Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY

Data Privacy Day Raises Awareness, EDPS Issues Statement (January 31, 2013)

The U.S.-based National Cyber Security Alliance (NCSA) officially kicked off Data Privacy Day events with a broadcast from George Washington University Law School featuring U.S. Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government. Observed in countries across the globe, “Data Privacy Day highlights a year-round effort for all of us to improve measures to protect our personal data,” said NCSA Executive Director Michael Kaiser, noting, “We want all digital citizens to feel like they have a choice in how their data is being collected, stored and consumed and that starts with being educated about the privacy policies of online companies and web properties. As society increasingly becomes more wired, it's imperative we understand how to best protect our data.” European Data Protection Supervisor Peter Hustinx issued a message in honour of the occasion reminding individuals that they “have the right to know what information is held about you on major government and industry databases. In some circumstances you can object to the processing of your personal information, and you’re entitled to complain if your rights to privacy and data protection are being infringed.”

DATA PROTECTION

A How-To on Kick-Starting Your Company’s Privacy Program (January 30, 2013)

It’s not enough for a business to create a privacy policy and place it on its website, says Bob Siegel, CIPP/US, CIPP/IT, founder of Privacy Ref. Businesses must also define policies and practices, verify employees are complying and confirm third-party service providers are practicing adequate data protection. In this exclusive for The Privacy Advisor, Siegel identifies 10 steps companies should follow when kick-starting their organization’s privacy program. Editor's Note: For more tips and tools from the pros, visit the IAPP's Resource Center.

MOBILE PRIVACY—CANADA & THE NETHERLANDS

Regulators Say App Violates International Law (January 29, 2013)

A joint report released by the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) states that WhatsApp—one of the world’s most popular mobile apps—violates international privacy law, Reuters reports. The instant-messaging application requires users to provide access to their complete address book, including users and non-users, the report states. Dutch DPA Chairman Jacob Kohnstamm said, “This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.” The OPC initiated an investigation of the company in January 2012 for potentially violating the nation’s federal privacy law. Bird & Bird Partner Gerrit-Jan Zwenne told the Daily Dashboard, “Clearly the Dutch DPA thinks it has extra-territorial powers. The implications are far-reaching, as this would be no different for other DPAs in the EU. If this interpretation of EU data protection law is right—many doubt that—all national DPAs could investigate any non-EU-based controller that provides apps to EU nationals.”

SOCIAL NETWORKING

Facebook Unveils “Ask Our CPO” Feature (January 29, 2013)

As a replacement for its now defunct user voting policy and to “enable you to send us your questions, concerns and feedback about privacy,” Facebook has launched a new “Ask Our CPO” feature, TechCrunch reports. Facebook CPO Erin Egan answered three of the most common questions in a blog post. “We’ve built a comprehensive privacy program that helps us take a systematic approach to privacy,” she wrote in answer to whether the company thinks about privacy when designing new products. Egan also stated the company does not sell users’ private information to advertisers. “We use the things you do and share on Facebook, including demographics, likes and interests to show ads that are more relevant to you,” she wrote. Editor’s Note: As part of our Conversations in Privacy series, Egan will be joined by Facebook Associate General Counsel Edward Palmieri, CIPP/US, and Future of Privacy Forum Director Jules Polonetsky, CIPP/US, in the breakout session Facebook and Your Organization—What Every CPO Should Know at the IAPP Global Privacy Summit.

ONLINE PRIVACY

Google, Twitter Push Awareness of Gov’t Access (January 29, 2013)

Monday marked the fourth annual Data Privacy Day, and saw two major tech companies observing it by working to increase public awareness of the ease with which governments worldwide can access online data, reports CNN. Twitter released its latest transparency report outlining government requests for data, including more detail this year, and Google followed up on its report released last week with calls for more stringent protections for users’ data. Google’s chief legal officer said, “We want to be sure we’re taking our responsibilities really seriously,” adding, “we are going to make sure that governments around the world follow standards and do this in a reasonable way that strikes the balance.”

SURVEILLANCE—CANADA

Prof. Offers Privacy-Compliant Camera Reward (January 28, 2013)

A professor is offering $100 to any person who can provide an example of a surveillance camera operated by a business that is compliant with Canadian privacy law, Metro News reports. University of Toronto Information Policy Research Program Prof. Andrew Clement said, “We thought this is something that calls for more attention, so we wanted to document the problem without having to do all the documentation ourselves.” Privacy laws differ between provinces and the public and private sectors, the report states, but guidelines have been provided by Canada’s federal privacy commissioner. Signs informing individuals they are being recorded, the purpose of the surveillance and who to contact should all be provided, according to the report.

