Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY COMMUNITY

A Record Night of Privacy After Hours Gatherings (January 31, 2014)

Privacy pros know that when they gather on IAPP Privacy After Hours nights they are part of something big. This past Tuesday night, however, was bigger than ever. More than 500 people who work with data—from all levels of experience, every sector and industry—gathered around the world in more than 30 locations. A big thank you to our volunteer hosts for setting up gatherings being described by participants as “extremely successful” and “practically a party … people didn’t want to leave.” For The Privacy Advisor, we’ve gathered up some scenes from around the globe.

PRIVACY RESOURCES

New Whitepapers on Cloud Computing (January 31, 2014)

The IAPP has recently added to the Resource Center a series of four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. Editor’s Note: Christopher Millard will take part in the preconference session The Privacy Pro's Field Guide to Contracting and Compliance in the Cloud at this year’s Global Privacy Summit. Register for the session online and receive a free copy of Millard’s book, Cloud Computing Law.

BEHAVIORAL TARGETING

Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs (January 31, 2014)

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But less than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. Editor's Note: Julia Angwin will give a keynote address at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.

SURVEILLANCE

Bernier: Gov’t Should Rein In Spying Powers (January 31, 2014)

Interim Privacy Commissioner Chantal Bernier “is urging Ottawa to rein in surveillance powers of the country’s spy agencies by rewriting outdated laws to limit snooping powers online,” The Globe and Mail reports. Bernier’s report is being lauded by some privacy and security experts, but the “recommendations are nonbinding, leaving the issue in the hands of Stephen Harper’s government,” the report states, noting two cabinet ministers refused to comment and Communications Security Establishment Canada (CSEC) has said it is already “taking steps to better inform Canadians about our activities, including publishing new fact sheets on our website.” Bernier said her recommendations are “a call to action for greater transparency, to then have greater accountability.” In other surveillance-related news, Ontario Information and Privacy Commissioner Ann Cavoukian raised concerns about smartphone apps “that may be being exploited by spy agencies to access personal information,” and an Access to Information request from The Globe revealed CSEC “received nearly 300 requests for assistance from domestic security agencies over a four-year period—a degree of collaboration that is raising alarm bells for privacy advocates.”

DATA SHARING

Banking and Border Data To Be Shared with U.S. (January 31, 2014)

This July, the U.S. Foreign Accounts Tax Compliance Act (FATCA) goes into effect, mandating that non-U.S. banks ask clients if they are, or have been, a U.S. “person,” CBC News reports. The law requires banks to search for customers with certain “indicia” to determine their U.S. status. A representative from the Canadian Bankers Association said, “Bottom line is there is absolutely no way that a large, modern financial institution like a Canadian bank or a large credit union could escape FATCA.” Meanwhile, the Toronto Star reports that Canadian border officials plan to share personal data of travelers with other federal departments. The move is part of a new Canada-U.S. border data exchange program. “With this system, it is a blank cheque to the Big Brother,” said one immigration policy analyst, who added, “Where you go and when you go becomes government property.”

PRIVACY LAW

Alberta To Update Law (January 31, 2014)

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional,” The Canadian Press reports. The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government's intention to pass the amendments early in the fall 2014 session to comply with the court's ruling,” Service Alberta’s Gerald Kastendieck said Wednesday. The amendments will “focus on unions and picketing,” the report states, noting, “There won't be a general review of the 10-year-old legislation this year.”

DATA LOSS

Another Health Breach in Alberta; Former Commish Says Enough Is Enough (January 31, 2014)

Global News reports Covenant Health had a briefcase stolen just before Christmas containing both personal health information of patients and the resumes of potential employees. Luckily, said Chief Quality and Privacy Officer Jon Popowich, the briefcase was recovered after a few days, and all of the documents were accounted for, but “it’s always good practice, I think, on our part that we let people know right away. We disclosed; we were honest, open, transparent.” However, breaches like this one and the 620,000 patient records lost on a laptop by Medicentres Canada are becoming too commonplace, former Alberta Information and Privacy Commissioner Frank Work told Calgary Herald. He recommends a new look at the Health Information Act, saying “if the carrot isn’t working, I guess you have to look at beefing up the stick.”

