access to information Ambush Marketing big data citizen science copyright data breach notification data protection digital cartography ecommerce and internet law Electronic Commerce Extraterritoriality fair use freedom of expression Geospatial geospatial data intellectual property Internet internet law IP licensing open data open government personal information pipeda Privacy takings trademark law trademarks traditional knowledge transparency
Tuesday, 14 February 2017 14:11
Note: the following are my speaking notes for my appearance before the Standing Committee on Transport, Infrastructure and Communities, February 14, 2017. The Committee is exploring issues relating Infrastructure and Smart Communities. I have added hyperlinks to relevant research papers or reports.
Thank you for the opportunity to address the Standing Committee on Transport, Infrastructure and Communities on the issue of smart cities. My research on smart cities is from a law and policy perspective. I have focused on issues around data ownership and control and the related issues of transparency, accountability and privacy.
The “smart” in “smart cities” is shorthand for the generation and analysis of data from sensor-laden cities. The data and its accompanying analytics are meant to enable better decision-making around planning and resource-allocation. But the smart city does not arise in a public policy vacuum. Almost in parallel to the development of so-called smart cities, is the growing open government movement that champions open data and open information as keys to greater transparency, civic engagement and innovation. My comments speak to the importance of ensuring that the development of smart cities is consistent with the goals of open government.
In the big data environment, data is a resource. Where the collection or generation of data is paid by taxpayers it is surely a public resource. My research has considered the location of rights of ownership and control over data in a variety of smart-cities contexts, and raises concerns over the potential loss of control over such data, particularly rights to re-use the data whether it is for innovation, civic engagement or transparency purposes.
Smart cities innovation will result in the collection of massive quantities of data and these data will be analyzed to generate predictions, visualizations, and other analytics. For the purposes of this very brief presentation, I will characterize this data as having 3 potential sources: 1) newly embedded sensor technologies that become part of smart cities infrastructure; 2) already existing systems by which cities collect and process data; and 3) citizen-generated data (in other words, data that is produced by citizens as a result of their daily activities and captured by some form of portable technology).
Let me briefly provide examples of these three situations.
The first scenario involves newly embedded sensors that become part of smart cities infrastructure. Assume that a municipal transit authority contracts with a private sector company for hardware and software services for the collection and processing of real-time GPS data from public transit vehicles. Who will own the data that is generated through these services? Will it be the municipality that owns and operates the fleet of vehicles, or the company that owns the sensors and the proprietary algorithms that process the data? The answer, which will be governed by the terms of the contract between the parties, will determine whether the transit authority is able to share this data with the public as open data. This example raises the issue of the extent to which ‘data sovereignty’ should be part of any smart cities plan. In other words, should policies be in place to ensure that cities own and/or control the data which they collect in relation to their operations. To go a step further, should federal funding for smart infrastructure be tied to obligations to make non-personal data available as open data?
The second scenario is where cities take their existing data and contract with the private sector for its analysis. For example, a municipal police service provides their crime incident data to a private sector company that offers analytics services such as publicly accessible crime maps. Opting to use the pre-packaged private sector platform may have implications for the availability of the same data as open data (which in turn has implications for transparency, civic engagement and innovation). It may also result in the use of data analytics services that are not appropriately customized to the particular Canadian local, regional or national contexts.
In the third scenario, a government contracts for data that has been gathered by sensors owned by private sector companies. The data may come from GPS systems installed in cars, from smart phones or their associated apps, from fitness devices, and so on. Depending upon the terms of the contract, the municipality may not be allowed to share the data upon which it is making its planning decisions. This will have important implications for the transparency of planning processes. There are also other issues. Is the city responsible for vetting the privacy policies and practices of the app companies from which they will be purchasing their data? Is there a minimum privacy standard that governments should insist upon when contracting for data collected from individuals by private sector companies? How can we reconcile private sector and public sector data protection laws where the public sector increasingly relies upon the private sector for the collection and processing of its smart cities data? Which normative regime should prevail and in what circumstances?
Finally, I would like to touch on a different yet related issue. This involves the situation where a city that collects a large volume of data – including personal information – through its operation of smart services is approached by the private sector to share or sell that data in exchange for either money or services. This could be very tempting for cash-strapped municipalities. For example, a large volume of data about the movement and daily travel habits of urban residents is collected through smart card payment systems. Under what circumstances is it appropriate for governments to monetize this type of data?
Published in Geospatial Data/Digital Cartography
Thursday, 26 January 2017 11:45
How does one balance transparency with civil liberties in the context of election campaigns? This issue is at the core of a decision just handed down by the Supreme Court of Canada.
B.C. Freedom of Information and Privacy Association v. Attorney-General (B.C.) began as a challenge by the appellant organization to provisions of B.C.’s Election Act that required individuals or organizations who “sponsor election advertising” to register with the Chief Electoral Officer. Information on the register is publicly available. The underlying public policy goals to allow the public to see who is sponsoring advertising campaigns during the course of elections. The Supreme Court of Canada easily found this objective to be “pressing and substantial”.
