access to information Ambush Marketing big data citizen science confidential information copyright data protection ecommerce and internet law Electronic Commerce electronic commerce and internet law Extraterritoriality fair use freedom of expression Geospatial geospatial data intellectual property Internet internet law invasion of privacy IP open courts open data open government personal information Privacy proactive disclosure takings trademark law trademarks transparency
Monday, 20 June 2016 07:10
The federal government has just released for public comment its open government plan for 2016-2018. This is the third such plan since Canada joined the Open Government Partnership in 2012. The two previous plans were released by the Conservative government, and were called Canada’s Action Plan on Open Government 2012-2014 and Canada’s Action Plan on Open Government 2014-2016. This most recent plan is titled Canada’s New Plan on Open Government (“New Plan”). The change in title signals a change in approach.
The previous government structured its commitments around three broad themes: Open Data, Open Information and Open Dialogue. It is fair to say that it was the first of these themes that received the greatest attention. Under the Conservatives there were a number of important open data initiatives: the government developed an open data portal, an open government licence (modeled on the UK Open Government Licence), and a Directive on Open Government. It also committed to funding the Open Data Exchange (ODX) (a kind of incubator hub for open data businesses in Canada), and supported a couple of national open data hackathons. Commitments under Open Information were considerably less ambitious. While important improvements were made to online interfaces for making access to information requests, and while more information was provided about already filled ATIP requests, it is fair to say that improving substantive access to government information was not a priority. Open dialogue commitments were also relatively modest.
Canada’s “New Plan” is considerably different in style and substance from its predecessors. This plan is structured around 4 broad themes: open by default; fiscal transparency; innovation, prosperity and sustainable development; and engaging Canadians and the world. Each theme comes with a number of commitments and milestones, and each speaks to an aspirational goal for open government, better articulating why this is an initiative worth an investment of time and resources.
Perhaps because there was so great a backlash against the previous government’s perceived lack of openness, the Liberals ran on an election platform that stressed openness and transparency. The New Plan reflects many of these election commitments. As such, it is notably more ambitious than the previous two action plans. The commitments are both deeper (for example, the 2014-2016 action plan committed to a public database disclosing details of all government contracts over $10,000; the New Plan commits to revealing details of all contracts over $1), and more expansive (with the government committing to new openness initiatives not found in earlier plans).
One area where the previous government faced considerable criticism (see, for example Mary Francoli’s second review of Canada’s open government commitments) was in respect of the access to information regime. That government’s commitments under “open information” aimed to improve access to information processes without addressing substantive flaws in the outdated Access to Information Act. The new government’s promise to improve the legislation is up front in the New Plan. Its first commitment is to enhance access to information through reforms to the legislation. According to the New Plan, these include order-making powers for the Commissioner, extending the application of the Access to Information Act to the Prime Minister and his Ministers’ Offices, and mandatory 5-year reviews of the legislation. Although these amendments would be a positive step, they fall short of those recommended by the Commissioner. It will also be interesting to see whether everything on this short list comes to pass. (Order-making powers in particular are something to watch here.) The House of Commons Standing Committee on Access to Information, Privacy and Ethics has recently completed hearings on this legislation. It will be very interesting to see what actually comes of this process. As many cynics (realists?) have observed, it is much easier for opposition parties to be in favour of open and transparent government than it is for parties in power. Whether the Act gets the makeover it requires remains to be seen.
One of the interesting features of this New Plan is that many of the commitments are ones that go to supporting the enormous cultural shift that is required for a government to operate in a more open fashion. Bureaucracies develop strong cultures, often influenced by long-cherished policies and practices. Significant change often requires more than just a new policy or directive; the New Plan contains commitments for the development of clear guidelines and standards for making data and information open by default, as well as commitments to training and education within the civil service, performance metrics, and new management frameworks. While not particularly ‘exciting’, these commitments are important and they signal a desire to take the steps needed to effect a genuine cultural shift within government.
The New Plan identifies fiscal transparency as an overarching theme. It contains several commitments to improve fiscal transparency, including more extensive and granular reporting of information on departmental spending, greater transparency of budget data and of fiscal analysis, and improved openness of information around government grants and other contributions. The government also commits to creating a single portal for Canadians who wish to search for information on Canadian businesses, whether they are incorporated federally or in one of the provinces or territories.
On the theme of Innovation, Prosperity and Sustainable Development, the New Plan also reflects commitments to greater openness in relation to federal science activities (a sore point with the previous government). It also builds upon a range of commitments that were present in previous action plans, including the use of the ODX to stimulate innovation, the development of open geospatial data, the alignment of open data at all levels of government in Canada, and the implementation of the Extractive Sector Transparency Measures Act. The New Plan also makes commitments to show leadership in supporting openness and transparency around the world.
The government’s final theme is “Engaging Canadians and the World”. This is the part where the government addresses how it plans to engage civil society. It plans to disband the Advisory Panel established by the previous government (of which I was a member). While the panel constituted a broad pool of expertise on which the government could draw, it was significantly under-utilized, and clearly this government plans to try something new. They state that they will “develop and maintain a renewed mechanism for ongoing, meaningful dialogue” between the government and civil society organizations – whatever that means. Clearly, the government is still trying to come up with a format or framework that will be most effective.
