Teresa Scassa - Blog

Displaying items by tag: data protection

Clearview AI and its controversial facial recognition technology have been making headlines for weeks now. In Canada, the company is under joint investigation by federal and provincial privacy commissioners. The RCMP is being investigated by the federal Privacy Commissioner after having admitted to using Clearview AI. The Ontario privacy commissioner has expressed serious concerns about reports of Ontario police services adopting the technology. In the meantime, the company is dealing with a reported data breach in which hackers accessed its entire client list.

Clearview AI offers facial recognition technology to ‘law enforcement agencies.’ The term is not defined on their site, and at least one newspaper report suggests that it is defined broadly, with private security (for example university campus police) able to obtain access. Clearview AI scrapes images from publicly accessible websites across the internet and compiles them in a massive database. When a client provides them with an image of a person, they use facial recognition algorithms to match the individual in the image with images in its database. Images in the database are linked to their sources which contain other identifying information (for example, they might link to a Facebook profile page). The use of the service is touted as speeding up all manner of investigations by facilitating the identification of either perpetrators or victims of crimes.

This post addresses a number of different issues raised by the Clearview AI controversy, framed around the two different sets of privacy investigations. The post concludes with additional comments about transparency and accountability.

1. Clearview AI & PIPEDA

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use and disclosure of personal information by private sector organizations engaged in commercial activities. Although Clearview AI is a U.S. company, PIPEDA will still apply if there is a sufficient nexus to Canada. In this case, the service clearly captures data about Canadians, and the facial recognition services are marketed to Canadian law enforcement agencies. This should be enough of a connection.

The federal Privacy Commissioner is joined in his investigation by the Commissioners of Quebec, B.C. and Alberta. Each of these provinces has its own private sector data protection laws that apply to organizations that collect, use and disclose personal information within the borders of their respective province. The joint investigation signals the positive level of collaboration and co-operation that exists between privacy commissioners in Canada. However, as I explain in an earlier post, the relevant laws are structured so that only one statute applies to a particular set of facts. This joint investigation may raise important jurisdictional questions similar to those raised in the Facebook/Cambridge Analytica joint investigation and that were not satisfactorily resolved in that case. It is a minor issue, but nonetheless one that is relevant and interesting from a privacy governance perspective.

The federal Commissioner’s investigation will focus on whether Clearview AI complied with PIPEDA when it collected, used and disclosed the personal information which populates its massive database. Clearview AI’s position on the legality of its actions is clearly based on U.S. law. It states on its website that: “Clearview searches the open web. Clearview does not and cannot search any private or protected info, including in your private social media accounts.” In the U.S., there is much less in the way of privacy protection for information in ‘public’ space. In Canada however, the law is different. Although there is an exception in PIPEDA (and in comparable provincial private sector laws) to the requirement of consent for the collection, use or disclosure of “publicly available information”, this exception is cast in narrow terms. It is certainly not broad enough to encompass information shared by individuals through social media. Interestingly, in hearings into PIPEDA reform, the House of Commons ETHI Committee at one point seemed swayed by industry arguments that PIPEDA should be amended to include websites and social media within the exception for “publicly available personal information”. In an earlier post, I argued that this was a dangerous direction in which to head, and the Clearview AI controversy seems to confirm this. Sharing photographs online for the purposes of social interaction should not be taken as consent to use those images in commercial facial recognition technologies. What is more, the law should not be amended to deem it to be so.

To the extent, then, that the database contains personal information of Canadians that was collected without their knowledge or consent, the conclusion will likely be that there has been a breach of PIPEDA. The further use and disclosure of personal information without consent will also amount to a breach. An appropriate remedy would include ordering Clearview AI to remove all personal information of Canadians that was collected without consent from its database. Unfortunately, the federal Commissioner does not have order-making powers. If the investigation finds a breach of PIPEDA, it will still be necessary to go to Federal Court to ask that court to hold its own hearing, reach its own conclusions, and make an order. This is what is currently taking place in relation the Facebook/Cambridge Analytica investigation, and it makes somewhat of a mockery of our privacy laws. Stronger enforcement powers are on the agenda for legislative reform of PIPEDA, and it is to be hoped that something will be done about this before too long.

 

2. The Privacy Act investigation

The federal Privacy Commissioner has also launched an investigation into the RCMP’s now admitted use of Clearview AI technology. The results of this investigation should be interesting.

The federal Privacy Act was drafted for an era in which government institution generally collected the information they needed and used from individuals. Governments, in providing all manner of services, would compile significant amounts of data, and public sector privacy laws set the rules for governance of this data. These laws were not written for our emerging context in which government institutions increasingly rely on data analytics and data-fueled AI services provided by the private sector. In the Clearview AI situation, it is not the RCMP that has collected a massive database of images for facial recognition. Nor has the RCMP contracted with a private sector company to build this service for it. Instead, it is using Clearview AI’s services to make presumably ad hoc inquiries, seeking identity information in specific instances. It is not clear whether or how the federal Privacy Act will apply in this context. If the focus is on the RCMP’s ‘collection’ and ‘use’ of personal information, it is arguable that this is confined to the details of each separate query, and not to the use of facial recognition on a large scale. The Privacy Act might simply not be up to addressing how government institutions should interact with these data-fuelled private sector services.

The Privacy Act is, in fact, out of date and clearly acknowledged to be so. The Department of Justice has been working on reforms and has attempted some initial consultation. But the Privacy Act has not received the same level of public and media attention as has PIPEDA. And while we might see reform of PIPEDA in the not too distant future, reform of the Privacy Act may not make it onto the legislative agenda of a minority government. If this is the case, it will leave us with another big governance gap for the digital age.

If the Privacy Act is not to be reformed any time soon, it will be very interesting to see what the Privacy Commissioner’s investigation reveals. The interpretation of section 6(2) of the Privacy Act could be of particular importance. It provides that: “A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.” In 2018 the Supreme Court of Canada issued a rather interesting decision in Ewert v. Canada, which I wrote about here. The case involved a Métis man’s challenge to the use of actuarial risk-assessment tests by Correctional Services Canada to make decisions related to his incarceration. He argued that the tests were “developed and tested on predominantly non-Indigenous populations and that there was no research confirming that they were valid when applied to Indigenous persons.” (at para 12). The Corrections and Conditional Release Act contained language very similar to s. 6(2) of the Privacy Act. The Supreme Court of Canada ruled that this language placed an onus on the CSC to ensure that all of the data it relied upon in its decision-making about inmates met that standard – including the data generated from the use of the assessment tools. This ruling may have very interesting implications not just for the investigation into the RCMP’s use of Clearview’s technology, but also for public sector use of private sector data-fueled analytics and AI where those tools are based upon personal data. The issue is whether, in this case, the RCMP is responsible for ensuring the accuracy and reliability of the data generated by a private sector AI system on which they rely.

One final note on the use of Clearview AI’s services by the RCMP – and by other police services in Canada. A look at Clearview AI’s website reveals its own defensiveness about its technologies, which it describes as helping “to identify child molesters, murderers, suspected terrorists, and other dangerous people quickly, accurately, and reliably to keep our families and communities safe.” Police service representatives have also responded defensively to media inquiries, and their admissions of use come with very few details. If nothing else, this situation highlights the crucial importance of transparency, oversight and accountability in relation to these technologies that have privacy and human rights implications. Transparency can help to identify and examine concerns, and to ensure that the technologies are accurate, reliable and free from bias. Policies need to be put in place to reflect clear decisions about what crimes or circumstances justify the use of these technologies (and which ones do not). Policies should specify who is authorized to make the decision to use this technology and according to what criteria. There should be record-keeping and an audit trail. Keep in mind that technologies of this kind, if unsupervised, can be used to identify, stalk or harass strangers. It is not hard to imagine someone use this technology to identify a person seen with an ex-spouse, or even to identify an attractive woman seen at a bar. They can also be used to identify peaceful protestors. The potential for misuse is enormous. Transparency, oversight and accountability are essential if these technologies are to be used responsibly. The sheepish and vague admissions of use of Clearview AI technology by Canadian police services is a stark reminder that there is much governance work to be done around such technologies in Canada even beyond privacy law issues.

Published in Privacy

A recent story in iPolitics states that both the Liberals and the Conservatives support strengthening data protection laws in Canada, although it also suggests they may differ as to the best way to do so.

The Liberals have been talking about strengthening Canada’s data protection laws – both the Privacy Act (public sector) and the Personal Information Protection and Electronic Documents Act (PIPEDA) (private sector) since well before the last election, although their emphasis has been on PIPEDA. The mandate letters of both the Ministers of Justice and Industry contained directions to reform privacy laws. As I discuss in a recent post, these mandate letters speak of greater powers for the Privacy Commissioner, as well as some form of “appropriate compensation” for data breaches. There are also hints at a GDPR-style right of erasure, a right to withdraw consent to processing of data, and rights of data portability. With Canada facing a new adequacy assessment under the EU’s General Data Protection Regulation (GDPR) it is perhaps not surprising to see this inclusion of more EU-style rights.

Weirdly, though, the mandate letters of the Minister of Industry and the Minister of Heritage also contain direction to create the new role of “Data Commissioner” to serve an as-yet unclear mandate. The concept of a Data Commissioner comes almost entirely out of the blue. It seems to be first raised before the ETHI Committee on February 7, 2019 by Dr. Jeffrey Roy of Dalhousie University. He referenced in support of this idea a new Data Commissioner role being created in Australia as well as the existence of a UK Chief Data Officer. How it got from an ETHI Committee transcript to a mandate letter is still a mystery.

If this, in a nutshell, is the Liberal’s plan, it contains both the good, the worrisome, and the bizarre. Strengthening PIPEDA – both in terms of actual rights and enforcement of those rights is a good thing, although the emphasis in the mandate letters seems very oriented towards platforms and other issues that have been in the popular press. This is somewhat worrisome. What is required is a considered and substantive overhaul of the law, not a few colourful and strategically-placed band-aids.

There is no question that the role of the federal Privacy Commissioner is front and centre in this round of reform. There have been widespread calls to increase his authority to permit him to issue fines and to make binding orders. These measures might help address the fundamental weakness of Canada’s private sector data protection laws, but they will require some careful thinking about the drafting of the legislation to ensure that some of the important advisory and dispute resolution roles of the Commissioner’s office are not compromised. And, as we learned with reform of the Access to Information Act, there are order-making powers and then there are order-making powers. It will not be a solution to graft onto the legislation cautious and complicated order-making powers that increase bureaucracy without advancing data protection.

The bizarre comes in the form of the references to a new Data Commissioner. At a time when we clearly have not yet managed to properly empower the Privacy Commissioner, it is disturbing that we might be considering creating a new bureaucracy with apparently overlapping jurisdiction. The mandate letters suggest that the so-called data commissioner would oversee (among other things?) data and platform companies, and would have some sort of data protection role in this regard. His or her role might therefore overlap with both those of the Privacy Commissioner and the Competition Bureau. It is worth noting that the Competition Bureau has already dipped its toe into the waters of data use and abuse. The case for a new bureaucracy is not evident.

The Conservatives seem to be opposed to the creation of the new Data Commissioner, which is a good thing. However, Michelle Rempel Garner was reported by iPolitics as rejecting “setting up pedantic, out of date, ineffectual and bloated government regulatory bodies to enforce data privacy.” It is not clear whether this is simply a rejection of the new Data Commissioner’s office, or also a condemnation of the current regulatory approach to data protection (think baby and bath water). Instead, the Conservatives seem to be proposing creating a new data ownership right for Canadians, placing the economic value of Canadians’ data in their hands.

This is a bad idea for many reasons. In the first place, creating a market model for personal data will do little to protect Canadians. Instead, it will create a context in which there truly is no privacy because the commercial exchange of one’s data for products and services will include a transfer of any data rights. It will also accentuate existing gaps between the wealthy and those less well off. The rich can choose to pay extra for privacy; others will have no choice but to sell their data. Further, the EU, which has seriously studied data ownership rights (and not just for individuals) has walked away from them each time. Data ownership rights are just too complicated. There are too many different interests in data to assign ownership to just one party. If a company uses a proprietary algorithm to profile your preferences for films or books, is this your data which you own, or theirs because they have created it?

What is much more important is the recognition of different interests in data and the strengthening, through law, of the interests of individuals. This is what the GDPR has done. Rights of data portability and erasure, the right to withdraw consent to processing, and many other rights within the GDPR give individuals much stronger interests in their data, along with enforcement tools to protect those interests. Those strengthened interests are now supporting new business models that place consumers at the centre of data decision-making. Open banking (or consumer-directed banking), currently being studied by the Department of Finance in Canada, is an example of this, but there are others as well.

The fix, in the end, is relatively simple. PIPEDA needs to be amended to both strengthen and expand the existing interests of individuals in their personal data. It also needs to be amended to provide for appropriate enforcement, compensation, and fines. Without accountability, the rights will be effectively meaningless. It also needs to happen sooner rather than later.

 

(With thanks to my RA Émilie-Anne Fleury who was able to find the reference to the Data Commissioner in the ETHI Committee transcripts)

Published in Privacy

The year 2020 is likely to bring with it significant legal developments in privacy law in Canada. Perhaps the most important of these at the federal level will come in the form of legislative change. In new Mandate letters, the Prime Minister has charged both the Minister of Justice and the Minister of Innovation Science and Industry with obligations to overhaul public and private sector data protection laws. It is widely anticipated that a new bill to reform the Personal Information Protection and Electronic Documents Act (PIPEDA) will be forthcoming this year, and amendments to the Privacy Act are also expected at some point.

The mandate letters are interesting in what they both do and do not reveal about changes to come in these areas. In the first place, both mandate letters contain identical wording around privacy issues. Their respective letters require the two Ministers to work with each other:

. . . to advance Canada’s Digital Charter and enhanced powers for the Privacy Commissioner, in order to establish a new set of online rights, including: data portability; the ability to withdraw, remove and erase basic personal data from a platform; the knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data; the ability to review and challenge the amount of personal data that a company or government has collected; proactive data security requirements; the ability to be informed when personal data is breached with appropriate compensation; and the ability to be free from online discrimination including bias and harassment. [my emphasis]

A first thing to note is that the letters reference GDPR-style rights in the form of data portability and the right of erasure. If implemented, these should give individuals considerably more control over their personal information and will strengthen individual interests in their own data. It will be interesting to see what form these rights take. A sophisticated version of data portability has been contemplated in the context of open banking, and a recent announcement makes it clear that work on open banking is ongoing (even though open banking is notably absent from the mandate letter of the Minister of Finance). GDPR-style portability is a start, though it is much less potent as a means of empowering individuals.

The right of erasure is oddly framed. The letters describe it as “the ability to withdraw, remove and erase basic personal data from a platform” (my emphasis). It is unclear why the right of erasure would be limited to basic information on platforms. Individuals should have the right to withdraw, remove and erase personal data from all organizations that have collected it, so long as that erasure is not inconsistent with the purposes for which it was provided and for which it is still required.

Enhancements to rights of notice and new rights to challenge the extent of data collection and retention will be interesting reforms. The references to “appropriate compensation” suggest that the government is attuned to well-publicized concerns that the consequences of PIPEDA breaches are an insufficient incentive to improve privacy practices. Yet it is unclear what form such compensation will take and what procedures will be in place for individuals to pursue it. It is not evident, for example, whether compensation will only be available for data security breaches, or whether it will extend to breaches of other PIPEDA obligations. It is unclear whether the right to adequate compensation will also apply to breaches of the Privacy Act. The letters are mum as to whether it will involve statutory damages linked to a private right of action, or some other form of compensation fund. It is interesting to note that although the government has talked about new powers for the Commissioner including the ability to levy significant fines, these do not appear in the mandate letters.

Perhaps the most surprising feature of the Minister of Industry’s mandate letter is the direction to work with the Minister of Canadian Heritage to “create new regulations for large digital companies to better protect people’s personal data and encourage greater competition in the digital marketplace.” This suggests that new privacy obligations that are sector-specific and separate from PIPEDA are contemplated for “large digital companies”, whatever that might mean. These rules are to be overseen by a brand new Data Commissioner. Undoubtedly, this will raise interesting issues regarding duplication of resources, as well as divided jurisdiction and potentially different approaches to privacy depending on whether an organization is large or small, digital or otherwise.

Published in Privacy

Class action lawsuits for privacy breaches are becoming all the rage in Canada – this is perhaps unsurprising given the growing number of data breaches. However, a proceeding certified and settled in October 2019 stands out as significantly different from the majority of Canadian privacy class action suits.

Most privacy class action lawsuits involve data breaches. Essentially, an entity trusted with the personal information of large numbers of individuals is sued because they lost the data stored on an unsecured device, a rogue employee absconded with the data or repurposed it, a hacker circumvented their security measures, or they simply allowed information to be improperly disclosed due to lax practices or other failings. In each of these scenarios, the common factor is a data breach and improper disclosure of personal information. Haikola v. Personal Insurance Co. is a notably different. In Haikola, the alleged misconduct is the over collection of personal information in breach of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The legal issues in this case arose after the representative class plaintiff, Mr. Haikola, was involved in a car accident. In settling his claim, his insurance company asked him to consent to providing them access to his credit score with a credit reporting agency. Mr. Haikola agreed, although he felt that he had had no choice but to do so. He followed up with the insurance company on several occasions, seeking more information about why the information was required, but did not receive a satisfactory explanation. He filed a complaint with the Office of the Privacy Commissioner. The subsequent investigation led to a Report of Findings that concluded, in the words of Justice Glustein, that the insurance company’s “collection and use of credit scores during the auto insurance claim assessment process is not something that a reasonable person would consider to be appropriate.” (at para 13) The company eventually changed its practices.

Under PIPEDA, the Commissioner’s findings are not binding. Once a complainant has received a Report of Findings, they can choose to bring an application under s. 14 of PIPEDA to Federal Court for an order and/or an award of damages. After receiving his Report of Findings, Mr. Haikola took the unusual step of seeking to commence a class action lawsuit under s. 14 of PIPEDA. The defendants argued that the Federal Court had no jurisdiction under s. 14 to certify a class action lawsuit. There is no case law on this issue, and it is not at all clear that class action recourse is contemplated under s. 14.

The parties, in the meantime, negotiated a settlement agreement. However, quite apart from the issue of whether a class action suit could be certified under s. 14 of PIPEDA, it was unclear whether the Federal Court could “make an enforceable order in a PIPEDA class action against a non-governmental entity.” (at para 28) With advice from the Federal Court case management judge, the parties agreed that Mr. Haikola would commence an action in Ontario Superior Court, requesting certification of the class action lawsuit and approval of the settlement. The sole cause of action in the suit initiated in Ontario Superior Court was for breach of contract. The argument was that in the contract between the insurance company and its customers, the insurance company undertook to “”act as required or authorized by law” in the collection, use, and disclosure of the Class Members’ personal information – including information from credit reporting agencies.” (at para 56) This would include meeting its PIPEDA obligations.

The class included persons whose credit history was used as part of a claim settlement process. The insurance company identified 8,525 people who fell into this category. The settlement provided for the paying out of $2,250,000. The court estimated that if every member of the class filed a valid claim, each would receive approximately $150.

In considering whether a class action lawsuit was the preferable procedure, Justice Glustein noted that generally, for this type of privacy complaint, the normal recourse was under PIPEDA. The structure of PIPEDA is such that each affected individual would have to file a complaint; the filing of a complaint and the issuance of a report were both prerequisites to commencing an action in Federal Court. Justice Glustein considered this to be a barrier to access to justice, particularly since most individuals would have claims “of only a very modest value”. (at para 66) He found that “The common law claim proposed is preferable to each Class Member making a privacy complaint, waiting for the resolution of the complaint from the Privacy Commissioner with a formal report, and then commencing a Federal Court action.” (at para 67)

Justice Glustein certified the proceedings and approved the settlement agreement. He was certainly aware of the potential weaknesses of the plaintiff’s case – these were factors he took into account in assessing the reasonableness of the amount of the settlement. Not only were there real issues as to whether a class action lawsuit was a possible recourse for breach of PIPEDA, a proceeding under s. 14 is de novo, meaning the court would not be bound by the findings of the Privacy Commissioner. Further, the Federal Court has been parsimonious with damages under PIPEDA, awarding them only in the most “egregious” circumstances. It is, in fact, rare for a Federal Court judge to award damages unless there has been an improper disclosure of personal information. In this case, the insurance company was found to have collected too much information, but there had been no breach or loss of personal data.

This case is interesting because raises the possibility of class action lawsuits being used for privacy complaints other than data security breaches. This should put fear into the heart of any company whose general practices or policies have led them to collect too much personal information, obtain insufficient consent, or retain data for longer than necessary (to name just a few possible shortcomings). Perhaps the facts in Haikola are exceptional enough to avoid a landslide of litigation. Justice Glustein was clearly sympathetic towards a plaintiff who had doggedly pursued his privacy rights in the face of an insufficiently responsive company, and who had been vindicated by the OPC’s Report of Findings. Justice Glustein noted as well that it was the plaintiff who had sought to initiate the class action lawsuit – he had not been recruited by class counsel.

There is clearly also an element in this decision of frustration and dissatisfaction with the current state of Canadian data protection law. Justice Glustein observed: “If systemic PIPEDA breaches are not rectified by a class procedure, it is not clear what incentive large insurers and others will have to avoid overcollection of information.” (at para 88) Justice Glustein also observed that “While the Privacy Commissioner may encourage or require changes to future practices, it [sic] has very limited powers to enforce compliance through strong regulatory penalties.” (at para 88) This is certainly true, and many (including the Privacy Commissioner) have called for greater enforcement powers to strengthen PIPEDA. This comment, taken with Justice Glustein’s additional comment that the settlement imposes on the Defendants a “meaningful business cost” for the overcollection of personal information, are nothing short of a condemnation of Canada’s private sector data protection regime.

The government has heard such condemnations from the Commissioner himself, as well as from many other critics of PIPEDA. It is now hearing it from the courts. Hopefully it is paying attention. This is not just because PIPEDA obligations need stronger and more diverse enforcement options to provide meaningful privacy protection, but also because class action lawsuits are a blunt tool, ill-designed to serve carefully-tailored public policy objectives in this area.

 

 

Published in Privacy

The second discussion paper in Ontario’s lightning-quick consultation on a new data strategy for the province was released on September 20, 2019. Comments are due by October 9, 2019. If you blink, you will miss the consultation. But if you read the discussion paper, it will make you blink – in puzzlement. Although it is clear from its title that Ontario wants to “create economic benefits” through data, the discussion paper is coy, relying mainly on broad generalities with occasional hints at which might actually be in the works.

Governments around the world are clearly struggling to position their countries/regions to compete in a burgeoning data economy. Canada is (until the election period cooled things off) in the middle of developing its own digital and data strategy. Ontario launched its data strategy consultation in February 2019. The AI industry (in which Canada and Ontario both aspire to compete) is thirsty for data, and governments are contemplating the use of AI to improve governance and to automate decision-making. It is not surprising, therefore, that this document tackles the important issue of how to support the data economy in Ontario.

The document identifies a number of challenges faced by Ontario. These include skill and knowledge deficits in existing industries and businesses; the high cost of importing new technologies, limited digital infrastructure outside urban core areas, and international competition for highly qualified talent for the data economy. The consultation paper makes clear that the data strategy will need to address technology transfer, training/education, recruitment, and support for small businesses. Beyond this, a key theme of the document is enhancing access to data for businesses.

It is with respect to data that the consultation paper becomes troublingly murky. It begins its consideration of data issues with a discussion of open government data. Ontario has had an open data portal for a number of years and has been steadily developing it. A new law, pushed through in the omnibus budget bill that followed the Ford government’s election is the first in Canada to entrench open government data in law. The consultation document seems to suggest that the government will put more resources into open data. This is good. However, the extent of the open data ambitions gives pause. The consultation document notes, “it is important for governments to ensure that the right level of detailed data is released while protecting government security and personal privacy.” Keep in mind that up until now, the approach to open data has been to simply not release as open data datasets that contain personal information. This includes data sets that could lead to the reidentification of individuals when combined with other available data. The consultation paper states “Ontario’s government holds vast amounts of data that can help businesses develop new products and services that make Ontarian’s lives easier, while ensuring that their privacy is protected.” These references to open data and privacy protection are indications that the government is contemplating that it will make personal data in some form or another available for sharing. Alarmingly, businesses may be invited to drive decision-making around what data should be shared. The document states, “New collaboration with businesses can help us determine which data assets have the greatest potential to drive growth.” An out-of-the-blue example provided in the consultation paper is even more disturbing. At a point where the document discusses classic categories of important open data such as geospatial reference and weather data, it suddenly states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered a high-value dataset that may present various opportunities for Ontario.”

If personal data is on the table (and the extent to which this is the case should be a matter of serious public consultation and not lightning-round Q & A), then governance becomes all the more important. The consultation paper acknowledges the importance of governance – of a sort. It suggests new guidelines (the choice of words here is interesting – as guidelines are not laws and are usually non-binding) to help govern how data is shared. The language of standards, guidance and best practices is used. Words such as law, regulation and enforcement are not. While “soft law” instruments can have a role to play in a rapidly changing technological environment, Canadians should be justifiably wary of a self-regulating private sector – particularly where there is so much financially at stake for participating companies. It should also be wary of norms and standards developed by ‘stakeholder’ groups that only marginally represent civil society, consumer and privacy interests.

If there is one thing that governments in Canada should have learned from the Sidewalk Toronto adventure, it is that governments and the private sector require social licence to collect and share a populations’ personal data. What this consultation does instead is say to the public, “the data we collect about you will be very valuable to businesses and it is in the broader public interest that we share it with them. Don’t worry, we’re thinking about how to do it right.” That is an illustration of paternalism, not consultation or engagement. It is certainly not how you gain social licence.

The Ontario government’s first Consultation Paper, which I discuss here was about “promoting trust and confidence”, and it ostensibly dealt with privacy, security and related issues. However, the type of data sharing that is strongly hinted at in the second discussion paper is not discussed in that first paper and the consultation questions in that document do not address it either.

There is a great deal of non-personal government data that can be valuable for businesses and that might be used to drive innovation. There is already knowledge and experience around open data in Ontario, and building upon this is a fine objective. Sharing of personal and human behavioural data may also be acceptable in some circumstances and under some conditions. There are experiments in Canada and in other countries with frameworks for doing this that are worth studying. But this consultation document seems to reflect a desire to put all government data up for grabs, without social licence, with only the vaguest plans for protection, and with a clear inclination towards norms and standards developed outside the usual democratic processes. Yes, there is a need to move quickly – and to be “agile” in response to technological change. But speed is not the only value. There is a difference between a graceful dive and a resounding belly flop – both are fast, only one is agile.

 

Published in Privacy

A ruling under B.C.’s Personal Information Protection Act (PIPA) will add new fuel to the fires burning around the issue of whether Canada’s federal political parties should have to comply with data protection laws. In Order P19-02, B.C. Privacy Commissioner Michael McEvoy rejected constitutional challenges and ruled that B.C.’s data protection law applied not just to provincial political parties (something it indisputably does), but also to electoral district associations in B.C. established under the Canada Elections Act. The decision means that the hearing into a complaint against the Courtenay-Alberni Riding Association of the New Democratic Party of Canada will now proceed. The riding association will still have the opportunity to argue, within the factual context of the complaint, that the application of specific provisions of PIPA place unacceptable limits on the right to vote and the freedom of expression under the Canadian Charter of Rights and Freedoms (the Charter).

There has been considerable attention paid to the relatively unregulated information handling practices of Canadian political parties in the last few years. A 2012 report commissioned by the Office of the Privacy Commissioner of Canada laid out the legal landscape. In the fall of 2018, federal, provincial and territorial privacy commissioners issued a joint call for meaningful privacy regulation of political parties in Canada. In late 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics issued its report titled Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly in which it recommended, among other things, that Canadian political parties be made subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Instead, the federal government chose to amend the Canada Elections Act to add some fairly tepid requirements for parties to have and make available privacy policies. Meaningful oversight and enforcement mechanisms are notably absent. In April 2019, Office of the Privacy Commissioner of Canada issued guidance for political parties on how to protect privacy. On August 7, Open Media conducted a review of the privacy policies of Canada’s federal political parties, measuring them against the guidelines issued by the OPC. The review reveals a fairly dismal level of privacy protection. As noted above, B.C.’s PIPA applies to B.C.’s provincial political parties. A review of those parties’ privacy practices earlier this year resulted in an investigation report that makes interesting reading.

It is within this context that a B.C. couple filed a complaint with the B.C. Office of the Information and Privacy Commissioner after each received and email from the NDP’s Courtenay-Alberni Riding Association inviting them to attend a meet and greet with the federal party’s leader. The couple wrote a letter to the local NDP seeking to know what information the party had on them, from whom it had been sourced, with whom it had been shared, and how the information had been and would be used. When they did not receive a satisfactory response, they filed a complaint with the OIPC. Since the NDP objected to the jurisdiction of the OIPC in the matter, the OIPC issued a notice of hearing to determine the preliminary issue of whether BC’s PIPA applied to the Courtney-Alberni Riding Association (the Organization).

The Organization made three constitutional arguments objecting to the jurisdiction of the OIPC. The first is that PIPA cannot apply to federally registered political entities because s. 41 of the Constitution Act, 1867 gives the federal government sole jurisdiction over the conduct of federal elections. The second is that PIPA cannot apply because other federal laws, including the Canada Elections Act and PIPEDA are paramount. The third argument was that, if PIPA were found to apply, to the extent that it did so, it would place unjustified limits on the right to vote and the freedom of expression guaranteed under the Charter. As noted above, on this third issue, the adjudicator ruled that there was an insufficient factual context to make a determination. Because Commissioner McAvoy ultimately decided that PIPA applies, the third question will be considered in the context of the hearing into the actual complaint.

Commisioner McAvoy noted that PIPA applies to every “organization” in BC. “Organization” is defined broadly to include: “a person, an unincorporated association, a trade union, a trust or a not for profit organization.” The Riding Association, as an unincorporated association, falls within this definition. He ruled that it made no difference that the organization was established under the constitution of a federal political party or that it is involved in federal politics. He rejected the Organization’s rather convoluted argument that since PIPEDA also applied to ‘organizations’, it precluded the application of BC’s statute. The Commissioner noted that because there is no commercial activity, PIPEDA did not apply to the collection, use or disclosure of personal information by the organization, and thus did not preclude the application of PIPA.

Commissioner McAvoy rejected the first constitutional argument on the basis that PIPA does not attempt to regulate the conduct of federal elections. PIPA’s purpose relates to “the regulation of the collection, use and disclosure of personal information by organizations.” (at para 45) It has nothing to do with any election-related issues such as the establishment of political parties, voting processes, or campaign financing. PIPA itself falls within provincial jurisdiction over “property and civil rights” in B.C. The Organization argued that by applying to federal riding associations in the province, it attempted to affect matters outside the province, but the adjudicator disagreed. He stated: “Analysis of incidental effects should be kept distinct from assessment of whether a provincial statute is validly enacted under the Constitution Act, 1867” (at para 52). He noted that in any event, incidental effects do not necessarily render a statute unconstitutional.

The Commissioner also rejected the paramountcy argument. The Organization argued that PIPA’s provisions conflicted with the Canada Elections Act, as well as the Telecommunications Act and Canada’s Anti-Spam Legislation (CASL) and frustrated a federal purpose and therefore could not apply to federal riding associations in B.C. Commissioner McEvoy found that there was no actual conflict between the federal and provincial laws. The Canada Elections Act imposes no substantive obligations around, for example, consent to the collection of personal information. It is not a situation where one statute says consent is not required and another says that it is. The Canada Elections Act is simply more permissive when it comes to personal information. Because the do-not-call list established under the Telecommunications Act does not address email communications, which is the subject matter of the actual complaint, there is no conflict with that law. Similarly, he found no conflict with the CASL. Although the CASL permits political parties or organizations to send emails with out consent to solicit donations, the email that was the subject of the complaint before the OIPC did not solicit a donation, but was rather an invitation to an event. As a result there is no conflict between the laws. Further, case law does not support the view that a conflict is found simply because a provincial law has more restrictive elements than a federal law. The Commissioner stated: “the fact that the Canada Elections Act and the two other federal laws take a permissive approach to use of certain personal information of electors does not of itself establish a conflict with PIPA’s requirements (even if one assumes, for discussion purposes only, that PIPA actually prohibits that which federal law permits.) . . . It is possible to comply with both PIPA and the federal laws [. . .]” (at para 79).

Commissioner McAvoy also rejected the argument that the application of PIPA would frustrate the federal purpose pursued under the Canada Elections Act. He found that the Organization had not adequately established the federal purpose nor had it managed to demonstrate how PIPA frustrated it.

Clearly this particular skirmish is far from complete. It is entirely possible that the Organization will challenge the Commissioner’s decision, and the matter may head to court. Nevertheless, the decision is an important one, as it raises the clear possibility that riding associations of federal political parties in BC might be held to a far stricter standard of data protection that that required of political parties elsewhere in Canada. This will increase the growing pressure on the federal government to take real, concrete steps to ensure that political parties are held to the same standards as private sector organizations when it comes to collecting, using and disclosing personal information. Given vast amounts of data available, the potential for intrusive and inappropriate uses, the controversies around profiling and targeting, and the growing risks of harm from data breaches, this is an unacceptable legislative gap.

 

Published in Privacy

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

Published in Privacy

On May 21, 2019, Canada’s federal government launched its Digital Charter, along with several other supporting documents, including its action plan for the Charter and proposals for modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA). Together, the documents discuss the outcomes of the recent federal digital strategy consultation and chart a path forward for federal policy in this area. The documents reflect areas where the government is already forging ahead, and they touch on a number of issues that have been at the centre of media attention, as well as public and private sector engagement.

As a strategy document (which, launched less than six months away from an election, it essentially is) the Digital Charter hits many of the right notes, and its accompanying documentation reveals enough work already underway to give shape to its vision and future directions. Navdeep Bains, the Minister of Innovation, Science and Economic Development, describes the Digital Charter as articulating principles that “are the foundation for a made in Canada digital approach that will guide our policy thinking and actions and will help to build an innovative, people-centred and inclusive digital and data economy.”

The Digital Charter features 10 basic principles. Three relate to digital infrastructure: universal access to digital services; safety and security; and open and modern digital government. Another three touch on human rights issues: data and digital for good; strong democracy; and freedom from hate and violent extremism. Two principles address data protection concerns: control and consent; and transparency, portability and interoperability — although the latter principle blends into the marketplace and competition concerns that are also reflected in the principle of ensuring a level playing field. Perhaps the most significant principle in terms of impact is the tenth, an overarching commitment to strong enforcement and real accountability. Weak enforcement has undermined many of our existing laws that apply in the digital context, and without enforcement or accountability, there is little hope for a credible strategy. Taken together, the 10 principles reflect a careful and thorough synthesis of some of the issues confronting Canada’s digital future.

Yet, this digital charter might more accurately be described as a digital chart. In essence, it is an action plan, and while it is both credible and ambitious, it is not a true charter. A charter is a document that creates legal rights and entitlements. The Digital Charter does not. Its principles are framed in terms of open-ended goals: “Canadians will have control over what data they are sharing,” “All Canadians will have equal opportunity to participate in the digital world,” or “Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.” Some of the principles reflect government commitments: “The Government of Canada will ensure the ethical use of data.” But saying that some can “expect” something is different from saying they have a right to it.

The goals and commitments in the Digital Charter are far from concrete. That is fair enough — these are complex issues — but concepts such as universal digital access and PIPEDA reform have been under discussion for a long time now with no real movement. A chart shows us the way, but it does not guarantee we’ll arrive at the destination.

It is interesting to note as well that privacy as a right is not squarely a part of the Digital Charter. Although privacy has (deservedly) been a high-profile issue in the wake of the Cambridge Analytica scandal and the controversies over Sidewalk Labs’ proposed smart city development in Toronto, this Digital Charter does not proclaim a right to privacy. A right to be free from unjustified surveillance (by public or private sector actors) would be a strong statement of principle. An affirmation of the importance of privacy in supporting human autonomy and dignity would also acknowledge the fundamental importance of privacy, particularly as our digital economy plows forward. The Digital Charter does address data protection, stating that Canadians will have control over the data they share and will “know that their privacy is protected.” They will also have “clear and manageable access to their personal data.” While these are important data protection goals, they are process-related commitments and are aimed at fostering trust for the purpose of data sharing.

Indeed, trust is at the the core of the government strategy. Minister Bains makes it clear that, in his view, “innovation is not possible without trust.” Further, “trust and privacy are key to ensuring a strong, competitive economy and building a more inclusive, prosperous Canada.”

Privacy, however, is the human right; trust is how data protection measures are made palatable to the commercial sector. Trust is about relationships — in this case, between individuals and businesses and, to some extent, between individuals and governments. In these relationships, there is a disparity of power that leaves individuals vulnerable to exploitation and abuse. A trust-oriented framework encourages individuals to interact with businesses and government — to share their data in order to fuel the data economy. This is perhaps the core conundrum in creating digital policy in a rapidly shifting and evolving global digital economy: the perceived tension between protecting human rights and values on the one hand, and fostering a competitive and innovative business sector on the other. In a context of enormous imbalance of power, trust that is not backed up by strong, enforceable measures grounded in human rights principles is a flimsy thing indeed.

And this, in a nutshell, is the central flaw in an otherwise promising Digital Charter. As a road map for future government action, it is ambitious and interesting. It builds on policies and actions that are already underway, and sets a clear direction for tackling the many challenges faced by Canada and Canadians in the digital age. It presents a pre-election digital strategy that is in tune with many of the current concerns of both citizens and businesses. As a charter, however, it falls short of grounding the commitments in basic rights and enshrining values for our digital future. That, perhaps, is a tall order and it may be that a transparent set of principles designed to guide government law and policy making is as much as we can expect at this stage. But calling it a Charter misleads, and creates the impression that we have done the hard work of articulating and framing the core human rights values that should set the foundational rules for the digital society we are building.

