Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jive with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

ONLINE PRIVACY

Tech Firms Discuss DNT, Data Currency (February 28, 2013)

A panel of privacy experts from some of the Internet’s top technology companies—including Microsoft, Mozilla, Facebook and Google—discussed Do Not Track, mobile privacy and third-party data transfers, NETWORKWORLD reports. According to SC Magazine, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “It hasn’t yet been defined on a broad level what a service should do when they receive a Do-Not-Track signal,” adding, “It’s going to be confusing for people if there’s not a common understanding of what Do-Not-Track means.” Meanwhile, author Cory Doctorow questions whether personal information sharing for free services overlooks the value of an individual’s personal data.

BIG DATA

Facebook To Partner With Data Brokers (February 26, 2013)
NBC News reports that Facebook is planning to announce partnerships with three data marketing firms to deliver online targeted ads gleaned from offline information. Acxiom, Epsilon and Datalogix will all partner with the social networking company and allegedly upload customer lists to Facebook, which will then find matches among its users to create “custom audiences,” the report states. Facebook will not know the identity of the customers because the data will be hashed. The combination of the online and offline databases has raised privacy concerns. “There needs to be limits on Facebook’s growing use of outside data broker information,” said Jeffrey Chester of the Center for Digital Democracy. Meanwhile, a security specialist was able to access any Facebook account through an authentication flaw. The company says it has since fixed the problem. Editor’s Note: The breakout session Big Data, Not Big Brother: Best Practices for Data Analytics will be part of next week’s IAPP Global Privacy Summit in Washington, DC.

ONLINE PRIVACY

Web Tracking Tags Raise Concerns; Ad Industry Reacts to Browser Changes (February 26, 2013)

Financial Times reports on the rise of website tracking tags and corresponding security and privacy concerns. According to an Evidon report that surveyed 7.5 million Internet users, 55 percent of tracking devices used by major websites were placed by third parties rather than the first-party publisher. One Evidon representative said, “If you’re unaware of the companies injecting scripts into your page, it makes it hard to keep your users safe.” Meanwhile, AdvertisingAge reports on the ad industry’s reaction to news that Mozilla will block third-party tracking by default in its latest version of Firefox. Mozilla’s Alex Fowler said “strong user support for more control is driving our decision to move forward with this patch.” An industry representative said “the unintended consequences may outweigh the benefit that’s achieved.” (Registration may be required to access this story.)

ONLINE PRIVACY

Lobbyists Want Data on Skype Disclosures (February 25, 2013)

A coalition of digital rights groups and individuals is calling on Microsoft to release regular transparency reports on data collected from Skype users, including whether it’s been shared with third parties such as advertisers and law enforcement agencies. Microsoft purchased Skype in 2011, The New York Times reports. “We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” said Prof. Paul Bernal, a lawyer who is one of the 61 individuals to sign the open letter to Microsoft. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.” The coalition also wants to know whether Skype’s headquarters have changed from the EU since it was purchased by a U.S.-based company. (Registration may be required to access this story.)

BIG DATA

Opinion: Is Big Data All It’s Cracked Up To Be? (February 25, 2013)

In a column for MACLEANS.CA, Julia Belluz writes that, despite claims it can “cure cancer, transform business and government, foretell political outcomes, even deliver TV shows we didn’t know we wanted,” Big Data’s “big promises” may not have the research community sold. “Some say vast data collections—often user-generated and scraped from social media platforms or administrative databases—are not as prophetic or even accurate as they’ve been made out to be,” Belluz writes. In the example of Big Data genomics, Belluz states that “it’s hard to tell the signal from the noise.” And some are questioning the “integrity of Big Data,” Belluz writes, noting that a recent article showed that Google Flu Trends “massively overestimated the year’s flu season.”

TRAVELLERS’ PRIVACY—CANADA & U.S.

Rights Have Limits at the Border (February 22, 2013)

Kashmir Hill writes for Forbes about the ability of U.S. customs officials to search digital devices—including looking through e-mails and social media posts. Using the experience of a Canadian actor, Hill explores what an American Civil Liberties Union attorney calls border crossers’ “limited ability to say no,” adding, “You can say no but there are consequences. They might not let you in. They might detain you for 25 hours while they get a warrant. Or they might just seize your property.” The U.S. Department of Homeland Security’s privacy head has recently voiced support of warrantless searches of digital devices at the border, but the Electronic Frontier Foundation is pushing for a warrant requirement, the report states.

MOBILE PRIVACY

Court Ruling Raises Privacy Concerns (February 22, 2013)

A recent Ontario Court of Appeal ruling allowing law enforcement warrantless access to a suspect’s cellphone is raising privacy concerns among some legal experts and privacy advocates, CBC News reports. One attorney said, “You never know when you’ll be stopped and arrested improperly…The problem is that people put so much personal information on their cellphones, and if they’re not taking any type of steps they might be giving a lot away.” A representative from the Canadian Civil Liberties Association also expressed similar concerns.