The government also commits in rather vague terms to fostering citizen participation and engagement with government on open government initiatives. It would seem that the government will attempt to “enable the use of new methods for consulting and engaging Canadians”, and will provide support and resources to government departments and agencies that require assistance in doing so. The commitments in this area are inward-looking – the government seems to acknowledge that it needs to figure out how to encourage and enhance citizen engagement, but at the same time is not sure how to do so effectively.
In this respect, the New Plan offers perhaps a case in point. This is a detailed and interesting plan that covers a great deal of territory and that addresses many issues that should be of significant concern to Canadians. It was released on June 16, with a call for comments by June 30. Such a narrow window of time in which to comment on such a lengthy document does not encourage engagement or dialogue. While the time constraints may be externally driven (by virtue of OGP targets and deadlines), and while there has been consultation in the lead up to the drafting of this document, it is disappointing that the public is not given more time to engage and respond.
For those who are interested in commenting, it should be noted that the government is open to comments/feedback in different forms. Comments may be made by email, or they can be entered into a comment box at the bottom of the page where the report is found. These latter comments tend to be fairly short and, once they pass through moderation, are visible to the public.
Published in Geospatial Data/Digital Cartography
Wednesday, 15 June 2016 08:46
Yesterday I appeared before the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, along with Professor David Lyon of Queen’s University and Professor Lisa Austin of the University of Toronto. The Committee is considering long overdue reform of the Privacy Act, and we had been invited to speak on this topic.
All three of us urged the Committee to take into account the very different technological environment in which we now find ourselves. Professor Lyon cogently addressed the changes brought about by the big data context. Although the Privacy Act as it currently stands largely address the collection, use and disclosure of personal information for “administrative purposes” all three of us expressed concerns over the access to and use by government of information in the hands of the private sector, and the use of information in big data analytics. Professor Austin in particular emphasized the need to address not just the need for accuracy in the data collected by government but also the need to assess “algorithmic accuracy” – the quality/appropriateness of algorithms used to analyse large stores of data and to draw conclusions or predictions from this data. She also made a clear case for bringing Charter considerations into the Privacy Act – in other words, for recognizing that in some circumstances information collection, disclosure or sharing that appears to be authorized by the Privacy Act might nevertheless violate the Canadian Charter of Rights and Freedoms. There was also considerable discussion of information-sharing practices both within government and between our government and other foreign or domestic governments.
The Committee seemed very interested and engaged with the issues, which is a good sign. Reform of the Privacy Act will be a challenging task. The statute as a public sector data protection statute is sorely out of date. However, it is also out of context – in other words, it was drafted to address an information context that is radically different from that in which we find ourselves today. Many of the issues that were raised before the Committee yesterday go well beyond the original boundaries of the Privacy Act, and the addition of a few provisions or a few tweaks here and there will not come close to solving some of these privacy issues – many of which overlap with issues of private sector data protection, criminal law and procedure, and national security.
The notes related to my own remarks to the Committee are available below.
Written Notes for Comments by Professor Teresa Scassa to the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, June 14, 2016
Thank you for the opportunity to address this Committee on the issue of reform of the Privacy Act.
I have reviewed the Commissioner’s recommendations on Privacy Act reform and I am generally supportive of these proposals. I will focus my remarks today on a few specific issues that are united by the theme of transparency. Greater transparency with respect to how personal information is collected, used and disclosed by government enhances privacy by exposing practices to comment and review and by enabling appropriate oversight and accountability. At the same time, transparency is essential to maintaining public confidence in how government handles personal information.
The call for transparency must be situated within our rapidly changing information environment. Not only does technology now enable an unprecedented level of data collection and storage, enhanced analytic capacity has significantly altered the value of information in both public and private sectors. This increased value provides temptations to over-collect personal information, to share it, mine it or compile it across departments and sectors for analysis, and to retain it beyond the period required for the original purposes of its collection.
In this regard, I would emphasize the importance of the recommendation of the Commissioner to amend the Privacy Act to make explicit a “necessity” requirement for the collection of personal information, along with a clear definition of what ‘necessary’ means. (Currently, s. 4(1) of the Privacy Act requires only that personal information “relate directly to an operating program or activity of the institution”.) The goal of this recommendation is to curtail the practice of over-collection of personal information. Over-collection runs counter to the expectations of the public who provide information to government for specific and limited purposes. It also exposes Canadians to enhanced risks where negligence, misconduct or cyberattack result in data breaches. Data minimization is an important principle that is supported by data protection authorities around the world and that is reflected in privacy legislation. The principle should be explicit and up front in a reformed Privacy Act. Data minimization also has a role to play in enhancing transparency: not only do clear limits on the collection of personal information serve transparency goals; over-collection encourages the re-purposing of information, improper use and over-sharing.