The challenge brought by the B.C. Freedom of Information and Privacy Association (BCFIPA) was based on the way in which the registration requirement was framed in the Act. The Canada Elections Act also contains a registration requirement, but the requirement is linked to a spending threshold. In other words, under the federal statute, those who spend more than $500 on election advertising are required to register; others are not. The B.C. legislation is framed instead in terms of a general registration requirement for all sponsors of election advertising. BCFIPA’s concern was that this would mean that any individual who placed a handmade sign in their window, who wore a t-shirt with an election message, or who otherwise promoted their views during an election campaign would be forced to register. Not only might this chill freedom of political expression in its own right, it would raise significant privacy issues for individuals since they would have to disclose not just their names, but their addresses and other contact information in the register. Thus, the BCFIPA sought to have the registration requirement limited by the Court to only those who spent more than $500 on an election campaign.
The problem in this case was exacerbated by the position taken by B.C.’s Chief Electoral Officer. In a 2010 report to the B.C. legislature, he provided his interpretation of the application of the legislation. He expressed the view that it did not “distinguish between those sponsors conducting full media campaigns and individuals who post handwritten signs in their apartment windows.” (at para 19). This interpretation of the Election Act was accepted by both the trial judge and at the Court of Appeal, and it shaped the argument before those courts as well as their decisions.
The Supreme Court of Canada took an entirely different approach. They interpreted the language “sponsor election advertising” to mean something other than the expression of political views by individuals. In other words, the statute applied only to those who sponsored election advertising – i.e., those who paid for election advertising to be conducted or who received such services as a contribution. The Court was of the view that the public policy behind registration requirements was generally sound. It found that a legislature could mitigate the impact on freedom of expression by either setting a monetary threshold to trigger the requirement (as is the case at the federal level) or by defining sponsorship to exclude individual expression (as was the case in B.C.). While it is true that the B.C. statute could still capture organized activities involving expenditures of less than $500, and might thus have some limiting effect, the Court found that this would not be significant for a number of reasons, and that such impacts were easily reconcilable with the benefits of the registration scheme.
The decision of the Supreme Court of Canada will be useful in clarifying the scope and impact of the Election Act and in providing guidance for similar statutes. It should be noted however, that the case traveled to the Supreme Court of Canada at great cost both to BCFIPA and to the taxpayer because of either legislative inattention to the need to clarify the scope of the legislation or because of an over-zealous interpretation of the statute by the province’s Chief Electoral Officer. The situation highlights the need for careful attention to be paid at the outset of such initiatives to the balance that must be struck between transparency and other competing values such as civil liberties and privacy.
Friday, 02 December 2016 14:00
Many Canadians are justifiably concerned that the vast amounts of information they share with private sector companies – simply by going about their day-to-day activities – may end up in the hands of law enforcement or national security officials without their knowledge or consent. The channels through which vast amounts of personal data can flow from private sector hands to law enforcement with little transparency or oversight can turn the companies we do business with into informers and make us unwittingly complicit in our own surveillance.
A recent Finding of the Office of the Privacy Commissioner of Canada (OPC) illustrates how the law governing the treatment of our personal information in the hands of the private sector has been adapted to the needs of the surveillance state in ways that create headaches for businesses and their customers alike. The Finding, which posted on the OPC site in November 2016 attempts to unravel a tangle of statutory provisions that should not have to be read by anyone making less than $300 per hour.
Basically, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used and disclosed by private sector organizations at the federal level and in all provinces that do not have their own equivalent statutes (only Quebec, B.C. and Alberta do). One of the core principles of this statute is the right of access to one’s personal information. This means that individuals may ask to be informed about the existence, use and disclosure of their personal information in the hands of an organization. They must also be given access to that information on request. Without the right of access it would be difficult for us to find out whether an organization was in compliance with its privacy policies. The right of access also allows us to verify and request correction of any erroneous information.
Another core principle of PIPEDA is consent. This means that information about us should not be collected, used or disclosed without our consent. The consent principle is meant to give us some control over our personal information (although there are huge challenges in this age of overly-long, vague, and jargon-laden privacy policies).
The hunger for our personal information on the part of law enforcement and national security officials (check out these Telco transparency reports here, here and here) has led to a significant curtailment of both the principles of access and of consent. The law is riddled with exceptions that permit private sector companies to disclose our personal information to state authorities in a range of situations without our knowledge or consent, with or without a warrant or court order. Other exceptions allow these disclosures to be hidden from us if we make access requests. What this means is that, in some circumstances, organizations that have disclosed an individual’s information to state authorities, and that later receive an access request from the individual seeking to know if their information has been disclosed to a third party, must contact the state authority to see if they are permitted to reveal that information has been shared. If the state authority objects, then the individual is not told of the disclosure.
The PIPEDA Report of Findings No. 2016-008 follows a complaint by an individual who contacted her telecommunications company and requested access to her personal information in the hands of that company. Part of the request was for “any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.” (at para 4). She received a reply from the Telco to the effect that it was “fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA].” (at para 5) In case that response was insufficiently obscure, the Telco also provided the wording of the subsections in question. The individual complained to the Office of the Privacy Commissioner (OPC).
The OPC decision makes it clear that the exceptions to the access principle place both the individual and the organization in a difficult spot. Basically, an organization that has disclosed information to state authorities without the individual’s knowledge or consent, and that receives an access request regarding this disclosure, must check with the relevant state authority to see if they have any objection to the disclosure of information about the disclosure. The state authorities can object if the disclosure of the disclosure would pose a threat to national security, national defence or the conduct of international affairs, or would adversely impact investigations into money laundering or terrorist financing. Beyond that, the state authorities can also object if disclosure would adversely impact “the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purpose of enforcing any such law.” If the state authorities object, then the organization may not disclose the requested information to the individual, nor can they disclose that they contacted the state authorities about the request, or that the authorities objected to any disclosure. In the interests of having a modicum of transparency, the organization must inform the Privacy Commissioner of the situation.
