Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY RESOURCES

To BYOD or Not To BYOD (October 31, 2013)

Bring Your Own Device (BYOD) programs allow employees to use their own devices to stay connected to, access data from or complete tasks for their organizations. While BYOD programs reportedly result in increased employee productivity and job satisfaction, they also bring privacy and security challenges. View research, sample policies and guidance in this IAPP Resource Center Close-Up to help you determine whether BYOD works for your organization—and, if it does, how to keep your data safe in the process.
Close-Up: BYOD

ONLINE PRIVACY

E-mail Encryptors Form Dark Mail Alliance (October 31, 2013)

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption, Forbes reports. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.”

DHS Needs Your Help; Application Deadline Monday (October 30, 2013)

By Sam Pfeifle
Publications Director

When we reported the appointment of IAPP member Karen Neuman as the new CPO at the U.S. Department of Homeland Security (DHS), we noted she’d get help from the Data Privacy and Integrity Advisory Committee.

Well, that could be you.

DHS posted in the Federal Register on Monday that it is on the hunt for committee members and that interested parties should submit their applications—basically, a cover letter and a resume—by Monday, November 4.

Why the short notice?

“We usually get pretty good responses to our announcement of openings,” said Shannon Ballard, director, International Privacy Programs, in the DHS Privacy Office, “but because the opening came up during the two-and-a-half-week furlough, our response rate was pretty low, so we put out a one-week extension to get some more applications in.”

The committee, chaired by Hunton & Williams Partner Lisa Sotto, CIPP/US, CIPM, has 25 members, with each member serving a three-year term. It is tasked with making recommendations to the Privacy Office on a wide range of policy, operational, administrative and tech issues that may confront the department.

There are requirements, as well, that the committee be diverse.

“We’re required,” said Ballard, “to find a balance of expertise. It can come from the private sector, educators, advocacy … And we can’t have all huge company CPOs. We want some from smaller businesses, nonprofits. They just have to let me know what their expertise is and where they fall in our balance plan.”

How much work are we talking about here, though?

“We’re required to meet once a year,” said Ballard, “and in the two years I’ve been doing it, we’ve met twice a year. Once appointed, members are assigned to one of three subcommittees—policy, technology or cybersecurity—and the subcommittees will do conference calls, too. We don’t have the funding anymore to fly people to Washington, so it’s usually calls and virtual meetings.

“So, the burden on the members hasn’t been too onerous,” she said, “and now that we finally have a chief privacy officer, I know she’ll be interested in getting the membership back together and assigning them tasks.”

Just this September, for example, the committee issued a 19-page recommendation, which is public, on the use of “live data in research, testing or training, and for specific privacy protections DHS can consider when that live data includes personally identifiable information.” Other reports have covered cybersecurity pilots,...

GEO PRIVACY

Location Tracking: Coming to a Government, Employer and Retailer Near You (October 29, 2013)

Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry smartphones with them every step of the day, and as these devices send and receive electronic signals, they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location-tracking analytics is becoming more sophisticated, so too is the range of interested parties—including regulators. IAPP Westin Research Fellow Kelsey Finch examines the issue in this in-depth exclusive for The Privacy Advisor. (Editor’s Note: The IAPP is hosting a web conference on this topic Oct. 31 at 1 p.m. EDT.)

ONLINE PRIVACY

Website, Researcher Rate Sites on Practices (October 29, 2013)

Forbes reports on a fledgling site using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—has been thrust into overdrive since the NSA revelations.

ONLINE PRIVACY

The Economics and Future of Cookies (October 29, 2013)

As the IAPP reported in The Privacy Advisor last week, cookies may be reaching the end of the road—but not with a whimper. The Wall Street Journal reports Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” (Registration may be required to access this story.)

GEO PRIVACY

Mozilla Developing Public Data Service (October 29, 2013)

PCWorld reports Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” "The data would be provided by cell towers, WiFi and IP addresses," the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia.

PRIVACY LAW

EU, Ecuador and the FTC in This Week’s Tracker Roundup (October 28, 2013)

While much of the news was focused on the EU Data Protection Regulation over the past week, a few other things of note happened in the legal realm as well. For example, the EU Parliament adopted a resolution to suspend SWIFT based on allegations that the U.S. NSA had access to EU citizens’ bank data; the FTC reached a settlement with Aaron’s, Inc., over the company’s consumer spying regime, and in Ecuador, there are concerns that a new penal code could violate citizens’ online privacy. These are just a few of the stories—in addition to information on the LIBE vote and the future of Safe Harbor and the EU regulation—in this week’s Privacy Tracker legislative roundup.