SOCIAL NETWORKING

Open Letter Seeks Skype Transparency (January 25, 2013)

A collection of privacy advocates, Internet activists, journalists and others have written an open letter asking for public disclosure of the privacy and security practices used by video communications service Skype, CNET News reports. The group—which includes the Electronic Frontier Foundation and Reporters Without Borders—is particularly concerned about government access to conversations, the report states. The letter asks Skype owner Microsoft to provide a “regularly updated Transparency Report.” Microsoft said it is reviewing the letter. Meanwhile, a newly introduced video-sharing service for Twitter experienced a privacy snag when it was discovered that users were logged in as the incorrect user. The service was temporarily taken down, and bugs have since been ironed out.

TRAVELLERS’ PRIVACY

Canadian Airports Testing Less-Invasive Scanners (January 25, 2013)

The U.S. Transportation Security Administration recently announced it will remove airport x-ray body scanners due to privacy concerns, and Canada may not be far behind, National Post reports. Canadian Air Transport Security Authority spokesman Mathieu Larocque says the authority is testing “automated target recognition software” on scanners. “It essentially generates just a stick man image…that will highlight an area of the body that could need more inspection, like the angle, for example, or the elbow,” he said, adding the authority made a commitment to passengers when it introduced scanners that it would continue to look at ways to “ensure that the perception of the privacy of passengers is kept.”

PERSONAL PRIVACY

OPC Questioning Tax Agency Over Changes (January 25, 2013)

The Office of the Privacy Commissioner of Canada (OPC) says the Canada Revenue Agency did not consult it before its decision to eliminate the requirement of a web-access code to file personal income taxes online, Postmedia News reports. The OPC is seeking information from the agency before deciding “if there’s a need to go further,” said an OPC spokesman, adding, “Lacking details, we have not had an opportunity to examine the changes made from a privacy standpoint…one important question for the agency to answer would be: How is the security of personal information being upheld?”

SURVEILLANCE

RCMP To Modify Licence Plate Scanning (January 25, 2013)

Based on recommendations made by BC’s information and privacy commissioner, the RCMP says it will make changes to its automated licence plate scanning system, CBC News reports. The system’s cameras record licence plate and vehicle information and compare it to data stored in police databases to help police identify missing people or those with outstanding warrants or driving restrictions. But the privacy commissioner raised concerns about police sharing and storing data on innocent drivers. “We’re looking, or working through an IT solution that will see us eliminate that information in the (police) vehicle, prior to being downloaded to the RCMP server,” said an RCMP spokesman.

PERSONAL PRIVACY

Senate Recommends Stricter Privacy in Assault Cases (January 25, 2013)

The Senate Legal and Constitutional Affairs Committee recently tabled a report with recommendations for when personal records of sexual assault victims can be released in court cases, CBC News reports. The federal government is now reviewing the 18 recommendations submitted by the committee, which conducted a two-year study that analyzed Criminal Code provisions related to the release of personal records—including psychiatric and medical documents and employment and child welfare histories—to third parties in such sensitive cases. Several of the recommendations limit what type of records can be released and when, the report states.

ONLINE PRIVACY

Google Report: Increase in Gov’t Requests for Data (January 24, 2013)

Governments around the world continue to make requests for users’ private data at an ever-increasing rate, The Guardian reports. “User data requests of all kinds have increased by more than 70 percent since 2009,” said Richard Salgado, legal director at Google. Google’s latest transparency report shows U.S. government requests up 136 percent, and explains the U.S. legal process for gathering electronic information. The report says that under the Electronic Communications Privacy Act, 68 percent of U.S. data requests require no subpoena or warrant.

ONLINE PRIVACY

Panel Discusses Consumer, Industry “Privacy Gap” (January 24, 2013)

A panel featuring representatives from government, industry and advocacy met to discuss the “privacy gap” between businesses and consumers, ZDNet reports. The president of the Application Developers Alliance noted “effective communication” between consumers and companies about what data is collected, how it’s shared and whether a firm has experienced a data breach contributes to filling in the gap, the report states. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, promoted baking privacy into product and system design from the beginning, adding, “often it’s a matter of choosing better default settings on behalf of users.” Microsoft has also commissioned a survey on consumer privacy expectations.