The situation is complex enough that in its finding, the OPC produced a helpful chart to guide organizations through the whole process. The chart can be found in the Finding.
In this case, the Telco justified its response to the complainant by explaining that if pushed further by a customer about disclosures, it would provide additional information, but even this additional information would be necessarily obscure. The Commissioner found that the Telco’s approach was not compliant with the law, but acknowledged that compliance with the law could mean that a determined applicant, by virtue of repeated requests over time, could come up with a pattern of responses that might lead them to infer whether information was actually disclosed, and whether the state authority objected to the disclosure. This is perhaps not what Parliament intended, but it does seem to follow from a reading of the statute.
As a result of the complaint, the Telco agreed to change its responses to access requests to conform to the requirements outlined in the table above.
It may well be that this kind of information-sharing offers some, perhaps significant, benefits to society, and that sharing information about information sharing could, in some circumstances, be harmful to investigations. The problem is that protections for privacy – including appropriate oversight and limitations – have not kept pace with the technologies that have turned private sector companies into massive warehouses of information about every detail of our lives and activities. The breakdown of consent means that we have little practical control over what is collected, and rampant information sharing means that our information may be in the hands of many more companies than those with which we actively do business. The imbalance is staggering, as is the risk of abuse. The ongoing review of PIPEDA must address these gaps issues – although there are also risks that it will result in the addition of more exceptions from the principles of access and consent.
Thursday, 17 November 2016 14:47
The Supreme Court of Canada has issued a relatively rare decision on the interpretation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Although it involves fairly technical facts that are quite specific to the banking and mortgage context, the broader significance of the case lies in the Court’s approach to implied consent under PIPEDA.
The case arose in the context of the Royal Bank of Canada’s (RBC) attempt to obtain a mortgage discharge statement for property owned by two individuals (the Trangs), who defaulted on a loan advanced by the bank. The mortgage was registered against a property in Toronto, on which Scotiabank held the first mortgage. In order to recover the money owed to it, RBC sought a judicial sale of the property, but the sheriff would not carry out the sale without the mortgage discharge statement. Scotiabank refused to provide this statement to RBC on the basis that it contained the Trangs’ personal information and it could therefore not be disclosed to RBC without the Trangs’ consent.
PIPEDA allows for the disclosure of personal information without consent in a number of different circumstances. Three of these, raised by lawyers for RBC, include where it is for the purpose of collecting a debt owed by the individual to the organization; where the disclosure is required by a court order; and where the disclosure is required by law. Ultimately, the Court only considered the second of these exceptions. Because Scotiabank refused to disclose the discharge statement, RBC had applied to a court for a court order that would enable disclosure without consent. However, it found itself caught in a procedural loop – it seemed to be asking the court to order disclosure on the basis of a court order which the court had yet to grant. Although the Court of Appeal had found the court order exception to be inapplicable because of this circularity, the Supreme Court of Canada swept aside these objections in favour of a more pragmatic approach. Justice Côté found that the court had the power to make an order and felt that an order was appropriate in the circumstances. She ruled that it would be “overly formalistic and detrimental to access to justice” to require RBC to reformulate its request for a court order in a new proceeding.
Although this would have been enough to decide the matter, Justice Côté, for the unanimous court, went on to find that the Trangs had given implied consent to the disclosure of the mortgage statement in any event. Under PIPEDA, consent can be implied in some circumstances. Express consent is generally required where information is sensitive in nature. Acknowledging that financial information is generally considered highly sensitive, Justice Côté nevertheless found that in this case the mortgage discharge statement was less sensitive in nature. She stated that “the degree of sensitivity of specific financial information is a contextual determination.” (at para 36) Here, the context included the fact that a great deal of mortgage-related financial information is already in the public domain by virtue of the Land Titles Registry, which includes details such as the amount of a mortgage recorded against the property, the interest rate, payment periods and due date. Although the balance left owing on a mortgage is not provided in the Registry, it can still be roughly calculated by anyone interested in doing so. Justice Côté characterized the current balance of a mortgage as “a snapshot at a point in time in the life of a publicly disclosed mortgage.” (at para 39)
Justice Côté’s implied consent analysis was also affected by other contextual considerations. These included the fact that the party seeking disclosure of the discharge statement had an interest in it; as a creditor, it was relevant to them. According to the Court, the reasonable expectations of the individual with respect to the sensitivity of any information must be assessed in “the whole context” so as not to “unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect”. (at para 44) The fact that other creditors have a legitimate business interest in the information in a mortgage disclosure statement is “a relevant part of the context which informs the reasonable expectation of privacy.” (at para 45) In this regard, Justice Côté observed that the identity of the party seeking disclosure of the information and the reason for which they are seeking disclosure are relevant considerations. She noted that “[d]isclosure to a person who requires the information to exercise an established legal right is clearly different from disclosure to a person who is merely curious or seeks the information for nefarious purposes.” (at para 46)
Justice Côté also found that the reasonable mortgagor in the position of the Trangs would be aware of the public nature of the details of their mortgage, and would be aware as well that if they defaulted on either their mortgage or their loan with RBC, their mortgaged property could be seized and sold. They would also be aware that a judgment creditor would have a “legal right to obtain disclosure of the mortgage discharge statement through examination or by bringing a motion.” (at para 47)
It seems that it is the fact that RBC could ultimately legally get access to the mortgage discharge statement, viewed within the broader context that drives the Court to find that there is an implied consent to the disclosure of this information – even absent a court order. The Court’s finding of implied consent is nevertheless limited to this context; it would not be reasonable for a bank to disclose a mortgage discharge statement to anyone other than a person with a legal interest in the property to which the mortgage relates. The Court’s reasoning seems to be that since RBC is ultimately entitled to get this information and has legal means at its disposal to get the information, then the Trangs can be considered to have consented to the information being shared.