PRIVACY COMMUNITY

Strickland New CPO at JP Morgan Chase (October 28, 2013)

Last week was the first for Zoe Strickland, CIPP/US, CIPP/G, CIPP/IT, as managing director, SVP and CPO at JP Morgan Chase. She has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry. In this exclusive for The Privacy Advisor, we talk with her about new challenges, how the two jobs overlap and why CPOs “can be an asset to the firm outside the company walls.”

PRIVACY BUSINESS

Entrepreneurs, Businesses Focused on Privacy (October 28, 2013)

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. The Washington Post reports on ManageURiD, formed last year to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” (Registration may be required to access this story.)

SURVEILLANCE

Spying Fallout Continues; Countries Draft UN Resolution (October 28, 2013)

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities, The Guardian reports. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance.

DATA RETENTION

FINTRAC Audit Shows Unnecessary Retention (October 25, 2013)

Despite a 2009 warning not to collect and keep data unnecessarily, an audit has shown that Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the department responsible for monitoring financial institutions for fraud and terrorist funding indicators, is collecting more personal information than it needs, reports The Ottawa Citizen. Privacy Commissioner Jennifer Stoddart says she has “serious concerns about the extent to which FINTRAC’s information holdings are populated with personal information that should never have even been submitted,” and Assistant Commissioner Chantal Bernier said the office wants to see FINTRAC working harder to educate financial institutions about what information should be sent, as well as setting up a system to eliminate personal details prior to data entering the agency database.

PRIVACY LAW

OPC To Investigate Bell (October 25, 2013)

The Office of the Privacy Commissioner (OPC) has announced it will be investigating Canadian telecom Bell after the company informed its customers it plans to collect information to offer “relevant ads,” CBC News reports. The OPC’s Scott Hutchinson said the office has received complaints from Bell customers. Prof. Michael Geist said, “They’ll literally know what web pages you visit, which search terms you enter, where you happen to be, what apps you use, what television you watch, even your calling patterns,” adding that while customers have until November 16 to opt out, his understanding is “when you’re opting out, you’re opting out of targeted ads. You’re not opting out of the broader collection more generally.” Meanwhile, a Huffington Post Canada report questions how the tracking will benefit Bell customers.

DATA PROTECTION

Commissioner: Privacy, Security Should Work Together (October 25, 2013)

Speaking at a Montreal security conference, Privacy Commissioner Jennifer Stoddart highlighted the importance of privacy and security teams working more closely, IT World Canada reports. “It is imperative that cybersecurity specialists and data protection authorities like the OPC work even more closely together to improve the defences in the private sector and ensure privacy protection is a guiding principle in cybersecurity efforts,” Stoddart told the Messaging Malware and Mobile Anti-Abuse Working Group on Wednesday. She added, “The potential harm to organization brands from data breaches is significant and on the rise. That alone should be an incentive to make cybersecurity and accountability a greater business priority.”

HEALTHCARE PRIVACY

Commissioner, MoH Working To Prevent Breaches (October 25, 2013)

Saskatchewan Privacy Commissioner Gary Dickson and the Ministry of Health are taking steps to prevent health information “from ending up in the wrong hands,” Brandon Sun reports. Dickson has issued guidelines advising, for example, what those in the healthcare field should do to address incidents where information is sent or received in error. “For a number of years, after we went through the work in 2009 and 2010, I think we had assumed that most trustees in Saskatchewan had got the message and in fact had implemented those kinds of policies and procedures we'd recommended,” Dickson said, adding, “It appears now, just reflecting on the number of breaches that we're investigating, that confidence was misplaced.”

DATA LOSS

Following Breach Investigations, Funding Restored (October 25, 2013)

Times Colonist reports that following a year’s investigation into privacy breaches, the BC government has restored contracts and funding for researchers at the University of Victoria (UVic) and the University of British Columbia (UBC). UBC’s Therapeutics Initiative and a UVic group studying Alzheimer’s “lost access to health data and money in September 2012 as the Health Ministry investigated a privacy breach in its pharmaceutical services division,” the report states, noting the ministry has said improved data privacy and security has allowed the restoration of funds and data access. Health Minister Terry Lake indicated that “it was unfortunate a year of research was lost, but security and privacy of data were paramount,” the report states.