BEHAVIOURAL TARGETING

Consumer Groups Challenge Wireless Tracking (January 31, 2014)

Public Interest Advocacy Centre and the Consumers' Association of Canada have filed a complaint with the Canadian Radio-television and Telecommunications Commission (CRTC) questioning Bell Canada’s tracking of how “wireless customers use the web, what they watch on TV and their phone call patterns in order to deliver targeted online advertising.” The groups suggest the practice is an “abuse of privacy,” the report states, noting the CRTC has said it is reviewing the complaint. The Office of the Privacy Commissioner of Canada has confirmed it received “more than 150 complaints about Bell's data collection,” and is reviewing whether the data collection is compliant with the Personal Information Protection and Electronic Documents Act.

INFORMATION ACCESS

Premier Calls for Changes to Restrictions (January 31, 2014)

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended,” The Globe and Mail reports. Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports.

PERSONAL PRIVACY

Which Data Do Consumers Guard; What Would They Sell? (January 31, 2014)

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create with Context (CwC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50 percent off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CwC’s Ilana Westerman and Gabriela Aschenberger found, including how “97 percent of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” Meanwhile, CBC News reports on a Microsoft study indicating “32 percent of Canadians are willing to sell all their digital data to the right company for the right price and 45 percent would sell at least some of it.”

PRIVACY BY DESIGN

Whitepaper Highlights Emerging Privacy Engineer Discipline (January 30, 2014)

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, CIPP/US, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” Editor’s Note: In a Privacy Perspectives installment, Cronk wrote, “Is 2013 the Year of the Privacy Engineer?”

PRIVACY

Given the Heightened Fervor, What’s To Come in 2014? (January 29, 2014)

In this exclusive for The Privacy Advisor, Brian Dean, CIPP/US, pulls out his “foggy crystal ball” and prognosticates the future of privacy and security, looking at controversial topics including Safe Harbor, the NSA, the erosion of consumer trust, facial recognition and data brokers. “For data privacy and security professionals, this year offers optimism, but with looming midterm elections and recent significant data breaches, only subtle privacy improvements are likely,” Dean writes.

PRIVACY

IAPP Releases Two New Whitepapers for #DPD2014 (January 28, 2014)

Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released for Data Privacy Day two new whitepapers. “Privacy Policies: How To Communicate Effectively With Consumers” is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense” was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, CIPP/US, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. Help spread the word of professional privacy practices. Editor’s Note: Celebrate Data Privacy Day at one of a record 36 scheduled Privacy After Hours events tonight.

PRIVACY

Opinion: Privacy Is Not Dead; Innovate for the Future (January 28, 2014)

“It’s time to get over zero-sum thinking about Internet privacy,” writes Respect Network CEO Drummond Reed, adding, “Privacy is not dead or dying because of the advances in new technologies.” Reed’s comments are in response to a recent Privacy Perspectives post by IU CLEAR Director Stanley Crosley, CIPP/US, CIPM, called “Old School Privacy is Dead, But Don’t Go Privacy Crazy.” Reed opines in his response on Perspectives that “it’s not an either/or proposition, and the thought of abandoning the notion of user control simply invites control by others.” Instead of “suggesting that privacy must adapt to technology,” Reed notes, privacy should be “embedded into technology systematically so as to remove the burden from the individual to protect their privacy.”

PRIVACY COMMUNITY

Want to Speak at the All-New Academy? (January 28, 2014)

The IAPP and the Cloud Security Alliance have opened up the call for presentations for the 2014 Privacy Academy, a joining of the IAPP Privacy Academy and the Cloud Security Alliance Congress. The event happens September 17-19, and the programmers of the event are looking for innovative presentations in areas like the Internet of Things and connected devices, Big Data, risk management, privacy and cloud computing, employee privacy issues like BYOD and many more. This is the place where information security and privacy meet up to find technological solutions to the leading privacy issues of our day. The call for proposals ends February 21.

PRIVACY LAW

Privacy on the Docket from Davos to DC (January 27, 2014)

While industry leaders at the World Economic Forum in Davos, Switzerland, called for new rules surrounding data protection, the U.S. Supreme Court announced it will hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. And, the U.S. Federal Trade Commission announced settlements with 12 companies over false claims of alignment with Safe Harbor rules. In this Privacy Tracker roundup, learn about these issues as well as bills being considered by U.S. state legislatures, how Obama’s NSA plans may affect EU law and more. (IAPP member login required.)