Pragmatism is often a good thing, and it is easy to be sympathetic to the Court’s desire to not create expensive legal hurdles to achieve inevitable ends in transactions that are relatively commonplace. It should be noted, however, that the same result could have been achieved by the addition of a clause in the mortgage documents that would effectively obtain the consent of any mortgagor to disclosures of this kind and in those circumstances. No doubt after the earlier decisions in this case and in the related Citi Cards Canada Inc. v. Pleasance, banks had already taken steps to address this in their mortgage documents. One of the reasons for having privacy policies is to require institutions to explain to their customers what personal information is collected, how it will be used, and in what circumstances it will be disclosed. While it is true that few people read such privacy policies, they are at least there for those who choose to do so. Nobody reads implied terms because they are… well, implied. Implied consent works where certain uses or disclosures are relatively obvious. In more complicated transactions implied consent should be sparingly relied upon.
It will be interesting to see what impact the Court’s judicial eye roll to the facts of this case will have in other circumstances where consent to disclosure is an issue. The Court is cautious enough in its contextual approach that it may not lead to a dangerous undermining of consent. Nevertheless, there is a risk that the almost exasperated pragmatism of the decision may cause a more general relaxation around consent.
Wednesday, 26 October 2016 14:42
In a press release issued on October 26, 2016, the Ontario Provincial Police announced that they would be adopting a new investigative technique – one that relies on cellphone tracking of ordinary members of the public. The use of this new technique is being launched in the context of the investigation of an unsolved murder that took place in Ottawa in 2015. Police are searching for leads in the case.
The OPP sought a Production Order from a justice of the peace. This order required major cellular phone service providers to furnish them with a list of cellphone numbers used in the vicinity of West Hunt Club and Merivale Road in Ottawa, between 12:30 and 3:30 p.m. on December 15, 2015. Production orders for cell phone information have become commonplace. Typically, however, they have been used to determine whether a person of interest to the police was in a certain area at a specific time. This is not the case here. In this case, the police intend to send text messages to the individual cell phone numbers provided by the phone companies. These messages will encourage recipients to visit a web site set up by the police and to respond to some questions. According to the press release, the production order did not include customer name and address information associated with the phone numbers. In theory, then, individual privacy is protected by the fact that an person who does not respond to the text message does provide any further identifying information to the police.
There is clearly a public interest in solving crimes. Where investigations have grown cold, new techniques may be important to finding justice for victims and their families. However, it is also important that any new investigative techniques are consistent with the principles and values that are an integral part of our justice system. Privacy advocates and the public have reason to be concerned about this new investigative technique. Here are some of the reasons why:
First, production orders of this kind provide completely inadequate opportunities to hear and consider the privacy interests of affected individuals. Persons accused of crimes can always challenge in court the way in which the police went about collecting the evidence against them. They can argue that their privacy interests were violated and that search warrants should never have been issued. However, ordinary members of the public have little practical recourse when their privacy rights are infringed by investigations of crimes that have nothing to do with them. In a decision of the Ontario Superior Court (which I wrote about here) Justice Sproat reviewed production orders for massive amounts of cell phone data sought by police. He was sharply critical of both the seeking and the granting of a production order for quantities of cell phone customer data that far exceeded what was genuinely required for the purpose of the investigation. The case impacted the privacy rights of the broad public (it involved the data of over 43,000 customers) yet as is so often the case, the public had no way to learn of or challenge the production order before it was granted. In that case, it was the Telcos – Rogers and Telus – who challenged the production orders and raised privacy issues before the courts. Without this intervention, there would have been no voice for the privacy interests of ordinary citizens and no means of reviewing the legitimacy of the order.
Second, production orders of this kind come with no safeguards for the protection of data after it has been used by police. Production orders typically do not contain directions on how long data can be retained, whether it should be destroyed after a certain time, what other uses it might (or should not) be put to, or what safeguards are required to protect it while it is in the hands of police. The lack of such safeguards was commented upon by Justice Sproat in the case mentioned above. He was of the view that this was an issue for Parliament to address. Parliament has yet to do so.
In its press release, the OPP analogized what it was doing to police going through a neighborhood where a crime has taken place and knocking on doors to see if anyone has seen or heard anything that might be relevant. The analogy is problematic. The existence and location of houses and apartment units are matters of public record – they are in plain view. However, data about the cell phone usage of individuals, along with their location information, as they carry out their day to day activities are not. When police seek access to information that allows them to identify the locations of thousands of individuals who are not suspected of engaging in criminal activity, they are doing more than knocking on doors.