Published in Privacy

On April 25 the federal Privacy Commissioner and the Privacy Commissioner of British Columbia released a joint Report of Findings in an investigation into Facebook’s handling of personal information in relation to the Cambridge Analytica scandal. Not surprisingly, the report found that Facebook was in breach of a number of different obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Somewhat more surprisingly, the Report also finds that the corresponding obligations under BC’s Personal Information Protection Act (PIPA) were also breached. The Report criticizes Facebook for being less than fully cooperative in the investigation. It also notes that Facebook has disputed the Commissioners’ findings and many of their recommendations. The Report concludes by stating that each Commissioner will “proceed to address the unresolved issues in accordance with our authorities” under their respective statutes. Since the federal Commissioner has no order-making powers, the next step for him will be the Federal Court seeking a court order to compel changes. This will be a hearing de novo – meaning that the same territory will be covered before the Court, and Facebook will be free to introduce new evidence and argument to support its position. The court will owe no deference to the findings of the Privacy Commissioner. Further, while the Federal Trade Commission in the US contemplates fines to impose on Facebook in relation to its role in this scandal, Canada’s Commissioner does not have such a power, nor does the Federal Court. This is the data protection law we have – it is not the one that we need. Just as the Cambridge Analytica scandal drew attention to the dynamics and scale of personal data use and misuse, this investigation and its outcomes highlight the weaknesses of Canada’s current federal data protection regime.

As for the BC Commissioner – he does have order making powers under PIPA, and in theory he could order Facebook to change its practices in accordance with the findings in the Report. What the BC Commissioner lacks, however, with all due respect, is jurisdiction, as I will discuss below.

While the substantive issues raised in the complaint are important and interesting ones, this post will focus on slightly less well-travelled territory. (For comment on these other issues see, for example, this op-ed by Michael Geist). My focus is on the issue of jurisdiction. In this case, the two Commissioners make joint findings about the same facts, concluding that both statutes are breached. Although Facebook challenges their jurisdiction, the response, in the case of the BC Commissioner’s jurisdiction is brief and unsatisfactory. In my view, there is no advantage to Canadians in having two different data protection laws apply to the same facts, and there is no benefit in a lack of clarity as to the basis for a Commissioner’s jurisdiction.

This investigation was carried out jointly between the federal and the BC Privacy Commissioner. There is somewhat of a BC nexus, although this is not mentioned in the findings. One of the companies involved in processing data from Facebook is Aggregate IQ, a BC-based analytics company. There is an ongoing joint investigation between the BC and federal Privacy Commissioners into the actions of Aggregate IQ. However, this particular report of findings is in relation to the activities of Facebook, and not Aggregate IQ. While that other joint investigation will raise similar jurisdictional questions, this one deals with Facebook, a company over whose activities the federal Privacy Commissioner has asserted jurisdiction in the past.

There is precedent for a joint investigation of a privacy complaint. The federal privacy commissioners of Australia and Canada carried out a joint investigation into Ashley Madison. But I that case each Commissioner clearly had jurisdiction under their own legislation. This, I will argue, is not such a case. Within Canada, only one privacy Commissioner will have jurisdiction over a complaint arising from a particular set of facts. In this case, it is the federal Privacy Commissioner.

Unsurprisingly, Facebook raised jurisdictional issues. It challenged the jurisdiction of both commissioners. The challenge to the federal Commissioner’s jurisdiction was appropriately dismissed – there is a sufficient nexus between Facebook and Canada to support the investigation under PIPEDA. However, the challenge to the jurisdiction of the BC Commissioner was more serious. Nevertheless, it was summarily dismissed in the findings.

Uneasiness about the constitutional reach of PIPEDA in a federal state has meant that the law, which relies on the federal trade and commerce power for its constitutional legitimacy, applies only in the context of commercial activity. It applies across Canada, but it carves out space for those provinces that want to enact their own data protection laws to assert jurisdiction over the intra-provincial collection, use and disclosure of personal information. To oust PIPEDA in this sphere, these laws have to be considered “substantially similar” to PIPEDA (s. 26(2)(b)). Three provinces – BC, Alberta and Quebec, have substantially similar private sector data protection laws. Even within those provinces, PIPEDA will apply to the collection, use or disclosure by federally-regulated businesses (such as banks or airline companies). It will also apply to cross-border activities by private sector actors (whether international or inter-provincial). This split in jurisdiction over privacy can be complicated for individuals who may not know where to direct complaints, although the different commissioners’ offices will provide assistance. This does not mean there is no room for collaboration. The federal and provincial Commissioners have taken common positions on many issues in the past. These instances are conveniently listed on the website of Alberta’s privacy commissioner.

What has happened in this case is quite different. This is described as a joint investigation between the two Commissioners, and it has resulted in a joint set of recommendations and findings. Both PIPEDA and BC’s PIPA are cited as being applicable laws. In response to the challenge to the BC Privacy Commissioner’s jurisdiction, the Report tersely states that “PIPA (Personal Information Protection Act (British Columbia)) applies to Facebook’s activities occurring within the province of BC”. Yet no information is given as to what specific activities of Facebook were exclusively within the province of BC. No distinction is made at any point in the report between those activities subject to PIPA and those falling under PIPEDA. In this respect, it seems to me that Facebook is entirely correct in challenging the BC Privacy Commissioner’s jurisdiction. Facebook collects, uses and discloses personal information across borders, and its activities with respect to Canadians are almost certainly covered by PIPEDA. If that is the case, then they are not also subject to PIPA. The Exemption Order that finds PIPA BC to be substantially similar to PIPEDA provides:

1. An organization, other than a federal work, undertaking or business, to which the Personal Information Protection Act, S.B.C. 2003, c. 63, of the Province of British Columbia, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act, in respect of the collection, use and disclosure of personal information that occurs within the Province of British Columbia.

Section 3(2) of the Personal Information Protection Act provides:

(2) This Act does not apply to the following:

(c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

The “federal Act” is defined in s. 1 of PIPA to mean PIPEDA. The scheme is quite simple: if PIPEDA applies then PIPA does not. If the federal Commissioner has jurisdiction over the activities described in the Report, the provincial Commissioner does not. The only way in which the BC Commissioner would have jurisdiction is if there are purely local, provincial activities of Facebook that would not be covered by PIPEDA. Nothing in the Findings suggests that there are. At a minimum, if there are separate spheres of legislative application, these should be made explicit in the Findings.