DATA LOSS

OIPC Investigating Discarded Documents (February 22, 2013)

Alberta’s Office of the Information and Privacy Commissioner (OIPC) is investigating after a man found documents containing potentially sensitive information in the trash behind a restaurant. The information included credit card batch and employee reports related to the restaurant. OIPC spokeswoman Diane McLeod-McKay said organizations are responsible for properly disposing of personal information, and of particular concern in the case are the detailed reports on employees. “If I work at an organization and there is anything related to my employment such as my employee record or hours of work, then the organization needs to ensure it is protected,” she said.

DATA PROTECTION

Commissioner Urges Encryption (February 22, 2013)

In light of several recent high profile data breaches, Alberta Information and Privacy Commissioner Jill Clayton is urging public- and private-sector organizations to encrypt sensitive personal information, particularly when stored on portable devices, Calgary Herald reports. Clayton said, “The device might be lost, but the harm is preventable and encryption is very much a piece of that…As there are more and more of these devices and they are increasingly mobile and they’re capable of storing just massive amounts of information, the risks are pretty high.”

BEHAVIORAL TARGETING

How Our Online Experiences Affirm What We Already Believe (February 21, 2013)

Based on companies’ abilities to collect data on individuals online in order to send targeted ads based on behaviors, “99 percent of us live on the wrong side of a one-way mirror, in which the other one percent manipulates our experiences,” reports Scientific American. Unseen hands “curate your entire experience” and predetermine the news you see and even the people you meet, which serves to “affirm, instead of challenge, what we already believe to be true.” Meanwhile, Eric Clemens reports for the Huffington Post on the “myth of anonymization” and the misconception that targeted ads mean a better online experience—and for free.

PRIVACY

Information Privacy Trailblazer Alan Westin Passes Away (February 19, 2013)
Alan Westin, a groundbreaking scholar of information privacy who helped influence a generation of privacy study and the privacy profession itself, passed away Monday at the age of 83. “Today, literally tens of thousands of statutes, court decisions, regulations and company best practice standards, throughout the globe, are based upon” principles set forth by Westin, said friend and Arnall Golden Gregory Privacy Partner Bob Belair. The Privacy Advisor explores Westin’s legacy in this exclusive feature, including commentary from privacy notables. As Indiana University Prof. Fred Cate told The Privacy Advisor, “Alan's passing is especially hard to come to grips with because he was such a larger-than-life figure who not only helped to create and define the modern field of privacy law but welcomed, included and mentored so many of us who followed in his giant footsteps. I wouldn't be in privacy law if it weren't for Alan, and I suspect that is true--directly or indirectly--for many IAPP members.”

SOCIAL NETWORKING

Features Spark Privacy Worries (February 19, 2013)

While IDG News Service reports on Facebook’s efforts “to assure users that Graph Search, its new search engine…does not compromise the privacy rights of minors,” The Guardian reports on privacy concerns prompted by the social network’s new promote-post feature. “Facebook announced the launch of a new feature on Friday that allows users to pay to promote their friends' posts,” the report states, noting that while the feature is governed by the site’s privacy settings, it “has already sparked privacy concerns” because users do not have to give permission to have their posts promoted by their friends.

MOBILE PRIVACY

Developer Raises App Store Privacy Policy Concerns (February 15, 2013)

An Australian-based app developer has raised concerns that Google’s app store policies allow for the sharing of users’ personal information—including e-mails, names and addresses—without consent, Reuters reports. Electronic Privacy Information Center Executive Director Marc Rotenberg said the company buries the notice explaining how it shares users’ personal data and does not clearly obtain express consent. “In a situation like this,” he said, “where people just don’t know what information is being transferred or who it’s going to or for what purpose, it seems ridiculous to say that Google has consent.” Google has said, “Google Wallet shares the information needed to process transactions, and this is clearly stated in the Google Wallet Privacy Notice.”

PRIVACY LAW

OPC, Media Hail End of Internet Surveillance Bill (February 15, 2013)

Federal Justice Minister Rob Nicholson has announced Bill C-30 will not go ahead due to public opposition. The bill, also known as the Protecting Children from Internet Predators Act, had been opposed by civil liberties and privacy groups as well as Privacy Commissioner Jennifer Stoddart, who said the announcement is “a welcome development for privacy in Canada, and I applaud the many Canadians who spoke out about their concerns with the bill and their deep attachment to their privacy rights.” An editorial in the Ottawa Citizen also supports the move, noting, “Privacy is a hallowed right in western liberal societies because it fosters personal autonomy by effectively establishing a kind of 'space'—breathing room, if you will—between the individual and the state, between the personal and the political.”