There needs to be a public conversation about how and when police get to tap into the massive volumes of data collected about the minutiae of our daily activities by private sector companies. The use of cell phone data production orders by the OPP in this case merely adds to list of subjects for that conversation. Because the use of this data by police is now to identify and contact people who are themselves not the targets of criminal investigation, these individuals effectively have no way in which to raise privacy concerns. This is a conversation that must be led by Parliament and that most likely will require new law.
Tuesday, 20 September 2016 14:25
The Ontario Supreme Court of Justice has just approved the settlement of a class action law suit against Home Depot over a data privacy breach that took place in 2014. Both the settlement agreement and the decision by Justice Perell offer some interesting insights into privacy class actions in Canada.
Between April 11, 2014 and September 13, 2014 Home Depot’s payment system was hacked by criminals who used malware to skim data from credit card purchases at self-serve stations. When Home Depot discovered the breach it notified potentially affected customers through the French and English press in Canada. It also sent out over half a million emails to potentially affected customers in Canada. The emails apologized for the breach, and confirmed that the malware had been eradicated. Customers were assured that they would not be held responsible for fraudulent charges to their credit card accounts and they were offered free credit monitoring and identity theft insurance.
Although the breach led to complaints against Home Depot being filed with the privacy commissioners of Alberta, Quebec, B.C. and Canada, the commissioners all concluded that Home Depot had not breached their respective private sector data protection statutes. The fact that Home Depot had acted quickly and decisively to notify customers and to offer them protection also clearly influenced Justice Perell in his decision on the settlement agreement. He noted that Home Depot “apparently did nothing wrong”, and that it “responded in a responsible, prompt, generous and exemplary fashion to the criminal acts perpetrated on it by the computer hackers.” (at para 74.)
After the breach, which affected customers in the U.S. and Canada, a number of class action lawsuits were filed in both countries. The U.S.-based suits were consolidated into a single action which led to a settlement. The U.S. agreement was used as a template for the Canadian settlement. Under the terms of the settlement agreement put before Justice Perell, Home Depot admitted no wrongdoing. In exchange for releasing their claims against Home Depot, class members would be entitled to access a settlement fund of $250,000 available to compensate them for any actual expenses incurred as a result of the data breach up to a maximum of $5000 per claimant. The agreement also provides for class members to access free credit monitoring to a cap of $250,000. Justice Perell noted that given the cost of bulk purchases of credit card monitoring, this amount would allow for between 2,500 and 5,000 of the class members to access credit monitoring. In order to be entitled to any funds or credit monitoring, class members would have to file a claim form by October 29, 2016. Under the terms of the agreement, Home Depot would assume the costs of notifying class members and of administering the funds. Any money not distributed from the funds at the end of the claims period could be used to offset these costs. Justice Perell approved these terms of the settlement agreement.
The agreement also provided for a sum of $360,000 plus HST to be paid to the class action lawyers for legal fees, costs and disbursements. Small sums were also provided for in the agreement as honoraria for the representative plaintiffs in the class, although Justice Perell declined to approve these amounts, noting that honoraria were not appropriate in this case. He noted that “Compensation for a representative plaintiff may only be awarded if he or she has made an exceptional contribution that has resulted in success for the class.” (at para 80)
In assessing the settlement agreement, Justice Perell made it clear that the value of the settlement for class members was at most $400,000. He noted that in terms of compensation very little might actually be paid out. No class members would have had to cover the cost of fraudulent credit card charges and, in the time since the breach, there were no documented cases of identity theft related to this breach. He noted that the only information obtained through the hack was credit card information; other identity details used in identity theft such as driver’s licence data or social insurance numbers, were never stolen. He thus found it “highly unlikely” that the $250,000 fund would be used for damage awards. He also expressed doubt whether, given the short deadline in the agreement, the $250,000 fund for identity theft insurance would be used up.
Given the modest value of the settlement agreement, Justice Perell would not approve the $360,000 bill for legal fees and disbursements. Instead, he set the amount at $120,000. He noted that to do otherwise would pay class counsel more than would be received by the class members. He noted as well that in his view the case against Home Depot was very weak: the data breach was the result of a criminal hack; the privacy commissioners had found no wrongdoing on the part of Home Depot; and Home Depot had not attempted to cover it up and instead had acted promptly to notify customers and to help them mitigate any possible harm. Further, he noted that “by the time the actions against Home Depot came to be settled, there were no demonstrated or demonstrable losses by the Class Members” (at para 101). Justice Perell observed that while class counsel may have incurred higher fees than what were being awarded, there is a degree of risk with any class proceeding. He noted that “class counsel should not anticipate that every reasonably commenced class action will be remunerative and a profitable endeavor.” (at para 103)
The result is interesting on a number of fronts. Clearly Home Depot found it less costly to settle than to proceed with the litigation even though Justice Perell seems to be of the view that they would have won their case. The case illustrates just how costly data breaches can be, even for companies that have done nothing wrong and are themselves victims of criminal activities. In terms of the class action law suit, as with many data breaches, proof of actual harm to the class members was difficult to come by, making losses quite speculative. Further, as litigation of this kind tends to proceed slowly, the lack of harm to class members becomes increasingly apparent in cases where there is no evidence that the illegal obtained data has been used by the malefactors. The result in this case suggests that in class action law suits related to privacy breaches, class members who do not suffer actual pecuniary loss should not expect significant payouts; and companies who are not at fault in the breach and who act promptly to assist affected customers may substantially reduce (or eliminate) their liability. These factors may affect decisions by class counsel to launch class action lawsuits where the link between the breach and actual harm is weak, or where defendants are not obviously at fault.