DATA PROTECTION

E-Receipts Helping Retailers Do More than Save Paper (January 27, 2014)

Paper receipts are headed toward extinction, Today reports, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83 percent of retailers offering e-receipts did so to obtain a customer’s e-mail address.

PRIVACY TOOLS

A New Handy Guide to Global DPAs (January 24, 2014)

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 3.0 just in time for Data Privacy Day. Find out where it lives and how it was developed in this exclusive for The Privacy Advisor.

PRIVACY BUSINESS

IAPP Launches Industry of Privacy Survey (January 24, 2014)

As part of our organization’s efforts to better understand the industry of privacy and the collective budgetary power of privacy professionals, the IAPP has launched an ambitious program to study the economic impact of the privacy industry and distribute the results to the world at large. And we need your help. Please take our first survey and be part of this effort to benchmark spending and help privacy professionals around the globe better shape their privacy programs.

BIOMETRICS

Facial Recognition Databases Demand “Responsible” Actions; App Explores Augmented Reality (January 24, 2014)

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.”

SURVEILLANCE

Can Privacy Be a Business Driver for Canada? (January 24, 2014)

With U.S. National Security Agency (NSA) revelations continuing to make international headlines, Bloomberg Businessweek reports “companies such as Vancouver-based Telus and Rogers Communications (RCI) in Toronto see opportunity in telling customers about Canada’s privacy protections.” For example, Canada’s Privacy Act “limits the amount of personal information the government can collect, use and disclose,” and the Communications Security Establishment “is forbidden by law from monitoring domestic communications,” the report states. However, Citizen Lab Director Ron Deibert offers a different perspective. “Anyone who would look to Canada as a safe haven would be fooling themselves,” he says, adding the idea that Canada’s privacy protections are greater than those in the U.S. “can actually become a bit of a tricky question, and one that is probably used more often for rhetoric than anything else.”

DATA LOSS

Health Minister “Outraged” Over Stolen Laptop Incident; Clayton Investigating (January 24, 2014)

The Canadian Press reports Alberta Health Minister Fred Horne is "outraged" after learning that “a laptop containing key information on 620,000 patients was stolen four months ago but only now brought to his department's attention.” The unencrypted data included patients' dates of birth, health card numbers, billing data and diagnostic codes. Horne said that although the laptop, which was stolen in September, was reported missing to Alberta Privacy Commissioner Jill Clayton and the Edmonton police days later, he just learned of the incident this week. Horne asked Clayton to investigate the incident, and she has begun that process. “This incident raises concerns about how privacy breaches are reported generally,” Clayton said, adding, “In terms of reporting these incidents to the public or the government of Alberta, I have no authority to do so.”

SURVEILLANCE

Advocate Concerned About Tracking of BC Seniors (January 24, 2014)

BC Civil Liberties Association Policy Director Micheal Vonn is questioning “the ways CCTV cameras and other technologies are being used to keep track of seniors,” CBC News reports. Although she indicated use of security technology to monitor seniors at acute care facilities is not too concerning, Vonn flagged the use of “physical surveillance that extends to in-room video monitoring, the monitoring of vital signs and the installation of these technologies in private homes,” the report states. “Technology isn't always the right answer,” Vonn said, citing a recent poll indicating “seniors often said they were willing to be monitored not so much for their own safety, but for the peace of mind of their caregivers.”

INFORMATION ACCESS

Officer: Nova Scotia Gov’t Ignoring Own Laws (January 24, 2014)

The Canadian Press reports Nova Scotia Freedom of Information Officer Dulcie McCallum has issued a report indicating the “government is routinely ignoring its own laws by denying basic information to former foster children trying to learn about their family history” and “disregarding previous practice and the law through an incorrect interpretation of the Freedom of Information and Protection of Privacy Act.” Former foster children have not been told such information as why they were removed from their biological families, where they lived or information about family health history, the report states. McCallum issued a statement calling for foster children to have “the same right to their life story as all other children.”