The requirement to limit collection of information to specific and necessary purposes is tied to the further requirement on government to collect personal information directly from the individual “where possible” (s. 5(1)). This obviously increases transparency as it makes individuals directly aware of the collection. However, this requirement relates to information collected for an “administrative purpose”. There may be many other purposes for which government collections information, and these fall outside the privacy protective provisions of the Privacy Act. This would include circumstances that is disclosed to a government investigative body at its request in relation to an investigation or the enforcement of any law, or that is disclosed to government actors under court orders or subpoenas. Although such information gathering activities may broadly be necessary, they need to be considered in the evolving data context in which we find ourselves, and privacy laws must adapt to address them.
Private sector companies now collect vast stores of personal information, and this information often includes very detailed, core-biographical information. It should be a matter of great concern, therefore, that the permissive exceptions in both PIPEDA and the Criminal Code enable the flow of massive amounts of personal information from the private sector to government without the knowledge or consent of the individual. Such requests/orders are often (although not always) made in the course of criminal or national security investigations. The collection is not transparent to the individuals affected, and the practices as a whole are largely non-transparent to the broader public and to the Office of the Privacy Commissioner (OPC).
We have heard the most about this issue in relation to telecommunications companies, which are regularly asked or ordered to provide detailed information to police and other government agents. It should be noted, however, that many other companies collect personal information about individuals that is highly revelatory about their activities and choices. It is important not to dismiss this issue as less significant because of the potentially anti-social behaviour of the targeted individuals. Court orders and requests for information can and do encompass the personal information of large numbers of Canadians who are not suspected of anything. The problem of tower dump warrants, for example, was recently highlighted in a recent case before the Ontario Supreme Court (R. v. Rogers Communication (2016 ONSC 70))(my earlier post on this decision can be found here). The original warrant in that case sought highly detailed personal information of around 43,000 individuals, the vast majority of whom had done nothing other than use their cell phones in a certain area at a particular time. Keep in mind that the capacity to run sophisticated analytics will increase the attractiveness of obtaining large volumes of data from the private sector in order to search for an individual linked to a particular pattern of activity.
Without adequate transparency regarding the collection of personal information from the private sector, there is no way for the public to be satisfied that such powers are not abused. Recent efforts to improve transparency (for example, the Department of Innovation, Science and Economic Development’s voluntary transparency reporting guidelines) have focused on private sector transparency. In other words, there has been an attempt to provide a framework for the voluntary reporting by companies of the number of requests they receive from government authorities, the number they comply with, and so on. But these guidelines are entirely voluntary, and they also only address transparency reporting by the companies themselves. There are no legislated obligations on government actors to report in a meaningful way – whether publicly or to the OPC – on their harvesting of personal information from private sector companies. I note that the recent attempt by the OPC to audit the RCMP’s use of warrantless requests for subscriber data came to an end when it became clear that the RCMP did not keep specific records of these practices.
In my view, a modernization of the Privacy Act should directly address this enhanced capacity of government institutions to access the vast stores of personal information in the hands of the private sector. The same legislation that permits the collection of personal information from private sector companies should include transparency reporting requirements where such collection takes places. In addition, legislative guidance should be provided on how government actors who obtain personal information from the private sector either by request or under court order should deal with this information. Specifically, limits on the use and retention of this data should be imposed.
It is true that both the Criminal Code and PIPEDA enable police forces and investigative bodies under both federal and provincial jurisdiction to obtain personal information from the private sector under the same terms and conditions, and that reform of the Privacy Act in this respect will not address transparency and accountability of provincial actors. This suggests that issues of transparency and accountability of this kind might also fruitfully be addressed in the Criminal Code and in PIPEDA, but this is no reason not to also address it in the Privacy Act. To the extent that government institutions are engaged in the indirect collection of personal information, the Privacy Act should provide for transparency and accountability with respect to such activities.
Another transparency issue raised by the Commissioner relates to information-sharing within government. Technological changes have made it easier for government agencies and departments to share personal information – and they do so on what the Commissioner describes as a “massive” scale. The Privacy Act enables personal information sharing within and between governments, domestically and internationally, in specific circumstances – for investigations and law enforcement, for example, or for purposes consistent with those for which it was collected. (Section 8(2)(a) allows for sharing “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”). Commissioner Therrien seeks amendments that would require information-sharing within and between governments to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with the legislation, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another – or whether and under what conditions their personal information may be shared with provincial or foreign governments.
Another important transparency issue is mandatory data breach reporting. Treasury Board Secretariat currently requires that departments inform the OPC of data security breaches; yet the Commissioner has noted that not all comply. As a result, he is asking that the legislation be amended to include a mandatory breach notification requirement. Parliament has recently amended PIPEDA to include such a requirement. Once these provisions take effect, the private sector will be held to a higher standard than the public sector unless the Privacy Act is also amended. Any amendments to the federal Privacy Act to address data security breach reporting would have to take into account the need for both the Commissioner and for affected individuals to be notified where there has been a breach that meets a certain threshold for potential harm, as will be the case under PIPEDA. The PIPEDA amendments will also require organizations to keep records of all breaches of security safeguards regardless of whether they meet the harm threshold that triggers a formal reporting requirement. Parliament should impose a requirement on those bodies governed by the Privacy Act to both keep and to submit records of this kind to the OPC. Such records would be helpful in identifying patterns or trends either within a single department or institution or across departments or institutions. The ability to identify issues proactively and to address them either where they arise or across the federal government can only enhance data security – something which is becoming even more urgent in a time of increased cybersecurity threats.
