Date: Monday, 30 Jun 2014 06:48
Canada's anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.

My weekly technology law column (Toronto Star version, homepage version) notes that the concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.


PIPEDA already requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations, since its three primary requirements involve obtaining user consent, providing an unsubscribe mechanism, and maintaining accessible contact information.

So why has the new anti-spam law caused such an uproar? Three reasons: a shift in approach on consents, the confusion that comes from trying to fit into the myriad of exceptions contained in the law, and fear of tough new penalties.

The biggest substantive change in the law comes from the requirement for express consent. Express consent requires disclosing the purposes for which consent is being requested and identifying who is seeking consent. This represents a significant change from current practice, where businesses have frequently relied upon "implied" consent for their use of personal information.

The reality is that users were often unaware that their information was being collected, used, and even disclosed for commercial purposes. The terms were often buried in legal agreements that few bothered to read or presented alongside confusing negative option check boxes that left many bewildered as to whether they needed to check or uncheck the box in order to avoid more email marketing.

Yet businesses relied upon these approaches to claim they had obtained the necessary implied consent. The shift to express consent represents an important change that has forced many businesses to directly request consent from their users for the first time (if a business already has express consent there is no need to ask again). Those arguing that the new law will have little impact on spam miss the point: the law is shifting privacy expectations in how our information is collected and used.

Given the fears associated with seeking express consent, many businesses are seeking to rely upon exceptions contained in the law. There are many exceptions in CASL, with everything from most business-to-business emails to Twitter direct messages excluded. Yet reliance on exceptions creates an assortment of complications that many businesses are finding difficult and has become another source of concern. The exceptions require a close reading and some interpretation, but it should be remembered that businesses can always seek express consent and avoid the issue altogether.

The third major concern involves the consequences for failing to comply with the law. Failure to comply with the current privacy law results in little more than a non-binding finding from the Privacy Commissioner of Canada with practically no likelihood of financial penalties. On the other hand, CASL's penalties are significant with the maximum penalty set at $1 million per violation for an individual and $10 million per violation for a business (despite fears of massive penalties for a single slip-up, warnings are far more likely than penalties).

The law also includes a three-year transition period that ensures that as long as an organization already has implied consent, it has until 2017 to upgrade to express consent. Email marketing will not stop on Canada Day, but the arrival of the anti-spam law after a decade of debate does mean that Canadians are being meaningfully asked for the first time if they give consent to the collection, use and disclosure of their personal information, a change in approach that seems well worth celebrating.
Author: "Michael Geist" Tags: "casl, privacy, spam"
Date: Friday, 27 Jun 2014 14:13
The challenge of jurisdiction and the Internet has long been one of the most contentious online legal issues. Given that the Internet has little regard for conventional borders, the question of whose law applies, which court gets to apply it, and how it can be enforced is seemingly always a challenge.  

Striking the right balance can be exceptionally difficult: if courts are unable to assert jurisdiction, the Internet becomes a proverbial “wild west” with no applicable law. Conversely, if every court asserts jurisdiction, the Internet becomes over-regulated with a myriad of potentially conflicting laws vying to govern online activities.

My weekly technology law column (Toronto Star version, homepage version) notes that in recent years, courts in many countries have adopted a reasonable balance where they are willing to assert jurisdiction over online activities or companies where there is a "real and substantial" connection, but they limit the scope of enforcing their rulings to their own jurisdiction. In other words, companies cannot disregard local laws where they operate, but courts similarly should not disregard the prospect of conflicting rules between different countries.


For example, the recent European Court of Justice decision on the “right to be forgotten”, which requires Google to remove links to certain content, is based on European privacy law and is limited in application to the European Union.

Earlier this month, the Supreme Court of British Columbia confronted a similar issue – whether it could assert jurisdiction over Google and how far to extend its order to remove links from the search giant’s index – but adopted a far more aggressive approach. Rather than ordering Google to remove certain links from the search results available through Google.ca, the order intentionally targets the entire database, requiring the company to ensure that no one, anywhere in the world, can see the search results.

The case involves a Canadian company that claims that another company used its trade secrets to create a competing product along with "bait and switch" tactics to trick users into purchasing that product. The defendant company had been the target of several court orders demanding that it stop selling the copied product on its website. Google voluntarily removed search results for the site from Google.ca search results, but was unwilling to block the sites from its worldwide index.

The court was concerned that a Canada-only order would be ineffective since Canadians could still access links to the site if they switched from Google.ca to a different country site such as Google.com. Yet even with a global court order, Canadians could still use competing search engines to find the same information. Moreover, that same order blocks content in countries where there was presumably no awareness of the competing site and no commercial impact.

More troubling are the broader implications of the ruling, since if a Canadian court has the power to limit access to information for the globe, presumably other courts do as well. While the court does not grapple with this possibility, what happens if a Russian court orders Google to remove gay and lesbian sites from its database? Or if a Saudi Arabian court orders it remove Israeli sites from the index? The possibilities are endless since local rules of freedom of expression often differ from country to country.

The ruling provides the sense that the court felt that its reach needed to match Google's global footprint. While there is much to be said for asserting jurisdiction over Google - if it does business in Canada, then Canadian law should apply - attempts to extend blocking orders to a global audience could lead to a run on court orders that target the company's global search results.

That would leave two possible problematic outcomes: Google would selectively decide which court orders it wishes to follow or local courts would begin deciding what the rest of the world can access online. Either way, the overreach of the B.C. court could lead to legal conflicts online and potential suppression of freedom of speech on the Internet.
Author: "Michael Geist" Tags: "bc, equustek, google, ip, jurisdiction"
Date: Thursday, 26 Jun 2014 11:35
As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Maclean's, titled "Few Companies Prepared for New Privacy Law":

"The new law... says organizations can only collect personal information for a stated reason - and can use it only for that purpose. Among other things, that means a company that supplies a service can't sell its list of subscribers to another company's marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed... But most firms are unaware of the new law."

The article continues by noting that "there's confusion over which organizations might be exempt" and that "there is no grandfather clause - all existing customer information needs to be compliant." The message is similar in a Globe and Mail article titled "Many small firms not ready for privacy rules", which also notes the possibility of a constitutional challenge. An IT World Canada article reiterates that concern in its coverage:

most Canadian organizations are not aware of the [law]. And very few are prepared to comply.

What makes these articles noteworthy is that none involve CASL. Instead, they all date from 2004, when the current private sector privacy law (PIPEDA) was about to take effect. Then, as now, there were ominous warnings about how ill-prepared Canadian business was to address its privacy law obligations. Yet as I noted in my post on complying with the new anti-spam law:

For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (i.e. unsubscribe), and accessible contact information.

While CASL does create some new obligations, what is not new are the claims that business is unaware of and unprepared to address its privacy law obligations.
Author: "Michael Geist" Tags: "casl, pipeda, privacy, spam"
Date: Thursday, 19 Jun 2014 07:48
The Supreme Court of Canada's Spencer decision is still only a few days old, but it has become clear that the ruling has left the government's privacy and lawful access strategy in tatters. I've posted earlier on how the decision - which held that Canadians have a reasonable expectation of privacy in their subscriber information and that voluntary disclosure of such information to the police constitutes an unlawful search - blows away the government's plans for Bills C-13 and S-4 by contradicting longstanding government policy positions.