SURVEILLANCE

Opinion: Gov’t Must Address Drone Use Privacy Concerns (October 25, 2013)

In a column for The Vancouver Sun, Ian Mulgrew calls for the RCMP and Canada’s police forces that use aerial drones to address privacy concerns. “The drones provide police with an incredible new tool,” he writes; however, the “primary concern is safety—not privacy. … That's why the BC Civil Liberties Association, Ontario's information and privacy commission, the Canadian privacy commissioner and others have warned the technology has the potential to become extremely invasive.” The government must address the use of drones by police “and the unique concerns they pose to privacy and the collection of evidence,” he writes. (Registration may be required to access this story.)

ONLINE PRIVACY

Cookies’ Days Are Numbered, but Not Without a Fight (October 24, 2013)

Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology, though, may not outweigh the risks, writes David Tashroudian in this exclusive for The Privacy Advisor.

ONLINE PRIVACY—CANADA & U.S.

Dating Site Backs Off Purchase of Rival’s Database (October 24, 2013)

Canadian online dating site PlentyOfFish has withdrawn its offer to pay $700,000 for Texas-based dating site True.com’s customer database. The decision comes after Texas Attorney General Greg Abbott filed a petition to block the move, citing privacy concerns. True.com filed for bankruptcy protection last year. Its database contains tens of millions of customers’ personal information, including criminal and divorce histories, The Wall Street Journal reports. (Registration may be required to access this story.)

PRIVACY

Global Business? Find Privacy Allies Throughout the Company (October 23, 2013)

Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it's important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP's recent Privacy Academy in Seattle, WA.

ONLINE PRIVACY

New Open-Sourced Browser Blocks Ads by Default (October 22, 2013)

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X, InformationWeek reports. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward.

DATA LOSS

Roundup: The Week in Breaches (October 21, 2013)

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week. In this exclusive for The Privacy Advisor, we give you a roundup.

PRIVACY

The Big Data Fight and the Garden of Eden (October 21, 2013)

In the privacy world, we often hear the argument that, in order for the information economy to thrive, personal privacy must be leveraged—that there must be tradeoffs. In a complicated Big Data landscape, conveying transparency and consumer education are huge challenges. But in the latest iteration of the well-known TED Talks, Carnegie Mellon University researcher Alessandro Acquisti—a past co-recipient of the IAPP-Privacy Law Scholars Conference Award for his work on fairness and discrimination in job hiring practices—discusses some of his research and how it shows why privacy matters. This Privacy Perspectives post looks at Acquisti’s talk and how there may be alternative privacy solutions for consumers, businesses and policymakers alike.

PRIVACY LAW

Legislation on the Move Globally (October 21, 2013)

This week’s Privacy Tracker legislative roundup highlights changing privacy laws from the U.S. to Bahrain. Revisions to the U.S. Telephone Consumer Protection Act went into effect last week; the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will vote today on amendments to the proposed regulation and directive, and the Bahrain cabinet has preliminarily approved a data protection law. Meanwhile, the UK Information Commissioner’s Office is considering jail time for breaches at the same time as justifying its fining practices. (IAPP member login required.)

BIG DATA

Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)

What do you get when you put chief privacy officers from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends. In this exclusive for The Privacy Advisor, we give you the rundown on a wide-ranging discussion that provided key insights on decision-making and tactics.

PRIVACY LAW

Comparing Manitoba’s Privacy Law With Alberta’s (October 18, 2013)

Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states.

DATA PROTECTION

Geist: The Great Canadian Data Grab (October 18, 2013)

In a piece for The Huffington Post, Michael Geist reports on “the great Canadian personal data grab.” The Royal Bank of Canada (RBC) recently updated its mobile app and advised users who installed it that RBC would gain access to a wide range of their personal data. But RBC isn’t alone; Air Canada has a similar practice with its loyalty program. “The personal data grab from two of Canada's best-known companies is part of a disturbing privacy trend involving a seemingly insatiable desire for customer information,” Geist writes, adding the “demands stretch Canadian privacy law to its limits and run the risk of placing user data at risk for security breaches.”