Tuesday, 07 June 2016 15:29
The social sciences research community has been buzzing over the announcement on May 17, 2016 that the Social Sciences Research Network (SSRN) has been acquired by Elsevier Publishing Group.
SSRN is a digital repository that was created in order to enable researchers in the social sciences to share their work in advance of its publication. Prior to the launch of SSRN, long delays between submission and print publication of papers had been a significant problem for researchers – particularly those working in rapidly changing and evolving fields. In addition, it was not always easy to find out who was working in similar areas or to be aware of developing trends in research as a result of the long publication delays. SSRN allows researchers to publish working papers, conference papers, and pre-print versions of accepted papers – as well as (where permitted by journals) published versions of papers. Access to the database is free to anyone with an Internet connection. This too is important for sharing academic research more broadly – many published academic journals sit behind digital paywalls making broader public access impractical or impossible. SSRN has been a game-changer, and it is now widely used by academics around the world as a vehicle for sharing research.
Elsevier is a commercial publisher which has, in the past, focused primarily on the fields of science, technology and health. It publishes over 2000 international journals. In recent years it has developed other information “solutions”. These include not only digital publishing platforms, but also data analytics, as well as tools to enhance and facilitate collaboration among researchers.
The controversy over the acquisition of SSRN lies in the deep distrust many researchers seem to have about the willingness of a commercial publisher known for its top-dollar subscriptions and generally restrictive access policies to maintain a publicly accessible information dissemination service that is free to both academics and the broader public. The founders of SSRN maintain that Elsevier, which also publishes open access journals, understands the need for broad sharing of research and has no intention of placing the site behind a paywall. They argue that SSRN’s acquisition by Elsevier will only enhance the services it can offer to scholars.
Critics of the sale of SSRN to Elsevier raise a number of concerns. One of these is, of course, whether SSRN will genuinely continue to be available as a free resource for sharing research. The reassurances of both Elsevier and SSRN’s founders are firm in this respect. Nevertheless, there are concerns that Elsevier might more strictly police what content is available on SSRN. It is likely the case that some academics post articles to which their publishers hold the copyright on the view that enough time has passed since publication to make free dissemination normatively if not legally acceptable.
The potential that access to some content might be limited is only one of the issues that should be on scholars’ radar – and it is probably not the most important one. By acquiring SSRN, Elsevier will enhance its expanding analytics capability – and data analytics are an important part of its business model. Researchers should consider the nature and extent of these analytics and how they might impact on the publication, dissemination, valuation and support for research in other venues and other contexts. For example, how might granting agencies or governments use proprietary data analytics to make decisions about what research to fund or not fund? Will universities purchase data from Elsevier to use in the evaluation of their researchers for tenure, promotion, or other purposes? Does it serve the academic committee to have so much data – and its analytic potential – in the hands of a single private sector organization? Given that this data might have important ramifications for scholars, and, by extension, for society, are there any governance, accountability or oversight mechanisms that will provide insight into how the data is collected or analyzed?
Essentially, the noble project that was SSRN has evolved into a kind of Facebook for academics. Researchers post their articles and conference papers to share with the broader community – and will continue to do so. While for researchers these works are what define them and are the “value” that they contribute to the site, the real commercial value lies in the data that can be mined from SSRN. Who collaborates with whom? How many times is a paper read or downloaded? Who cites whom, and how often? The commercialization of SSRN should be of concern to academics, but it is data governance and not copyright that should be the focus of attention.
Thursday, 26 May 2016 09:48
What is the status of copyright protected documents or data sets that are provided to government institutions as part of regulatory, judicial or administrative processes? In my previous blog post I considered one instance where a court decided that a regulatory regime effectively expropriated the copyrights in works submitted to certain federal regulatory boards. In early May of this year, an Ontario court considered a similar issue: what happens to the copyright of land surveyors in the documents and drawings they prepare when these are submitted to Ontario’s electronic land registry system.
Keatley Survey Ltd. v. Teranet Inc was a class action law suit brought by a group of Ontario land surveyors against the private sector company authorized by the government to run its electronic land registry system – Teranet. Teranet recovers its costs of creating and operating the system by charging fees for access to and reproduction of the documents contained in the registry. The plaintiffs in this case argued that they had copyright in those documents, and that they were entitled to fees or royalties from the commercial use of these documents by Teranet.