ONLINE PRIVACY

Film Explores Evolution of Privacy Policies (January 23, 2013)

A new film exploring the changing legal and privacy rights of Internet users premiered at the Sundance Film Festival, CNET News reports. “Terms and Conditions May Apply” documents the evolution of online tech companies’ policies and how user anonymity has diminished as a result of government intervention—such as the USA PATRIOT Act—and advertisers, the report states. Film director Cullen Hoback argues that diminished online anonymity has put some users at greater risk, citing an example of a Facebook post that brought a SWAT team to a comedian’s house. Hoback also seeks out one firm’s original privacy policy, which reportedly included language promising anonymity to users. Now, Hoback says, privacy policies are “designed to be as uninviting as humanly possible.”

SOCIAL NETWORKING

Expert: Graph Is “Watershed Moment” for Social Search (January 21, 2013)

Coming at a time when people are increasingly more cautious about posting information online, Facebook’s new search tool “Graph Search” has some experts wondering whether users will continue to share the information that will make it valuable, reports The New York Times. The tool mines users’ interests, photos, check-ins and “likes” and displays results ranked by the friends and brands that it thinks a user would trust the most. “This is a watershed moment,” said one University of Washington computer science professor, adding, “There have been other attempts at social search, but it’s the scale at which Facebook operates, especially once they fully index everything we’ve said or say or like.” (Registration may be required to access this story.)

SURVEILLANCE

“Privacy Visor” Blocks Facial Recognition (January 21, 2013)

The integration of facial recognition into people’s lives, from surveillance cameras to social networks, has prompted Japanese researchers to develop a pair of high-tech glasses that block facial recognition cameras, reports Slate. The two professors set out to counter the “invasion of privacy caused by photographs taken in secret.” The prototype consists of a pair of goggles attached to a battery that use infrared light sources to create “noise” across key areas of the face. This is not the only recent invention aimed at thwarting surveillance technologies; a New York artist has come out with a line of “anti-surveillance” clothing.

DATA LOSS—CANADA

Breach of 500,000 Spurs Class-Action Suits, Investigations (January 18, 2013)

A Human Resources and Skills Development Canada breach of 583,000 records—its second this month—has prompted investigations by the RCMP and the Office of the Privacy Commissioner (OPC) and two class-action lawsuits, reports the Canadian Press. A hard drive containing names, social insurance numbers, contact information, birth dates and balance amounts of Canada Student Loans Program borrowers went missing in November but was not reported to the OPC until more than a month later, resulting in some criticism for the delay. Assistant Privacy Commissioner Chantal Bernier says after this investigation, the OPC is considering conducting audits of government agencies that hold large volumes of sensitive data, and the human resources minister has requested all department employees participate in mandatory security training.

DATA PROTECTION

Legal Threats Could Lead to Changes In Securing Data, Health Data Lost (January 18, 2013)

Postmedia News reports that the growing number of lawsuits aimed at the government over data breaches may be the catalyst for improving data security—and a move to the cloud. While the cloud is not perfect, the article states, it would reduce the need for portable devices to carry personal data, “which is typically how they lose it,” says one expert. The government is currently looking into creating a private cloud network. Meanwhile, a USB stick was lost containing the health data, personal health numbers, genders and dates of birth, among other information, of 38,000 BC residents. Seven Health Ministry staff and contractors involved in patient research were fired due to the breach.

DATA PROTECTION

Experts Discuss Privilege Management Tool (January 17, 2013)

CSO reports on a technology some say can “trump human weaknesses,” making data breaches due to human error less likely. “Least privilege management” operates on a need-to-know basis but allows access privileges to applications instead of individuals; however, it hasn’t been widely deployed among organizations, the report states. One expert said, “It’s nigh impossible to account for all types of user interaction with a system. But in interactions that are fairly small or focused, properly implemented least privilege would be a solid and nigh unusurpable control.” Another expert said the problem isn’t “unwitting employees but malicious attackers.”