SURVEILLANCE

Groups Come Together Against Gov’t Surveillance (October 18, 2013)

Georgia Straight reports that more than 20 organizations convened in Vancouver to launch the Protect Our Privacy Coalition, a group of “citizens, experts, organizations and businesses” that “have come together to defend our right to privacy based on a common statement of principle.” Micheal Vonn, policy director for the BC Civil Liberties Association, says the group was formed in response to indications that Prime Minister Stephen Harper plans to implement sections of Bill C-30, commonly known as the online surveillance bill, and OpenMedia.ca Executive Director Steve Anderson points to revelations about spying by Communications Security Establishment Canada.

PRIVACY

Experts Offer Tips on Enhancing Privacy (October 18, 2013)

Five Canadian privacy experts offer up tips to consumers for how to be more aware of and better protect their privacy. At a recent Vancouver privacy conference, the CBC asked BC Information and Privacy Commissioner Elizabeth Denham and Websense Canada General Manager and Senior Director Fiaaz Walji, among others, for “a piece of privacy-enhancing homework.” In the advice from Denham we’re told, "Ask questions of the companies you're dealing with—of the online companies and the brick and mortar companies ... Ask them how they're using your personal information. Ask them for their privacy policy. Be your own privacy commissioner and just pay attention."

PERSONAL PRIVACY

Police Consider Wearable Cameras (October 18, 2013)

The Toronto Police Service is considering wearable cameras for its police force, The Globe and Mail reports. The aim of the wearable cameras is to provide the police and the public with better accountability. Deputy Chief Peter Sloly said the force is in the process of researching the cameras and understanding the potential logistical factors. “We’ll have to look at the IT supports,” he said, “the governance—there’ll be privacy issues.” The cameras would potentially be worn on glasses to record incidents from the officer’s view. A representative from the Canadian Civil Liberties Association has expressed concern over the technology, saying that “if you have all these things on your databases, what are the other potential uses of this? Have they thought this through?”

SOCIAL NETWORKING

Facebook Changes Teen Privacy Rules (October 17, 2013)

Facebook has announced it has changed its privacy rules for teenagers, allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.”

MOBILE PRIVACY

Indoor Location Market Set To Boom; Privacy Concerns Loom (October 17, 2013)

In a column for MediaPost, Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. Editor’s Note: The IAPP will host the web conference Brick-and-Mortar Is Back—Emerging Privacy Issues for U.S. Retailers on Thursday October 31.

BIG DATA

The Dangers of Democratized Big Data (October 17, 2013)

In a report for Forbes, Woodrow Hartzog and Evan Selinger write about the dangers of democratized Big Data. Whereas presently only a few organizations use Big Data tools and techniques, in looking at the democratization of myriad Internet-based technology such as apps, cloud storage and encryption, “Big Data seems next,” the report states. Facebook’s Graph Search is an example of the progression, allowing users to look at a vast amount of data to see what other users “like.” As technology advances and more users have access to Big Data analysis, “privacy through obscurity” will become increasingly important because having “to resort to a complete withdrawal from public life simply is too steep a price to pay for whatever benefits Big Data brings,” the authors write.

PRIVACY COMMUNITY

IAPP Hits 14k Members, Expands Into New Space (October 17, 2013)

By coincidence, the IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices.

BIOMETRICS

Fingerprint Sensor: Tech Wonder or Privacy Headache? (October 16, 2013)

In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be “the most newsworthy piece of the new mobile device”—its fingerprint sensor. The sensor allows for biometric securing of what’s becoming one of the most personal devices people own. This exclusive for The Privacy Advisor offers a primer on biometrics and the potential “privacy alarms” triggered by the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.

BIG DATA

“U.S.-Style” Data Collection Spreads Globally (October 16, 2013)

The business trend of collecting the maximum amount of information about customers and potential clients is being adopted by businesses around the world, according to Forbes. One international data catalog advertisement by California-based data broker Infocore states, “For example, you might be interested in female, affluent customers in China, Hong Kong and Singapore … From that we’ll access our repository and send you a custom data summary.” The company has access to 6.5 billion records worldwide and expects to have access to 10 billion by next year, according to the report. Infocore President and CEO Kitty Kolding said, “The data industry is very nascent right now … But there is a lot of long-term profit to be had.” In some countries, however, the data is obtained through questionable methods, Kolding said, adding, “In China, there is way more data than you would think … Some of it is dodgy.”
Full Story

PERSONAL PRIVACY

On Embarrassing Photos and Personal Accountability (October 15, 2013)