Jurisdictional issues matter. We already have a complex mosaic of different data protection laws (federal, provincial, public sector, private sector, health sector) in Canada. Individuals must muddle through them to understand their rights and recourses; while organizations and entities must likewise understand which laws apply to which of their activities. Each statute has its own distinct sphere of operation. We do not need the duplication that would result from the adjudication of the same complaint under two (or more) different statutes; or the confusion that might result from different results flowing from different complaint resolutions. If there are separate sets of facts giving rise to separate breaches under different statutes, this has to be spelled out.

Federal-provincial cooperation on data protection is important; it is also valuable for the different privacy commissioners to reach consensus on certain principles or approaches. But creating overlapping jurisdiction over complaints flies in the face of the law and creates more problems than it solves. We have enough data protection challenges to deal with already.

Published in Privacy

Schedule 31 and Schedule 41 of Ontario’s new omnibus Budget Bill amend the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) respectively. One change to both statutes will expand the ability of public sector bodies to share personal information with law enforcement without consent. A more extensive set of amendments to FIPPA constitute another piece of the government’s digital and data strategy, which is further developed in the Simpler, Faster, Better Services Act, another piece of the budget bill discussed in my post here.

FIPPA and MFIPPA set the rules for the collection, use and disclosure of personal information by the public sector. MFIPPA applies specifically to municipalities, and FIPPA to the broader public sector. Both statutes prohibit the disclosure of personal information under the custody or control of a public body unless such a disclosure falls under an exception. Currently, both statutes have an exception related to investigations which reads:

(g) if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

The Budget Bill will amend this exception by replacing it with:

(g)  to an institution or a law enforcement agency in Canada if,

(i)  the disclosure is to aid in an investigation undertaken by the institution or the agency with a view to a law enforcement proceeding, or

(ii)  there is a reasonable basis to believe that an offence may have been committed and the disclosure is to enable the institution or the agency to determine whether to conduct such an investigation;

Paragraph (g)(i) is essentially the same as the original provision. What is new is paragraph (g)(ii). It broadens the circumstances in which personal information can be shared with law enforcement. Not only that, it does so in the squishiest of terms. There must be a reasonable basis to believe that an offence may have been committed. This is different from a reasonable basis to believe that an offence has been committed. Not only does it lower the threshold in the case of individuals, it may also open the door to the sharing of personal information for law enforcement fishing expeditions. After all, if enough people file for certain benefits, it might be reasonable to believe that an offence may have been committed (there’s always someone who tries to cheat the system, right?). The exception could enable the sharing of a quantity of personal information to permit the use of analytics to look for anomalies that might suggest the commission of on offence. The presence of this amendment in an omnibus budget bill that will receive very little scrutiny or debate contradicts the government’s own statement, in its announcement of its data strategy consultation, that “Data privacy and protection is paramount.” This is not a privacy-friendly amendment.

The other set of amendments to FIPPA contained in the budget bill are aimed at something labelled “data integration”. This is a process meant to allow government to derive greater value from its stores of data, by allowing it to generate useful data, including statistical data, to government and its departments and agencies. It allows for the intra-governmental sharing of data for preparing statistics for the purposes of resource management or allocation, as well as the planning and evaluation of the delivery of government funded programs and services, whether they are funded “in whole or in part, directly or indirectly” (s. 49.2(b)).

Because these amendments contemplate the use of personal information, there are measures specifically designed to protect privacy. For example, under s. 49.3, personal information is not to be used for data integration unless other data will not serve the purpose, and no more personal information shall be used than is reasonably necessary to meet the purpose. Public notice of the indirect (i.e. not directly from the individual) collection of personal information must be provided under s. 49.4. Any collection of personal information can only take place after data standards provided for in s. 49.14 have been approved by the Privacy Commissioner (s. 49.5). Once collected, steps must be taken to deidentify the personal information. The amendments include a definition of deidentification, which involves the removal of direct identifiers as well as any information “that could be used, either alone or with other information, to identify an individual based on what is reasonably foreseeable in the circumstances” (s. 49.1). Section 49.8 specifically prohibits anyone from using or attempting to use “information that has been identified under this Part, either alone or with other information, to identify an individual”.

Provision is made for the disclosure of personal information collected through the data integration scheme in limited circumstances – this includes the unfortunately worded exception discussed above where “there is a reasonable basis to believe that an offence may have been committed”. (s. 49.9(c)(ii)).

In terms of transparency, a new s. 49.10 provides for notice to be published on a website setting out information about any collection of personal information by a ministry engaged in data integration. The information provided must include the legal authority for the collection; the type of personal information that may be collected; and the information sources, the purpose of any collection, use or disclosure, as well as the nature of any linkages that will be made. Contact information must also be provided for someone who can answer any questions about the collection, use or disclosure of the personal information. Contact information must also be provided for the Privacy Commissioner. Data standards developed in relation to data integration must also be published (s. 49.14(2)), and any data integration unit that collections personal information must publish an annual report setting out prescribed information (s. 49.13).

Section 49.11 mandates the safe storage and disposal of any personal information, and sets retention limits. It also provides for data breach notification to be made to affected individuals as well as to the Commissioner. The Commissioner has the power, under s. 49.12 to review the practices and procedures of any data integration unit if the Commissioner “has reason to believe that the requirements of this Part are not being complied with”. The Commissioner has power to make orders regarding the discontinuance or the modification of practices or procedures, and can also order the destruction of personal information or require the adoption of a new practice or procedure.

The amendments regarding data integration are clearly designed to facilitate a better use of government data for the development and delivery of programs and services and for their evaluation. These are important measures and seem to have received some careful attention in the amendments. Once again, however, these seem to be important pieces of the data strategy for which the government has recently launched a consultation process that seems to be becoming more irrelevant by the day. Further, as part of an omnibus budget bill, these measures will not receive much in the way of discussion or debate. This is particularly unfortunate for two reasons. First, as the furore over Statistics Canada’s foray into using personal information to generate statistical data shows, transparency, public input and good process are important. Second, the expansion of bases on which personal information shared with government can be passed along to law enforcement merits public scrutiny, debate and discussion. Encroachments on privacy slipped by on the sly should be particularly suspect.

Published in Privacy
<< Start < Prev 1 2 3 4 5 6 7 Next > End >>
Page 4 of 7

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law