Teresa Scassa - Blog

 

Research for this article was made possible with the support of the Heinrich Boell Foundation Washington, DC.

This piece was originally published by Heinrich Boell Stiftung as part of their series on the broad impacts of the COVID-19 pandemic. The original publication can be found here.

 

 

A strong sense of regional sovereignty in the Canadian health care system may lead to different choices for technologies to track and contain the spread of the coronavirus. A multiplicity of non-interoperable apps could put their effectiveness in question and could create regional differences in approaches to privacy..

By Teresa Scassa

Canada’s national capital Ottawa is located in the province of Ontario but sits on the border with Quebec. As soon as restrictions on movement and activities due to the coronavirus begin to lift, the workforce will once again flow in both directions across a river that separates the two provinces. As with other countries around the world, Canada is debating how to use technology to prevent a second wave of infections. Yet as it stands right now, there is a chance that commuters between Ontario and Quebec could have different contact-tracing apps installed on their phone to track their movements, and that these apps might not be fully interoperable.

Innovation in contact-tracing apps is happening in real time, and amid serious concerns about privacy and security. In Canada, many provinces are on the threshold of adopting contact-tracing apps. Canadian app developers, building on technologies adopted elsewhere, will be offering solutions that rely on decentralized, centralized, or partially centralized data storage. At least one Canadian-built app proposes broader functionalities, including AI-enhancement. And, as is so often the case in Canada, its federal structure could lead to a multiplicity of different apps being adopted across the country. Similar challenges may be faced in the United States.

One app to rule them all?

Canada is a federal state, with 10 provinces and 3 territories. Under its constitution, health care is a matter of provincial jurisdiction, although the federal government regulates food and drug safety. It has also played a role in health care through its spending power, often linking federal health spending to particular priorities. However, when it comes to on-the-ground decision-making around the provision of health care services and public health on a regional level, the provinces are sovereign. Canadian federalism has been tested over the years by Quebec’s independence movement, and more recently by dissatisfaction from Western provinces, particularly Alberta. These tensions mean that co-operation and collaboration are not always top of mind.

When it comes to adoption of contact tracing apps, there is the distinct possibility in Canada that different provinces will make different choices. On May 1 Alberta became the first Canadian province to launch a contact tracing app. There have been reports, for example that New Brunswick is considering a contact tracing app from a local app developer, and the government of Newfoundland and Labrador has also indicated it is considering an app. Other governments contemplating contact tracing apps include Manitoba and Saskatchewan. The possibility that multiple different apps will be adopted across the country is heightened by reports that one municipal entity – Ottawa Public Health – may also have plans to adopt its own version of a contact-tracing app.

Although different contact-tracing apps may not seem like much of an issue with most Canadians under orders to stay home, as restrictions begin to loosen, the need for interoperability will become more acute. If non-interoperable contact-tracing apps were to be adopted in Ontario and Quebec (or even in Ontario, Quebec and Ottawa itself), their individual effectiveness would be substantially undermined. Similar situations could play out in border areas across the country, as well as more generally as Canadians begin to travel across the country.

On May 5, 2020, Doug Ford, the premier of Ontario, Canada’s most populous province, called for a national strategy for contact tracing apps in order to prevent fragmentation. His call for cohesion no doubt recognizes the extent to which Canada’s sometimes shambolic federalism could undermine collective public health goals. Yet with so many provinces headed in so many different directions, often with local app developers as partners, it remains to be seen what can be done to harmonize efforts.

Privacy and contact tracing in Canada

The international privacy debate around contact-tracing apps has centred on limiting the ability of governments to access data that reveals individuals’ patterns of movement and associations. Attention has focused on the differences between centralized and decentralized storage of data collected by contact-tracing apps. With decentralized data storage, all data is locally stored on the app user’s phone; public health authorities are able to carry out contact-tracing based on app data only through a complex technological process that keeps user identities and contacts obscure. This model would be supported by the Google/Apple API, and seems likely to be adopted in many EU states. These apps will erase contact data after it ceases to be relevant, and will cease to function at the end of the pandemic period.

By contrast, with centralized data storage, data about app registrants and their contacts is stored on a central server accessible to public health authorities. A compromise position is found with apps in which data is initially stored only on a user’s phone. If a user tests positive for COVID-19, their data is shared with authorities who then engage in contact-tracing. As an additional privacy protection, express consent can be required before users upload their data to central storage. This is a feature of both the Australian and Alberta models.

Decentralized storage has gained considerable traction in the EU where there are deep concerns about function creep and about the risk that user contact data could be used to create ‘social graphs’ of individuals. The European privacy debates are influenced by the General Data Protection Regulation (GDPR) and its shift toward greater individual control over personal data. In Canada, although the federal privacy commissioner has been advancing a ‘privacy as a human right’ approach to data protection, and although there has been considerable public frustration over the state of private sector data protection, little public sentiment seems to have galvanized around contact-tracing apps. Although Canadians have reacted strongly against perceived overcollection of personal data by public sector bodies in the past, in the pandemic context there seems to be a greater public willingness to accept some incursions on privacy for the public good. What incursions will be acceptable remains to be seen. The federal, provincial and territorial privacy commissioners (with the notable exception of the Alberta commissioner whose hands have been somewhat tied by the launch of the Alberta app) have issued a joint statement on the privacy requirements to be met by contact-tracing apps.