DATA LOSS

Questions Remain Unanswered in Student Loan Breach (February 15, 2013)

Human Resources Minister Diane Finley faced questions in the House of Commons regarding the loss of an external hard drive from Human Resources and Skills Development Canada, Postmedia News reports. One question she was not able to answer was whether the breach affected only those students who obtained loans between 2000 and 2006. The drive contained the personal information of 583,000 student loan borrowers. Action taken so far by the department has included a six-year contract with Equifax to protect the credit of those whose data may have been compromised, the report states.

PRIVACY LAW

BC Commissioner Voices Concern Over Services Card (February 15, 2013)

Last week, British Columbia Information and Privacy Commissioner Elizabeth Denham voiced concern over the launch of the new BC Services Card that aims to put British Columbians’ personal information all on one card while improving access to online government services, Global News reports. Denham said the new cards could put personal data at risk and has asked for more security safeguards to be in place before the cards’ issuance. Other critics have asked that the public be given more information about the cards overall before being required to use them.

DATA LOSS

Commissioner Tells Health Authority To Improve (February 15, 2013)

Saskatchewan’s privacy commissioner says Regina Qu’Appelle Regional Health Authority must take action to thwart employee “snooping,” NEWS TALK 980 CJME reports. The recommendation follows three privacy breaches at the health authority within the past five years involving employees’ inappropriate access to patient health information. The privacy commissioner says planned changes after the second breach were never implemented, and the authority’s current safeguards are not sufficient.

MOBILE PRIVACY

Developer Releases Privacy Locker App (February 14, 2013)

A Thai developer has released an app that allows users to import photos and videos from their cameras into a secured folder, CNET Asia reports. The Private Locker for Photo & Video is designed to be unnoticeable unless a user actively seeks it out, the report states. If an individual enters an incorrect password on a smartphone, its front-facing camera takes a picture of the user, and any secured data is deleted after five failed attempts to access the locker. Editor’s Note: The breakout session The Mobile Majority: Building Privacy by Design into Mobile Apps will be part of this year’s IAPP Global Privacy Summit in Washington, DC.

DATA LOSS

Report: Hacking Caused Majority of Breaches (February 12, 2013)

CSO reports a new survey by Open Security Foundation has found hacking was the most common source of data breaches in 2012. There were 2,644 known data breaches last year, slightly more than double the number of breaches reported in 2011, the report states. Hacking was the reason for 68.2 percent of breaches. Meanwhile, a nonprofit organization in Maine inadvertently posted to its website a database containing details on a portion of its membership. The details included each member's donation amount, address, telephone number, birthday and emergency contact information.

ONLINE PRIVACY

Glitch Overrides User Privacy Settings (February 12, 2013)

A privacy bug reversed some Flickr users’ privacy settings, making them ineffective and causing their private images to become public, Digital Trends reports. In response, Flickr set all public photos to private and e-mailed affected members about the glitch. The exposed photos were not indexed by search engines, however.

SOCIAL NETWORKING

Self-Destructing App Grows; Software Mines Social Media (February 11, 2013)

The New York Times reports on the growing popularity of Snapchat, a service that allows users to send messages that self-destruct seconds after they’re viewed. According to the report, “Snapchat is being embraced as an antidote to a world where nearly every feeling, celebration and life moment is captured to be shared, logged, liked, commented on, stored, searched and sold.” Meanwhile, The Guardian reports on Riot—software capable of tracking individuals’ movements and predicting their behaviors by mining social media data. EPIC Attorney Ginger McCall said, “Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search.” (Registration may be required to access this story.)

MOBILE PRIVACY

“Godfather of Encryption” Introduces Smartphone Service (February 8, 2013)
The New York Times reports on the release of a new technology that provides encryption for smartphone users. Phil Zimmermann, “widely considered the godfather of encryption software,” has introduced Silent Circle, which allows users to make encrypted phone calls, send encrypted texts and conduct videoconferencing. Zimmermann’s company has planted its servers in Canada, known to have stronger privacy laws than the U.S. or the EU, the report states. The company has said it will not cooperate with law enforcement requests for data. (Registration may be required to access this story.)

DATA LOSS

HRSDC Breach: Officials To Be Summoned, Notification Problems (February 8, 2013)

The NDP and Liberal Parties continue to push for more information about the loss of a hard drive at Human Resources and Skills Development Canada (HRSDC) containing the student loan data of 600,000 Canadians. PostMedia News reports that a Commons committee plans to summon departmental officials to testify about the breach but decided HRSDC Minister Diane Finley would not be summoned. The breach has resulted in at least four class-action lawsuits, and those affected, including NDP MP Ruth Ellen Brosseau, are concerned about the threat of identity theft. Meanwhile, CBC News reports that some notifications sent to breach victims have been delivered to the wrong recipients.