HEALTHCARE PRIVACY

Opinion: Dickson Is Right (January 24, 2014)

In an op-ed for The StarPhoenix, Murray Mandryk looks back on Saskatchewan Information and Privacy Commissioner Gary Dickson’s 10 years in office and his efforts to get the provincial government to “take health privacy issues seriously,” quoting Dickson as saying, “Good luck as a healthcare patient in Saskatchewan.” Mandryk writes, “no officer of the legislature has borne the brunt of this government's pettiness more than has Dickson, who raised issues concerning our health information privacy with a rare combination of passion and reasoned eloquence … The government didn't afford Dickson the courtesy of indicating it might have actually bothered to listen. It just ignored him, as it tends to ignore all officers of the legislature.”

PRIVACY LAW

Laws, Amendments Set To Roll Out Across Globe (January 23, 2014)

This Privacy Tracker weekly roundup reports on new compliance hurdles for organisations in Canada and Australia as new laws are set to roll out in those countries. In the EU, the LIBE has published amendments it would like to see in the Network and Information Security (NIS) Directive. The report also looks at lawmakers’ efforts to get privacy-protecting laws on the books in the U.S., where FTC Commissioner Maureen Ohlhausen has called for legislators to look to existing laws, saying, “We simply do not need new talk, new laws or new regulations.” (IAPP member login required.)

DATA PROTECTION

Microsoft Hints Overseas Users Can Store Data Outside U.S. (January 23, 2014)

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland.

PRIVACY LAW

At World Economic Forum, Industry Leaders Call for New Privacy Rules (January 22, 2014)

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system,” CNET News reports. Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100-percent privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch's call this week for "a clear regulatory framework to keep intelligence services in check."

SURVEILLANCE

Verizon Releases First Transparency Report (January 22, 2014)

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012.

ONLINE PRIVACY

Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally (January 22, 2014)

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network, according to Ars Technica. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56 percent of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11 percent of all users say they use the Tor network.

DATA PROTECTION

Top Tips for a Data Incident Plan (January 21, 2014)

With recent data breach incidents practically saturating headlines, and with increasing evidence that preventing breaches altogether is next to impossible, Online Trust Alliance Director of Public Policy and Outreach Heather Federman, CIPP/US, writes about the importance of developing a data incident plan (DIP). “The DIP is a playbook that describes the breach fundamentals an organization can deploy on a moment’s notice,” she writes, adding, “A good DIP helps you quickly determine the nature of an incident, immediately contain it, ensure evidence is not accidentally ruined and easily notify regulators.” In this Privacy Perspectives post, Federman, “in honor of the upcoming Data Privacy Day” next Tuesday, January 28, presents the top 14 tips for creating a DIP.

PRIVACY

Opinion: Old-School Privacy Is Dead, Embrace the New School (January 21, 2014)

“There is nothing left to debate. Our old-school privacy, as we’ve known it for decades, is dead and buried,” writes Indiana University Center for Law, Ethics and Applied Research Director Stanley Crosley, CIPM, CIPP/US. “But there’s good news,” he adds in this installment of Privacy Perspectives. “If your notion of privacy is defined by your personal control over all of the data about you, well, you’re privacy crazy, and I have tragic news: That privacy is lost.” Crosley notes that regulations “that default to all ‘use’ of data as being impermissible unless authorized by the individual are trying to protect a version of privacy that no one really wants”—the equivalent of going back to using “VCRs and flip phones.” Rather, Crosley explains, “our parents’ brand of privacy is being replaced by a better, more sustainable and meaningful privacy.”

PRIVACY LAW

Making a Privacy Law for the 21st Century (January 20, 2014)

With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E. In this post for Privacy Perspectives, Lee reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.”

BIG DATA

Privacy, Security Leading Issues for Big Data, IoT (January 20, 2014)

A 2014 predictions report from Stratecast finds “privacy will ‘almost certainly’ be the leading Big Data issue this year,” InformationWeek reports, questioning how that could impact such retail “Big Data” uses as “in-store analytics systems that use WiFi-enabled devices—typically smartphones—to gather information on customers' shopping and purchasing habits.” Meanwhile, Financial Post reports on similar concerns for the Internet of Things, where questions about security and privacy continue to grow with the use of “smart home” devices. "It's getting more complicated," Gartner’s Angela McIntyre said, citing the broadening types of data being collected. "Companies are realizing they need to update their privacy policies and terms of service (with) easy-to-read disclosure of privacy up front."