It was undisputed by the defendants that there was copyright in the survey plans created by the plaintiffs. What was more contentious was the issue of ownership of that copyright. The defendants argued that copyright in the plans was owned by the Crown (in this case, the Ontario government). Under section 12 of the Copyright Act, Crown copyright subsists in works that are “prepared or published by or under the direction or control of Her Majesty or any government department. . . .”. The court rejected the argument that the plans were “prepared” under the control of government. Instead, Justice Belobaba ruled that the plans were produced independently of government by the surveyors at the requests of their clients. The fact that the plans might need to conform with regulatory requirements did not mean that they were prepared under the direction or control of the Crown. Justice Belobaba noted that if this argument were accepted, then “lawyers who file pleadings or facta at court registries would lose the copyright in their work simply because they complied with the statutory filing requirements about form or content.” (at para 33).
Teranet also argued that Crown copyright applied because the plans were “published” under the control of government. Justice Belobaba expressed doubts on this point, finding that the reference to publication in s. 12 of the Copyright Act did not independently create a basis for Crown copyright. He stated: “Just because the federal or provincial government publishes or directs the publication of someone else’s work (as opposed to governmental material) cannot mean that the government automatically gets the copyright in that work under s. 12 of the Copyright Act.” (at para 37) Nevertheless, he did not decide the matter on this point. Instead, he found that the legislation relating to the land registry system specifically establishes that any copyrights in surveys are automatically transferred to the Crown when they are filed.
Section 165(1) of the Land Titles Act and section 50(3) of the Registry Act both provide that “all plans of survey submitted for deposit or registration at a land registry office become “the property of the Crown”.” (at para 6). While this might simply refer to ownership of the physical property in the documents, Justice Belobaba found that other provisions in the statutes addressed the rights of the government to copy, computerize and distribute the documents, and to do so for a fee. He wrote: “The statutory prescription and authorization for copying the plans of survey strongly suggests a legislative intention that “property of the Crown” as used in these statutory provisions includes copyright.” (at para 7).
If copyright in these documents becomes the property of the Crown, how does this come about? The Copyright Act requires that any assignment of copyright must be in writing and signed by the owner of copyright. Justice Belobaba found that the declaration required of surveyors to certify that their plans are correct and in accordance with the legislation did not amount to an assignment of copyright. This is an interesting point. Ultimately, the court finds that copyright is “transferred to the province” when plans are deposited, but that there is no signed assignment in writing. This must, therefore, be a form of regulatory expropriation of the copyright in the surveys and plans. Here, any such expropriation is implicit, not explicit. Since copyright is a matter of federal jurisdiction, it is fair to ask whether a provincial government’s expropriation of copyrights is an improper interference with federal jurisdiction over copyrights. Certainly, a provincial government might require an assignment of copyright as a condition of the filing of documents; what is less clear is whether it can actually override the Copyright Act’s provision which requires assignments to be signed and in writing. There is an interesting jurisdictional question below the surface here.
Because the court concludes that the plaintiffs did not retain copyright in their surveys or plans, there was no need to consider other interesting issues in the case relating to fair dealing or whether there was a public policy exception permitting copying and distribution of the documents.
This decision combined that that in Geophysical Services Inc., strongly suggests that courts in Canada are open to arguments around the regulatory expropriation of copyrights by governments in the public interest. In both cases, the courts found support for the expropriation in legislation, although in neither case was it clear on the face of the legislation that expropriation of copyrights was specifically contemplated. As digital dissemination of information, public-private partnerships, and new forms of commercialization of data may impact the commercial value of information submitted to governments by private actors, governments may need to be more explicit as to the intended effects of their regulatory schemes on copyrights.
Monday, 16 May 2016 07:37
Can a government cut short the term of copyright protection in the public interest through a regulatory scheme? This question was considered in the recent decision in Geophysical Services Inc. v. Encana. In my previous blog post I discussed the part of the decision that dealt with whether the works at issue in the case were capable of copyright protection. In this post, I consider the regulatory expropriation issues.
Geophysical Services Inc (GSI) had argued that the government had violated its copyright in its compilations of seismic data and in its information products based on this data, when it released them to the public following a relatively short confidentiality period. The data had been submitted as part of a regulatory process relating to offshore oil and gas exploration. GSI also argued that the oil and gas companies which then used this data in their operations, without paying license fees, also violated their copyright. As discussed in my previous post, Justice Eidsvik of the Alberta Court of Queen’s Bench found that both the compilation of data and the related analytics were original works and were the product of human authorship.
The infringement issue, however, did not end with a finding of copyright in the plaintiff’s works. The outcome of the case turned on whether the government was entitled to release the information after the end of the 5-15 year confidentiality period established by the regulatory regime – and, by extension – whether anyone was then free to use this material without need for permission. The normal term of copyright protection for such a work would be for the life of the author plus an additional 50 years.
GSI was engaged in geological surveying, using seismic testing to create charts of the ocean floor. In order to engage in this activity it needed a permit from the relevant provincial and federal authorities: the National Energy Board, the Canada Newfoundland and Labrador Offshore Petroleum Board and/or the Canada Nova Scotia Offshore Petroleum Board. It was also required, as part of the regulatory process to submit its data to the relevant Boards. The process of mapping the ocean floor using seismic testing is time and resource intensive, and requires considerable human expertise. Once it was collected and compiled, GSI would license its data to offshore oil and gas exploration companies who relied upon the quality and accuracy of the GSI product to carry out their activities.