Wednesday, 15 June 2016 08:46
Yesterday I appeared before the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, along with Professor David Lyon of Queen’s University and Professor Lisa Austin of the University of Toronto. The Committee is considering long overdue reform of the Privacy Act, and we had been invited to speak on this topic.
All three of us urged the Committee to take into account the very different technological environment in which we now find ourselves. Professor Lyon cogently addressed the changes brought about by the big data context. Although the Privacy Act as it currently stands largely address the collection, use and disclosure of personal information for “administrative purposes” all three of us expressed concerns over the access to and use by government of information in the hands of the private sector, and the use of information in big data analytics. Professor Austin in particular emphasized the need to address not just the need for accuracy in the data collected by government but also the need to assess “algorithmic accuracy” – the quality/appropriateness of algorithms used to analyse large stores of data and to draw conclusions or predictions from this data. She also made a clear case for bringing Charter considerations into the Privacy Act – in other words, for recognizing that in some circumstances information collection, disclosure or sharing that appears to be authorized by the Privacy Act might nevertheless violate the Canadian Charter of Rights and Freedoms. There was also considerable discussion of information-sharing practices both within government and between our government and other foreign or domestic governments.
The Committee seemed very interested and engaged with the issues, which is a good sign. Reform of the Privacy Act will be a challenging task. The statute as a public sector data protection statute is sorely out of date. However, it is also out of context – in other words, it was drafted to address an information context that is radically different from that in which we find ourselves today. Many of the issues that were raised before the Committee yesterday go well beyond the original boundaries of the Privacy Act, and the addition of a few provisions or a few tweaks here and there will not come close to solving some of these privacy issues – many of which overlap with issues of private sector data protection, criminal law and procedure, and national security.
The notes related to my own remarks to the Committee are available below.
Written Notes for Comments by Professor Teresa Scassa to the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, June 14, 2016
Thank you for the opportunity to address this Committee on the issue of reform of the Privacy Act.
I have reviewed the Commissioner’s recommendations on Privacy Act reform and I am generally supportive of these proposals. I will focus my remarks today on a few specific issues that are united by the theme of transparency. Greater transparency with respect to how personal information is collected, used and disclosed by government enhances privacy by exposing practices to comment and review and by enabling appropriate oversight and accountability. At the same time, transparency is essential to maintaining public confidence in how government handles personal information.
The call for transparency must be situated within our rapidly changing information environment. Not only does technology now enable an unprecedented level of data collection and storage, enhanced analytic capacity has significantly altered the value of information in both public and private sectors. This increased value provides temptations to over-collect personal information, to share it, mine it or compile it across departments and sectors for analysis, and to retain it beyond the period required for the original purposes of its collection.
In this regard, I would emphasize the importance of the recommendation of the Commissioner to amend the Privacy Act to make explicit a “necessity” requirement for the collection of personal information, along with a clear definition of what ‘necessary’ means. (Currently, s. 4(1) of the Privacy Act requires only that personal information “relate directly to an operating program or activity of the institution”.) The goal of this recommendation is to curtail the practice of over-collection of personal information. Over-collection runs counter to the expectations of the public who provide information to government for specific and limited purposes. It also exposes Canadians to enhanced risks where negligence, misconduct or cyberattack result in data breaches. Data minimization is an important principle that is supported by data protection authorities around the world and that is reflected in privacy legislation. The principle should be explicit and up front in a reformed Privacy Act. Data minimization also has a role to play in enhancing transparency: not only do clear limits on the collection of personal information serve transparency goals; over-collection encourages the re-purposing of information, improper use and over-sharing.
The requirement to limit collection of information to specific and necessary purposes is tied to the further requirement on government to collect personal information directly from the individual “where possible” (s. 5(1)). This obviously increases transparency as it makes individuals directly aware of the collection. However, this requirement relates to information collected for an “administrative purpose”. There may be many other purposes for which government collections information, and these fall outside the privacy protective provisions of the Privacy Act. This would include circumstances that is disclosed to a government investigative body at its request in relation to an investigation or the enforcement of any law, or that is disclosed to government actors under court orders or subpoenas. Although such information gathering activities may broadly be necessary, they need to be considered in the evolving data context in which we find ourselves, and privacy laws must adapt to address them.
Private sector companies now collect vast stores of personal information, and this information often includes very detailed, core-biographical information. It should be a matter of great concern, therefore, that the permissive exceptions in both PIPEDA and the Criminal Code enable the flow of massive amounts of personal information from the private sector to government without the knowledge or consent of the individual. Such requests/orders are often (although not always) made in the course of criminal or national security investigations. The collection is not transparent to the individuals affected, and the practices as a whole are largely non-transparent to the broader public and to the Office of the Privacy Commissioner (OPC).