PRIVACY COMMUNITY

Cavoukian: “So Glad You Didn’t Say That” (January 17, 2014)

In the latest response in an ongoing Privacy Perspectives dialogue, Ontario Information and Privacy Commissioner Ann Cavoukian responds to this week’s post by Oxford Prof. Viktor Mayer-Schönberger. “My first thought … was, ‘I’m so glad he didn’t mean that!’ In sum, Mayer-Schönberger assures me that our views are aligned as follows: The belief that individuals have an interest in privacy protection; privacy should be anchored in the OECD Fair Information Practice Principles; the public should have control over their personal information, and privacy does not impede innovation,” she writes. Cavoukian later writes, “it is nonetheless important to voice other perspectives, such as Privacy by Design, that are not currently reflected in his view of how the OECD principles should be revised,” noting she will hold a live webinar on January 24 on the topic “Big Data Calls for Big Privacy—Not Only Big Promises” with Commissioner Alexander Dix, Professor Khaled El Emam and CDT President Nuala O’Connor, CIPP/US. Mayer-Schönberger participates in a separate webinar, “Privacy Models: The Next Evolution,” alongside Fred Cate, O’Connor, David Hoffman and Peter Cullen, on January 21.

BEHAVIOURAL TARGETING

OPC: Google Ads Violated Privacy Law (January 17, 2014)

The Office of the Privacy Commissioner (OPC) has said Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements. After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s investigation and order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioural advertising.” Bernier, who, The Star reports, "is confident Google will force advertisers to respect consumers’ rights” following the probe, has said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.” The Globe and Mail, meanwhile, is praising the OPC for showing "admirable persistence in investigating" the complaint.

PRIVACY LAW

CRTC Announces $200K Penalty for Violation (January 17, 2014)

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced “1051080 Ontario Inc. has paid a penalty of $200,000 on behalf of itself and certain subsidiaries operating as Weed Man Ottawa, Weed Man Montreal, Weed Man Hamilton, Weed Man Scarborough and Weed Man Surrey (Turf Operations Group) … as part of a settlement over violations to the Unsolicited Telecommunications Rules.” Turf Operations Group, which operates lawn care franchises, “violated the Unsolicited Telecommunications Rules by making telemarketing calls to Canadians who were registered on the National Do-Not-Call List and whose numbers were or should have been on its internal do-not-call lists,” a CRTC release states.

PRIVACY

“Sunshine List” Called Privacy Invasion (January 17, 2014)

A battle is brewing over the “Sunshine List,” which—if approved by the Calgary City Council after it meets on January 27—would make public “the wages, the expense accounts, the benefits, the pensions and, where it applies, the severance payouts of those at the city who score an annual base salary over $100,000,” Calgary Sun reports. Canadian Union of Public Employees Local 38 President Peter Marsden is among those raising concerns, the report notes. “I see it as an invasion of privacy. We have to respect people’s privacy. The privacy issue trumps other issues,” he said. Citing other provinces and cities that have lists, the report notes that one of those other issues “is the public’s right to know where its money is going.”

PRIVACY LAW

OPC Posts Outsourcing Resources (January 17, 2014)

The Office of the Privacy Commissioner (OPC) has posted resources for organizations that outsource information, Canadian Cloud Law Blog reports. The OPC’s "Fact Sheet: Privacy and Outsourcing” “leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA),” the report states, noting in addition to links to resources, the fact sheets contain some general statements to assist organizations. For example, the report states, “Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”

DATA LOSS

Dickson: Misdirected Fax Breaches Persist (January 17, 2014)

Saskatchewan Information and Privacy Commissioner Gary Dickson spoke Thursday about incidents involving the exposure of personal health information on about 1,000 patients in the province over the past few years, CJME reports. “The information report deals with misdirected faxes involving Saskatchewan health trustees," said Gary Dickson Thursday morning. In 2013, there were 20 different investigations “on these misdirected faxes, many of which can be attributed to things like misdialing the fax number, having the wrong fax number on file or sending to the wrong person because of an auto-select option,” the report states—noting these are issues Dickson previously highlighted in a 2010 report.

PRIVACY BUSINESS

IAPP and CSA Announce New Strategic Alliance (January 16, 2014)
The IAPP announced today that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes, CIPP.

PRIVACY LAW—CANADA

CASL: What You Need To Know and When (January 16, 2014)

Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL) in this Privacy Tracker blog post. Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. (IAPP member login required.)

