Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

DATA LOSS

Automaker Notifies 280,000 of Breach (May 27, 2011)

In February, Honda Canada discovered that hackers had accessed a Web server that held company-created MyHonda and MyAcura websites for 280,000 of its customers. The sites were part of a 2009 mail campaign and were prepopulated with customer data including names, addresses and vehicle identification numbers, reports Computerworld. Upon discovering the breach, Honda took the system offline and, after an investigation, sent notification letters to those affected, telling them to watch for phishing campaigns. The company says the risk of identity theft is low. One customer laments, "It appears that even if you didn't create an account on their websites, if they mailed you about upcoming specials in 2009, your data were involved."

PRIVACY LAW

Councillor Found Guilty of Violating Privacy Law (May 27, 2011)

In a first-of-its-kind ruling, a Prince George city councillor has been convicted of violating BC's Freedom of Information and Protection of Privacy Act, The Globe and Mail reports. On Tuesday, Provincial Court Judge Ken Ballon found Brian Skakun guilty of violating the act by disclosing a report about harassment at the RCMP to the CBC in 2008, the report states. "There were serious things going on, and I was very concerned," Skakun said. He expressed shock over the ruling. 

GENETIC PRIVACY

Familial DNA Testing: Moral and Legal Questions Abound (May 27, 2011)

While familial DNA testing is used in three U.S. states and the UK, Canadian officials have been reluctant to embrace the practice due in part to privacy concerns. Is it fair, a Vancouver Sun report asks, to make "unwitting genetic informants" of relatives, and with studies showing that "crime seems to run in families," does this genetic link cast a "cloud of suspicion" over them? Some say if parliament allows familial testing, it should only be for the most serious crimes and when all other options have been exhausted, while the Office of the Privacy Commissioner has said it would not support it. A Department of Justice spokeswoman this week said it is consulting with provinces, police and others "to develop a consensus on how best to proceed."

DATA PROTECTION

Small Organizations and Big Data (May 27, 2011)

Despite their size, in the Information Age, small organizations increasingly manage large amounts of data, The Globe and Mail reports, which presents "small businesses challenges to match that growth and to develop security policies to manage their sensitive data." The article looks at how some businesses have handled the challenge. One CEO says it's important to "find the right partners," consider data storage location concerns and choose the right platform. Also, says Adam Froman, CEO of a digital strategy firm, "You can't overlook the importance of having documented policies and guidelines about data handling."

RFID

W. Kelowna To Be Charged $46K for Trash Sorting (May 27, 2011)

The City of Kelowna is charging the West Kelowna district $46,575 for extra sorting after it opted out of the city's RFID trash program intended to stop residents from including trash in curbside yard waste bins, reports Kelowna Capital News. On top of the charge to the district, residents will incur a $4.62 increase to their quarterly utility bill, and city officials say the costs may increase in the future. West Kelowna Mayor Doug Finlander has cited concerns over citizens' privacy and questions as to whether the program will be effective as reasons for opting out.

ONLINE PRIVACY

Opinion: Big Data Needs Ethics (May 27, 2011)

In an article for the MIT Technology Review, Jeffrey F. Rayport delves into "Big Data" and the myriad companies emerging that mine and aggregate "massive amounts of unstructured data"--800 billion gigabytes of which is currently available, estimates market intelligence firm IDC--for financial gain. "As the store of data grows, the analytics available to draw inferences from it will only become more sophisticated," Rayport opines, adding, "The potential dark side of Big Data suggests the need for a code of ethical principles." Rayport proposes a structure of ethics, including his own digital "Golden Rule: Do unto the data of others as you would have them do unto yours."

ONLINE PRIVACY

G-8 Leaders Talk Privacy, Internet Regulation (May 25, 2011)

In a communiqué to be issued later this week, G-8 leaders are expected to call for stronger regulation of the Internet, including strengthened privacy protections, The New York Times reports. The document is expected to call for "an international approach to protecting users' personal data," and to "encourage the development of common approaches...based on fundamental rights that protect personal data, whilst allowing the legitimate transfer of data," according to a Daily Mail report. At yesterday's opening of the e-G8 Forum in Paris--a prelude event to the Group of Eight meeting taking place later this week in Deauville, France--global Internet leaders and heads of state discussed and debated some of the issues that have provoked the attention of the G-8. (Registration may be required to access this story.)

DATA LOSS—CANADA

Breach Spreads to Canadian Website (May 25, 2011)

Bloomberg reports on an unauthorized intrusion into a Sony Ericsson Mobile Communications website located in Canada. The names and e-mail addresses of approximately 2,000 customers were stolen. Discovered on Tuesday, the incident prompted the mobile phone company to disable the website. This latest breach comes after incidents earlier this week affecting Sony services in Thailand, Indonesia and Greece. "This is getting very serious," one analyst notes. "What looked like a game-related attack in the U.S. is spreading to other businesses, such as music, and to all over the world."  

ONLINE PRIVACY

Opinion: Users Need Internet Control (May 25, 2011)

In an op-ed piece for The New York Times entitled, "When the Internet Thinks It Knows You," Eli Pariser of MoveOn.org writes about the ability of algorithms and Internet giants to edit and sift through the Web's wealth of information, offering "personalized filters that show us the Internet that they think we want to see." The danger, Pariser writes, is an Internet that "offers up only information that reflects your already-established point of view." When it comes to tracking our likes and dislikes, clicks and searches on the Internet, he contends that companies "need to give us control over what we see--making it clear when they are personalizing and allowing us to shape and adjust our own filters." (Registration may be required to access this story.)

PRIVACY LAW

EU Cookie Rules Will Have International Impact (May 24, 2011)

New EU privacy rules requiring companies to give users "clear, comprehensive and understandable information about how, why and for how long their data is processed" will affect any Web company with EU customers, eWEEK reports. The law, which gives Internet users more control of their data, went into effect May 26. "The e-Privacy Directive applies to cookies used to collect information that is not directly related to the service offered by the site and would be used for advertising purposes," the report states, noting cookies used for the collection of non-advertising data such as passwords may still be installed without explicit user consent.

ONLINE PRIVACY

Schmidt: Legalese Makes Simple Policies Hard To Do (May 24, 2011)

At a conference in the UK last week, Google CEO Eric Schmidt said the company is trying to make its privacy policies easier to read and understand--especially those for mobile devices--but required legalese makes it difficult. While not committing to a specific plan, Schmidt said the company is working on a "series of simplification projects" for its policies and noted that one option "may be to have simple statements followed by 'legally required' text," reports The Wall Street Journal. Google updated its policies last year, but a company blog post acknowledged it has further to go. (Registration may be required to access this story.)

DATA PROTECTION

CPO: “You Can’t Prepare Enough” (May 23, 2011)

HealthcareInfoSecurity has released a two-part interview with Kirk Herath, CIPP, CIPP/G, chief privacy officer of Nationwide Insurance Companies. In the interview, Herath discusses how to handle scrutiny after a breach incident--stressing the need for communications professionals to guide public relations. "At the end of the day," he says, "the worst thing you can do is look like you're not transparent." The interviews also cover the scope and scale of a privacy officer's job; a review of the Epsilon and Sony breach incidents; how to manage privacy during a breach incident; Herath's personal experiences managing privacy at Nationwide, and the privacy concerns brought on by mobile devices and cloud computing.

DATA LOSS

Hackers Target Small Firms, Too (May 23, 2011)

Small firms that think they are not a target for hackers should think again, The Los Angeles Times reports. One small California company last year lost $465,000 after hackers gained access to its business bank account, most likely through the owner's computer system. One fifth of the money was recovered. A 2010 survey by Symantec found that 74 percent of small and medium-size companies have been the target of cyber attacks. "It's a competitive advantage" now to have privacy protections in place, one consultant said, as companies are increasingly looking for contractors that do.

GENETIC PRIVACY

Court Bans Donor Anonymity (May 20, 2011)

In what one expert suggested is a case where the rights of the child trump privacy interests, a BC Supreme Court judge has ruled that legislation providing anonymity for sperm and egg donors is unconstitutional. The Globe and Mail reports on the lawsuit, which sought the same rights as those provided for adoptees. Madam Justice Elaine Adair agreed, giving the province 15 months to rewrite the law. BC would then join 11 jurisdictions in Europe, Australia and New Zealand that have banned anonymous donation, the report states. BC's attorney general has not decided whether to appeal.

PRIVACY LAW

OIPC Releases Annual Report (May 20, 2011)

Urging public organizations to "be proactive," Ontario Information and Privacy Commissioner Ann Cavoukian released her annual report on Tuesday. In a year where more Freedom of Information requests were filed in Ontario, the press release said, it was also a year that set a new record for the number of privacy complaints closed. Key issues identified in the report include the protection of personal health information on mobile devices; international recognition of Privacy by Design and Access by Design by government frameworks; the OIPC's collaboration with Hydro One and Toronto One to embed privacy into the smart grid; a privacy-friendly biometric facial recognition system for the Ontario Lottery and Gaming Corporation, and the issue of standardizing the cost of health record access.

PRIVACY LAW

Opinion: Crime Package Threatens Privacy (May 20, 2011)

On the agenda for the upcoming parliamentary session is consideration of a crime bill package that has prompted privacy concerns, writes University of Ottawa Prof. Michael Geist in the Ottawa Citizen. The bill includes provisions to require Internet service providers to disclose customer information without a court order and allow for real-time surveillance of their networks. Geist says the legislation "has far-reaching consequences for privacy, security and free speech" and that the privacy commissioners of Canada have expressed their concerns in a joint letter.

INFORMATION ACCESS

Court: Public Gets Limited Access to Gov’t Documents (May 20, 2011)

The Supreme Court of Canada has unanimously upheld a Federal Court of Appeal decision restricting the public's right to access documents in the offices of the prime minister and cabinet ministers, the CBC reports. The court reasoned that ministers are "beyond the reach of the law" because they are "essentially separate" from the departments they head, but the ruling also states that some records can be accessed in certain cases. Suzanne Legault, Canada's information commissioner, said Canadians "should be concerned. If they don't know what is occurring in some very important meetings, then they have no idea of the basis of the decision government is making on their behalf."

ONLINE PRIVACY

Schmidt: No Facial Recognition for Google (May 20, 2011)

Google CEO Eric Schmidt, talking this week at the company's "Big Tent" conference in the UK, said that Google is "unlikely" to create a facial recognition database, saying the accuracy of the technology is "very concerning" and that popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences, reports PC Advisor. Schmidt also announced Google's new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. "It is worth stressing that we can only do this with data you have shared with Google. We can't be a vacuum cleaner for the whole Internet," said Schmidt.

ONLINE PRIVACY

Expert Explores Internet Data Dilemma (May 20, 2011)

When it comes to controlling personal information online, the best option Internet users have lies in that old adage, "if you can't beat them, join them." That's according to MIT Prof. Sandy Pentland, whose work has focused on finding a data collection approach that works for organizations, advocates and regulators, The Wall Street Journal reports. Pentland suggests an approach where consumers manage their data and receive compensation for making it available. "Your data becomes a new asset class," he said, adding, "you have more control over the information, and it becomes your most lucrative asset." (Registration may be required to access this story.)

TRAVELLERS’ PRIVACY

Report: Electronic Device Searches Need Probable Cause (May 20, 2011)

On Wednesday, a think tank released a report recommending that the U.S. Department of Homeland Security (DHS) use probable cause before searching electronic devices at its borders, The Globe and Mail reports. "Technology is developing so much more quickly, and the law needs to catch up," one expert said. By carrying electronic devices, travellers "are unknowingly subjecting volumes of personal information to involuntary search and review by federal law enforcement authorities," the report said, and the "problem is compounded" because the devices often contain "personal and business-related information."

DATA LOSS

Security Flaw Forces Site Shutdown (May 19, 2011)

Sony has shut down a website that was designed to help those affected by last month's data breaches, Reuters reports. The announcement came after Sony found a "security hole"--potentially allowing hackers to access users' accounts by using personal information stolen during the original breaches. The news comes after U.S. lawmakers wrote a letter to the company questioning the breach incidents and response. One expert said, "The Sony network in general still isn't secure and still has security issues that could be exploited by hackers." A Sony spokesman said the issue has been fixed, and the site will be back up soon.

ONLINE PRIVACY

Research: Flaw Could Compromise Smartphones (May 18, 2011)

Researchers from Germany's Ulm University have found a security flaw that could make it possible for hackers to breach data on certain Google Android applications, the Financial Times reports. The research indicates that photo-sharing, calendar and contacts applications could be breached, the report states, spurring warnings to Android users to avoid public WiFi networks. Google is quoted as saying, "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa." As the effort to fix the issues continues, IT PRO reports that Google is adding trust accreditation to its Marketplace Apps. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—CANADA

Opinion: Blood Test Lawsuit Hits Upon Privacy Rights (May 17, 2011)

In a column for the Vancouver Sun, Ian Mulgrew writes about a lawsuit filed by an anonymous couple against the Provincial Health Services Authority in British Columbia. The lawsuit alleges that their child's blood "samples were obtained and stored as a result of a negligent or fraudulent concealment of facts that constituted an unlawful search and seizure violating the Charter of Rights and Freedoms." The Newborn Screening Program takes blood samples from newborn children to check for conditions, and the results are recorded and stored until the children reach the age of 10. According to the article, the judge has given the suit a "green light to proceed," but the family's lawyer has 30 days to "reframe the pleadings."

DATA THEFT

Company Investigating PIN Pad Tampering (May 13, 2011)

Michaels Stores, Inc., has announced that approximately 90 PIN pads in at least 20 U.S. states have shown "signs of tampering," and it is currently looking into whether PIN pads in Canadian stores were affected, reports the Associated Press. As a result, customers can only make purchases with cash, checks or credit cards for now. The company announced earlier this month that Illinois-area stores were affected. In response, Michaels has "disabled and quarantined suspicious PIN pads and removed another 7,200 as a precautionary measure." 

DATA LOSS

Recent Breaches Result in Dozens of Lawsuits (May 13, 2011)

The Globe and Mail reports that Sony faces at least 25 lawsuits in U.S. federal courts that stem from recently reported data breaches. The company is being accused of negligence and breach of contract. But, the article points out, plaintiffs' lawyers may find it difficult to establish damages rather than liability in the cases. Meanwhile, Sony is trying to rebuild consumer confidence in its services. One analyst said, "The key point is whether Sony will be able to get consumers to move on after this incident." Sony has announced that it will provide ID theft monitoring and other free services.

ONLINE PRIVACY

Research Raises New Smartphone Concerns (May 12, 2011)

The Wall Street Journal reports on research suggesting that unique smartphone identifiers can be linked with other information to allow third parties access to personal information without users' consent. "The identifiers--long strings of numbers and letters associated with the phone--don't themselves hold any information about users," the report states, but New Zealand-based researcher Aldo Cortesi has found that U.S. gaming company OpenFeint "connected the IDs to users' locations and Facebook profiles and then made the combined data available to outsiders." Although the company has since fixed those issues, Cortesi has noted it is likely that other databases also link the unique IDs with other user information. (Registration may be required to access this story.)

PRIVACY—CANADA

Commissioner Stepping Down (May 12, 2011)

Alberta Information and Privacy Commissioner Frank Work says he will step down when his term expires at the end of this year, The Edmonton Journal reports. "It has been my privilege to serve the people of Alberta in promoting open, transparent government and to guide citizens in the protection of their personal information," said Work, who has served as commissioner since 2002. Work oversaw the expansion of the commissioner's office in 2001 and 2004, following the Health Information Act and the Personal Information Protection Act, the report states. The government will appoint a committee to search for Work's replacement.

ONLINE PRIVACY

App Glitch Allowed Fourth-Party Access to Accounts (May 11, 2011)

A security firm has exposed a Facebook vulnerability that allowed third-party applications to share "access tokens" with advertisers and analytics companies, giving them access to users' accounts--including the ability to post information, read wall posts, access friends' profiles and mine personal information, reports The Wall Street Journal. The vulnerability has existed for years and likely affected about 100,000 apps, according to Symantec, which also said it's possible the third parties didn't know they had this ability. Symantec alerted Facebook to the vulnerability in April and the company has since addressed the problem and conducted an investigation that revealed "no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," said a Facebook spokeswoman. (Registration may be required to access this story.)

PRIVACY LAW—CANADA

Clement Willing To Discuss ICO Fining Powers (May 10, 2011)

In response to Privacy Commissioner Jennifer Stoddart's call for the power to impose "significant, attention-getting fines" for data breaches, Industry Minister Tony Clement said he's willing to discuss the idea, The Vancouver Sun reports. Stoddart said last week that the most recent proposal to update the privacy law--which was tabled in May of 2010 and was based on a review done in 2008--is now "out of synch" with the "continuing occurrence of major data breaches." Clement on Friday agreed that it would "behoove us" to do the consultations again and said that the bill "is a pretty critical component of the broader digital economy strategy."

ONLINE PRIVACY

Stoddart Calls for Transparency and Meaningfulness (May 6, 2011)

Privacy Commissioner Jennifer Stoddart yesterday released a report detailing the results of a series of public consultations about online privacy held last year, The Vancouver Sun reports. In the report, Stoddart calls on companies to better communicate with customers about their practices. "Transparency and meaningfulness of consent are serious issues and they generated a great deal of discussion on the panels," Stoddart said at the IAPP Canada Privacy Symposium in Toronto. "It is perhaps easy to get lost in the issue of opt-in versus opt-out, but one issue that needs serious consideration is that of meaningfulness." Stoddart's report also calls for the creation of standards to ensure privacy in the cloud computing environment.

DATA LOSS

Commissioner: OPC Fining Powers Are Needed (May 6, 2011)

In a speech on Wednesday, Privacy Commissioner Jennifer Stoddart spoke about Sony's recent data breaches and described the need for the Office of the Privacy Commissioner to have fining powers, reports The Globe and Mail. Citing an "alarming trend towards ever-bigger data breaches," Stoddart said she will ask Industry Canada to rework proposed legislation that would give her the ability to impose "significant, attention-getting fines." Though the commissioner was "disappointed" that her office was not notified by the company about the breach, she noted that "since my office contacted Sony, the company has been very cooperative." 

ONLINE PRIVACY

Cavoukian: Recent Breaches “Unacceptable” (May 6, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has called the past weeks' high-profile privacy breaches involving mobile devices and an online gaming site "unacceptable and avoidable," ITBusiness.ca reports. Speaking at this week's IAPP Canada Privacy Symposium, Cavoukian described the recent incidents involving Apple's iPhone and other mobile devices tracking users' locations and multiple breaches involving Sony's PlayStation Network as "privacy disasters that didn't need to happen," the report states. Simple safeguards could have been put in place to avoid the incidents, she noted.

PRIVACY LAW

Judge Rules Against IP Address Linkage (May 6, 2011)

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers' personal details, OUT-LAW News reports. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address--which, when linked with subscriber information, can identify the owner of the Internet connection line--could falsely identify the illegal file sharer, who could be a subscriber's family member, friend or anyone using the subscriber's IP address. The judge described trying to identify file-sharers by IP addresses as a "fishing expedition," which he said wouldn't be allowed for the "purpose and intention of class actions."

ONLINE PRIVACY

Opinion: Recent Breaches Should Incite Action (May 6, 2011)

Though advocates' concerns about consumer privacy have long fallen on deaf legislative ears, recent high-profile breaches may incite a shift, opines Michael Geist in the Ottawa Citizen. Whether governments take action following headlines about breaches at Sony and Apple, consumers must take it upon themselves to act as "the front line guardians of their own privacy," Geist says, by "rotating passwords, only providing personal information that is strictly necessary for the services they use and opting out of unnecessary disclosures to third parties." Legislatively, Canada needs a mandatory breach notification system, Geist says. Now, breaches may go unreported to consumers and authorities without legal repercussions.

ONLINE PRIVACY

Apple Releases iPhone Update (May 6, 2011)

The New Zealand Herald reports on Apple's release of software to update how long its iPhone stores users' location information in the wake of privacy concerns. Information included with the update indicates that location information will no longer be backed up on computers and disabling location features will result in location data being deleted. "Apple says the location data won't be kept for more than a week after the changes to the iPhone's operating system are installed," the report states.

DATA PROTECTION—CANADA

Privacy Offices Launch Assessment Tool (May 5, 2011)

In the wake of recent high-profile data breaches, three of Canada's privacy commissioners have together created a tool for small- to medium-sized businesses to assess whether they are meeting federal and provincial data protection standards. The federal privacy commissioner and those from Alberta and British Columbia developed the online tool, which is made up of "dozens of yes or no questions," covering topics such as network and database security, access control and incident management, reports IT Business. One privacy expert questions how much the tool will be used, saying it may be better suited for larger organizations, as it "may be over the heads of most smaller businesses."

ONLINE PRIVACY

Study: Define “Do Not Track” (May 4, 2011)

Initial results of a study of 200 Web users reveal that consumers might define the term "do not track" differently than Web companies, MediaPost reports. Preceding last week's World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40 percent of respondents felt that "nothing at all" would be collected. Fifty-one percent of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. Eighty-one percent said it was the first time they had heard the phrase do not track.

DATA LOSS—CANADA

Suit Seeks $1 Billion in Damages (May 4, 2011)

A $1 billion suit has been launched against Sony Corporation and its PlayStation and Qriocity networks for alleged negligence associated with the company's recent data breaches, the Toronto Star reports. The suit was filed in the Ontario Superior Court of Justice and seeks class-action status. The plaintiff, a 21-year-old college student and self-described loyal Sony customer, said in a statement that she was disappointed. "If you can't trust a huge multinational corporation like Sony to protect your private information, who can you trust?" she asked. The complaint alleges that Sony "failed to adequately safeguard certain personal information, financial data and usage data" and that it delayed notifications to affected and interested parties.