We have heard the most about this issue in relation to telecommunications companies, which are regularly asked or ordered to provide detailed information to police and other government agents. It should be noted, however, that many other companies collect personal information about individuals that is highly revelatory about their activities and choices. It is important not to dismiss this issue as less significant because of the potentially anti-social behaviour of the targeted individuals. Court orders and requests for information can and do encompass the personal information of large numbers of Canadians who are not suspected of anything. The problem of tower dump warrants, for example, was recently highlighted in a recent case before the Ontario Supreme Court (R. v. Rogers Communication (2016 ONSC 70))(my earlier post on this decision can be found here). The original warrant in that case sought highly detailed personal information of around 43,000 individuals, the vast majority of whom had done nothing other than use their cell phones in a certain area at a particular time. Keep in mind that the capacity to run sophisticated analytics will increase the attractiveness of obtaining large volumes of data from the private sector in order to search for an individual linked to a particular pattern of activity.
Without adequate transparency regarding the collection of personal information from the private sector, there is no way for the public to be satisfied that such powers are not abused. Recent efforts to improve transparency (for example, the Department of Innovation, Science and Economic Development’s voluntary transparency reporting guidelines) have focused on private sector transparency. In other words, there has been an attempt to provide a framework for the voluntary reporting by companies of the number of requests they receive from government authorities, the number they comply with, and so on. But these guidelines are entirely voluntary, and they also only address transparency reporting by the companies themselves. There are no legislated obligations on government actors to report in a meaningful way – whether publicly or to the OPC – on their harvesting of personal information from private sector companies. I note that the recent attempt by the OPC to audit the RCMP’s use of warrantless requests for subscriber data came to an end when it became clear that the RCMP did not keep specific records of these practices.
In my view, a modernization of the Privacy Act should directly address this enhanced capacity of government institutions to access the vast stores of personal information in the hands of the private sector. The same legislation that permits the collection of personal information from private sector companies should include transparency reporting requirements where such collection takes places. In addition, legislative guidance should be provided on how government actors who obtain personal information from the private sector either by request or under court order should deal with this information. Specifically, limits on the use and retention of this data should be imposed.
It is true that both the Criminal Code and PIPEDA enable police forces and investigative bodies under both federal and provincial jurisdiction to obtain personal information from the private sector under the same terms and conditions, and that reform of the Privacy Act in this respect will not address transparency and accountability of provincial actors. This suggests that issues of transparency and accountability of this kind might also fruitfully be addressed in the Criminal Code and in PIPEDA, but this is no reason not to also address it in the Privacy Act. To the extent that government institutions are engaged in the indirect collection of personal information, the Privacy Act should provide for transparency and accountability with respect to such activities.
Another transparency issue raised by the Commissioner relates to information-sharing within government. Technological changes have made it easier for government agencies and departments to share personal information – and they do so on what the Commissioner describes as a “massive” scale. The Privacy Act enables personal information sharing within and between governments, domestically and internationally, in specific circumstances – for investigations and law enforcement, for example, or for purposes consistent with those for which it was collected. (Section 8(2)(a) allows for sharing “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”). Commissioner Therrien seeks amendments that would require information-sharing within and between governments to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with the legislation, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another – or whether and under what conditions their personal information may be shared with provincial or foreign governments.
Another important transparency issue is mandatory data breach reporting. Treasury Board Secretariat currently requires that departments inform the OPC of data security breaches; yet the Commissioner has noted that not all comply. As a result, he is asking that the legislation be amended to include a mandatory breach notification requirement. Parliament has recently amended PIPEDA to include such a requirement. Once these provisions take effect, the private sector will be held to a higher standard than the public sector unless the Privacy Act is also amended. Any amendments to the federal Privacy Act to address data security breach reporting would have to take into account the need for both the Commissioner and for affected individuals to be notified where there has been a breach that meets a certain threshold for potential harm, as will be the case under PIPEDA. The PIPEDA amendments will also require organizations to keep records of all breaches of security safeguards regardless of whether they meet the harm threshold that triggers a formal reporting requirement. Parliament should impose a requirement on those bodies governed by the Privacy Act to both keep and to submit records of this kind to the OPC. Such records would be helpful in identifying patterns or trends either within a single department or institution or across departments or institutions. The ability to identify issues proactively and to address them either where they arise or across the federal government can only enhance data security – something which is becoming even more urgent in a time of increased cybersecurity threats.
Monday, 25 April 2016 07:06
A recent news story from the Ottawa area raises interesting questions about big data, smart cities, and citizen engagement. The CBC reported that Ottawa and Gatineau have contracted with Strava, a private sector company to purchase data on cycling activity in their municipal boundaries. Strava makes a fitness app that can be downloaded for free onto a smart phone or other GPS-enabled device. The app uses the device’s GPS capabilities to gather data about the users’ routes travelled. Users then upload their data to Strava to view the data about their activities. Interested municipalities can contract with Strava Metro for aggregate de-identified data regarding users’ cycling patterns over a period of time (Ottawa and Gatineau have apparently contracted for 2 years’ worth of data). According to the news story, their goal is to use this data in planning for more bike-friendly cities.
On the face of it, this sounds like an interesting idea with a good objective in mind. And arguably, while the cities might create their own cycling apps to gather similar data, it might be cheaper in the end for them to contract for the Strava data rather than to design and then promote the use of theirs own apps. But before cities jump on board with such projects, there are a number of issues that need to be taken into account.