PRIVACY COMMUNITY

“I Never Said That” - A Response to Cavoukian et al. (January 15, 2014)
In response to a Privacy Perspectives post and announcement of a whitepaper from last week, author and Oxford University Internet Governance Prof. Viktor Mayer-Schönberger writes that “assumptions” made by Ontario Information and Privacy Commissioner Ann Cavoukian et al. “are not borne out in fact.” Mayer-Schönberger adds, “I very much appreciate a robust debate about the future of how we best protect information privacy … But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value.” In this new Privacy Perspectives installment, Mayer-Schönberger aims to offer readers “the opportunity to appreciate what I actually said…”

PRIVACY RESOURCES

Looking To Hire or To Hone Your Interview Prowess? (January 15, 2014)

New to the IAPP’s online Resource Center is a list of interview questions submitted by several dozen subscribers to the IAPP Privacy List. With the help of Jay Cline, CIPP/US, of Minnesota Privacy Consultants, the IAPP compiled this collection of list subscribers’ favorite questions to find the privacy job candidates with the highest potential. Topics covered include incident management, running a privacy program, legal concepts and EU privacy.

PRIVACY BUSINESS

Privacy-Enhancing Phone, Dating App Unveiled (January 15, 2014)

The creators of Silent Circle have announced they will unveil a privacy-enhancing smartphone called Blackphone, GigaOM reports. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS and will have the capability to transmit secure phone calls, texts, file exchanges and storage, and video chat, and anonymizes use via a virtual private network. Creator Phil Zimmermann said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Laboratories has announced an encryption search that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. Editor’s Note: Privacy Perspectives recently posted “Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships.”

PRIVACY PROFESSION

How Privacy Engineers and Lawyers Can Get Along (January 14, 2014)
The burgeoning technological landscape is increasing the need for lawyers to work with engineers on privacy protection initiatives. In this post for Privacy Perspectives, two Georgia Tech professors—one a law professor, the other a software engineering professor—consider four points showing “how to bring together and leverage the skill sets of engineers, lawyers and others to create effective privacy policy with correspondingly compliant implementations.” Profs. Peter Swire, CIPP/US, and Annie Antón look into how lawyers and engineers make the simple complicated, why using the term “reasonable” works in privacy rules but not software specifications and, perhaps most importantly, “how to achieve consensus when both lawyers and engineers are in the same room.”

MOBILE PRIVACY

Turnstyle: Making a Business on Phones’ Continuous Broadcasting (January 14, 2014)

The Wall Street Journal profiles Turnstyle Solutions, a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses which other places their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tank tops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” (Registration may be required to access this article.)

DATA LOSS

Snapchat Assures Users Spam Is Unrelated to Breach (January 14, 2014)

Following recent reports from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers, Los Angeles Times reports. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post.

PRIVACY COMMUNITY

Dickson Stepping Down (January 10, 2014)

CTV reports Saskatchewan Information and Privacy Commissioner Gary Dickson is resigning for personal reasons, effective at the end of this month. “We have seen considerable progress in the way that Saskatchewan public bodies and health trustees address both statutory goals of greater transparency and heightened privacy protection for citizens,” Dickson said. “This reflects good work by access and privacy coordinators in a very large number of public bodies and health trustees.” In an editorial, The Regina Leader-Post hails Dickson, who has served since 2003, as “a game changer as Saskatchewan's information and privacy commissioner.”

SURVEILLANCE

Spying Fallout Continues, Could Affect Commerce (January 10, 2014)

Tyler Dawson examines issues surrounding government surveillance for The Ottawa Citizen, writing, “when we cannot know what is being done to us—as is the case with much modern surveillance—then we have clearly not consented to give away our private information.” A separate story in The Ottawa Citizen suggests Canada could face a blow to global commerce under proposed EU legislation to curb the sharing of personal data with “countries involved with the unprecedented U.S.-led cyber-surveillance of the world’s citizens.” Meanwhile, experts suggest efforts to have tech giants “battered by the National Security Agency spy scandal” move their sensitive data to Canada might have economic value but will “do little to concretely safeguard delicate personal information,” The Star reports.

PERSONAL PRIVACY

Poll: Technology Can Solve Problems, But Privacy Concerns Persist (January 10, 2014)

The Ottawa Citizen reports on a Nanos Research/Policy Options poll of 1,000 Canadians that indicates while respondents believe technology can help solve problems, its impact on their privacy raises concerns. Canadians weighed in on how technology could help with climate change, medical care for the elderly, creating jobs for the middle class, creating economic equality and preserving personal privacy, the report states. Nik Nanos, chairman of Nanos Research, said the majority of responses were positive, with the “one dark cloud” being that about 34 per cent believe technology has a negative impact on privacy. “We’re technology optimists in the big picture,” Nanos said. “But when it comes to our personal lives, we worry.”

NOTICE & CONSENT

Counterpoint: Consent, User Control Are Not Things of the Past (January 8, 2014)

In response to arguments presented by privacy scholar and author Viktor Mayer-Schönberger on notice, choice and the regulation of use, Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin State Parliament (Germany) Commissioner Alexander Dix and Prof. Khaled El Emam collectively contend that consent and personal control are not things of the past. In this Privacy Perspectives post, they write, “In fact, in the wake of Edward Snowden’s revelations, we are witnessing the opposite: A resurgence of interest in strengthening personal privacy.”

SURVEILLANCE

Yahoo Implements Default Encryption; Speakers Canceling Due To NSA Claims (January 8, 2014)

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the National Security Agency to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearances at the firm’s annual conference, CNET reports.

CONSUMER PRIVACY

Unsurprisingly, CES Buzzes With Privacy News (January 7, 2014)
With more than 150,000 attendees descending on Las Vegas, the Consumer Electronics Show, which kicked off yesterday, is the largest event of its kind in the world and is often the venue where electronics manufacturers make their big product unveilings. This year, privacy has more prominence at the event than ever before. The Privacy Advisor wraps up the big privacy news, from the latest in wearables to biometrics to smart cars and TVs. Further, the news makes two upcoming web conferences seem relevant. Rebecca Herold, CIPM, CIPP/US, CIPP/IT, hosts an event with ISACA on Thursday at noon, “Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things.” And at 1 p.m. on Thursday, the IAPP hosts a web conference on “Working with Third-Party Vendors: Moving Toward a Standardized Solution,” featuring Jules Polonetsky, CIPP/US; Ellen Giblin, CIPP/US, CIPP/C, CIPP/G; and Al Silipigni, CIPP/US.

DATA PROTECTION

10 Tips for Data Privacy in 2014 (January 7, 2014)

Several recent data breaches continue to show how “the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust.” In this Privacy Perspectives post, AvePoint Vice President of Risk Management and Compliance Dana Simberkoff, CIPP/US, writes, “The good news here is that this should be highly preventable.” With Data Privacy Day around the corner, Simberkoff shares 10 tips for improving an organization’s privacy and data protection programs—from identifying the “Crown Jewels” to building bridges, not walls, to creating a pervasive culture of compliance and more.

ONLINE PRIVACY

Are Data-Use Policies Useless? (January 7, 2014)

In an op-ed for Ars Technica, Casey Johnston questions whether the recent hack of Snapchat and the company’s allegedly questionable data security practices show how data-use policies fail. Privacy policies and terms of use “make plenty of promises about all of the third-party evils they will protect our data from,” Johnston writes, “But those policies contain few limits on what the companies themselves can do with our info or how they will secure it.” Meanwhile, The Hill reports that Snapchat has hired lobbyists in Washington, DC, to work on “educating policymakers regarding the application’s operation and practice.” According to The Guardian, the integration of Google+ into its Android operating system “has made it too easy for users to leak personal information.” And in a column for Computerworld, Evan Schuman looks into what app developers should include in their mobile privacy policies.

DATA PROTECTION

Security Firm Buys Mandiant for $1 Billion (January 3, 2014)

FireEye, a major security firm, announced on Thursday that it is bolstering its security offerings with the purchase of Mandiant for $1 billion, IDG News Service reports. Mandiant, which does $100 million in sales per year, made headlines last January after it helped The New York Times discover alleged Chinese hackers lying dormant within the publisher’s network. Though the companies reside in the same industry, each specializes in different offerings. FireEye specializes in network monitoring and intrusion detection, while Mandiant provides an incident response platform, helps clients determine what data has been compromised and closes vulnerabilities, The Washington Post reports. FireEye Chairman and CEO David DeWalt said the combination of firms will allow it to move more quickly from detection to response.