DATA LOSS—CANADA

Ministry Says Breaches Affected Five Million (January 15, 2013)

The Huffington Post reports on breaches affecting five million British Columbians. In the most serious cases, the provincial government will contact those affected by letter, the report states. Health Minister Margaret MacDiarmid has announced three data breaches occurring between October 2010 and June 2012 involving health data saved on USB sticks and shared with researchers without the proper permissions. The USB sticks were not encrypted or password protected, despite ministry policies. “We don’t believe there is a great risk to individuals with this information because there is no evidence at all that the information has been used for anything other than health research,” MacDiarmid said. Editor’s Note: The preconference workshop Surviving a Data Breach in the Digital Age will be part of the Global Privacy Summit in Washington, DC, March 6.

DATA PROTECTION

Insurance To Grow if Proposals Approved (January 15, 2013)

MEP Jan Philipp Albrecht’s recent report on the European Commission’s draft regulation suggests companies seeking to process data in countries outside of the European Economic Area that have not been designated as meeting EU standards should have to provide “financial indemnification” to individuals for data breaches, reports Out-Law.com. The need for insurance products “to transfer risk for the data processor or controller has grown,” said Pinsent Mason’s Ian Birdsey. “While a standard professional indemnity policy may have been considered adequate five years ago, both companies and insurers have appreciated the need for specialist insurance products dealing with the myriad data risks.”

PERSONAL PRIVACY

BC Commissioner To Review Provincial ID Cards (January 11, 2013)

Plans by the government of British Columbia (BC) to introduce new provincial identification cards are drawing concern from privacy advocates and precipitating a review by BC Information and Privacy Commissioner Elizabeth Denham, The Globe and Mail reports. Health Minister Margaret MacDiarmid has said the card will be required for residents to receive medical services. Denham said, “It is critical that in developing this program that the sensitive personal information of British Columbians is protected.” BC Freedom of Information and Privacy Association Executive Director Vincent Gogolek has said the government does not have the best track record when creating high-tech programs, the report states.

ONLINE PRIVACY—CANADA

OPC Denies Reports on Bill C-30 Compromise (January 11, 2013)

The Office of the Privacy Commissioner (OPC) is refuting claims reported earlier this week that it was working on a compromise on legislation that would increase law enforcement’s surveillance powers over the Internet, MACLEANS.CA reports. “I reject the characterization of this as a compromise outright,” Assistant Privacy Commissioner Chantal Bernier said. “Privacy is a fundamental right. You don’t compromise on fundamental rights.” Bernier added that the OPC was “doing our homework. A legal and technical analysis. What we’re exploring is, if the warrant system is too cumbersome—which is unproven—is there then a way to preserve privacy under a new system?”

INFORMATION ACCESS

68-Month Delay “Unconscionable,” Says Commissioner (January 11, 2013)

A new report filed by Saskatchewan Information and Privacy Commissioner Gary Dickson has been critical of the Justice Ministry’s handling of a citizen’s request to access government records about himself, CBC News reports. Dickson wrote, “I am struck by the profound lack of respect shown for the applicant and his right to access records that are fundamentally about him.” The man in question and Dickson’s office have repeatedly asked the ministry for the records. “My recommendation to Justice is that it immediately undertake a thorough examination of its process to determine how it can better meet the letter and spirit of the Freedom of Information and Protection of Privacy Act,” Dickson said in the report.

DATA RETENTION

Study: Data Deletion Practices Don’t Match Beliefs (January 11, 2013)

A study of the data retention practices of 500 companies in Canada, Germany, the U.S. and the UK revealed that while the number of companies without a data retention plan dropped by half last year, there has been no improvement in the discrepancy between companies’ beliefs and their practices, reports IT World Canada. “Eighty-one percent of respondents say proper information retention allows companies to delete un-needed data, but these organizations say they retain 42 percent of their backups indefinitely,” said Trevor Daughney of Symantec, the company that conducted the survey.

ONLINE PRIVACY

Firm Says It Decrypts HTTPS, But Doesn’t Access It (January 11, 2013)

Nokia has confirmed reports by a security researcher that it decrypts HTTPS data flowing through its Xpress Browser—including banking sessions and encrypted e-mail—but the company says it does not access the decrypted information, GigaOm reports. Security Researcher Gaurang Pandya said, “From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information, which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.” Nokia said it has “implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

ONLINE PRIVACY

Changes Grant Data Access, Tech Giants Join Forces (January 10, 2013)

Foursquare users would be wise to study the application’s new privacy policy, effective January 28, ZDNet reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. The window of time to access the list has also expanded. Meanwhile, Apple, Facebook and Microsoft have joined forces to launch ACT 4 Apps, an effort to educate app developers on privacy. The Association for Competitive Technology will facilitate the effort.