While there are options for the government to establish reforms that are consistent with the court ruling and that would grant police the access they say they need, government ministers have instead adopted a rather bizarre response of saying anything, no matter how inconsistent with prior positions, the court's analysis, or public comments from authorities such as the Privacy Commissioner of Canada. There is admittedly a track record for this: Conservatives have dismissed privacy concerns from Carole Todd, the Boys and Girls Club of Canada, the Privacy Commissioner of Canada, and many more. Further, the Conservative leader in the Senate claims Spencer has "no impact whatsoever" on Bill S-4. 


However, the inconsistent or misleading comments from government ministers take this to another level. The government's brief to the Supreme Court of Canada in the Spencer case states:

does a person enjoy a reasonable expectation of privacy in subscriber information? Put another way, should the police have to get judicial authorization to determine the physical address of an internet connection and the subscriber's name before they apply for judicial authorization to search that physical address? The answer to those questions must be "no", for the subscriber information sought says nothing more than that a person or company has an internet link.

Justice Minister Peter MacKay argued in favour of voluntary disclosure in the House of Commons when moving that Bill C-13 be read a second time:

organizations would still be bound by the Personal Information Protection and Electronic Documents Act, something known as PIPEDA, which makes it clear that an organization is entitled to voluntarily disclose personal information to the police, without the consent of the person to have the information relayed.

The court responded directly to these positions in Spencer:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Yet how does MacKay now characterize the decision? On Tuesday, he argued that the case confirms what the government has said all along:

The Supreme Court's decision actually confirms what the government has said all along, that Bill C-13's proposals regarding voluntary disclosures do not provide legal authority for access to information without a warrant.

On Wednesday, he doubled down by quoting from the Spencer decision:

let us look at the actual Supreme Court decision, paragraph 73. It is a declaratory provision that confirms the existing common law powers of police officers to make enquiries as indicated by the fact that the section begins with the phrase “for a greater certainty”. That is exactly what we have been saying. It is the same provision of Bill C-13.

Yet anyone who reads paragraph 73 will know that MacKay references only the first half of the paragraph. Read in its entirety, the court argues the opposite:

With respect, I cannot accept that this conclusion applies to s. 7(3)(c.1)(ii) of PIPEDA. Section 487.014(1) is a declaratory provision that confirms the existing common law powers of police officers to make enquiries, as indicated by the fact that the section begins with the phrase "[f]or greater certainty": see Ward, at para. 49. PIPEDA is a statute whose purpose, as set out in s. 3, is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.

MacKay is not alone in engaging in creative interpretations. Daniel Therrien, the new Privacy Commissioner who was just appointed by the Conservatives, gave an interview to the Globe and Mail this week in which he said that Bills C-13 and S-4 should be reviewed in light of the Spencer decision. Within hours, Industry Minister James Moore responded to a question on Twitter about warrantless disclosure by stating that the Privacy Commissioner supports the bill.
Author: "Michael Geist" Tags: "c-13, lawful access, mackay, moore, priv..."
Date: Wednesday, 18 Jun 2014 08:13
Countries from around the world last year reached agreement on a landmark copyright treaty designed to improve access to works for the blind and visually impaired. As the first copyright treaty focused on the needs of users, the success was quickly billed the "Miracle in Marrakesh" (the location for the final round of negotiations) with more than 50 countries immediately signing the treaty.

The pact, which was concluded on June 27, 2013, established a one-year timeline for initial signatures, stating that it was "open for signature at the Diplomatic Conference in Marrakesh, and thereafter at the headquarters of WIPO [the World Intellectual Property Organization] by any eligible party for one year after its adoption."

My weekly technology law column (Toronto Star version, homepage version) notes that in the months since the diplomatic conference, 67 countries have signed it. The list of signatories includes most of Canada's closest allies, including the United States, European Union, United Kingdom, and France. The major developing economies such as Brazil, China, and India have also signed the agreement. Curiously absent from the list of signatories, however, is Canada.

The issue was raised in the House of Commons by NDP MP Peggy Nash, leading to the following exchange with Industry Minister James Moore:


Nash: Mr. Speaker, over 90% of published materials are simply not accessible to blind and visually impaired Canadians. The Marrakesh treaty on copyright seeks to fix this problem. Sixty-seven countries have signed on, including the EU, U.K., India, and China, but not Canada. The Conservatives left these measures out of their proposed copyright changes. The treaty's deadline is June 27. Will the Conservatives do the right thing and sign this treaty so we can improve access for visually impaired Canadians?

Moore: Mr. Speaker, of course our government has taken the lead with our Copyright Modernization Act. In fact, just today we put in place the notice regime to further modernize our copyright regime in this country. With regard to those who are perceptually disabled, my colleague should know very well that when we put together the Copyright Modernization Act, we worked with the Canadian National Institute for the Blind and others. Of course, we are more than willing to look at ways to improve our copyright legislation to ensure that all Canadians recognize that their needs are met in Canadian law.

In other words, when asked specifically why Canada has yet to sign the treaty, Moore refused to provide a direct answer.

Canada's failure to sign the treaty is particularly surprising given the important role it reportedly played in facilitating a deal. Reports from Marrakesh indicated that Canada worked to find common ground and helped craft the final agreement. Moreover, from both policy and legal perspectives, supporting the treaty would appear to be a proverbial no-brainer.

The treaty expands access for the blind by facilitating the export of works to the more than 300 million blind and visually impaired people around the world, which is needed since only a tiny percentage of books are ever made into accessible formats. Further, it restricts digital locks from impeding access, by permitting the removal of technological restrictions on electronic books for the benefit of the blind and visually impaired.

The treaty would require few changes to Canadian law. The basic requirements of the treaty are an exception or limitation in national law that permits the creation of accessible format copies for the blind or visually impaired without permission of the copyright holder as well as a scheme to permit the cross-border exchange of qualifying copies.

Canada already has an exception in national law relating to persons with perceptual disabilities. The current exception is not identical to the treaty requirements and would need some modest tweaking to comply with the new international standard.

The biggest change would likely come from the need to establish an entity that would facilitate, promote, and disseminate accessible format copies of work and exchange information with other countries about accessible works. In other words, the treaty would require Canada to invest in improving access for the blind.

Given the narrow goals of promoting greater access for the visually impaired, signing the treaty should be relatively uncontroversial. Indeed, while both the U.S. and European Union expressed some concerns during the negotiation process, both are now signatories.

With a copyright review planned for 2017, Canada could sign the treaty now with the expectation of incorporating the necessary reforms as part of the next reform process. Alternatively, there are several bills currently before the House of Commons that involve intellectual property issues that could be amended to include the necessary changes.

Regardless of what legislative approach is adopted, the first step is for Canada to sign the treaty before the June 27th deadline. Failure to become part of the initial group of signatories would raise troubling questions about why the government was unwilling to take a strong stand in favour of the rights of the blind and visually impaired in Canada.
Author: "Michael Geist" Tags: "copyright, treaty for the blind, tvi, wi..."
Date: Tuesday, 17 Jun 2014 08:22
Having had the benefit of a few days to consider the implications of the Supreme Court of Canada decision in Spencer, the Senate last night proceeded to ignore the court and pass Bill S-4, the Digital Privacy Act, unchanged. The bill extends the ability to disclose subscriber information without a warrant from law enforcement to any private sector organization, by including a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. Given the Spencer decision, it seems unlikely that organizations will voluntarily disclose such information, as they would face the prospect of complaints for violations of PIPEDA.

Despite a strong ruling from the Supreme Court of Canada that explicitly rejected the very foundation of the government's arguments for voluntary warrantless disclosure, the government's response is "the decision has no effect whatsoever on Bill S-4."


As I posted yesterday, the government had argued in committee that:

In the instance of PIPEDA, because of the type of information provided in a pre‑warrant phase such as basic subscriber information, it would be consistent with privacy expectations and therefore it's not really putting telecoms, for example, in some unique position in terms of police investigations.

The Supreme Court of Canada rejected this view, concluding that:

there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous.

That cannot be credibly described as "no effect whatsoever." Indeed, the government's recently appointed Privacy Commissioner also pointed to Spencer and urged the government to consider the implications on S-4.

In another post yesterday on the future of C-13 and S-4, I lamented that the "government could adopt the 'bury our heads in the sand approach' by leaving the provisions unchanged, knowing that they will be unused or subject to challenge." I argued that a better approach would be to address the issue directly, providing certainty to businesses and Canadians.

Perhaps unsurprisingly given its recent track record on privacy, it has chosen the head-in-the-sand approach. During debate in the Senate yesterday, Conservative Senators repeatedly argued that Bill S-4 actually strengthens privacy, despite the fact that it opens the door to warrantless voluntary disclosure to any organization (it also enshrines weak data breach rules that do not provide protection as strong as that found in some other jurisdictions). Moreover, they tried to distinguish Spencer by arguing that it involves a criminal investigation disclosure to police, while the S-4 expansion of warrantless disclosure involves disclosures to private organizations.

Yet the principle is obviously the same: there is a reasonable expectation of privacy in subscriber information that should not be disclosed without a warrant or court order. No organization should be disclosing that information and when they do, they are likely to face a complaint with the Privacy Commissioner of Canada for violating PIPEDA. By leaving S-4 unchanged, the government is encouraging voluntary disclosures even after the Supreme Court explicitly ruled against them.

While the bill must still pass through the House of Commons, the government's decision to rush the legislation through the Senate (it conducted only a few hours of hearings) and to seemingly ignore the Supreme Court's decision creates further uncertainty for Canadians and Canadian businesses. Everyone needs rules that comply with the letter and spirit of the Spencer decision, which Bill S-4 fails to do on both counts.
Author: "Michael Geist" Tags: "digital privacy act, pipeda, s-4, spence..."
Date: Tuesday, 17 Jun 2014 07:44
The government today announced that there will be no additional regulations associated with the notice-and-notice rules that provide rights holders with the ability to have Internet providers forward notifications to subscribers alleging infringement. The government had delayed implementation of the rules amid a consultation on the issue. The notice-and-notice system does not require the ISP to disclose the subscriber's personal information to the rights holder nor to takedown the content. The system, which other countries are now considering due to its effectiveness, is set to take effect on January 1, 2015.
Author: "Michael Geist" Tags: "c-11, copyright, isp, notice and notice"
Date: Tuesday, 17 Jun 2014 06:11
In the aftermath of the European Court of Justice "right to be forgotten" decision, many asked whether a similar ruling could arise in Canada. While a privacy-related ruling has yet to hit Canada, last week the Supreme Court of British Columbia relied in part on the decision in issuing an unprecedented order requiring Google to remove websites from its global index. The ruling in Equustek Solutions Inc. v. Jack is unusual since its reach extends far beyond Canada. Rather than ordering the company to remove certain links from the search results available through Google.ca, the order intentionally targets the entire database, requiring the company to ensure that no one, anywhere in the world, can see the search results. Note that this differs from the European right to be forgotten ruling, which is limited to Europe.

The implications are enormous, since if a Canadian court has the power to limit access to information for the globe, presumably other courts would as well. While the court does not grapple with this possibility, what happens if a Russian court orders Google to remove gay and lesbian sites from its database? Or if Iran orders it to remove Israeli sites from the database? The possibilities are endless, since local rules of freedom of expression often differ from country to country. Yet the B.C. court adopts the view that it can issue an order with global effect. Its reasoning is very weak, concluding that:

the injunction would compel Google to take steps in California or the state in which its search engine is controlled, and would not therefore direct that steps be taken around the world. That the effect of the injunction could reach beyond one state is a separate issue.

Unfortunately, it does not engage effectively with this "separate issue."


The case involves a company that claims that another company used its trade secrets to create a competing product along with "bait and switch" tactics to trick users into purchasing that product. The defendant company had been the target of several court orders demanding that it stop selling the copied product on its website. Google voluntarily removed search results for the site from Google.ca search results, but was unwilling to block the sites from its worldwide search results.

The case turned largely on jurisdictional questions: could a B.C. court assert jurisdiction over Google? Was a Canadian court the right court to hear the case when Google is based in California? Is it appropriate to issue an order requiring the complete removal of results for all users worldwide?

The court answered affirmatively to all questions. On the issue of jurisdiction, the court cited the European Court of Justice decision, concluding that the company's search and advertising services were inextricably linked and that therefore Google has a Canadian connection. As for concerns that the decision would give every state jurisdiction over Google, the court was unmoved:

I will address here Google's submission that this analysis would give every state in the world jurisdiction over Google’s search services. That may be so. But if so, it flows as a natural consequence of Google doing business on a global scale, not from a flaw in the territorial competence analysis.

Further, on concerns that the B.C. court order would have global effect, the court was similarly unpersuaded:

I note that Google objects to British Columbia retaining jurisdiction because the order sought would require Google to take steps in relation to its websites worldwide. That objection is not resolved by "going to California". If the order involves worldwide relief, a California court will be no more appropriate a forum than British Columbia to make such an order. Even if the order can be construed more narrowly as requiring Google to take steps at the site where the computers controlling the search programs are located, Google has not established that those computers are located in California, or that they can only be reprogrammed there.

The issues raised by the decision date back to the very beginning of the globalization of the Internet and the World Wide Web, when many worried about jurisdictional over-reach with courts applying local laws to a global audience. This decision provides the sense that the court felt that Google's global reach needed to be matched by the court's reach. While there is much to be said for asserting jurisdiction over Google - if it does business in the jurisdiction, the law should apply - attempts to extend blocking orders to a global audience have very troubling implications that could lead to a run on court orders that target the company's global search results.
Author: "Michael Geist" Tags: "equustek solutions, free speech, google,..."
Date: Monday, 16 Jun 2014 08:18
In the fall of 2007, Public Safety Canada quietly launched a lawful access consultation that envisioned mandatory disclosure of customer name and address information. After I posted the consultation online, the department claimed that the consultation was not secret, and then-Public Safety Minister Stockwell Day suggested that the document actually contained old Liberal wording. Day promised not to introduce legislation compelling disclosure without a court order, a commitment that Peter Van Loan, the next Public Safety Minister, rejected when the Conservatives introduced their first lawful access bill in 2009.

This third post on Spencer (case summary, comparison with government talking points) begins with some lawful access history because it is important for understanding what might come in the aftermath of the Supreme Court of Canada's evisceration of the government's arguments on voluntary disclosure of personal information in the Spencer decision. The starting point for the voluntary disclosure provisions in Bills C-13 and S-4 can be traced back to the 2007 consultation. Law enforcement complained about inconsistent access to customer name and address information and sought new provisions to make such disclosure mandatory (PIPEDA permitted voluntary disclosure but did not require it).