According to the regulatory regime any data or information submitted to a Board must be kept confidential by the Board for a specified period. Disclosure is governed by the Canada Petroleum Resources Act (CPRA). Section 101 of the CPRA provides that documentation submitted as part of the regulatory process is privileged and shall not be disclosed except for purposes related to the regulatory regime. In the case of data or information related to geophysical work, the period of privilege is 5 years. It was agreed by the parties that this meant that the data could not be disclosed without consent for at least 5 years. However, the plaintiff argued that its copyright in the materials meant that even if the privilege expired, the plaintiff’s copyrights would prevent the publication of its information without its consent.
In reviewing the legislative history, Justice Eidsvik concluded that it was the government’s clear intention to stimulate oil and gas exploration by ensuring that exploration companies could get access to the relevant seismic data after a relatively short period of privilege. The proprietary rights of GSI (and other such companies) could be asserted within the privilege period. According to the legislative history, this period was set as the amount of time reasonable to permit such companies to recoup their investment by charging licence fees before the data was made public. Justice Eidsvik found a clear intention on the part of the legislature to limit the copyright protection available in the public interest. The 5-year privilege period was designed to balance the rights of the copyright holder with the broader public interest in oil and gas exploration. She also found that the publication of the data was a form of compulsory licence – oil and gas exploration companies were free to make use of this data once it was released by the Boards. Essentially, therefore, the legislative regime provided for an expropriation – without compensation – of the remainder of the term of copyright protection. According to Justice Eidsvik, the inclusion of a no-compensation clause in the statute “acknowledges Parliament’s intent to confiscate private property in return for a policy it believed to be in the public interest to promote early exploration of its resources in the offshore and frontier lands.” (at para 237)
GSI argued that changes in technology combined with the high cost of collecting and processing the data had disrupted any balance that might have been contemplated in setting the original 5-year privilege period. In fact, although the legislation allows for the publication of the data after 5 years, the practice of the Boards has been to delay the release of the data anywhere up to 15 years. However, GSI still maintained that the balance was no longer fair or appropriate. Justice Eidsvik was clearly sympathetic to GSI’s arguments, but she found that as a matter of statutory interpretation the legislation was clear in its effect. She noted that it would be for Parliament to change the legislation if it needs to be adapted to changing circumstances.
The issues raised by this case are interesting. Copyright law already contains many provisions that aim to balance the public interest against the rights of the copyright holder. Fair dealing is just one example of these. In fact, the term of protection (currently life of the author plus 50 years) is another one of these balancing mechanisms. What the court recognizes in Geophysical Services Inc. v. Encana is that other federal legislation can limit the term of copyright protection in order to advance a specific public interest.
This is not the only circumstance in which copyright may be limited by laws other than the Copyright Act. Another case which has recently been settled without being resolved on the merits (Waldman v. Thompson Reuteurs Canada Ltd.—discussed in my blog post here) raised the issue of whether the open courts principle effectively creates an implied public licence to use any materials submitted to the courts as part of court proceedings. This would include documents authored by lawyers such as statements of claim, factums, and other such documents. In Waldman, these materials had been taken from court records and included in a pay-per-use database by a legal publisher.
There are other contexts in which materials are submitted to regulators and later made public as part of that process. (Consider, for example, patent disclosures under the Patent Act). The legislation in such cases may not be as explicit as the CPRA – Justice Eidsvik found this statute to be very clear in its intent to make this data open and available for reuse after the statutory confidentiality period. In particular, she cited from the parliamentary debates leading up to its enactment in which disclosure in the interest of stimulating oil and gas exploration was explicitly contemplated.
One question going forward is in what circumstances and to what extent do legislated requirements to disclose data or documents terminate copyright protection in these materials. Another interesting issue is whether a provincial government could establish a regulatory regime that effectively brings to an end the term of copyright protection (since copyright falls within federal jurisdiction). In an environment where intellectual property rights are increasingly fiercely guarded, Parliament (and the legislatures?) may need to be more explicit about their intentions to cut short IP rights in the public interest.
Wednesday, 11 May 2016 08:04
A Canadian court has just handed down a decision in a case that interweaves interesting issues about copyright in data with issues around how the government can limit the scope of these rights in its view of the public interest. The case is complex – it involves a large number of defendants and is tied to a range of other law suits relating to the regulatory regime for oil and gas exploration in Canada. The complexity of the case is such that I will divide my analysis over two blog posts. This – the first – will address the issues around whether there is copyright in the data submitted to the regulator; the second blog post will deal with the issues relating to the curtailment of the copyright within the context of the regulatory regime.