One of the most important issues, of course, is the quality of the data that will be provided to the city, and its suitability for planning purposes. The data sold to the city will only be gathered from those cyclists who carry GPS-enabled devices, and who use the Strava app. This raises the question of whether some cyclists – those, for example, who use bikes to get around to work, school or to run errands and who aren’t interested in fitness apps – will not be included in planning exercises aimed at determining where to add bike paths or bike lanes. Is the data most likely to come from spandex-wearing, affluent, hard core recreational cyclists than from other members of the cycling community? The cycling advocacy group Citizens for Safe Cycling in Ottawa is encouraging the public to use the app to help the data-gathering exercise. Interestingly, this group acknowledges that the typical Strava user is not necessarily representative of the average Ottawa cyclist. This is in part why they are encouraging a broader public use of the app. They express the view that some data is better than no data. Nevertheless, it is fair to ask whether this is an appropriate data set to use in urban planning. What other data will be needed to correct for its incompleteness, and are there plans in place to gather this data? What will the city really know about who is using the app and who is not? The purchased data will be deidentified and aggregated. Will the city have any idea of the demographic it represents? Still on the issue of data quality, it should be noted that some Strava users make use of the apps’ features to ride routes that create amusing map pictures (just Google “strava funny routes” to see some examples). How much of the city’s data will reflect this playful spirit rather than actual data about real riding routes is a question also worth asking.
Another important issue – and this is a big one in the emerging smart cities context – relates to data ownership. Because the data is collected by Strava and then sold to the cities for use in their planning activities, it is not the cities’ own data. The CBC report makes it clear that the contract between Strava and its urban clients leaves ownership of the data in Strava’s hands. As a result, this data on cycling patterns in Ottawa cannot be made available as open data, nor can it be otherwise published or shared. It will also not be possible to obtain the data through an access to information request. This will surely reduce the transparency of planning decisions made in relation to cycling.
Smart cities and big data analytics are very hot right now, and we can expect to see all manner of public-private collaborations in the gathering and analysis of data about urban life. Much of this data may come from citizen-sensors as is the case with the Strava data. As citizens opt or are co-opted into providing the data that fuels analytics, there are many important legal, ethical and public policy questions which need to be asked.
Published in Geospatial Data/Digital Cartography
Monday, 04 April 2016 11:34
The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.
The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.
RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPCC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.
In reaching it conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)
After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)
RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.
The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.
The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.
Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.
Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.
Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.
Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.
Tuesday, 15 March 2016 11:01
The department formerly known as Industry Canada (now Innovation, Science and Economic Development or ISED) has just released a discussion paper that seeks public input on the regulations that will accompany the new data breach notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA).
The need to require private sector organizations in Canada to report data breaches was first formally identified in the initial review of PIPEDA carried out in 2007. The amendments to the statute were finally passed into law in June of 2015, but they will not take effect until regulations are enacted that provide additional structure to the notification requirements. The discussion paper seeks public input prior to drafting and publishing regulations for comment and feedback, so please stop holding your breath. It will still take a while before mandatory data breach notification requirements are in place in Canada.
The new amendments to the legislation make it mandatory for organizations to report data breaches to the Privacy Commissioner if those breaches pose “a real risk of significant harm to an individual”. (s. 10.1) An organization must also notify any individuals for whom the breach poses “a real risk of significant harm (s. 10.1(3). The form and contents of these notifications remain to be established by the regulations. A new s. 10.2 of PIPEDA will also require an organization that has suffered a reportable breach to notify any other organization or government institution of the breach if doing so may reduce the risk of harm. For example, such notifications might include ones to credit reporting agencies or law enforcement officials. The circumstances which trigger this secondary notification obligation remain to be fleshed out in the regulations. Finally, a new s. 10.3 of PIPEDA will require organizations to keep records of all data breaches not just those that reach the threshold for reporting to the Privacy Commissioner. In theory these records might enable organizations to detect flaws in their security practices. They may also be requested by the Commissioner, providing potential for oversight of data security at organizations. The content of these records remains to be determined by the new regulations.
From the above, it is clear that the regulations that will support these statutory data breach reporting requirements are fundamentally important in setting its parameters. The ISED discussion paper articulates a series of questions relating to the content of the regulations on which it seeks public input. The questions relate to how to determine when there is a “real risk of significant harm to an individual”; the form and content of the notification that is provided to the Commissioner by an organization that has experienced a breach; the form, manner and content of notification provided to individuals; the circumstances in which an organization that has experienced a breach must notify other organizations; and the form and content or records kept by organizations, as well as the period of time that these records must be retained.
There is certain that ISED will receive many submissions from organizations that are understandably concerned about the impact that these regulations may have on their operations and legal obligations. Consumer and public interest advocacy groups will undoubtedly make submissions from a consumer perspective. Individuals are also welcome contribute to the discussion. Some questions are particularly relevant to how individuals will experience data breach notification. For example, if an organization experiences a breach that affects your personal information and that poses a real risk of harm, how would you like to receive your notification? By telephone? By mail? By email? And what information would you like to receive in the notification? What level of detail about the breach would you like to have? Do you want to be notified of measures you can take to protect yourself? Do you want to know what steps the organization has taken and will take to protect you?
Canadian Trademark Law
Published in 2015 by Lexis Nexis
Electronic Commerce and Internet Law in Canada, 2nd Edition
Published in 2012 by CCH Canadian Ltd.
Intellectual Property for the 21st Century
Intellectual Property Law for the 21st Century: