Page 1

Regulation of Internet Commerce
Class Four – January 8, 2013

Professor Michael Geist

University of Ottawa, Faculty of Law

(Slide deck, 35 slides; uploaded by mgeist on 28 Nov 2014)

Page 2

Privacy Law Basics

Page 3

Privacy Law - The Basics

- Based on the CSA Model Code
- Proposed in 1998 - response to EU pressure
- Took effect in 2001 (federally regulated organizations), 2004 (everyone else)
- Limited to commercial activity for constitutional reasons
- Shared responsibility with provinces - "substantially similar" provincial laws
- Enforced by the Privacy Commissioner of Canada in an "ombuds-plus" role
- Complaints driven, plus audit power

Page 4

Privacy Law - The Basics

Application - Subject matter

• Personally identifiable information only - includes information about employees
• Public domain exception (publicly available information):
– Telephone directory
– Professional or business directory
– Registry collected under statutory authority
– Court record
– Information appearing in the media where the individual has provided the information
• Organizations governed by the federal Privacy Act are exempt
• Name, title, business address or telephone number of an employee are exempt (business contact information) - not email, though

Page 5

Privacy Law - The Basics

10 PRINCIPLES

1. Accountability
• organization is accountable for personal information
• includes a privacy point person and staff training

2. Identifying Purposes
• purpose of collection must be clear
• identify any new purposes
• grandfathering issue

3. Consent
• individual has to give consent to collection, use and disclosure
• "meaningful" consent - will depend upon the circumstances

Page 6

Privacy Law - The Basics

10 PRINCIPLES (cont.)

4. Limiting Collection
• collect only the information required for the identified purpose

5. Limiting Use, Disclosure and Retention
• consent required for other purposes
• destroy or anonymize information once it is no longer needed

6. Accuracy
• keep information as accurate as necessary for the identified purpose

Page 7

Privacy Law - The Basics

10 PRINCIPLES (cont.)

7. Safeguards
• protection and security required

8. Openness
• policies should be available
• clear language

9. Individual Access
• information available upon request, inaccuracies corrected

10. Challenging Compliance
• ability to challenge all practices

Page 8

Privacy Law - The Basics

Compromise statute - Purpose clause (s. 3)

"The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

Page 9

Privacy Law - The Basics

- Shared responsibility with provinces
  - "Substantial similarity" - Quebec, Alberta, British Columbia, provincial health privacy laws
- Hundreds of OPC findings
- Statutory review every 5 years
  - Last review in 2006 leads to Bill C-12 (first reading)
- Privacy Act - governs public sector privacy law
  - No updates since first enacted
- Multiple privacy legislative initiatives
  - C-12 (PIPEDA update)
  - C-30 (Lawful access)
  - Anti-spam legislation

Page 10

Penalties & Enforcement

Page 11

Privacy Law – Penalties/Enforcement

- Non-binding findings
- Court challenges (a complainant may apply to the Federal Court under s. 14 after receiving the Commissioner's report)
- Powers largely limited to investigations
- Calls for:
  - Order-making power
  - Expansion of naming names
  - Administrative monetary penalties

Page 12

Findings…

- Evolving approach to case management
- Naming names

SAMPLE FINDINGS

• NWT video surveillance - storefront video of the street is captured by the Act
• IMS Health - doctors' prescribing habits are not personal information
• Telus unlisted number - charging for an unlisted number does not violate the Act; some success on appeal
• Railway surveillance
• Courier electronic signature

Page 13: Class4jan813

Damages - Nubody’s Fitness- Nubody’s a chain of fitness clubs

- Randall joins the gym using company-sponsored membership

- Company knows about frequency of use of the membership, Randall complains and that is also disclosed

- Leaves company & later files complaint with the OPC

- Well founded finding

Issue: Any damages?

- Randall wants $85,000

- No damages awarded:

- “Damages are awarded where the breach has been one of a very serious and violating nature such as video-taping and phone-line tapping”

Page 14

Investigations - Blood Tribe

- 2008 SCC decision (Blood Tribe Department of Health v. Canada (Privacy Commissioner))
- Wrongful dismissal claim seeking access to records; some records subject to privilege withheld
- Ruling:
  - OPC does not have the power to compel disclosure of documents subject to solicitor-client privilege
  - Must have explicit power included in the statute
  - Can go to the Federal Court to compel disclosure

Page 15

Constitutionality – Union Food

- Union videotapes people crossing the picket line, threatens to post the footage online
- Complaints follow to the Alberta Privacy Commissioner, who concludes there is no right to collect and use the personal information
- Union challenges – PIPA provisions a violation of Charter rights

Page 16

ABCA – Union Food

"The pressing and substantial problem is the potential misuse of personal information. Limiting the ability of organizations to collect, store, and use that information has a rational connection to the objective. There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:

• It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.

• The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.

• The definition of “publicly available information” is artificially narrow.

• There is no general exemption for information collected and used for free expression.

• There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

Page 17

ABCA – Union Food

"This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator's order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights."

- SCC to hear appeal in June 2013
- Reference Re: Securities Act (Dec 2011) raises other constitutional concerns for PIPEDA

Page 18

Bill C-12

Page 19

C-12

• Mandatory review every five years
• Years to respond with a bill
• Overdue for another round of reform
• Privacy Act reform?

Page 20

C-12 - new business exceptions

• Changes the definition of business contact information - excludes business email
• Business transaction exception
– Covers due diligence in transactions
– Doesn't apply if personal information is the primary reason for the transaction
• Exception for collection, use and disclosure in a witness statement related to an insurance claim
• Work product exception
• Exception for businesses that voluntarily disclose personal information to other organizations investigating a breach of agreement

Page 21

C-12 - law enforcement changes

• Attempted clarification of "lawful authority" - circular approach, as lawful authority is lawful authority
• Encourages disclosures without court oversight
• Once information is disclosed:
– Organization prohibited from disclosing the disclosure
– Organization cannot comply with an access request from the individual
– Must notify the lawful authority if it plans to disclose, and delay by at least 30 days

Page 22

(no text on this slide)

Page 23

(no text on this slide)

Page 24

C-12 - security breach disclosure

• Rash of security breach disclosures - CIBC, ChoicePoint, TJX (HomeSense & Winners)
• California disclosure law spreading fast - at least 40 other states with similar laws
• Two possible reporting requirements in the event of a breach:
– Requirement to report a "material breach of security safeguards involving personal information under control" to the Privacy Commissioner
– Criteria to determine whether to report:
» Sensitivity of the information
» Number of affected individuals
» Cause of the breach / whether it indicates a systemic problem

Page 25

C-12 - security breach disclosure

– Requirement to report the breach to individuals if "it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual"
– What is significant harm?
» bodily harm
» humiliation
» damage to reputation or relationships
» loss of employment, business or professional opportunities
» financial loss
» identity theft
» negative effects on the credit record
» damage to or loss of property
– Risk factors: (1) sensitivity of the information; (2) risk of misuse

Page 26

C-12 - security breach disclosure

– Notifications
» "as soon as feasible"
» understandable to affected individuals
» to other organizations that may be able to mitigate harm

Page 27

Bill C-30

Page 28

Lawful access - history

– 2002 - documents/consultation on lawful access
– 2005 - Liberals introduce first lawful access bill (dies on the order paper)
– 2007 - Conservatives launch lawful access consultation; Public Safety Minister Stockwell Day pledges no mandatory disclosure without court oversight
– 2009 - Conservatives introduce second lawful access bill (dies on the order paper)
– 2010 - Conservatives introduce third lawful access bill (dies on the order paper)
– 2012 - Bill C-30 introduced

Page 29

C-30 - 1st layer

• Mandatory subscriber information disclosure to a "designated person" (CSIS, law enforcement):
– Name
– Address
– Telephone number
– Email address
– Internet protocol address
• An individual police officer can also require it in exceptional circumstances
• Data obtained via Access to Information indicates that TSPs (telecommunications service providers) already provide this information 94% of the time without a warrant

Page 30

C-30 - 2nd layer

• Interception equipment capabilities
– Capability to provide intercepted communications
– In the same format as the communication (no requirement to decrypt)
• Operational requirements
– Enable interception
– Isolate the communication
– Provide prescribed information
– Multiple simultaneous interceptions
• Must maintain capabilities with new software and services
• Must report some new equipment to the government if acquired from another telecom provider
• Every telecom provider must submit a report on its equipment within 6 months of the law taking effect
• Government can reduce requirements
– Phase-in period - 18 months for new equipment; 3 years for ISPs with <100,000 subscribers
• Penalties for non-compliance

Page 31

C-30 - 3rd layer

– Transmission data warrant
– What it covers:
» relates to the telecommunication functions of dialling, routing, addressing or signalling
» generated during the creation, transmission or reception of a communication, and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication
» does not reveal the substance, meaning or purpose of the communication
– Warrant needed for real-time information
– Production order for historical data
– Expires 21 days after the initial demand

Page 32

C-30 - 3rd layer

– Preservation orders
• Designed as a temporary order to preserve subscriber information
• Includes data related to a particular subscriber or a specific communication
• Expires 90 days after it is issued
• Must destroy the information after conclusion
– Production orders
• General production order for a document
• Specified communication - transmission data to identify a person or device
• Transmission data
• Tracking data
• Financial data
• Judge may order a prohibition on disclosing the production order
• ISP, financial institution, etc. may apply to vary the order within 30 days

Page 33

Can lawful access be saved?

Page 34

C-30 - Key Concerns

1. Evidence, Evidence, Evidence
2. No Mandatory Warrantless Access to Subscriber Information
3. Reporting Warrantless Disclosure of Subscriber Information
4. Remove the Disclosure Gag Order
5. "Voluntary" Warrantless Data Preservation and Production
6. Government Installation of Surveillance Equipment

Page 35

C-30 - Key Concerns

7. Reconsider the Internet Provider Regulatory Framework
8. Improve Lawful Access Oversight
9. Limit the Law to Serious Crimes
10. Come Clean on Costs
11. The Missing Regulations
12. Deal With the Failure of Privacy Laws To Keep Pace