The dynamic nature of the Internet allows for information to flow quickly, but when it involves embarrassing photos, it can be a very damaging experience for an individual. In a recent column for Salon, Caitlin Seida wrote about her experience of having one such photo go viral and the harm she experienced. However, Seida took steps to be accountable for the incident and took personal control over her photo. This Privacy Perspectives post looks into her incident and explores how businesses may improve their own accountability by giving users tools for better control over their data, showing users how they, too, can be accountable.
Full Story

SOCIAL NETWORKING

Facebook Privacy Tool To Be Removed (October 11, 2013)

Facebook has announced the final phase of removing an old privacy feature from the site, USA TODAY reports. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting.
Full Story

MOBILE PRIVACY

RBC Acts To Alleviate Privacy Concerns Around New Mobile App (October 11, 2013)

Following an update to its mobile banking app this week, RBC began receiving a slew of complaints from customers who discovered the app was requesting access to call logs, contacts and location. RBC told The Globe and Mail that the app “requires access to only limited information on your mobile device to provide you with the best mobile experience possible” and that “RBC does not sell this information.” However, to allay fears, the bank said it will have a website up within 48 hours to answer frequently asked questions.
Full Story

SURVEILLANCE

Commissioner Concerned About Gov’t Spying (October 11, 2013)

Global News reports on the status of the Office of the Privacy Commissioner’s (OPC) offer to help Communications Security Establishment Commissioner Robert Décary in the wake of the U.S. PRISM announcements. “We just offered general help because it’s a smaller office, and I guess they weren’t sure what was coming about because an issue such as this hadn’t hit them,” said OPC spokesman Scott Hutchinson. Décary is conducting a review of how Canada shares surveillance information with the country’s “closest international partners,” the report states, while the OPC “plans to announce its approach to the cyber-spying imbroglio over the next several weeks.” Meanwhile, the Electronic Frontier Foundation has announced it is joining a group of more than 30 Canadian organizations in forming the Protect Our Privacy Coalition “to ensure Canadians get effective legal measures to protect their privacy against government intrusion.”
Full Story

PRIVACY

Change to Adoption Law Raises Concerns (October 11, 2013)

Under current adoption law in Quebec, if an adopted child would like information about a birth parent, there is a process whereby a youth and family service center contacts the parent to see if they’d be interested in meeting or communicating. Similarly, the center acts as a pass-through should a parent who has given a child up for adoption want to meet that child later in life. The Montreal Gazette reports that under a new proposed reform, however, children and parents would have to register a “veto” against their identities being given out, otherwise the information would be distributed upon request. Privacy concerns have been raised because while adopted children will have their veto automatically registered when the law passes, parents would have just 18 months to register their veto or have their identities made available.
Full Story

LOCATION PRIVACY

Opinion: Denham Distinguishes Herself With Elevator Cases (October 11, 2013)

Some might wonder, writes Drew Hasselback for Financial Post, what’s up with all the elevator company privacy cases in BC. However, the three cases brought by Elizabeth Denham’s office against firms using GPS to track their elevator repair vans break significant new ground for location privacy rights, Hasselback argues. “Denham concluded that it’s OK for companies to collect the data, but with two important limits,” he writes. “First, companies must inform employees about the tracking before it starts. And second, companies must focus the data collection so it serves a specific purpose; they can’t simply track every movement all the time.”
Full Story

PRIVACY COMMUNITY

BC Celebrates 20 Years of FIPPA With Video, Conference (October 11, 2013)

British Columbia’s Office of the Information and Privacy Commissioner played host yesterday and today to a two-day conference, Privacy and Access 20/20: A New Vision for Information Rights, designed to both celebrate the 20th anniversary of the passing of the Freedom of Information and Protection of Privacy Act and to look forward to new challenges in information access and privacy. In a column for the Vancouver Sun, and accompanying video, Commissioner Elizabeth Denham lays out “some of the challenges we never envisioned in the early days of privacy legislation.”
Full Story

PRIVACY LAW

Examining the Facebook Class-Action in BC (October 11, 2013)

This week, Mondaq examines the class action lawsuit filed by Branch MacMaster LLP on behalf, initially, of Deborah Douez back in March of 2012. Two lawyers involved with the case, Greg McMullen and Christopher Rhone, tell Mondaq that while the harm of appearing in a Facebook sponsored story without consent is obviously minimal, “someone’s privacy is still invaded, which is a harm in and of itself … privacy is an important part of people’s identity.” Facebook was not contacted for the story. The certification hearing is currently scheduled for late November. You can get updates from the law firm on the case’s status here.
Full Story