The Alberta contact-tracing app has received the cautious endorsement of the province’s Privacy Commissioner who described it as a “less intrusive” approach (presumably than full centralized storage). She noted that she had reviewed the Privacy Impact Assessment (PIA) (a study done to assess the privacy implications of the app), and was still seeking assurances that collected data would not be used for secondary purposes. She also indicated that the government had committed to the publication of a summary of the Privacy Impact Assessment, although no date was provided for its eventual publication.

Given the attention already paid to privacy in Europe and elsewhere, and given that Australia’s similar app was launched in conjunction with the public release of its full PIA, the Alberta launch should set off both privacy and transparency alarms in Canada. In a context in which decisions are made quickly and in which individuals are asked to sacrifice some measure of privacy for the public good, sound privacy decision-making, supported by full transparent PIAs, and an iterative process for rectifying privacy issues as they emerge, seems a minimum requirement. The release of the Alberta app has also created a gap in the common front of privacy commissioners, and raises questions about the interoperability of contact-tracing apps across Canada. It remains to be seen whether Canada’s federal structure will lead not just to different apps in different provinces, but to different levels of transparency and privacy as well.

 

Published in Privacy

Clearview AI and its controversial facial recognition technology have been making headlines for weeks now. In Canada, the company is under joint investigation by federal and provincial privacy commissioners. The RCMP is being investigated by the federal Privacy Commissioner after having admitted to using Clearview AI. The Ontario privacy commissioner has expressed serious concerns about reports of Ontario police services adopting the technology. In the meantime, the company is dealing with a reported data breach in which hackers accessed its entire client list.

Clearview AI offers facial recognition technology to ‘law enforcement agencies.’ The term is not defined on their site, and at least one newspaper report suggests that it is defined broadly, with private security (for example university campus police) able to obtain access. Clearview AI scrapes images from publicly accessible websites across the internet and compiles them in a massive database. When a client provides them with an image of a person, they use facial recognition algorithms to match the individual in the image with images in its database. Images in the database are linked to their sources which contain other identifying information (for example, they might link to a Facebook profile page). The use of the service is touted as speeding up all manner of investigations by facilitating the identification of either perpetrators or victims of crimes.

This post addresses a number of different issues raised by the Clearview AI controversy, framed around the two different sets of privacy investigations. The post concludes with additional comments about transparency and accountability.

1. Clearview AI & PIPEDA

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use and disclosure of personal information by private sector organizations engaged in commercial activities. Although Clearview AI is a U.S. company, PIPEDA will still apply if there is a sufficient nexus to Canada. In this case, the service clearly captures data about Canadians, and the facial recognition services are marketed to Canadian law enforcement agencies. This should be enough of a connection.

The federal Privacy Commissioner is joined in his investigation by the Commissioners of Quebec, B.C. and Alberta. Each of these provinces has its own private sector data protection laws that apply to organizations that collect, use and disclose personal information within the borders of their respective province. The joint investigation signals the positive level of collaboration and co-operation that exists between privacy commissioners in Canada. However, as I explain in an earlier post, the relevant laws are structured so that only one statute applies to a particular set of facts. This joint investigation may raise important jurisdictional questions similar to those raised in the Facebook/Cambridge Analytica joint investigation and that were not satisfactorily resolved in that case. It is a minor issue, but nonetheless one that is relevant and interesting from a privacy governance perspective.

The federal Commissioner’s investigation will focus on whether Clearview AI complied with PIPEDA when it collected, used and disclosed the personal information which populates its massive database. Clearview AI’s position on the legality of its actions is clearly based on U.S. law. It states on its website that: “Clearview searches the open web. Clearview does not and cannot search any private or protected info, including in your private social media accounts.” In the U.S., there is much less in the way of privacy protection for information in ‘public’ space. In Canada however, the law is different. Although there is an exception in PIPEDA (and in comparable provincial private sector laws) to the requirement of consent for the collection, use or disclosure of “publicly available information”, this exception is cast in narrow terms. It is certainly not broad enough to encompass information shared by individuals through social media. Interestingly, in hearings into PIPEDA reform, the House of Commons ETHI Committee at one point seemed swayed by industry arguments that PIPEDA should be amended to include websites and social media within the exception for “publicly available personal information”. In an earlier post, I argued that this was a dangerous direction in which to head, and the Clearview AI controversy seems to confirm this. Sharing photographs online for the purposes of social interaction should not be taken as consent to use those images in commercial facial recognition technologies. What is more, the law should not be amended to deem it to be so.

To the extent, then, that the database contains personal information of Canadians that was collected without their knowledge or consent, the conclusion will likely be that there has been a breach of PIPEDA. The further use and disclosure of personal information without consent will also amount to a breach. An appropriate remedy would include ordering Clearview AI to remove all personal information of Canadians that was collected without consent from its database. Unfortunately, the federal Commissioner does not have order-making powers. If the investigation finds a breach of PIPEDA, it will still be necessary to go to Federal Court to ask that court to hold its own hearing, reach its own conclusions, and make an order. This is what is currently taking place in relation the Facebook/Cambridge Analytica investigation, and it makes somewhat of a mockery of our privacy laws. Stronger enforcement powers are on the agenda for legislative reform of PIPEDA, and it is to be hoped that something will be done about this before too long.

 

2. The Privacy Act investigation

The federal Privacy Commissioner has also launched an investigation into the RCMP’s now admitted use of Clearview AI technology. The results of this investigation should be interesting.

