Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes." For example, getting the English and French versions of the law to jive with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PERSONAL PRIVACY

PEI Minister Eyes Unique Licence Plates for Offenders (December 21, 2012)

Prince Edward Island Transportation Minister Robert Vessey is considering a system requiring convicted drunk drivers to hang distinctive licence plates from their vehicles for the purpose of notifying the public, The Globe and Mail reports. Vessey said he is trying to “think outside the box” and the system is not an attempt at shaming drivers, the report states. A representative from the Canadian Civil Liberal Association said, “It definitely raises privacy and dignity concerns.”
Full Story

SOCIAL NETWORKING

Company Reverses Privacy Policy Changes (December 21, 2012)
The New York Times reports on Instagram’s reversal of proposed changes to its privacy policy announced earlier this week. According to a blog post released Thursday night by Instagram Co-Founder Kevin Systrom, the company plans to revert to its previous terms of service. Systrom said, “Going forward, rather than obtain permission from you to introduce possible advertising products we have not yet developed, we are going to take the time to complete our plans, and then come back to our users and explain how we would like for our advertising business to work.” Systrom added, “I want to be really clear: Instagram has no intention of selling your photos, and we never did. We don’t own your photos--you do.” (Registration may be required to access this story.)

PRIVACY

2012 Privacy Trends Expected To Stick Around (December 21, 2012)

CNET News outlines security trends from 2012 that it expects will continue to play a major role in 2013. The trends include, the Internet as a government tool; more mobile devices, bigger targets; desktop threat, still a threat; privacy and data breaches, and holistic security. The report states, “Because of their very mobile, always-connected nature,” the problems with mobile devices “will become more complex in 2013.” It also highlights the rise in awareness of data mining and notes, “security problems may start in discretely different realms, but the nature of the Internet is making them more intertwined than ever before,” adding, “security is becoming an issue of ongoing education.”
Full Story

ONLINE PRIVACY

Scientist Develops “Identity Mixer” (December 18, 2012)

A lead scientist at IBM’s Zurich Research Center has developed an “Identity Mixer” aimed at facilitating e-mail and Internet shopping without excessive disclosure of personal information, International Business Times reports. “The idea is to authenticate only the minimally necessary information for authentication,” said IBM Fellow Jan Camenisch. “We want to deal with a digital society that requires electronic authentication.” The Identity Mixer issues “'electronic tokens’ that verify user information contained in a third-party database,” the report states. The mixer has been piloted in Greece at the Research Academic Computer Technology Institute, and IBM hopes to employ it in the EU’s FutureID, introduced last month to protect personal data related to government-issued identity cards.
Full Story

TRAVELERS’ PRIVACY—CANADA & U.S.

Visa Information-Sharing Agreement Signed (December 17, 2012)

In a ceremony on Thursday, Canada and the U.S. signed a treaty to share data about visa applicants and asylum seekers including biometric information, name, birth date and gender, reports the Canadian Press. Canada’s privacy commissioner has raised concerns that the information could end up in the wrong hands, possibly endangering applicants and their families. However, Immigration Minister Jason Kenney stressed that the agreement comes with “rigorous privacy safeguards” that ensure data will be shared in accordance with Canadian law. The agreement states that either country may share data with a domestic court for immigration purposes or with a third country, but only with the approval of the providing country.
Full Story

PRIVACY LAW

Delegates Reject Proposed Internet Treaty (December 14, 2012)

An alliance of Western countries including the U.S., UK and Canada has rejected a proposed treaty saying it would give repressive governments too much power over the Internet, CNET News reports. Representatives from the Netherlands, New Zealand, Denmark, Sweden, Poland and the Czech Republic also said they would not support the International Telecommunication Union (ITU) Treaty. Some representatives questioned whether the UN was the proper organization to oversee Internet-related issues, the report states, adding, “a key concern is that putting topics related to Internet speech and surveillance to a majority vote of ITU’s 192 member nations may not end well.”
Full Story

DATA PROTECTION

Center Releases Accountability Tool (December 14, 2012)

As part of the Global Accountability Project, the Hunton & Williams Centre for Information Policy Leadership has released an accountability self-assessment tool, reports Hunton & Williams’ Privacy and Information Security Law Blog. “In collaboration with experts…we’ve outlined the key elements of a sound program to help organizations take the concrete steps necessary to be accountable,” said Marty Abrams, the centre’s president. As accountability plays a larger role in legislation, “The results of the survey may be useful in demonstrating to regulators and other interested constituencies the design of an organization’s privacy program,” added Paula Bruening, vice president of Global Policy at the Centre.
Full Story

ONLINE PRIVACY

Company Launches Social Login Privacy Seal (December 14, 2012)

Adweek reports on the launch of a social privacy certification and seal that aims to reassure consumers logging into an application or website via a social login such as Facebook or Twitter that their data “will not be abused or compromised.” Following a survey in which nearly half of respondents said they would be more comfortable using a social login if a short message indicated what information the site was collecting, Gigya collaborated with the Future of Privacy Forum (FPF) to develop its SocialPrivacy Certification. FPF Director Jules Polonetsky, CIPP/US, will chair Gigya’s recently established Privacy and Safety Advisory Board.
Full Story

HEALTHCARE PRIVACY

Commissioner: Ministry Investigation a High Priority (December 14, 2012)

BC Information and Privacy Commissioner Elizabeth Denham says her review of alleged privacy breaches in the Health Ministry’s pharmaceutical services division is a “high priority,” The Victoria Times Colonist reports. Denham aims to complete the investigation by January’s end and will make the findings public. “It’s a complex investigation. It’s a reminder that the government collects and uses a large amount of sensitive personal information of British Columbians, and the government is a steward of this information,” Denham says, adding that “personal health information is never just data,” but is often very sensitive information, and when it’s mistreated or lost, “the impact on the individuals is very real.”
Full Story

PRIVACY LAW

Advocacy Group, BC Official Call for Whistleblower Protection Law (December 14, 2012)

The BC Freedom of Information and Privacy Association is joining the province’s auditor general in calling on the BC government to establish legal protection for whistleblowers, the Canadian Press reports. In a recently released report, Auditor General John Doyle expressed concern over the lack of legal protection for whistleblowers. Doyle has called for a law that would allow a “professional approach to concerns raised in good faith,” the report states.
Full Story

SURVEILLANCE

Licence-Plate Scanning To Continue in Victoria (December 14, 2012)

The Victoria Police Department (VicPD) has said it will continue its automated licence-plate scanning program even though BC Privacy Commissioner Elizabeth Denham found it contravenes the Freedom of Information and Protection of Privacy Act, Victoria News reports. While Saanich police have decided to suspend their program until privacy concerns have been alleviated, VicPD’s chief constable says he “respectfully disagrees” with the commissioner’s report. Denham has recommended that “non-hit” data is immediately deleted from from VicPD’s servers instead of being sent on to the RCMP. Victoria’s mayor says VicPD will be working with the RCMP to bring the program into compliance.
Full Story

DATA THEFT

Authorities Arrest 10 for Data Theft (December 13, 2012)
International authorities have arrested 10 individuals from around the world for allegedly operating a network of infected computers for the purpose of stealing personal data from millions of users, The New York Times reports. Law enforcement authorities were aided in their investigation by Facebook, the report states. The Butterfly botnet allegedly spread malicious software to compromise the security of PCs, allowing the suspects to acquire personal information, including credit card numbers. The U.S. Justice Department said variations of this type of malicious software have infected approximately 11 million computers and caused more than $850 million in damages, the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Updates Privacy Settings (December 13, 2012)

Facebook has made changes to its privacy settings by giving users more control and clarity over what personal data is shared and by removing users’ ability to remain hidden from its main search tool, The Wall Street Journal reports. A new control, called Privacy Shortcuts, will allow people to alter who can see their posts and who can contact them through the site. Facebook Director of Product Samuel Lessin said, “We’re taking the most critical things and putting them in context across the whole site.” Electronic Privacy Information Center Executive Director Marc Rotenberg said, “Facebook’s decision not to allow people to hide themselves from search appears to violate the settlement” reached with the Federal Trade Commission earlier this year. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Microsoft Standing By Do-Not-Track Default (December 13, 2012)

Despite criticism from online advertising firms, Microsoft says it will stand by its decision to make its Do-Not-Track (DNT) feature the default in its latest Internet Explorer browser. “We crossed the Rubicon and are completely comfortable being on the other side of the river,” said Microsoft General Counsel Brad Smith. “We have no intention of going back and have no intention of engaging in discussion on that possibility.” Some advertisers have said they will ignore the browser’s privacy signals. Smith said Microsoft is willing to talk with advertisers about tweaks to how it describes DNT to users and how the setting can be altered.
Full Story

PRIVACY LAW—CANADA

Stoddart: Proposed Breach Law Outdated (December 11, 2012)

Documents released under the Access to Information Act reveal that Federal Privacy Commissioner Jennifer Stoddart believes a proposed federal bill aimed at better managing data breaches “is beginning to look dated.” Prepared last June, Stoddart’s analysis of Bill C-12 also states, “Many international data protection agencies now have, or will soon have, much stronger enforcement powers than exist in Canada,” adding, “I am no longer certain I can provide wholehearted support for the legislation as currently drafted.” Stoddart also pushes for her office to have more sanctioning power, the Canadian Press reports.
Full Story

ONLINE PRIVACY

Initiatives Could Impact the Future of User Privacy (December 11, 2012)

An op-ed in The Economist discusses two initiatives that could affect Internet users’ expectations of privacy in years to come. The first is a U.S. Senate bill that would update the Electronic Communications Privacy Act of 1986. The bill would require law enforcement agencies to obtain a warrant to access e-mails that have been opened or are more than six months old; now, only a subpoena is required. “Bringing online privacy requirements into an age of cloud computing is only fit and proper, and long overdue,” the report states. The second is the International Telecommunications Union’s effort to rewrite its treaty for regulating telecommunications companies worldwide by defining the Internet as a form of telecommunication.
Full Story

ONLINE PRIVACY

Commons Committee Seeks Privacy Answers (December 7, 2012)

A Twitter representative told the Commons Committee on Ethics and Privacy that it doesn’t sell private user data or share that information with police without a court order, reports Postmedia News. The representative said the company doesn’t have much information on users because little is needed to use the service. The committee also heard from Acxiom Global Privacy Executive Jennifer Barrett-Glascow, CIPP/US, who said the company has no plans to expand collection in Canada. The committee has been investigating privacy concerns about social media and whether legislative changes are in keeping with the digital world, the report states.
Full Story

ONLINE PRIVACY

Cavoukian “Perplexed” by Ongoing C-30 Disagreement (December 6, 2012)

In a column for the National Post, Ontario Information and Privacy Commissioner Ann Cavoukian expresses her concern over the ongoing disagreement between privacy commissioners and police over Bill C-30. Cavoukian says while she understands the need for authorities to fulfill their functions, “The bill must be amended to ensure that any police power to compel telecoms to disclose subscriber information requires a warrant in all but urgent circumstances.” Cavoukian says the privacy commissioners have "identified a pragmatic and principled approach” that would expose “Terrorists, organized criminals and those who try to harm the vulnerable by misusing the right to anonymity” and protect citizens’ privacy.
Full Story

SOCIAL NETWORKING

U.S. Judge Approves Facebook Settlement, Policy Voting Open (December 4, 2012)
A U.S. judge has given preliminary approval of Facebook’s proposed settlement to a class-action lawsuit claiming the company violated privacy rights, Reuters reports. The judge says the settlement, Facebook’s second attempt, “falls within the range of possible approval as fair, reasonable and adequate.” Class members and others will have an opportunity to object to the settlement before it goes to final approval. A fairness hearing is scheduled for June 28, 2013. Meanwhile, the company has opened voting for its latest proposal to change user privacy settings. The vote is open until Monday, December 10, to all Facebook users and may determine whether its roughly one billion users will have the ability to vote on privacy changes going forward; the vote is only binding if 30 percent of users participate. The Electronic Frontier Foundation and the Center for Digital Democracy have written to Facebook CEO Mark Zuckerberg urging him to “withdraw the proposed changes” as they “raise privacy risks for users, may be contrary to law and violate your previous commitments to users about site governance.”

ONLINE PRIVACY—U.S.

Center for Internet and Society Names Director of Privacy (December 4, 2012)

Aleecia McDonald has been named the director of privacy at Stanford Law School’s Center for Internet and Society. She will “lead the center’s work at the intersection of online technologies, privacy and policy” with a focus on Do Not Track, privacy-enhancing technologies and mobile privacy, among others. McDonald has worked as a senior privacy researcher at Mozilla and as co-chair of the World Wide Web Consortium’s Tracking Protection Working Group. She told the Daily Dashboard she will also co-teach a class on privacy to Stanford Law School students and facilitate events and conferences on privacy issues as well as conduct academic research. She says she’s especially looking forward to working with peers of such a high caliber in an interdisciplinary way, which will enable a variety of perspectives on such a complicated and nuanced topic as privacy. “I just feel amazingly fortunate that I get to work on things I’m passionate about. I think right now privacy is an exceedingly interesting area and particularly interesting in terms of the public policy side. It’s getting a lot of attention that it won’t have every year,” she said. “I feel like a kid in a candy store; I get to do the cool stuff. I’m really lucky.”
Full Story

PRIVACY LAW

Conference on UN Internet Treaty Begins (December 3, 2012)
Regulators from 193 countries are in Dubai for the World Conference on International Telecommunications, and some say the discussions may threaten the future of the Internet, reports BBC News. EU Digital Agenda Commissioner Neelie Kroes tweeted, “The Internet works; it doesn’t need to be regulated by ITR treaty,” and Google representatives say the conference is a threat to the “open Internet.” But the report states that the UN International Telecommunications Union says action is needed to ensure investment in infrastructure and insists that, rather than a majority view, common ground is needed before any changes will be made to the treaty. Editor’s Note: For more on this topic, see “Privacy worries surround UN Internet regulations” from the September issue of The Privacy Advisor.

BEHAVIORAL TARGETING

Rosen: Why You Should Care About Profiling (December 3, 2012)

George Washington University Law Prof. Jeffery Rosen writes for The New York Times, “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.” Rosen creates two distinctive online identities for himself on different browsers, compares the ads he sees and—through data aggregator BlueKai, which sorts consumers into market segments—views their profiles. Rosen says such profiles lead to an uneven playing field for consumers but says “there is more at stake…the possibility of not only shared values but also a shared reality becomes more and more elusive.” (Registration may be required to access this story.)
Full Story