ONLINE PRIVACY

W3C Do Not Track in Limbo (October 10, 2013)

Yesterday, the W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month, said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. In this exclusive for The Privacy Advisor, we break down the vote and comments from the voters.
Full Story

DATA LOSS

October Shaping Up To Be Month of Innumerable Breaches (October 10, 2013)

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for The Privacy Advisor, we round up an already very busy month in data breaches and responses.
Full Story

ONLINE PRIVACY

Study Looks at Privacy Personalities (October 10, 2013)

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy, The Washington Post reports. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” (Registration may be required to access this story.)
Full Story

PRIVACY IN POP CULTURE

Eggers Book Satirizes Threat to Privacy (October 10, 2013)

The Associated Press reviews Dave Eggers’ book The Circle, which satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times wonders if the novel will change the way we use technology.
Full Story

DATA LOSS

Researcher Finds Encryption Flaw in WhatsApp (October 10, 2013)

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown,” Ars Technica reports. A computer science and mathematics student wrote in a blog post on Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.”
Full Story

PRIVACY RESOURCES

Not a Big Tech Firm? We Can Still Help (October 9, 2013)

We at the IAPP know that it’s not only large organizations that struggle with privacy issues; small- and medium-sized businesses also need tools and guidance. With fewer employees and often lower budgets, smaller businesses have unique needs. This Close-Up offers tips and guidance from the experts on protecting consumer data, creating online privacy policies, minimizing human error and conducting employee background checks, among other tools. (IAPP member login required.)
Close-Up: Small- and Medium-Sized Businesses

DATA PROTECTION—CANADA

He Protects the Data ... By Destroying It (October 9, 2013)

You might call Ken Clupp a privacy professional by proxy. While he doesn't draft privacy policies or model contracts, he's certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn't ever be put back together again. This exclusive for The Privacy Advisor describes Clupp’s unique position within the Royal Canadian Mounted Police and might surprise you with what you don’t know about shredding.
Full Story

PRIVACY LAW

Tracker Roundup: From Government Surveillance to Presumption of Harm (October 7, 2013)

While U.S. regulators mull over the need for rules surrounding drone use by law enforcement, Montana’s new gun owner healthcare privacy law went into effect and California continues to shape privacy law moving toward a “presumption of harm” in breach cases, but one op-ed claims its “revenge porn” law doesn’t do enough. A Zimbabwean law established a central SIM card database, and Australia’s information commissioner has released a best practice guide for app developers. This Privacy Tracker weekly roundup offers information on all these issues and more, including what regulators had to say at both the IAPP Privacy Academy and the 35th International Conference of Data Protection and Privacy Commissioners. (IAPP member login required.)
Full Story

DATA BREACH

2.9 Million Customers Affected by Cyber-Attack (October 4, 2013)

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.”
Full Story

PRIVACY PROFESSION

Experts Highlight Current, Future Challenges (October 4, 2013)

In an in-depth feature for Data Informed, Eric Lucas highlights just a few of the key moments from this week’s IAPP Privacy Academy in Seattle, WA, quoting key concerns and tips from some of the speakers who addressed the international attendees. Howard Schmidt, for example, highlighted the profession’s challenges stemming from the link between privacy and security, noting, “Privacy and security are two sides of the same coin. Without security, you have no privacy. Privacy is the goal, security is the means.” Lucas also quotes several other privacy professionals, including keynote speaker Stewart Baker’s discussion of the “privacy panic” that spurred American privacy law. Meanwhile, Inside Counsel looks at how CPOs manage risk, focusing on insights from experts including Maureen Cooney, CIPP/US, CIPP/G, and Nuala O’Connor, CIPP/US, CIPP/G, at the recent Women, Influence and Power in Law conference.
Full Story

PRIVACY

Next Year Will Be A Big One for Privacy (October 4, 2013)

The next parliamentary session promises to be an eventful one for privacy, writes Kevin Chan for The Center for Internet and Society. Privacy law reform, state surveillance and the appointment of a new federal privacy commissioner all promise to be big issues. “It is an exciting time for privacy in Canada,” Chan writes, noting that media reports indicate a forthcoming Speech from the Throne will focus on a “consumer first” agenda.
Full Story

SURVEILLANCE

CIRA CEO: Local IXPs Can Help Avoid Snooping (October 4, 2013)

IT Business reports on the Canadian Internet Registration Authority (CIRA) initiative to create local Internet exchange points (IXPs) “where carriers and communications providers directly connect with each other to exchange traffic”—keeping that Internet traffic out of U.S.-based exchanges. CIRA President and CEO Byron Holland noted, “All the events coming out of the U.S. with the NSA and the PRISM program highlight that it’s a good idea to keep traffic in your own jurisdiction as much as you can.” Without local IXPs, he explained, “I could be sending you an e-mail from downtown Ottawa to another point in Ottawa, and there’s a 40-percent chance that will go through the U.S.”
Full Story

PRIVACY LAW

Denham: BC Laws Must Be Modernized (October 4, 2013)

In an op-ed for The Vancouver Sun marking today’s 20th anniversary of the province’s Freedom of Information and Protection of Privacy Act, BC Information and Privacy Commissioner Elizabeth Denham looks at the history of the law and the areas where reform and modernization are needed. Denham suggests the Document Disposal Act must be modernized to address public demand for transparency and accountability. Additionally, she calls for the province to anticipate the challenges of this age of Big Data, adding the province “should be more concerned with the magnitude and frequency of privacy breaches and data spills in the public and private sector.”
Full Story

DATA PROTECTION

Privacy Obligations in Business Transactions (October 4, 2013)

In a Mondaq report, Roland Hung and Andrea Gray of McCarthy Tétrault LLP discuss the due diligence phase of business transactions when it comes to complying with privacy obligations. PIPEDA lacks a business transactions exception to the general rule requiring consent prior to the disclosure of personal information. It would be nearly impossible to obtain consent from all affected individuals in a transaction, so it is “highly recommended that private organizations implement privacy policies that contemplate such transactions in advance,” the report states.
Full Story

PRIVACY COMMUNITY

Remembering Canada’s First Commissioner (October 4, 2013)

Justice Inger Hansen, Canada's first privacy commissioner, who passed away on September 28, is remembered in an Ottawa Citizen obituary. Hansen, who was born in Denmark in 1929, visited Canada for the first time in 1950 and emigrated a few years later. Appointed as Canada’s first privacy commissioner in 1977, she was “responsible for complaints relating to privacy rights and data protection, a field in which she soon became an internationally recognized authority.” In 1983, Hansen was appointed as Canada's first information commissioner, and she went on to an appointment to the Ontario Court of Justice in 1991. A memorial service is planned for late October.
Full Story

PRIVACY LAW

Manitoba Legislation Awaits Proclamation (October 4, 2013)

Manitoba’s new privacy legislation, which received Royal Assent last month, now awaits proclamation, Financial Post reports. The province’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) “will establish rules for the collection, use and disclosure of personal information, including employee information, for most organizations in the province,” the report states, noting, “At this time, the federal government has not determined whether PIPITPA is ‘substantially similar’ legislation, such that it will replace the Personal Information Protection and Electronic Documents Act within the province.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE

Union Loses Bid To Keep Recordings out of Court (October 4, 2013)

CTV News reports that a major Quebec labour union has lost its bid to prevent the provincial corruption inquiry from hearing wiretap conversations involving its senior leadership. The taped conversations of the FTQ union were taken by police during an investigation. The inquiry will only use those parts of the conversations related to “professional functions” and will not focus on individuals’ personal lives. “We must find a balance between private interests, the right to respect for privacy and the public interest in the search for truth and public information related to the mandate of the inquiry,” the commission wrote in its ruling.
Full Story

BIG DATA

Opinion: Why Data Center Locations Matter (October 3, 2013)

Andy Thurai and David Houlding of Intel write for Venture Beat about the importance of controlling where data is stored and processed in the age of Big Data and varied laws across the globe. “While most Big Data providers are able to provide security for the storage and transmission of sensitive data, most implementations that we see don’t provide location transparency or location-contingent data processing,” the authors write, adding, “imagine the power of users being able to choose where their data is processed or stored.” The authors suggest allowing consumers to choose the location and security level of their data and offer technical solutions to make that possible.
Full Story

PRIVACY COMMUNITY

Callahan Named Vanguard; Innovation Award Recipients Announced (October 2, 2013)

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, CIPP/US, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs.
Full Story

DATA LOSS

Amidst Myriad Breach Reports, Tips Offered (October 1, 2013)

It is shaping up to be a busy week for data breach incidents. Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners, ITPro UK reports. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, Krebs on Security reports the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents.
Full Story