ONLINE PRIVACY

OPC: Websites Cleaning Up Their Acts (February 8, 2013)

The Office of the Privacy Commissioner (OPC) has said popular Canadian websites that were found to be leaking user data last year are beginning to improve their practices, Financial Post reports. Valerie Lawton, an OPC representative, said, “With certain companies, the matter is entirely resolved…Through verification with them, we found that the information shared was not personal (or) the company has addressed the issue.” Lawton added, “With others, we have been engaged in specific discussions to address any remaining issues.” According to the report, the OPC is developing best practice guidance for how websites can seek informed consent from users for data sharing and how best to process and disclose such data to third parties.

PRIVACY LAW

Fate of Bill Unknown (February 8, 2013)

Bill C-30 is now nearly a year old and has not been sent to a parliamentary committee for study, leading many to think the likelihood of enactment is fading quickly, reports The Globe and Mail. The Office of the Privacy Commissioner continues to review the bill and how it may be improved “if and when the government asks” for its advice, the report states. A government spokesperson said the government is also reviewing the legislation, and it will “strike an appropriate balance between protecting privacy and giving police the tools they need to do their job.”

ONLINE PRIVACY

How Much Privacy Can Users Expect? (February 8, 2013)

CBC News reports on experts’ assertions that even by limiting the amount of personal information one discloses, online privacy is no longer a realistic expectation. That’s because of advances in technology that make it increasingly easy to aggregate information, and there’s a “tremendous financial incentive for organizations to do this,” one expert says, adding that “it’s done so unobtrusively, so you can’t really tell what data is being accessed by whom and what they’re doing with it.” A spokesman for the Office of the Privacy Commissioner of Canada says because the Privacy Act hasn’t been amended in more than 30 years, citizens “have little mechanism for redress when things go wrong.”

ONLINE PRIVACY

Firm Using Privacy As Competitive Advantage (February 7, 2013)

The competitive battlefield over privacy is heating up as Microsoft unveils a new print, television and online advertising campaign against Google’s privacy practices, The New York Times reports. The advertisements will reportedly reveal research showing that consumers are unaware of e-mail monitoring practices for personalized advertising and disapprove once they find out. A Microsoft representative said, “There’s a lot of fear out there. We can bring these issues to light without fear.” Google said in a statement, “We work hard to make sure that ads are safe, unobtrusive and relevant,” adding, “No humans read your e-mail…in order to show you advertisements or related information.” (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook To Join Ranks, Employ AdChoices Icon (February 6, 2013)
Following pressure from ad agencies and advertisers, Facebook has agreed to start displaying the “AdChoices” icon on its FBX display ads. The symbol will appear only when users move their mouse over an “x” displayed over the ads, however. The move will likely appease advertisers who choose not to invest in behavioral targeting campaigns without the icon, Ad Age reports, but whether the move satisfies the Digital Advertising Alliance is yet to be seen. Genie Barton of the Online Interest-Based Advertising Accountability Program, who worked with Facebook to come to the icon agreement, says if a business feels this solution isn’t sufficient, “they only have to let me know.”

MOBILE PRIVACY

App Vetting Service Alerts Users of Privacy Issues (February 6, 2013)

BlackBerry has rolled out a new privacy notification service to warn app developers and users when an app may collect more data than it states, USA Today reports. Any apps approved for distribution in the BlackBerry World online store are vetted for privacy and security issues. The company’s privacy notices “are for applications that do not appear to have malicious objectives or aim to mislead customers but rather don't clearly or adequately inform users about how the app is accessing and possibly managing customers' data,” the BlackBerry website states. Lockheed Martin Director of Cybersecurity Steve Adegbite said the new service “gives power back to the user to protect important information.” A BlackBerry representative said, “We believe this is the way forward for the entire mobile ecosystem.”

DATA THEFT

Hackers Compromise 250,000 Twitter Accounts (February 4, 2013)

Twitter has said nearly 250,000 user accounts may have been breached in what it called a “sophisticated attack,” The New York Times reports. In a blog post, the company said it detected out-of-the-ordinary access patterns and that user data—including user names, e-mail addresses and encrypted passwords—may have been compromised. Twitter Director of Information Security Bob Lord said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.” Both the Times and The Wall Street Journal announced last week that hackers infiltrated their internal networks. (Registration may be required to access this story.)

DATA PROTECTION

OIPC, Oracle Release Security-By-Design Paper (February 1, 2013)

Ontario Information and Privacy Commissioner Ann Cavoukian and Oracle Director Marc Chanliau have released a paper promoting the need for privacy and security integration, ITWorldCanada reports. They write, “Privacy must be incorporated into networked data systems and technologies, not as an afterthought, but rather, by default.” Released in conjunction with Data Privacy Day, the authors write privacy and security “must become integral to organization priorities, project objectives and planning operations…and embedded into every standard, protocol and process that touches our lives.”