Public Safety responded with a plan to create a mandatory disclosure provision, but hit a roadblock when Day promised no warrantless disclosure. Once Day was shuffled out of that position, the Van Loan and Vic Toews lawful access bills both brought it back, with Van Loan's bill specifying 13 identifiers that would be required to be disclosed and Toews' bill slimming the list down to six identifiers. Neither bill proceeded past first reading: the Van Loan bill died with an election call weeks after it was introduced and the Toews bill was infamously shelved after the public outrage over the bill and Toews' characterization of critics as either siding with the government or with child pornographers.

After then-Justice Minister Rob Nicholson promised no Criminal Code reforms based on the Toews bill (another promise that did not last long), the government adopted a different approach. If mandatory warrantless disclosure was out (the Spencer decision makes it clear those provisions would have been struck down as unconstitutional), a more robust voluntary disclosure system might do the trick. PIPEDA already contains voluntary disclosure provisions, which are used thousands of times every year. The government envisioned expanding the current system by offering full criminal and civil immunity for voluntary disclosures in Bill C-13 and expanding the scope of voluntary disclosures to public officials (in C-13) and any private sector organization (in S-4). The Privacy Commissioner and other experts argued against the changes, but the government relied on claims that disclosure was permitted by law (now debunked by the Supreme Court) to support the policy.

All of which raises the question of what comes next. With the Spencer decision, the expanded voluntary warrantless disclosure strategy is effectively dead. Law enforcement will not seek voluntary disclosure (except in exigent circumstances) since it is likely to be treated as an illegal search and the resulting information will be inadmissible. In any event, telecom companies will no longer provide customer name and address information on a voluntary basis since that is likely to be treated as a violation of Canadian privacy law. With no one seeking voluntary disclosure and no one providing it, the C-13 and S-4 provisions have been neutered by the Supreme Court. In fact, the immunity provision now seems inoperable since it is contingent on a lawful voluntary disclosure, which a disclosure of customer name and address information is not.

The government could adopt the "bury our heads in the sand approach" by leaving the provisions unchanged, knowing that they will be unused or subject to challenge. That would run counter to the spirit of the Supreme Court ruling and do nothing to assist law enforcement. The better approach would be to directly address the problems in the bills and the current legislation. The first involves voluntary warrantless disclosure of subscriber information. Those provisions in C-13 and S-4 should be dropped from the bill. Moreover, the existing PIPEDA provisions should also be eliminated. In their place, a new subscriber information warrant could be developed that ensures court oversight, an appropriate standard given the Supreme Court of Canada's finding of the privacy import of such information, and a system to allow law enforcement to apply for a subscriber information warrant expeditiously.

Second, the transmission data warrant (typically referred to as metadata) in C-13 should be amended as many recommended to the committee. Numerous witnesses (myself included) argued that the reason to suspect standard was too low given the privacy implications of metadata and that the reason to believe standard was more appropriate. Given the Spencer decision, the transmission data warrant is a court challenge waiting to happen and adopting the higher standard would provide far more legal certainty.
Author: "Michael Geist" Tags: "c-13, lawful access, privacy, s-4, spenc..."
Date: Monday, 16 Jun 2014 08:06
For weeks, the government has been claiming that the provisions in Bill C-13 and S-4 were compatible with the law. Last week, the Supreme Court of Canada disagreed, issuing its decision in Spencer on the legality of voluntary warrantless disclosure of subscriber information. The court ruled that there was a reasonable expectation of privacy with subscriber information and that voluntary disclosure to police may constitute an illegal search.

The court's comments are particularly striking when contrasted with claims from government ministers, MPs, and officials, who have defended C-13 and S-4 at committee. Consider what the court said about subscriber information:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

In contrast, Bob Dechert, the Parliamentary Secretary to the Minister of Justice, argued at committee that subscriber information was similar to a licence plate on a car:

Sure, it's kind of like akin to, as I think Officer Pardy said, if you see a car driving down the street and you suspect that the driver is impaired, you copy down the licence number and provide that to police. I assume the police can also ask you for it. If I see, today, somebody harassing one of my neighbours on their front porch, and there's a car in the driveway, I assume I can note down that licence number and provide it to police, and by the same token the police can come to my door and say, “Did you see somebody harassing your neighbour; do you have any information that would lead us to that person's identity?” That's true? Okay.

When Industry Minister James Moore appeared before the Senate Transport Committee to defend the expansion of voluntary disclosure of personal information, his Assistant Deputy Minister Lawrence Hanson told the committee:

So the existing provisions of PIPEDA do allow voluntary disclosure to law enforcement without a warrant, but there are a couple of really important things to note.  First of all, it is voluntary; they are not compelled to do that.  Secondly, the types of information that law enforcement could request would have to identify their lawful authority to request it, and they would be receiving what we would call basic subscriber information. This basically ties into the charter, the reasonable expectation of privacy.  In the sense of basic subscriber data, that could be obtained without a warrant.  I would distinguish that from something more intrusive like transmission data or about an electronic intercept, for example, which would require a warrant.

Hanson later added:

In the instance of PIPEDA, because of the type of information provided in a pre‑warrant phase such as basic subscriber information, it would be consistent with privacy expectations and therefore it's not really putting telecoms, for example, in some unique position in terms of police investigations.

The court was also dismissive of arguments that consumers had consented to the disclosure of their information in their ISP user agreements:

Whether or not disclosure of personal information by Shaw is “permitted” or “required by law” in turn depends on an analysis of the applicable statutory framework. The contractual provisions, read as a whole, are confusing and equivocal in terms of their impact on a user’s reasonable expectation of privacy in relation to police initiated requests for subscriber information.

Moreover:

Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

But that isn't what Moore emphasized to the Senate committee, when he argued that consumers may have agreed to the voluntary disclosures in their user agreements:

Well, if you agree to a contract, for example, with a telecommunications company, and as part of that contract you can surrender some of your capacity to have your information shared under certain circumstances, that can exist in a number of contractual situations, but that's an individual signing a contract and agreeing to that openness in the case of a criminal investigation.

Justice Minister Peter MacKay said much the same thing when asked about immunity for voluntary disclosure at the Justice Committee hearing on C-13:

That really is an issue that is covered under the PIPEDA. It is really as well an issue of potentially contract law between the individual and the service provider, the company. But the provision provides protection for those who are voluntarily assisting police in an investigation where such assistance is not otherwise prohibited by law. So, the element of protection, if you will, or immunity has to respect the common law provision of voluntary disclosure as well as any existing contractual obligations that may exist. It must be done in a way that complies with section 25 and this other section that you're referring to 47.

In other words, the government's key defences for C-13 and S-4, namely that there is no reasonable expectation of privacy in subscriber information and that users consent to the disclosure in their agreements, were both soundly rejected by the Supreme Court of Canada.
Author: "Michael Geist" Tags: "c-13, privacy, s-4, spencer"
Date: Friday, 13 Jun 2014 08:52
For the past several months, many Canadians have been debating privacy reform, with the government moving forward on two bills: lawful access (C-13) and PIPEDA reform (S-4). One of the most troubling aspects of those bills has been the government's effort to expand the scope of warrantless, voluntary disclosure of personal information.

Bill C-13 proposes to expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant. Meanwhile, Bill S-4 proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. I appeared before both committees in recent weeks (C-13, S-4), but Conservative MPs and Senators were dismissive of the concerns associated with voluntary disclosures.

This morning another voice entered the discussion and completely changed the debate. The Supreme Court of Canada issued its long-awaited R. v. Spencer decision, which examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision written by (Harper appointee) Justice Thomas Cromwell, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.