The federal Privacy Act was drafted for an era in which government institution generally collected the information they needed and used from individuals. Governments, in providing all manner of services, would compile significant amounts of data, and public sector privacy laws set the rules for governance of this data. These laws were not written for our emerging context in which government institutions increasingly rely on data analytics and data-fueled AI services provided by the private sector. In the Clearview AI situation, it is not the RCMP that has collected a massive database of images for facial recognition. Nor has the RCMP contracted with a private sector company to build this service for it. Instead, it is using Clearview AI’s services to make presumably ad hoc inquiries, seeking identity information in specific instances. It is not clear whether or how the federal Privacy Act will apply in this context. If the focus is on the RCMP’s ‘collection’ and ‘use’ of personal information, it is arguable that this is confined to the details of each separate query, and not to the use of facial recognition on a large scale. The Privacy Act might simply not be up to addressing how government institutions should interact with these data-fuelled private sector services.

The Privacy Act is, in fact, out of date and clearly acknowledged to be so. The Department of Justice has been working on reforms and has attempted some initial consultation. But the Privacy Act has not received the same level of public and media attention as has PIPEDA. And while we might see reform of PIPEDA in the not too distant future, reform of the Privacy Act may not make it onto the legislative agenda of a minority government. If this is the case, it will leave us with another big governance gap for the digital age.

If the Privacy Act is not to be reformed any time soon, it will be very interesting to see what the Privacy Commissioner’s investigation reveals. The interpretation of section 6(2) of the Privacy Act could be of particular importance. It provides that: “A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.” In 2018 the Supreme Court of Canada issued a rather interesting decision in Ewert v. Canada, which I wrote about here. The case involved a Métis man’s challenge to the use of actuarial risk-assessment tests by Correctional Services Canada to make decisions related to his incarceration. He argued that the tests were “developed and tested on predominantly non-Indigenous populations and that there was no research confirming that they were valid when applied to Indigenous persons.” (at para 12). The Corrections and Conditional Release Act contained language very similar to s. 6(2) of the Privacy Act. The Supreme Court of Canada ruled that this language placed an onus on the CSC to ensure that all of the data it relied upon in its decision-making about inmates met that standard – including the data generated from the use of the assessment tools. This ruling may have very interesting implications not just for the investigation into the RCMP’s use of Clearview’s technology, but also for public sector use of private sector data-fueled analytics and AI where those tools are based upon personal data. The issue is whether, in this case, the RCMP is responsible for ensuring the accuracy and reliability of the data generated by a private sector AI system on which they rely.

One final note on the use of Clearview AI’s services by the RCMP – and by other police services in Canada. A look at Clearview AI’s website reveals its own defensiveness about its technologies, which it describes as helping “to identify child molesters, murderers, suspected terrorists, and other dangerous people quickly, accurately, and reliably to keep our families and communities safe.” Police service representatives have also responded defensively to media inquiries, and their admissions of use come with very few details. If nothing else, this situation highlights the crucial importance of transparency, oversight and accountability in relation to these technologies that have privacy and human rights implications. Transparency can help to identify and examine concerns, and to ensure that the technologies are accurate, reliable and free from bias. Policies need to be put in place to reflect clear decisions about what crimes or circumstances justify the use of these technologies (and which ones do not). Policies should specify who is authorized to make the decision to use this technology and according to what criteria. There should be record-keeping and an audit trail. Keep in mind that technologies of this kind, if unsupervised, can be used to identify, stalk or harass strangers. It is not hard to imagine someone use this technology to identify a person seen with an ex-spouse, or even to identify an attractive woman seen at a bar. They can also be used to identify peaceful protestors. The potential for misuse is enormous. Transparency, oversight and accountability are essential if these technologies are to be used responsibly. The sheepish and vague admissions of use of Clearview AI technology by Canadian police services is a stark reminder that there is much governance work to be done around such technologies in Canada even beyond privacy law issues.

Published in Privacy

An interesting case from Quebec demonstrates the tension between privacy and transparency when it comes to public registers that include personal information. It also raises issues around ownership and control of data, including the measures used to prevent data scraping. The way the litigation was framed means that not all of these questions are answered in the decision, leaving some lingering public policy questions.

Quebec’s Enterprise Registrar oversees a registry, in the form of a database, of all businesses in Quebec, including corporations, sole corporations and partnerships. The Registrar is empowered to do so under the Act respecting the legal publicity of enterprises (ALPE), which also establishes the database. The Registrar is obliged to make this register publicly accessible, including remotely by technological means, and basic use of the database is free of charge.

The applicant in this case is OpenCorporates, a U.K.-based organization dedicated to ensuring total corporate transparency. According to its website, OpenCorporates has created and maintains “the largest open database of companies in the world”. It currently has data on companies located in over 130 jurisdictions. Most of this data is drawn from reliable public registries. In addition to providing a free, searchable public resource, OpenCorporates also sells structured data to financial institutions, government agencies, journalists and other businesses. The money raised from these sales finances its operations.

OpenCorporates gathers its data using a variety of means. In 2012, it began to scrape data from Quebec’s Enterprise Register. Data scraping involves the use of ‘bots’ to visit and automatically harvest data from targeted web pages. It is a common data-harvesting practice, widely used by journalists, civil society actors and researchers, as well as companies large and small. As common as it may be, it is not always welcome, and there has been litigation in Canada and around the world about the legality of data scraping practices, chiefly in contexts where the defendant is attempting to commercialize data scraped from a business rival.

In 2016 the Registrar changed the terms of service for the Enterprise Register. These changes essentially prohibited web scraping activities, as well as the commercialization of data extracted from the site. The new terms also prohibit certain types of information analyses; for example, they bar searches for data according to the name and address of a particular person. All visitors to the site must agree to the Terms of Service. The Registrar also introduced technological measures to make it more difficult for bots to scrape its data.

Opencorporates Ltd. C. Registraire des entreprises du Québec is not a challenge to the Register’s new, restrictive terms and conditions. Instead, because the Registrar also sent OpenCorporates a cease and desist letter demanding that it stop using the data it had collected prior to the change in Terms of Service, OpenCorporates sought a declaration from the Quebec Superior Court that it was entitled to continue to use this earlier data.

The Registrar acknowledged that nothing in the ALPE authorizes it to control uses made of any data obtained from its site. Further, until it posted the new terms and conditions for the site, nothing limited what users could do with the data. The Registrar argued that it had the right to control the pre-2016 data because of the purpose of the Register. It argued that the ALPE established the Register as the sole source of public data on Quebec businesses, and that the database was designed to protect the personal information that it contained (i.e. the names and addresses of directors of corporations). For example, it does not permit extensive searches by name or address. OpenCorporates, by contrast, permits the searching of all of its data, including by name and address.

The court characterized the purpose of the Register as being to protect individuals and corporations that interact with other corporations by assuring them easy access to identity information, including the names of those persons associated with a corporation. An electronic database gives users the ability to make quick searches and from a distance. Quebec’s Act to Establish a Legal Framework for Information Technology provides that where a document contains personal information and is made public for particular purposes, any extensive searches of the document must be limited to those purposes. This law places the onus on the person responsible for providing access to the document to put in place appropriate technological protection measures. Under the ALPE, the Registrar can carry out more comprehensive searches of the database on behalf of users who must make their request to the Registrar. Even then, the ALPE prohibits the Registrar from using the name or address of an individual as a basis for a search. According to the Registrar, a member of the public has right to know, once one they have the name of a company, with whom they are dealing; they do not have the right to determine the number of companies to which a physical person is linked. By contrast, this latter type of search is one that could be carried out using the OpenCorporates database.

The court noted that it was not its role to consider the legality of OpenCorporates’ database, nor to consider the use made by others of that database. It also observed that individuals concerned about potential privacy breaches facilitated by OpenCorporates might have recourse under Quebec privacy law. Justice Rogers’ focus was on the specific question of whether the Registrar could prevent OpenCorporates from using the data it gathered prior to the change of terms of service in 2016. On this point, the judge ruled in favour of OpenCorporates. In her view, OpenCorporates’ gathering of this data was not in breach of any law that the Registrar could rely upon (leaving aside any potential privacy claims by individuals whose data was scraped). Further, she found that nothing in the ALPE gave the Registrar a monopoly on the creation and maintenance of a database of corporate data. She observed that the use made by OpenCorporates of the data was not contrary to the purpose of the ALPE, which was to create greater corporate transparency and to protect those who interacted with corporations. She ruled that nothing in the ALPE obligated the Registrar to eliminate all privacy risks. The names and addresses of those involved with corporations are public information; the goal of the legislation is to facilitate digital access to the data while at the same time placing limits on bulk searches. Nothing in the ALPE prevented another organization from creating its own database of Quebec businesses. Since OpenCorporates did not breach any laws or terms of service in collecting the information between 2012 and 2016, nothing prevented it from continuing to use that information in its own databases. Justice Rogers issued a declaration to the effect that the Registrar was not permitted to prevent OpenCorporates from publishing and distributing the data it collected from the Register prior to 2016.

While this was a victory for OpenCorporates, it did not do much more than ensure its right to continue to use data that will become increasingly dated. There is perhaps some value in the Court’s finding that the existence of a public database does not, on its own, preclude the creation of derivative databases. However, the decision leaves some important questions unanswered. In the first place, it alludes to but offers no opinion on the ability to challenge the inclusion of the data in the OpenCorporates database on privacy grounds. While a breach of privacy argument might be difficult to maintain in the case of public data regarding corporate ownership, it is still unpredictable how it might play out in court. This is far less sensitive data that that involved in the scraping of court decisions litigated before the Federal Court in A.T. v. Globe24hr.com; there is a public interest in making the specific personal information available in the Registry; and the use made by OpenCorporates is far less exploitative than in Globe24hr. Nevertheless, the privacy issues remain a latent difficulty. Overall, the decision tells us little about how to strike an appropriate balance between the values of transparency and privacy. The legislation and the Registrar’s approach are designed to make it difficult to track corporate ownership or involvement across multiple corporations. There is rigorous protection of information with low privacy value and with a strong public dimension; with transparency being weakened as a result. It is worth noting that another lawsuit against the Register may be in the works. It is reported that the CBC is challenging the decision of the Registrar to prohibit searches by names of directors and managers of companies as a breach of the right to freedom of expression.

Because the terms of service were not directly at issue in the case, there is also little to go on with respect to the impact of such terms. To what extent can terms of service limit what can be done with publicly accessible data made available over the Internet? The recent U.S. case of hiQ Labs Inc. v. LinkedIn Corp. raises interesting questions about freedom of expression and the right to harvest publicly accessible data. This and other important issues remain unaddressed in what is ultimately an interesting but unsatisfying court decision.

 

Published in Privacy

In October 2016, the data analytics company Geofeedia made headlines when the California chapter of the American Civil Liberties Union (ACLU) issued the results of a major study which sought to determine the extent to which police services in California were using social media data analytics. These analytics were based upon geo-referenced information posted by ordinary individuals to social media websites such as Twitter and Facebook. Information of this kind is treated as “public” in the United States because it is freely contributed by users to a public forum. Nevertheless, the use of social media data analytics by police raises important civil liberties and privacy questions. In some cases, users may not be aware that their tweets or posts contain additional meta data including geolocation information. In all cases, the power of data analytics permits rapid cross-referencing of data from multiple sources, permitting the construction of profiles that go well beyond the information contributed in single posts.

The extent to which social media data analytics are used by police services is difficult to assess because there is often inadequate transparency both about the actual use of such services and the purposes for which they are used. Through a laborious process of filing freedom of information requests the ACLU sought to find out which police services were contracting for social media data analytics. The results of their study showed widespread use. What they found in the case of Geofeedia went further. Although Geofeedia was not the only data analytics company to mine social media data and to market its services to government authorities, its representatives had engaged in email exchanges with police about their services. In these emails, company employees used two recent sets of protests against police as examples of the usefulness of social media data analytics. These protests were those that followed the death in police custody of Freddie Gray, a young African-American man who had been arrested in Baltimore, and the shooting death by police of Michael Brown, an eighteen-year-old African-American man in Ferguson, Missouri. By explicitly offering services that could be used to monitor those who protested police violence against African Americans, the Geofeedia emails aggravated a climate of mistrust and division, and confirmed a belief held by many that authorities were using surveillance and profiling to target racialized communities.

In a new paper, just published in the online, open-access journal SCRIPTed, I use the story around the discovery of Geofeedia’s activities and the backlash that followed to frame a broader discussion of police use of social media data analytics. Although this paper began as an exploration of the privacy issues raised by the state’s use of social media data analytics, it shifted into a paper about transparency. Clearly, privacy issues – as well as other civil liberties questions – remain of fundamental importance. Yet, the reality is that without adequate transparency there simply is no easy way to determine whether police are relying on social media data analytics, on what scale and for what purposes. This lack of transparency makes it difficult to hold anyone to account. The ACLU’s work to document the problem in California was painstaking and time consuming, as was a similar effort by the Brennan Center for Justice, also discussed in this paper. And, while the Geofeedia case provided an important example of the real problems that underlie such practices, it only came to light because Geofeedia’s employees made certain representations by email instead of in person or over the phone. A company need only direct that email not be used for these kinds of communications for the content of these communications to disappear from public view.

My paper examines the use of social media data analytics by police services, and then considers a range of different transparency issues. I explore some of the challenges to transparency that may flow from the way in which social media data analytics are described or characterized by police services. I then consider transparency from several different perspectives. In the first place I look at transparency in terms of developing explicit policies regarding social media data analytics. These policies are not just for police, but also for social media platforms and the developers that use their data. I then consider transparency as a form of oversight. I look at the ways in which greater transparency can cast light on the activities of the providers and users of social media data and data analytics. Finally, I consider the need for greater transparency around the monitoring of compliance with policies (those governing police or developers) and the enforcement of these policies.

A full text of my paper is available here under a CC Licence.

Published in Privacy

As part of Right to Know week, I participated in a conference organized by Canada’s Office of the Information Commissioner. My panel was asked to discuss Bill C-58, an Act to amend the Access to Information Act. I have discussed other aspects of this bill here and here. Below are my thoughts on the Commissioner’s order-making powers under that Bill.

Bill C-58, the Act to amend the Access to Information Act will, if passed into law, give the Information Commissioner order-making powers. This development has been called for repeatedly over the years by the Commissioner as well as by access to information advocates. Order-making powers transform the Commissioner’s recommendations into requirements; they provide the potential to achieve results without the further and laborious step of having to go to the Federal Court. This is, at least the theory. For many, the presence of order-making powers is one of the strengths of C-58, a Bill that has otherwise been criticized for not going far enough to reform a badly outdated access to information regime.

Before one gets too excited about the order-making powers in Bill C-58, however, it is worth giving them a closer look. The power is found in a proposed new s. 36.1, which reads:

36.‍1 (1) If, after investigating a complaint described in any of paragraphs 30(1)‍(a) to (d.‍1), the Commissioner finds that the complaint is well-founded, he or she may make any order in respect of a record to which this Part applies that he or she considers appropriate, including requiring the head of the government institution that has control of the record in respect of which the complaint is made

(a) to disclose the record or a part of the record; and

(b) to reconsider their decision to refuse access to the record or a part of the record.

Although this appears promising, there is a catch. Any such order will not take effect until after the expiry of certain periods of time. The first of these is designed to allow the head of the institution to ask the Federal Court to review “the matter that is the subject of the complaint.” The second time period is to allow third parties (for example, someone whose personal information or confidential commercial information might be affected by the proposed order) or the federal Privacy Commissioner to apply to the Federal Court for a review. (The reason why the Privacy Commissioner might be seeking a review is the subject of an earlier post here).

The wording of these provisions makes it clear that recourse to the Federal Court is neither an appeal of the Commissioner’s order, nor an application for judicial review. Instead, the statute creates a right to request a hearing de novo before the Federal Court on “the matter that is the subject of the complaint”. As we know from experience with the Personal Information Protection and Electronic Documents Act, such a proceeding de novo does not require any deference to be given to the Commissioner’s report, conclusions or order.

One need only compare these order-making powers with those of some of the Commissioner’s provincial counterparts to see how tentative the drafters of Bill C-58 have been. Alberta’s Freedom of Information and Protection of Privacy Act states simply “An order made by the Commissioner under this Act is final.”(s. 73) British Columbia’s statute takes an approach which at first glance looks similar to what is in C-58. Section 59 provides:

59. (1) Subject to subsection (1.1), not later than 30 days after being given a copy of an order of the commissioner, the head of the public body concerned or the service provider to whom the order is directed, as applicable, must comply with the order unless an application for judicial review of the order is brought before that period ends.

Like C-58, s. 59 of B.C.’s Freedom of Information and Protection of Privacy Act provides for a delay in the order’s taking effect depending on whether the head of the institution seeks to challenge it. However, unlike C-58, the head of the institution must seek judicial review of the order (not the matter more generally). Judicial review is based on the record that was before the original adjudicator. It is also a process that requires some deference to be shown to the Commissioner.

A report on the modernization of Canada’s access to information regime compared the current ombuds model with the order-making model. It found that the order making model was preferable for a number of cogent reasons. Two of these were:

  • It gives a clear incentive to institutions to apply exemptions only where there is sufficient evidence to support non-disclosure and then put this evidence before the adjudicator, as judicial review before the Court is based on the record that was before the adjudicator.
  • The grounds on which the order can be set aside are limited and the institution cannot introduce new evidence or rely on new exemptions, as it is the adjudicator’s, and not the institution’s, decision that is under review before the Court.

These are very sound reasons for moving to an order-making model. Unfortunately, the model provided in Bill C-58 does not provide these advantages. Because it allows for a hearing de novo, there is no incentive to put everything before the adjudicator – new evidence and arguments can be introduced before the Federal Court. This will do nothing to advance the goals of accountability and transparency; it might even help to obstruct them.

Published in Privacy

Toronto Star journalist Theresa Boyle has just won an important victory for access to information rights and government transparency – one that is likely to be challenged before the Ontario Court of Appeal. On June 30, 2017, three justices of the Ontario Divisional Court unanimously upheld an adjudicator’s order that the Ministry of Health and Long-Term Care disclose the names, annual billing amounts and fields of medical specialization of the 100 top-billing physicians in Ontario. The application for judicial review of the order was brought by the Ontario Medical Association, along with many of the doctors on the disputed list (the Applicants).

The amount that the Ontario Health Insurance Program (OHIP) pays physicians for services rendered is government information. Under the Freedom of Information and Protection of Privacy Act (FOIPPA), the public has a right of access to government information – subject to specific exceptions that serve competing issues of public interest. One of these is privacy – a government institution can refuse to disclose information if it would reveal personal information. The Ministry had been willing to disclose the top 100 amounts billed to OHIP, but it refused to disclose the names of the doctors or some of the areas of specialization (which might lead to their identification) on the basis that this was the physicians’ personal information. The Adjudicator disagreed and found that the billing information, including the doctors’ names, was not personal information. Instead, it identified the physicians in their professional capacity. FOIPPA excludes this sort of information from the definition of personal information.

The Applicants accepted that the physicians were named in the billing records in their professional capacity. However, they argued that when those names were associated with the gross amounts, this revealed “other personal information”. In other words, they argued that the raw billing information did not reflect the business overhead expenses that physicians had to pay from their earnings. As a result, this information, if released, would be misinterpreted by the public as information about their net incomes. They argued that this made converted it into “other personal information relating to the individual” (s. 2(1)(h)). How much doctors bill OHIP should be public information. The idea that the possibility that such information might be misinterpreted could be a justification for refusal to disclose it is paternalistic. It also has the potential to stifle access to information. The argument deserved the swift rejection it received from the court.

The Applicants also argued that the adjudicator erred by not following earlier decisions of the Office of the Information and Privacy Commissioner (OIPC) that had found that the gross billing amounts associated with physician names constituted personal information. Adjudicator John Higgins ruled that “Payments that are subject to deductions for business expenses are clearly business information.” (at para 18) The Court observed that the adjudicator was not bound to follow earlier OIPC decisions. Further, the issue of consistency could be looked at in two ways. As the adjudicator himself had noted, the OIPC had regularly treated information about the income of non-medical professionals as non-personal information subject to disclosure under the FOIPPA; but for some reasons had treated physician-related information differently. Thus, while one could argue that the adjudicator’s decision was inconsistent with earlier decisions about physician billing information, it was entirely consistent with decisions about monies paid by government to other professionals. The Court found no fault with the adjudicator’s approach.

The Applicants had also argued that Ms Boyle “had failed to establish a pressing need for the information or how providing it to her would advance the objective of transparency in government.” (para 31). The court gave this argument the treatment it deserved – they smacked it down. Justice Nordheimer observed that applicants under the FOIPPA are not required to provide reasons why they seek information. Rather, the legislation requires that information of this kind “is to be provided unless a privacy exception is demonstrated.” (at para 32) Justice Nordheimer went on to note that under access to information legislation, “the public is entitled to information in the possession of their governments so that the public may, among other things, hold their governments accountable.” He stated that “the proper question to be asked in this context, therefore, is not “why do you need it?” but rather is “why should you not have it.”” (at para 34).

