to telemarketers and others.
"There is no evidence that Telus made any 'effort,' let alone a 'reasonable' one . . . to ensure that its first-time customers are advised of the secondary purposes (of their personal information) at the time of collection," wrote Justice Decary on behalf of his colleagues in the decision released this week.
The case is the result of a protracted battle by Mathew Englander, a lawyer and Vancouver resident, with the phone company since 2001.
Englander argued Telus breaks new federal privacy rules by not informing customers when they sign up for service that it repackages telephone directory listings into CD-ROMs and machine-readable lists and sells them to telemarketers, charities and political parties.
Minutes after the Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted on Jan. 1, 2001, Englander became the first Canadian to lodge a formal complaint to the federal privacy commissioner under the new law.
His arguments were rejected, first by the commissioner and later by a Federal Court judge in a ruling last June. But the Federal Court of Appeals reversed those earlier decisions this week, saying Telus didn't go far enough to make Englander understand his privacy rights.
Telus has been ordered to reimburse Englander the nearly $12,000 he paid in costs after losing the earlier Federal Court decision.
Experts following Englander v. Telus said the ruling sets positive early precedents, defining the legal obligations of business at a time when consumers' expectation of privacy is under siege.
PIPEDA theoretically gives Canadians the right to scrutinize innumerable bits of data collected about them by customer service reps, squirreled into computerized cash registers, and revealed to creditors, doctors and employers. It also warns companies to seek permission before using those details. But the law frames the issues broadly, leaving it to the courts to resolve what crucial notions, such as "informed consent," will mean in practice.
"There are huge costs to industry in attempting to inform the public. Nevertheless, we've moved so far into an age of technology that people don't understand what they're agreeing to," said Stephanie Perrin, a consultant and former federal civil servant who was one of the authors of PIPEDA.
"This gives us a first interpretation of what a person can reasonably be expected to understand."
Englander called the ruling "an interpretation such that people can make their own decisions about how their information will be used.
"That's what privacy is about," he said in a telephone interview. "It's not only keeping things secret, it's giving individuals the right to decide what stays confidential and what does not."
Englander's win is a partial victory: the appeals court denied his attempt to stop Telus from charging customers $2 a month for unlisted service, a fee that adds $5.96 million annually to the company's coffers, from roughly 250,000 unlisted telephone numbers in Alberta and B.C., according to affidavits.
The telco now has 60 days to offer suggestions for revamping its policies to bring them into compliance with the privacy law. Any changes negotiated with the federal appeals tribunal will be incorporated into their final written judgment, to be issued at an unspecified later date.
Drew McArthur, VP of corporate affairs and privacy officer for Telus, hinted his firm will argue any court-ordered changes should apply only to new customers, and only involve "the scripting for new customers when they call in for service," as opposed to more elaborate and expensive retraining for employees.
The spokesman said phone companies across Canada may be affected, and added Telus is considering its options, including appealing all or some parts of the decision to the Supreme Court of Canada.
One potential hot potato for the highest court is a question of jurisdiction: the appeals tribunal apparently granted federal judges "overlapping jurisdiction" to rule on PIPEDA cases, whereas Telus argued any decision on fees should be made exclusively by its regulator, the CRTC.
Also, ironically, the tribunal denied Canada's privacy commissioner deference in cases that come before the courts in future, arguing that to do so would have given privacy advocates an unfair advantage over business interests.
"I think it's now further education of how the court views the balance of the privacy rights of individual versus the needs of businesses," said McArthur.
Thursday, September 30, 2004
"Strict rules imposed on telemarketers in May have been put on hold pending the outcome of a regulatory review.
The Canadian Radio-television and Telecommunications Commission has decided to reconsider its new rules in response to a complaint filed in August by the Canadian Marketing Association.
The association, with 800 members that include major financial institutions, telephone operators and media companies, argued that the high cost of complying with the regulations will put many smaller phone marketers out of business and result in job loss across an industry that employs 270,000...."
Wednesday, September 29, 2004
The CRTC has temporarily suspended the application of their recent changes to the Canadian telemarketing rules. The full text of the decision is here and the "blurb" is below:
2004-63 The Commission approves, with one exception, the Canadian Marketing Association's (CMA's) application to stay Review of telemarketing rules, Telecom Decision CRTC 2004-35, 21 May 2004, pending the disposition of the CMA's application to review and vary that Decision. The stay applies to all requirements set out in Decision 2004-35 except the requirement that telecommunications service providers track and report complaint statistics; this requirement becomes effective 1 January 2005. Reference: 8662-C131-200408543. [.pdf]
Readers interested in Canadian telemarketing law and the regulation of it by the CRTC in particular are encouraged to check out Mathew Englander's site devoted to the topic at http://www.mathew-englander.ca/canada-telemarketing-law.htm
Tuesday, September 14, 2004
The Canadian Radio-television and Telecommunications Commission (CRTC) recently established a framework for the provision of Reverse Search Directory Assistance (RSDA) offered by incumbent local exchange carriers (ILECs). RSDA is an expanded directory assistance service that provides the listed name and address associated with a specific telephone number.
The Commission has decided to allow ILECs to perform information searches when presented with telephone numbers under certain conditions.
As part of the public process leading to the current CRTC decision, the ILECs stated that none of objectives of the Telecommunications Act would be adversely affected if they provided RSDA. On the other hand, groups such as the Anti-Poverty Organization and the Information and Privacy Commissioner of Ontario, argued that this service contravenes the privacy protection provided by the Act.
Because of the significant safety concerns over providing street addresses, the Commission decided the only information that can be provided by RSDA searches are name and general locality, such as city, town or postal code.
There were some concerns expressed that RSDA service could be a valuable asset to commercial entities involved with telemarketing. They could use the service to determine the names and addresses of those calling for information about products and services without their knowledge or consent.
To address this issue, the new regulations prohibit the use of RSDA for compiling and updating telemarketing lists. ..."
Monday, September 13, 2004
It’s time to catch up with two court cases that were the subject of past columns and that produced new opinions. Privacy did well in one case and poorly in the other.
The first case is the litigation over the do-not-call registry decided in February by the 10th Circuit. Everybody knows that the court rejected the telemarketing industry’s arguments that the registry is unconstitutional. It was a sweeping victory for the registry, as the court dismissed every argument put forward in opposition. ...
February also brought a decision by the Supreme Court in a case arising under the Privacy Act of 1974, a law that applies only to federal agencies. The case, Doe v. Chao, involved the improper disclosure of a Social Security number by the Department of Labor. The issue was what a plaintiff had to prove to receive the $1,000 in minimum damages that the statute provides.
The case is a setback for privacy. Privacy advocates hoped that the court would have more sympathy for the consequences of privacy violations and for the difficulty of proving damages in privacy cases, but they did not prevail.
If you didn’t like the result in these cases, just wait. There will be more decisions in more privacy cases soon.
Monday, June 28, 2004
The online business publication ProfitGuide has an article on PIPEDA that is worth looking at.
"Recent judgments prove Canada's new privacy act has surprisingly long arms
By Laura Garetson
PROFIT Magazine / June 2004
It's 2:25 P.M. Two employees, certain no one is watching, slip into their cars and drive away from work 35 minutes early. But the shift supervisor sees the entire incident with the aid of a security camera and doles out reprimands the next day. The employees take the boss to court, arguing the camera invaded their privacy. True or false: the employees win?"
One thing that it didn't highlight is that PIPEDA only applies to employees if they are employees of a "federal work, undertaking or business". (See my blog entry "PIPEDA and Employees".)
From my perspective, the article does a good job of telling businesses that PIPEDA is for just about every organization:
"Clearly, PIPEDA is not solely the concern of telemarketers and mailing-list brokers. So how can your firm avoid falling afoul of the act? The trick is realizing that PIPEDA applies not only to personal information collected on paper or electronically, but from all sources, including various correspondence, pictures, sound recordings and videotape. "Businesses need to focus not just on info they collect from individuals, but on everything they learn about those about individuals," says Robert Parker, Toronto-based national privacy partner with Deloitte and Touche. The key, according to Parker, is to ask yourself the following when collecting personal information: "Is this reasonable to do? Was it reasonably done? Are there less intrusive methods I could use?" That, he says, is a good start to covering the bases."
Monday, May 24, 2004
From today's Toronto Star:
How to make `do not call' list work
Doesn't just the sight of the word make your blood boil? Not that all telemarketers are bad, it's just that the very word conjures up the image of dinner-time interruption and an uncomfortable phone conversation that usually ends with the handset crashing to its base.
To its credit, the Canadian Marketing Association is trying its best to separate itself from insensitive, rogue marketers who insist on bothering us at the worst of times and, despite our pleas, call back over and over again, or worse, defiantly challenge us when we say, 'Sorry, not interested.'
The problem is, the CMA only has 800 members - all big, respectable companies with reputations to protect and enough sense to listen when we ask to be removed from their respective calling lists."
Sunday, May 02, 2004
The Christian Science Monitor has published an article on issues related to the privacy of children's information, particularly information that is compiled for marketing purposes. The United States already has legislation that deals with the privacy of kids' information online (the Children's Online Privacy Protection Act), but there is -- at present -- no regulation of offline collection and marketing. This will change if a legislative initiative by Senators Wyden and Stevens is passed by Congress (see http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.2160:).
Hey kid - you wanna buy a ... | csmonitor.com:
"With Gary Ruskin at its helm, Commercial Alert has gained recent attention on Capitol Hill for its "Parents' Bill of Rights."
The document includes nine provisions to help parents combat commercial influences, one of which calls for banning advertising aimed at children under 12 and two of which have already been introduced in the US Senate.
The first bill under consideration requires fast-food chains to disclose basic nutritional information, and the other, introduced last month by Sens. Ron Wyden (D of Oregon) and Ted Stevens (R of Alaska), would ban list brokers without parental permission from collecting data about children 16 and under - everything from ethnicity and family income to hobbies - and selling it to advertisers and marketers.
This practice extends even to the diaper set, which is especially alarming to parents. But no matter what the child's age, parents consider these lists an invasion of privacy.
"Parents are flabbergasted and angry when they learn that their child's information could be sold on the Internet," says Chris Fitzgerald, press secretary for Senator Wyden.
"These list brokers work by stealth," says Mr. Ruskin. "No one even knows this is happening. Children are naturally more trusting than adults, and that trust is often easy to exploit."
Repeated calls to two of the best-known list brokers, American Student List and Student Marketing Group, were not returned. But Doug Wood, general counsel to both the Association of National Advertisers and the Advertising Research Foundation, spoke up in list brokers' favor. Banning them, he says, would be discriminatory and a violation of the First Amendment.
He doesn't even favor an "opt out" feature similar to the Do Not Call Registry for telemarketers. "There would be a huge rush of parents who sign up out of ignorance," Mr. Wood explains. "Some of the things they sell to kids are valuable. The fact that we are a nation of sellers is not necessarily a bad thing."
But Wood, who has three children, does concede that list brokers might want to tweak their approach: "They could do themselves a favor by being more open," he says.
The Children's Listbroker Privacy Act will be heard sometime before October, says Courtney Schikora, press secretary for Senator Stevens. That may not be soon enough for some activists, but most are encouraged that politicians are listening.
Friday, January 23, 2004
Commissioner's Findings - Privacy Commissioner of Canada - For the first time in quite a while, the Office of the Privacy Commissioner has issued a new batch of findings (and when I say "new", it only means newly-released because they all date from August through September of last year):
Tuesday, January 06, 2004
Mathew Englander was one of the very first complainants under PIPEDA. According to sources at the Office of the Privacy Commissioner, his complaint was sent by e-mail on January 1, 2001 at 12:01 am. He complained that Telus, the phone company in British Columbia, violated PIPEDA by requiring the payment of a fee to have an unlisted number. His complaint was determined by George Radwanski to be "not well founded" (See PIPEDA Case Summary #8). Mr. Englander took the case to the Federal Court, where Blais J. agreed with Radwanski (See Englander v. Telus,  FCT 75). The case is now under appeal and Mr. Englander has made his Memorandum of Fact and Law [PDF] for the appeal available on his website. His website also has other links, including a page on telemarketing rules in Canada.
The Englander case will be one to watch, because it raises some very important issues that need to be sorted out. One question is how much of an obligation do consumers have to educate themselves about a company's privacy practices and policies? Telus apparently never told customers about the option of having an unlisted number or of having their names included in the normal directory but left off CD-ROMs sold to marketing companies. There is also an issue of how PIPEDA interacts with other statutes or regulators, such as the Canadian Radio-television and Telecommunications Commission, which had OK'd the Telus practices. Finally, there is the key issue of whether the hearing before the Federal Court is really a completely de novo hearing or whether the Privacy Commissioner should be granted some curial deference. Stay tuned!
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.