The plaintiff in this case and in the mass of related litigation is Geophysical Service Inc. (GSI). GSI is a Canadian company that is in the business of carrying out marine seismic surveys and licensing the data that it collected and a compiled as a result of its activities. It claims that its flood of litigation around the copyright and regulatory regime issues resulted from the fact that the government’s approach is driving it out of business. As copyright is often touted as providing incentives to create and innovate, GSI’s precarious status as an innovator in this area sets an interesting context for the issues raised in the litigation.
In a nutshell, GSI – like other companies in this field – had to obtain a licence from the national regulator to conduct its expensive, time and labour intensive work. A condition of the licence was that the data it generated and processed into information products would be submitted to the appropriate regulatory bodies that oversee offshore oil and gas exploration. It is this data and the related information products that GSI claims is protected by copyright law. Under the statutes governing the regulatory process, data submitted to the regulator can be made public after a 5 year period. GSI was in the business of selling its data and information products to companies engaged in oil and gas exploration. GSI argued that the fact that the same data and analysis could be released to the public after 5 years, and was, as a matter of policy released between 5 and 15 years after its submission made its business ultimately unsustainable. They argued, therefore, that they had copyright in the data they collected and in the analytics they carried out on the data. They then argued that the regulator, by releasing this data to the public before the expiration of the copyright term, infringed its copyrights. They also maintained that the other private sector companies which made use of their data obtained from the public sources, violated their copyrights.
The first issue, therefore, was whether the seismic data and related information products produced by GSI amounted to original works that could be protected by copyright law. It is a basic principle of copyright law that there can be no copyright in facts – facts are in the public domain. At the same time, however, it is possible to have copyright in a compilation of facts – so long as that compilation meets the requirements of originality. According to the Supreme Court of Canada in CCH Canadian v. Law Society of Upper Canada, originality requires that a work: a) is not copied; b) reflects an exercise in skill and judgment and 3) can be attributed to a human author. In this case, the defendants argued that the GSI data was ‘copied’ from the environment (i.e. it was factual material not protected by copyright law); that its collection and compilation did not involve sufficient skill and judgment because it was in part automated, and in part collected and compiled according to industry standards; and that the technology-assisted and highly human- and other resource-intensive process involved in its collection and compilation meant that it did not originate from an identifiable human author.
Justice Eidsvik of the Alberta Court of Queen’s Bench found resoundingly for the plaintiffs on the copyright issues. She carefully considered the manner in which the seismic data was both collected and processed. She found that both the raw data and the processed data constituted “works” within the meaning of the Copyright Act. She analogized the raw seismic data to a literary work or a literary compilation. She also found that some of the seismic sections – data represented as squiggly lines – would fall within the definition of an artistic work. Both “works” in this case met the necessary threshold for originality. She noted that the creation and compilation of the seismic data required significant levels of skill, noting that “The data is created, not merely collected, through the intervention of human skill” (at para 79). The collection of this seismic data requires a complex series of choices. She accepted the analogy that it was like taking a photograph. Justice Eidsvik observed:
In this case, the photograph is not just a quick snapshot; rather, it is one that requires careful selection of the location, angle of technological instruments (e.g. the size and depth of the airguns, the length and depth of the streamers, and the number and placement of hydrophones), and finally the filtering and refining of the product. (at para 80)
She also found apt an analogy from one of the expert witnesses between the creation of the data and the conducting of a symphony, where the conductor “ensures that some instruments are played louder, or softer, or faster or slower, to make a beautiful creation. The same types of decisions are made on board the seismic acquisition ship to obtain “beautiful” raw seismic data.” (at para 81)
Having found copyright in the compilation of raw data, it is not surprising that the judge also found copyright in the processed data as well. She found that substantial skill and judgment went into the processing of the data, stating that “The raw data is not simply pumped into a computer and a useful product comes out.” (at para 83) She found that the quality of the processed data is very much dependent upon the participation of a skilled processor, and that different companies would produce different processed data from the raw data depending upon the skill of the processor involved.
Justice Eidsvik also found that the requisite human author was present. In doing so, she addressed the Telstra decision from the Australian High Court which had found no copyright in a telephone director in part because it was created following a largely automated process in which there was relatively little human input. In this case, she found the human input to be a significant factor in determining the quality of the output at both the stage of acquisition of the data and the processing stage. She reviewed the few Canadian cases involving compilations of data, noting that in cases where human input is more significant in terms of the choices made in arranging the facts, the courts accept that the compilation is original.
Justice Eidsvik rejected the argument that it is necessary to identify a specific human author in order to find copyright in a complex factual work. She accepted that a team of “authors” could create a factual compilation. Nevertheless, she was also prepared to identify in this case the head of the seismic crew on the ship as the author of the raw data and the person in charge of the computing as the author of the processed data. She noted as well that in this case the actual owner of the copyright would be the employer of both of these individuals – GSI.
In finding copyright in both the raw and the processed data, Justice Eidsvik was careful to note that she was not deviating from the principle that there could be no copyright in facts or ideas. She found that the “seismic data is an expression of GSI’s views of what the image of the subsurface of the surveyed areas represents.” (at para 97). The raw facts – the features of the subsurface – are there for anyone to see and are in the public domain – but the data collected about those facts is authored. Critical data theorists will recognize in here the seeds of the essential subjectivity of collected data, where choices are made as to how to collect the data, and according to what parameters.