This decision of the Court is to be applauded for making such short work of arguments that contained little of the public interest and a great deal of private interest. Transparency within a publicly-funded health care system is essential to accountability. Kudos to Theresa Boyle and the Toronto Star for pushing this matter forward. The legal costs of $50,000 awarded to them make it clear that transparency and accountability often do not come cheaply or without significant effort. And those costs continue to mount as the issues must now be hammered out again before the Ontario Court of Appeal.

Published in Privacy

How does one balance transparency with civil liberties in the context of election campaigns? This issue is at the core of a decision just handed down by the Supreme Court of Canada.

B.C. Freedom of Information and Privacy Association v. Attorney-General (B.C.) began as a challenge by the appellant organization to provisions of B.C.’s Election Act that required individuals or organizations who “sponsor election advertising” to register with the Chief Electoral Officer. Information on the register is publicly available. The underlying public policy goals to allow the public to see who is sponsoring advertising campaigns during the course of elections. The Supreme Court of Canada easily found this objective to be “pressing and substantial”.

The challenge brought by the B.C. Freedom of Information and Privacy Association (BCFIPA) was based on the way in which the registration requirement was framed in the Act. The Canada Elections Act also contains a registration requirement, but the requirement is linked to a spending threshold. In other words, under the federal statute, those who spend more than $500 on election advertising are required to register; others are not. The B.C. legislation is framed instead in terms of a general registration requirement for all sponsors of election advertising. BCFIPA’s concern was that this would mean that any individual who placed a handmade sign in their window, who wore a t-shirt with an election message, or who otherwise promoted their views during an election campaign would be forced to register. Not only might this chill freedom of political expression in its own right, it would raise significant privacy issues for individuals since they would have to disclose not just their names, but their addresses and other contact information in the register. Thus, the BCFIPA sought to have the registration requirement limited by the Court to only those who spent more than $500 on an election campaign.

The problem in this case was exacerbated by the position taken by B.C.’s Chief Electoral Officer. In a 2010 report to the B.C. legislature, he provided his interpretation of the application of the legislation. He expressed the view that it did not “distinguish between those sponsors conducting full media campaigns and individuals who post handwritten signs in their apartment windows.” (at para 19). This interpretation of the Election Act was accepted by both the trial judge and at the Court of Appeal, and it shaped the argument before those courts as well as their decisions.

The Supreme Court of Canada took an entirely different approach. They interpreted the language “sponsor election advertising” to mean something other than the expression of political views by individuals. In other words, the statute applied only to those who sponsored election advertising – i.e., those who paid for election advertising to be conducted or who received such services as a contribution. The Court was of the view that the public policy behind registration requirements was generally sound. It found that a legislature could mitigate the impact on freedom of expression by either setting a monetary threshold to trigger the requirement (as is the case at the federal level) or by defining sponsorship to exclude individual expression (as was the case in B.C.). While it is true that the B.C. statute could still capture organized activities involving expenditures of less than $500, and might thus have some limiting effect, the Court found that this would not be significant for a number of reasons, and that such impacts were easily reconcilable with the benefits of the registration scheme.

The decision of the Supreme Court of Canada will be useful in clarifying the scope and impact of the Election Act and in providing guidance for similar statutes. It should be noted however, that the case traveled to the Supreme Court of Canada at great cost both to BCFIPA and to the taxpayer because of either legislative inattention to the need to clarify the scope of the legislation or because of an over-zealous interpretation of the statute by the province’s Chief Electoral Officer. The situation highlights the need for careful attention to be paid at the outset of such initiatives to the balance that must be struck between transparency and other competing values such as civil liberties and privacy.

 

Published in Privacy

The federal government has just released for public comment its open government plan for 2016-2018. This is the third such plan since Canada joined the Open Government Partnership in 2012. The two previous plans were released by the Conservative government, and were called Canada’s Action Plan on Open Government 2012-2014 and Canada’s Action Plan on Open Government 2014-2016. This most recent plan is titled Canada’s New Plan on Open Government (“New Plan”). The change in title signals a change in approach.

The previous government structured its commitments around three broad themes: Open Data, Open Information and Open Dialogue. It is fair to say that it was the first of these themes that received the greatest attention. Under the Conservatives there were a number of important open data initiatives: the government developed an open data portal, an open government licence (modeled on the UK Open Government Licence), and a Directive on Open Government. It also committed to funding the Open Data Exchange (ODX) (a kind of incubator hub for open data businesses in Canada), and supported a couple of national open data hackathons. Commitments under Open Information were considerably less ambitious. While important improvements were made to online interfaces for making access to information requests, and while more information was provided about already filled ATIP requests, it is fair to say that improving substantive access to government information was not a priority. Open dialogue commitments were also relatively modest.

Canada’s “New Plan” is considerably different in style and substance from its predecessors. This plan is structured around 4 broad themes: open by default; fiscal transparency; innovation, prosperity and sustainable development; and engaging Canadians and the world. Each theme comes with a number of commitments and milestones, and each speaks to an aspirational goal for open government, better articulating why this is an initiative worth an investment of time and resources.

Perhaps because there was so great a backlash against the previous government’s perceived lack of openness, the Liberals ran on an election platform that stressed openness and transparency. The New Plan reflects many of these election commitments. As such, it is notably more ambitious than the previous two action plans. The commitments are both deeper (for example, the 2014-2016 action plan committed to a public database disclosing details of all government contracts over $10,000; the New Plan commits to revealing details of all contracts over $1), and more expansive (with the government committing to new openness initiatives not found in earlier plans).

One area where the previous government faced considerable criticism (see, for example Mary Francoli’s second review of Canada’s open government commitments) was in respect of the access to information regime. That government’s commitments under “open information” aimed to improve access to information processes without addressing substantive flaws in the outdated Access to Information Act. The new government’s promise to improve the legislation is up front in the New Plan. Its first commitment is to enhance access to information through reforms to the legislation. According to the New Plan, these include order-making powers for the Commissioner, extending the application of the Access to Information Act to the Prime Minister and his Ministers’ Offices, and mandatory 5-year reviews of the legislation. Although these amendments would be a positive step, they fall short of those recommended by the Commissioner. It will also be interesting to see whether everything on this short list comes to pass. (Order-making powers in particular are something to watch here.) The House of Commons Standing Committee on Access to Information, Privacy and Ethics has recently completed hearings on this legislation. It will be very interesting to see what actually comes of this process. As many cynics (realists?) have observed, it is much easier for opposition parties to be in favour of open and transparent government than it is for parties in power. Whether the Act gets the makeover it requires remains to be seen.

One of the interesting features of this New Plan is that many of the commitments are ones that go to supporting the enormous cultural shift that is required for a government to operate in a more open fashion. Bureaucracies develop strong cultures, often influenced by long-cherished policies and practices. Significant change often requires more than just a new policy or directive; the New Plan contains commitments for the development of clear guidelines and standards for making data and information open by default, as well as commitments to training and education within the civil service, performance metrics, and new management frameworks. While not particularly ‘exciting’, these commitments are important and they signal a desire to take the steps needed to effect a genuine cultural shift within government.

The New Plan identifies fiscal transparency as an overarching theme. It contains several commitments to improve fiscal transparency, including more extensive and granular reporting of information on departmental spending, greater transparency of budget data and of fiscal analysis, and improved openness of information around government grants and other contributions. The government also commits to creating a single portal for Canadians who wish to search for information on Canadian businesses, whether they are incorporated federally or in one of the provinces or territories.

On the theme of Innovation, Prosperity and Sustainable Development, the New Plan also reflects commitments to greater openness in relation to federal science activities (a sore point with the previous government). It also builds upon a range of commitments that were present in previous action plans, including the use of the ODX to stimulate innovation, the development of open geospatial data, the alignment of open data at all levels of government in Canada, and the implementation of the Extractive Sector Transparency Measures Act. The New Plan also makes commitments to show leadership in supporting openness and transparency around the world.

The government’s final theme is “Engaging Canadians and the World”. This is the part where the government addresses how it plans to engage civil society. It plans to disband the Advisory Panel established by the previous government (of which I was a member). While the panel constituted a broad pool of expertise on which the government could draw, it was significantly under-utilized, and clearly this government plans to try something new. They state that they will “develop and maintain a renewed mechanism for ongoing, meaningful dialogue” between the government and civil society organizations – whatever that means. Clearly, the government is still trying to come up with a format or framework that will be most effective.

The government also commits in rather vague terms to fostering citizen participation and engagement with government on open government initiatives. It would seem that the government will attempt to “enable the use of new methods for consulting and engaging Canadians”, and will provide support and resources to government departments and agencies that require assistance in doing so. The commitments in this area are inward-looking – the government seems to acknowledge that it needs to figure out how to encourage and enhance citizen engagement, but at the same time is not sure how to do so effectively.

In this respect, the New Plan offers perhaps a case in point. This is a detailed and interesting plan that covers a great deal of territory and that addresses many issues that should be of significant concern to Canadians. It was released on June 16, with a call for comments by June 30. Such a narrow window of time in which to comment on such a lengthy document does not encourage engagement or dialogue. While the time constraints may be externally driven (by virtue of OGP targets and deadlines), and while there has been consultation in the lead up to the drafting of this document, it is disappointing that the public is not given more time to engage and respond.

For those who are interested in commenting, it should be noted that the government is open to comments/feedback in different forms. Comments may be made by email, or they can be entered into a comment box at the bottom of the page where the report is found. These latter comments tend to be fairly short and, once they pass through moderation, are visible to the public.

 

The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.

The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.

RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPCC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.

In reaching it conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)

After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)

RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.

The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.

The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.

Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.

Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.

Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.

Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.

 

 

 

 

Published in Privacy

I was at the United Nations last week for an Expert Group Meeting on Moving from commitments to results in building effective, accountable and inclusive institutions at all levels. On February 18, 2016, I gave a presentation on balancing privacy with transparency in open government. This is a challenging issue, and one that is made even more so by digitization, information communication technologies and the big data environment.

Openness access to government information and data serve the goals of greater transparency and greater public trust in government. They are essential in fighting corruption, but they are also important in holding governments to account for their decision-making and for their spending of public funds. However, transparency must also be balanced against other considerations, including privacy. Privacy is a human right, and it protects the dignity, autonomy and integrity of individuals. Beyond this, however, the protection of privacy of personal information in the hands of governments also enhances public trust in governments and can contribute to citizen engagement.

How, then, does one balance privacy with transparency when it comes to information in the hands of government? There are no easy answers. My slides from my presentation can be found here, and these slides contain some links to some other publicly available work on this topic.

Published in Privacy
<< Start < Prev 1 2 Next > End >>
Page 1 of 2

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law