I discuss the implications below, but first some of the key findings. First, the Court recognizes that there is a privacy interest in subscriber information. While the government has consistently sought to downplay that interest, the court finds that the information is much more than a simple name and address, particularly in the context of the Internet. As the court states:

the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. “Cookies” may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided. The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous - by guarding the link between the information and the identity of the person to whom it relates - the user can in large measure be assured that the activity remains private.

Given all of this information, the privacy interest is about much more than just name and address.

Second, the court expands our understanding of informational privacy, concluding that there are three conceptually distinct issues: privacy as secrecy, privacy as control, and privacy as anonymity. It is anonymity that is particularly notable, as the court recognizes its importance within the context of Internet usage. Given the importance of the information and the ability to link anonymous Internet activities with an identifiable person, a high level of informational privacy is at stake.

Third, not only is there a significant privacy interest, but there is also a reasonable expectation of privacy by the user. The court examines both PIPEDA and the Shaw terms of use (Shaw being the ISP in this case) and concludes that PIPEDA must surely be understood within the context of protecting privacy (not opening the door to greater disclosures) and that the ISP agreement was confusing at best and may support the expectation of privacy. With those findings in mind:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Fourth, having concluded that obtaining subscriber information was a search engaging a reasonable expectation of privacy, the court found that the information was unconstitutionally obtained and that the search was therefore unlawful. Addressing the impact of the PIPEDA voluntary disclosure clause, the court notes:

Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.

There are several important implications that flow from this decision. First, with a finding that police need a warrant for subscriber information (except in exigent circumstances), the practice of obtaining information on a voluntary basis should come to an end.

Second, the government's plans for expanded voluntary, warrantless disclosure under Bill C-13 must surely be reformed as it is unconstitutional. Just yesterday, Conservative MP Bob Dechert relied on R. v. Ward to support the C-13 approach with respect to immunity for voluntary disclosure. The court has effectively rejected the Ward decision and Dechert's defence of the provision no longer stands.

Third, the government should remove the expansion of voluntary disclosure in S-4. With the Supreme Court emphasizing the privacy importance of subscriber information, the government should not be seeking to expand warrantless disclosures. In fact, immediate reports indicate that the Senate has delayed debate on the bill to consider the ruling.

Fourth, Internet providers need radical reform of their current approach to disclosure of subscriber information. The Supreme Court examined Shaw's terms of service policy and found it provided "a confusing and unclear picture of what Shaw would do when faced with a police request for subscriber information." The same can be said for virtually every ISP in Canada. While ISPs have been regularly disclosing this information hundreds of thousands of times, the Court ruled:

Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

The court notes that ISPs are not required to disclose this information, and this case reaches the conclusion that they are not permitted to do so absent a warrant either. This means ISPs must change their practices on voluntary warrantless disclosure. Much more to come on a decision that seems likely to define Internet privacy for many years to come.
Author: "Michael Geist" Tags: "c-13, privacy, s-4, spencer"
Date: Wednesday, 11 Jun 2014 04:35
Bills C-13 and S-4, the two major privacy bills currently working their way through the legislative process, both reached clause-by-clause review yesterday, typically the best chance for amendment. With Daniel Therrien, the new privacy commissioner, appearing before the C-13 committee and the sense that the government was prepared to compromise on the controversial warrantless disclosure provisions in S-4, there was the potential for real change. Instead, the day was perhaps the most disastrous in recent memory for Canadian privacy, with blown chances for reform, embarrassingly bogus claims from the government in defending its bills, and blatant hypocrisy from government MPs who sought to discredit the same privacy commissioner they were praising only a few days ago.

The blown chance for reform arose at the Senate committee conducting its review of Bill S-4. The review of the bill was very short - I appeared before the committee last week, but very little time was devoted to a bill that was years in the making. Liberal Senator George Furey proposed an amendment to remove the most controversial provision in the bill, which would massively expand the scope of voluntary, warrantless disclosures by allowing companies to reveal customer information to other companies. There appeared to be sufficient support for the amendment since one Conservative Senator supported it. However, when the chair of the committee, Liberal Senator Dennis Dawson, abstained, the committee was left deadlocked at 4 in support and 4 against. Dawson tried to change his vote, but it was ruled out of order. The government was likely ready to lose on the issue, but the amendment was defeated and with it, the best chance to remove the provision.

In fact, Industry Minister James Moore appears to have assumed that the amendment was adopted at committee. Later in the afternoon during Question Period, Moore responded to a question about the expansion of warrantless disclosure in Bill S-4 by stating "we dealt with this issue at the Senate. We adopted an amendment at the Senate committee and it will come to the House of Commons where we will move forward." In other words, the amendment was a done deal and the committee blew it.

The bogus claims were strewn over both committees. Conservative Senator Don Plett argued that the Furey amendment would impede self-regulating professional associations such as those for lawyers and doctors from investigating their own members. The reality is that the law currently permits these investigations through regulations that cover dozens of such associations. Bill S-4 seeks to expand the disclosures to anyone, but Furey's amendment was clearly aimed at stopping the expansion of voluntary warrantless disclosures, not rolling back those current powers.

Meanwhile, at the C-13 committee, government MPs were using the most incredible justifications for problematic provisions in the bill. Responding to concerns about a provision that expands voluntary warrantless disclosure to a wider range of public officials, Conservative MP Bob Dechert argued that the expanded approach was needed to allow fisheries officers to request data from telecom companies and to give military police the power to investigate soldiers overseas if they send cyberbullying images.

Most troubling was the sheer hypocrisy taking place at both committees. Last week, Treasury Board President Tony Clement described Therrien as "an exceptional candidate" in the House of Commons, while Prime Minister Harper called him an "expert." That exceptional candidate and expert told the committee that Bill C-13 should be split, that a higher threshold should be used for metadata warrants, and that immunity for voluntary disclosures of personal information was likely to lead to a rise in such disclosures. With those criticisms in hand, Conservative MP Kyle Seeback was no longer impressed with Therrien's expertise, bizarrely asking if he had ever been a police officer or a crown attorney. Those comments came as part of a series of aggressive questions that surprised many observers.

Yet while Conservative MPs were dismissing any criticism of the bill and indicating that they would side with police testimony, consider that the police testimony involved representatives who were not even fully aware of the substance of the bill. For example, when the Ontario Provincial Police appeared before the committee last month, their representative stated:

Under the proposed legislation, ISPs will be compelled to provide this information in a timely fashion and on a consistent basis. Access to this information will be strictly controlled and limited to law enforcement officials who would be fully trained in these procedures and subject to auditing and/or reporting processes. The outcome will be that the police can quickly and consistently gain access to information that makes a difference to our effectiveness in investigating and preventing criminal activity and victimization.

The problem with the testimony is that it refers to an old bill, not Bill C-13. This bill does not have mandatory disclosure provisions, and its voluntary provisions expand the scope of who may have access to personal information. So Conservative MPs sided with police testimony that did not accurately describe the substance of the bill.

Moreover, at the Senate committee, the only amendment to Bill S-4 that was approved was proposed by Conservative Senator Plett, and it weakened police powers under the data breach disclosure rules. Plett and the Conservative senators removed a provision that would have allowed police to request delayed notification to the public if the notice might impede a criminal investigation. That seems like a sensible provision where police are pursuing a criminal hacking or data theft operation, yet it was the Conservatives that removed the provision.

That provided a fitting conclusion to a disastrous day for Canadian privacy, in which a Senate committee blew the best chance for privacy reform and the government made it clear that it thinks the privacy commissioner is an expert except when he disagrees with them, that police concerns trump public and privacy concerns except when they don't, and that the military has a cyberbullying problem that necessitates warrantless access to personal information.