ONLINE PRIVACY

HTTPS Function Rolled Out by Yahoo (January 9, 2013)

A new option to enable HTTPS for full webmail sessions has been introduced by Yahoo, IDG News Service reports. Digital rights and privacy advocates have welcomed the new rollout. The Electronic Frontier Foundation, along with other advocates, sent a letter to Yahoo CEO Marissa Mayer last November asking for the secure function. The new interface features a “Turn on SSL” setting that users must manually switch on. In a blog post, AccessNow.org supported the decision and wrote, “Pending technical analysis of its implementation, we believe this decision by Yahoo responds to some of the concerns raised by civil society and security experts and signals a continuing strengthening of their services’ privacy protections.”

SURVEILLANCE

Study: Cameras Violate Federal Laws (January 4, 2013)

A recent study has found that most Canadian retailers using surveillance cameras are failing to follow new federal rules, CBC News reports. University of Toronto Prof. Andrew Clement’s study of hundreds of cameras found that about 30 percent contained a sign alerting individuals of their use, and none met the minimum requirements under the Personal Information Protection and Electronic Documents Act. Nathalie Des Rosiers, general counsel for the Canadian Civil Liberties Association, said it’s “a question of not depriving people of the opportunity to make a decision themselves about what they want to share and what they do not want to share, and that’s a fundamental aspect of human dignity.”

DATA LOSS

Commissioner to Dating Company: Educate Your Workers (January 4, 2013)

Alberta’s privacy commissioner has ordered a speed-dating company to tighten its training following the inadvertent disclosure of a woman’s e-mail address, MACLEANS.CA reports. A woman complained after attending a speed-dating event organized by FastLife International when she received an e-mail from a man who claimed he obtained her e-mail address from the company. The woman had not given her consent. Following a December 2011 investigation prompted by the woman’s complaint, adjudicator Keri Ridley ruled the incident was due to human error, the report states, and FastLife has been given 50 days to educate employees on privacy laws.

PRIVACY LAW—ITALY

Italian DPA Cooperates with International Regulators (January 3, 2013)

Rocco Panetta of Panetta & Associati reports that the Italian data protection authority (Garante) has established three resolutions in the field of international data processing and transfer. Panetta, who is the Garante’s former head of legal, notes cooperation between data protection authorities is increasing when it comes to enforcement profiles. In one case, a data subject made a claim against Italian company “Badoo” for publishing fake profiles by a third party on a UK social network.

BEHAVIORAL TARGETING

Ad Industry Concerned With Firms’ Privacy Practices (January 3, 2013)

Ad Age reports on concerns within the advertising industry that Facebook and Amazon are not using the industry’s standardized ad privacy program while a majority of large media firms and ad networks comply or integrate with the Digital Advertising Alliance’s (DAA) Ad Choices program. Ad campaigns operated by Facebook and Amazon also raise privacy concerns, the report states. One industry executive said, “We need publishers to adopt the industry standard,” adding, “We cannot have everyone embrace it in their own flavor.” A TRUSTe representative said Facebook is “pushing the edge of what online advertising is doing” and added the two companies “may warrant a whole new category within the DAA’s program.”

DATA LOSS—CANADA

Commissioner’s Office To Investigate Breach (January 3, 2013)

The Office of the Privacy Commissioner of Canada (OPC) will investigate a breach at Human Resources and Skills Development Canada (HRSDC), The London Free Press reports. The breach occurred when an HRSDC employee transported and lost an unencrypted USB stick containing the personal information of 5,000 Canadians. The USB stick went missing November 17 but was not reported to OPC until December 21, the report states. The office has received 100 calls and several complaints on the matter, prompting an investigation that will focus on “the application of the Privacy Act,” how the USB stick was misplaced and what data was stored on it, said OPC spokeswoman Anne-Marie Hayden.

SOCIAL NETWORKING

Foursquare Changes Privacy Policy, Suit Filed Against Instagram (January 2, 2013)

Foursquare announced last week that it is changing its privacy policy effective January 28, PC Magazine reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. A company e-mail stated, “This is great for helping store owners identify their customers and give them more personal service or offers.” Foursquare has also created “Privacy 101,” a stripped-down version of its privacy policy. Meanwhile, a class-action lawsuit has been filed against Instagram for its proposed privacy policy changes. According to the report, the lawsuit cites a breach of contract, among other claims.