Author: "Michael Geist" Tags: "c-13, lawful access, privacy, s-4"
Date: Tuesday, 10 Jun 2014 04:32
The imminent arrival of Canada's anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. Any organization that already sends commercial electronic messages presumably complies with PIPEDA, the private sector privacy law, which requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (i.e. unsubscribe), and accessible contact information.

This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive - some organizations will face unique issues - it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations are here and the CRTC regulations here.

The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.

1.    What electronic messaging is covered by the law?

The starting point is to first identify whether your message is captured by the law. The law only addresses commercial electronic messages, but CASL takes a broad approach to what is included. The law states that "a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity." That covers a lot - so long as the content, links, or contact information appears to have as a purpose encouraging commercial activity, it is caught by the definition. Note that the CRTC has said that encouraging commercial participation refers to encouraging the recipient's participation.

2.    What are the "big three" requirements under the law?

Sending commercial electronic messages is subject to three requirements under CASL. First, the law prohibits sending messages (or causing or permitting messages to be sent) unless the recipient has consented to receive it. Second, it establishes form requirements for electronic messages that specify that they must identify who sent the message, include contact information, and contain an unsubscribe mechanism. Third, the contact information must remain valid for at least 60 days after the message has been sent. The law expands on each of these requirements, as discussed further below.

3.    Does my message qualify for an exception?

CASL features many exceptions to the general rule of having to comply with the big three requirements.  Even among the exceptions, there are two types: those exceptions that exclude the message from all the requirements and those exceptions that exclude only the consent requirements (but leave the form and contact information requirements).

General exceptions that exclude the message from all the requirements include:

  • messages between individuals with a personal or family relationship. The regulations indicate these messages involve direct, voluntary, two-way communications. They do not involve social-media-only relationships (i.e. likes or follows)
  • messages sent between employees within an organization
  • messages sent to a business (or person engaged in a commercial activity) where the message consists of an inquiry or application related to that commercial activity
  • messages sent in response to a request, inquiry or complaint
  • messages sent on an electronic messaging service (such as a social media direct message service) provided that there is adequate information and unsubscribe mechanisms on the service site
  • messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who gave the account to the recipient
  • messages sent to satisfy or enforce a legal or juridical obligation
  • messages sent to recipients outside the country with qualifying anti-spam laws (see jurisdiction discussion below)
  • two-way voice calls, faxes, and voice recordings sent to a telephone account

The exceptions that exclude consent requirements but keep the form and contact information requirements include:

  • quotes or estimates sent to someone who has requested it
  • completion of commercial transactions
  • providing warranty, product recall or safety information
  • notifying the recipient of factual information about an ongoing product, service, subscription, membership, account, etc.
  • information directly related to an employment relationship
  • delivering a product, good or service (including product upgrades) if the recipient was entitled to receive it
  • one third-party referral message, subject to certain requirements (including naming who made the referral in the message)

4.    Does my organization qualify for an exemption?

The law features a number of exemptions for several types of organizations. First, registered charities are exempt provided that the primary purpose of the message is to raise money for the charity. Second, political parties and political candidates are exempt if the primary purpose of the message is to solicit a contribution. Third, telecom providers are exempt where their role in the communication is to merely provide telecommunications services.
 
5.    My messages or organization do not qualify for an exception. What consent is acceptable under the law?

The law identifies two kinds of consent: express and implied. Express consent requires identifying the purposes for which consent is being requested and identifying who is seeking consent. The law generally requires express consent. Express consent may not involve pre-checked boxes. Rather, there must be an express opt-in by the user to indicate their consent.

However, there are several exceptions that permit implied consent for electronic messaging:

  • there is an existing business relationship between the sender and recipient. This includes any purchase of a product, good or service within the prior two years, the acceptance of a business opportunity within the prior two years, a written contract between the two parties from the previous two years, or any inquiry within the prior six months.
  • there is an existing non-business relationship between the sender and recipient. This includes donations or volunteer work to or for charities, political parties, and political candidates, as well as membership over the prior two years in a club, association, or voluntary organization.
  • the recipient's email address has been prominently published, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person's business, role or duties.
  • the recipient's email address was disclosed to the sender, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person's business, role or duties.


6.    Are my existing consents valid?

Express consents obtained before the law took effect remain valid. Implied consents are subject to the transition described below.

7.    What are the requirements for the unsubscribe mechanism?


The unsubscribe mechanism must allow the recipient to unsubscribe using the same electronic means that was used to send the message. There must also be a Web-based address that allows for unsubscribing.

8.    What are the jurisdictional limitations in the law?  Does it apply to non-Canadians sending messages to Canadians? To Canadians sending messages to non-Canadians?

The law applies to messages sent to Canadians and is invoked when a computer system in Canada is used to send or access the message. There are important exceptions in the application of the law to Canadian organizations that send messages outside the country. First, sending the message to a person in a country with comparable anti-spam laws means those local laws apply.  The government has identified 116 countries that qualify for this exception and the list includes virtually all major countries that are likely to have commercial electronic traffic with Canada. Second, merely routing a message through Canada (but not using a Canadian computer server to send or access the message) does not trigger the law.

9.    Does everything start on July 1st or is there a phase-in period?

While the law takes effect on July 1st, there is a three-year transition period.  Where there is an existing business or non-business relationship, consent is implied for the full three years. In fact, the CRTC has apparently interpreted the transition provision to cover any prior business relationship. In other words, as long as the organization has implied consent, it effectively has until 2017 to upgrade to an express consent.

10.    What are the penalties for violating the law?

The penalties are significant, which is why many people are paying attention to the law. The maximum penalty is $1 million per violation for an individual and $10 million per violation for a business.
Author: "Michael Geist" Tags: "c-28, casl, spam"
Date: Monday, 09 Jun 2014 04:02
News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.

My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.

While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.


There are two major problems with the government's proposal, which appears to have been placed on a legislative fast track.  First, the standard for disclosing a data breach is set at "a real risk of significant harm to the individual." This standard is considerably higher than that found in some other jurisdictions.  

For example, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the threshold is whether an unauthorized person acquired the information, not whether there is a real risk of significant harm. In Europe, telecom breaches must be reported based on an "adverse effect to personal data or privacy" standard, which is also a lower threshold than the Canadian plan.

Second, earlier versions of the privacy bill envisioned a two-stage approach in which organizations would be required to notify the Privacy Commissioner of Canada of material data breaches (a far lower standard), who would then work with the organization to assess whether a wider notification to all affected Canadians was warranted. The two-stage approach is increasingly common with New Zealand announcing plans for a similar approach late last month.

The Digital Privacy Act removes the notification of material breaches to the Privacy Commissioner altogether. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks, and no one seriously expects the Commissioner to regularly ask every organization whether it has experienced any data breaches.

The elimination of notifications of material breaches is likely to result in significant under-reporting, since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation. Rather than providing Canadians with the information they need to mitigate identity theft and misuse of their personal information, the bill will often leave them unaware of data breaches or security risks.

While there are other serious concerns with the Digital Privacy Act - notably the massive expansion of warrantless voluntary disclosures of personal information - the government promoted the data breach rules as the centerpiece of its effort to better protect Canadians against the misuse of their personal information. Yet the core requirements of that system actually provide less protection than earlier proposals and would be one of the weaker approaches in the developed world.

Privacy has emerged as a dominant issue on Parliament Hill in recent weeks, with the focus on surveillance, lawful access, and the new Privacy Commissioner. The Digital Privacy Act has received less attention; however, its failure to keep Canadians informed about many data breaches should be added to the list of privacy disappointments.
Author: "Michael Geist" Tags: "data breach, digital privacy, s-4"
Date: Friday, 06 Jun 2014 08:57
Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP, beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer, and it is reasonable to guess that others will follow.

Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information are only part of the story. The report only contained data on requests for information, with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is a shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities' requests were granted, the company stated:


“We don’t keep track of it. Our tracking to date has really been for internal management purposes, not for creating a transparency report. So that's something we’re going to look to expand in the future and hopefully provide more information in the future.”

By contrast, the TekSavvy report provides data on both requests and disclosures as do many other transparency reports (Google, Twitter, Microsoft).

The claim that Rogers only tracks in-bound requests and not out-bound data is hard to believe. The reason may be financial - the "internal management purpose" may be to charge a fee to law enforcement for the process. Further, the company says that if it considers an order too overbroad, it will "push back and, if necessary, go to court to oppose the request." Is it really possible that the company has no records of when it has gone to court to oppose a request?

[Update 7/6/14: Rogers has provided a private response in which it indicates that it does have records of individual responses to requests for subscriber information, but that it does not track aggregate numbers. Further, it does know the number of times it went to court, but did not include that information in the transparency report.]

Tracking disclosures of subscriber information should not be viewed as optional. Privacy law gives individuals a right of access to their information:

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.

The statute continues at 4.9.3:

In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

If Rogers is not tracking disclosures, the approach raises privacy compliance concerns. Moreover, this helps explain why it does not notify customers that their information has been disclosed, since it does not seem to track the information itself.
Author: "Michael Geist" Tags: "privacy, rogers, transparency"
Date: Thursday, 05 Jun 2014 04:22
Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill's shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.

The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.

Appearance before the Senate Transport and Communications Committee, June 4, 2014


Good evening. My name is Michael Geist.  I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.

I'd like to structure my remarks by focusing on three welcome elements of Bill S-4, three areas in need of improvement, and one glaring omission.

The Welcome Provisions

First, the good news.  Bill S-4 importantly provides additional clarification for the standard of consent. Given that meaningful consent provides the foundation for the law, the clarification is much-needed, particularly for minors. Consent is meaningless if the person does not understand to what they are consenting. By clarifying the standard of consent, businesses will have greater certainty and a clear obligation to ensure that Canadians are better informed about the collection, use and disclosure of their personal information.

Second, the expansion on publicly disclosing information is also a welcome addition and long overdue. I have long argued that the Office of the Privacy Commissioner adopted an unnecessarily conservative interpretation of the current provision that allows for naming organizations subject to complaints. The expansion of the provision sends a signal that the Commissioner should not hesitate to publicly disclose any information if it is in the public interest to do so.  This would include poor organizational practices, well-founded complaints or public privacy risks.

Third, the extension of the deadline to take a complaint to the Federal Court is much needed as well, given that the current system represents an unnecessary barrier to potential pursuit of federal court review.

Areas in Need of Improvement

Let me now turn to three important aspects of the bill in need of improvement.  First, the long-awaited security breach disclosure requirements.  As you are aware, creating mandatory security breach disclosure requirements at the federal level is long overdue as it creates incentives for organizations to better protect our information and allows Canadians to take action to avoid risks such as identity theft. There are aspects of the Bill S-4 security breach rules that are better than those found in prior bills such as C-12 and C-29.  Most notably, the inclusion of actual penalties is essential to create the necessary incentives for compliance. 

However, there are problems with the standards for disclosure, some left over from the prior bill and some new to this bill.

From the prior bill, the standard for notification to individuals - "a real risk of significant harm to the individual" - should be lowered to ensure that the law captures more breaches. By comparison, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is a real risk of significant harm. In Europe, telecom breaches must be reported based on an "adverse effect to personal data or privacy" standard, which is also better than the Bill S-4 approach. These are better approaches that make it more likely that Canadians will be informed when their information is caught up in a breach.

New to this bill is the removal of a two-stage process that involved first informing the Privacy Commissioner and then the individual where circumstances warrant it. Bill S-4 puzzlingly establishes the same standard - "real risk of significant harm" - for both notifying the Commissioner and individuals. This means there may be no notification for systemic security problems within an organization or technical standard vulnerabilities. I repeat - those kinds of breaches would not be disclosed to anyone. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks.

Why is this a problem?  Because it is likely to result in significant under-reporting of breaches since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation since there is no reporting requirement to that office.

You have heard some suggest that all breaches should be reported to the Commissioner. This is the approach in some jurisdictions. For example, under a European Union regulation passed last year, all personal data breaches at telecom companies must be reported to the national data protection authority.

I believe that the prior government bills (C-12 and C-29) offered a better, two-stage approach. The first notification to the Privacy Commissioner would occur where there is a "material breach of security safeguards".  Whether the breach was material depended upon the sensitivity of the information, the number of individuals affected, and whether there was a systemic problem.  It did not require a risk of significant harm.  The two-stage approach was far better, since it ensured notifications first to the Commissioner, including identifying systemic problems that may not be caught by the Bill S-4 approach.

I would therefore recommend two changes to these provisions: the California-style standard for notifications to individuals and the government's own approach in C-12/C-29 to notifying the Commissioner as a first step.

The second major area for improvement involves the expansion of warrantless disclosure. At a time when many Canadians are concerned with voluntary, warrantless disclosure, the bill expands the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).

While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. This runs counter to recent Federal Court decisions that have sought to establish clear limits and oversight over such disclosures.

Moreover, the disclosure itself is kept secret from the affected individual, who is unlikely to complain since they will be unaware that their information has been disclosed. In fact, while a House of Commons committee may have recommended a similar reform in 2006, that recommendation was rejected at the time by both the Conservative government and the Privacy Commissioner of Canada.

The reform here is clear: the provision opening the door to the massive expansion of warrantless, non-notified voluntary disclosures should be removed.

Third, given the distinct lack of powers for the Privacy Commissioner of Canada, the creation of compliance agreements is a step in the right direction, but order-making power, or at least some form of direct regulatory action such as administrative monetary penalties, is needed. The inability to make well-founded findings 'stick' without first navigating an inaccessible and impractical trip to the federal court has been an enormous source of frustration for many Canadians.

The creation of compliance orders would have made sense if there had been some power to issue penalties or take regulatory action, as is the case in the United States where compliance orders are commonly used. Without such a threat, however, it is difficult to see why an organization would enter into such an agreement. Avoiding the federal court is something you do when you fear you might lose. That has not been the case under PIPEDA. Reforms are needed with real penalties to ensure compliance.

The Glaring Omission

The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures is a glaring omission from the bill and should be addressed. The stunning revelations about over 1 million requests and 750,000 disclosures of personal information - the majority without court oversight or warrant - point to an enormously troubling weakness in Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all - disclosure of our personal information often without our awareness or explicit consent.

This can be addressed through two reforms.  First, the law should require organizations to publicly report on the number of disclosures they make to law enforcement without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception. This information should be disclosed in aggregate every 90 days.  Second, organizations should be required to notify affected individuals within a reasonable time period of the disclosure - perhaps 60 days - unless doing so would affect an active investigation.

The adoption of these provisions - which would be consistent with what we heard from Mr. Therrien yesterday - would be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
Author: "Michael Geist" Tags: "digital privacy act, s-4"
Date: Tuesday, 03 Jun 2014 07:39
In recent years, it has become fashionable to argue that Canadians no longer care about their privacy. Supporters of this position note that millions of people voluntarily post personal information and photos about themselves on social media sites, are knowingly tracked by Internet advertising giants, and do not opt-out of "targeted" advertising from telecom companies. Yet if the past few months are any indication, it is not Canadians that have given up on privacy. It is the Canadian government.

My weekly technology law column (Toronto Star version, homepage version) notes that the public response to the tidal wave of stories regarding widespread surveillance, the 1.2 million government requests to telecom companies for customer information, and the growing number of security breaches suggests that many Canadians are deeply concerned about the protection of their privacy. However, many feel helpless in the face of recent revelations and wonder whether the government is prepared to tighten privacy rules and establish stronger oversight.


Unfortunately, the answer to that question is increasingly clear.  Not only has the government largely abandoned stronger privacy protections, but legislative proposals currently before Parliament seem certain to weaken the current legal framework even further.

For example, Bill C-13, the lawful access and cyberbullying bill, raises such serious privacy concerns that Carole Todd, the mother of cyberbullying victim Amanda, pointedly told Members of Parliament studying the bill that "we should not have to choose between our privacy and our safety."

Much like the government's divisive approach to the last lawful access bill (in which then-Public Safety Minister Vic Toews infamously stated that people could stand with the government or with child pornographers), Justice Minister Peter MacKay is again forcing Canadians to choose.

The latest bill grants telecom companies and other organizations legal immunity for the voluntary disclosure of their customers' personal information. Law enforcement officials have confirmed that this goes well beyond basic subscriber information and may include transmission and tracking data.

The bill also establishes a low threshold for warrants to access metadata, which numerous experts confirm may reveal private and sensitive information. Despite the concerns, no Canadian privacy commissioner will appear before the committee studying the bill, and groups such as the British Columbia Civil Liberties Association have been similarly excluded (I appeared before the committee last Thursday).

The situation is similarly grim with respect to Bill S-4, the Digital Privacy Act that is currently winding its way through the Senate. That bill expands the scope of voluntary warrantless disclosures of personal information by allowing for such disclosures to any organization, not just law enforcement.  

Moreover, the law does not require telecom providers to notify customers of these disclosures, meaning that hundreds of thousands of Canadians remain in the dark when their information is voluntarily handed over to officials.  In fact, telecom companies have thus far rejected calls for greater transparency on their disclosure practices, pointing to government rules that they claim prohibit them from opening up.

The government's decision to weaken privacy protection also extends to its unwillingness to rein in surveillance activities. While the U.S. has begun to reconsider its approach and to establish more effective oversight mechanisms, the state of Canadian surveillance remains shrouded in secrecy.  Repeated revelations about Canadian involvement in global surveillance programs, including programs that have involved domestic interceptions, have been met with a collective shrug from elected officials.

As if to emphasize the point, last week the government named a senior Justice lawyer for the Canadian surveillance agencies as the new Privacy Commissioner of Canada. While past performance does not guarantee future policies (Chantal Bernier, Canada's interim Privacy Commissioner, came to the office from Public Safety), the decision to pass over several well-qualified privacy experts with commissioner experience sends an unmistakable message about the government's general view of privacy.

The bleak state of Canadian privacy is difficult to reconcile with a government that has prioritized a consumer perspective on telecom, broadcast, and banking issues. Further, conservative government policies are often consistent with civil libertarian views that abhor public intrusion into the private lives of its citizens.  

But with Ottawa showing no signs of backtracking on its privacy reforms, Canadians can be forgiven for wondering how its government became so hostile towards their privacy at the very time that they woke up to the importance of the issue.
Author: "Michael Geist" Tags: "c-13, lawful access, privacy, s-4"
Date: Tuesday, 03 Jun 2014 07:33
I appeared this morning on CBC's The Current to discuss the state of Canadian privacy and the nomination of Daniel Therrien as the new Canadian privacy commissioner. Audio of the segment, which includes George Radwanski and Wayne Easter, here.
Author: "Michael Geist" Tags: "cbc the current, privacy, therrien"
Date: Monday, 02 Jun 2014 07:55
The federal government created the Office of the Federal Ombudsman for Victims of Crime in 2007 to ensure that victims' concerns and voices were heard. Last week, Sue O'Sullivan, the current ombudsman, appeared before the committee studying Bill C-13, the lawful access/cyberbullying bill. Ms. O'Sullivan, a former Deputy Chief of Police for the Ottawa Police Service, confirmed what has become increasingly obvious. Despite the government's expectations that victims and their families would offer strong support for Bill C-13, that community is split on the bill:

I would like to touch briefly on what appears to be the most controversial aspects of the bill, those which relate to investigative tools and the balance of powers and privacy. Privacy matters and technical investigative tools do not generally fall within my mandate. It is worth noting that among the victims we have spoken to, there is no clear consensus on the element of the bill. I have spoken with victims who very much support further measures to assist law enforcement in their investigation, and find the tools included in this bill to be balanced and necessary. I have, like you, heard opposing points of views from victims who don't wish to see these elements of the bill proceed for fear they will impinge on Canadians' privacy rights. From my own perspective, I would say that there is a balance to be struck, and the dialogue that Canadians are having is a needed and valuable one.


The comments come after Carole Todd, the mother of Amanda, told the committee:

I don't want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process. We are Canadians with strong civil rights and values. A warrant should be required before any Canadian's personal information is turned over to anyone, including government authorities. We should also be holding our telecommunication companies and Internet providers responsible for mishandling our private and personal information. We should not have to choose between our privacy and our safety.

The Boys and Girls Clubs of Canada, also expected to be a supporter of Bill C-13, expressed similar concerns:

We understand that Bill C-13 has also raised concerns on the respect of privacy. Young people deserve to be protected from cyberbullying, but they also deserve to be protected and respected for their privacy. Now, we're no experts on privacy, so our only recommendation on that is to encourage you to listen, obviously, to any concerns that are brought up, any considerations that are brought up, by the experts who are dealing with privacy, to make sure that we're protecting youth from cyberbullying but we're also protecting our children and youth and their privacy rights.

Despite the concerns - and the urging to listen to the privacy community - the committee will not hear from a single Canadian privacy commissioner as part of its study on the bill.
Author: "Michael Geist" Tags: "c-13, lawful access, privacy"
Date: Monday, 02 Jun 2014 07:42
With Daniel Therrien, the government's nominee for Privacy Commissioner of Canada, scheduled to appear before the House of Commons Access to Information, Privacy and Ethics committee tomorrow, reports this morning provide new insights into the government's selection process. Josh Wingrove of the Globe reports that there was a short-list of six candidates, but that neither of the presumed leaders - Chantal Bernier and Liz Denham - made the final two short-short list. Treasury Board President Tony Clement ultimately made the final recommendation of Mr. Therrien to Prime Minister Harper, who approved the recommendation.

Stephen Maher reports that the selection committee's preferred candidate was Lisa Campbell, the Acting Senior Deputy Commissioner of Competition at the Competition Bureau. Maher reports that government officials derailed the recommendation by seeking a second finalist for the position. The report is noteworthy since it confirms that the selection committee's own recommendation was not followed. The delayed nomination means that no privacy commissioner will appear before the committee studying Bill C-13, the lawful access bill.
Author: "Michael Geist" Tags: "campbell, privacy commissioner, therrien"