Justice Eidsvik also rejected the idea that the works at issue lacked originality because their collection and compilation were dictated by “practical considerations, utility or externally imposed requirements.” (at para 105) Notwithstanding the presence of industry standards that would influence some of the decision-making involved in the collection and processing of the data, she found that “the original skill and judgment that comes to bear on the final product of the seismic work far outweighs the portion of “hard wired” industry standards in play.” (at para 105)
Based on the facts of this case it is not surprising that Justice Eidsvik would conclude that there was copyright in both the compilation of seismic data and in the processed data. Her extensive review of the process by which the data is first collected and then processed reveals a substantial amount of skill and judgment. In a “datified” society, the decision may give some comfort to those who collect and process all manner of data: their products – whether compilations of raw data or processed data (analytics) – are works that can be protected under copyright law. Such protection will be dependent upon an ability to show that the collection and/or processing involve choices motivated by skill and judgment, rather than mechanical decision-making or compliance with industry norms or standards.
While for GSI it was a victory to have copyright confirmed in its data products, the victory was largely pyrrhic. The second part of the decision – and the part that I will consider in a subsequent blog post – deals with the regulatory regime which the court ultimately finds to have effectively expropriated this copyright interest. Stay tuned!
Monday, 25 April 2016 07:06
A recent news story from the Ottawa area raises interesting questions about big data, smart cities, and citizen engagement. The CBC reported that Ottawa and Gatineau have contracted with Strava, a private sector company to purchase data on cycling activity in their municipal boundaries. Strava makes a fitness app that can be downloaded for free onto a smart phone or other GPS-enabled device. The app uses the device’s GPS capabilities to gather data about the users’ routes travelled. Users then upload their data to Strava to view the data about their activities. Interested municipalities can contract with Strava Metro for aggregate de-identified data regarding users’ cycling patterns over a period of time (Ottawa and Gatineau have apparently contracted for 2 years’ worth of data). According to the news story, their goal is to use this data in planning for more bike-friendly cities.
On the face of it, this sounds like an interesting idea with a good objective in mind. And arguably, while the cities might create their own cycling apps to gather similar data, it might be cheaper in the end for them to contract for the Strava data rather than to design and then promote the use of theirs own apps. But before cities jump on board with such projects, there are a number of issues that need to be taken into account.
One of the most important issues, of course, is the quality of the data that will be provided to the city, and its suitability for planning purposes. The data sold to the city will only be gathered from those cyclists who carry GPS-enabled devices, and who use the Strava app. This raises the question of whether some cyclists – those, for example, who use bikes to get around to work, school or to run errands and who aren’t interested in fitness apps – will not be included in planning exercises aimed at determining where to add bike paths or bike lanes. Is the data most likely to come from spandex-wearing, affluent, hard core recreational cyclists than from other members of the cycling community? The cycling advocacy group Citizens for Safe Cycling in Ottawa is encouraging the public to use the app to help the data-gathering exercise. Interestingly, this group acknowledges that the typical Strava user is not necessarily representative of the average Ottawa cyclist. This is in part why they are encouraging a broader public use of the app. They express the view that some data is better than no data. Nevertheless, it is fair to ask whether this is an appropriate data set to use in urban planning. What other data will be needed to correct for its incompleteness, and are there plans in place to gather this data? What will the city really know about who is using the app and who is not? The purchased data will be deidentified and aggregated. Will the city have any idea of the demographic it represents? Still on the issue of data quality, it should be noted that some Strava users make use of the apps’ features to ride routes that create amusing map pictures (just Google “strava funny routes” to see some examples). How much of the city’s data will reflect this playful spirit rather than actual data about real riding routes is a question also worth asking.
Another important issue – and this is a big one in the emerging smart cities context – relates to data ownership. Because the data is collected by Strava and then sold to the cities for use in their planning activities, it is not the cities’ own data. The CBC report makes it clear that the contract between Strava and its urban clients leaves ownership of the data in Strava’s hands. As a result, this data on cycling patterns in Ottawa cannot be made available as open data, nor can it be otherwise published or shared. It will also not be possible to obtain the data through an access to information request. This will surely reduce the transparency of planning decisions made in relation to cycling.
Smart cities and big data analytics are very hot right now, and we can expect to see all manner of public-private collaborations in the gathering and analysis of data about urban life. Much of this data may come from citizen-sensors as is the case with the Strava data. As citizens opt or are co-opted into providing the data that fuels analytics, there are many important legal, ethical and public policy questions which need to be asked.
Published in Geospatial Data/Digital Cartography
Monday, 04 April 2016 11:34
The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.
The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.
RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPCC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.
In reaching it conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)
After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)
RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.
The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.
The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.
Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.
Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.
Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.
Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.
Tuesday, 15 March 2016 11:01
The department formerly known as Industry Canada (now Innovation, Science and Economic Development or ISED) has just released a discussion paper that seeks public input on the regulations that will accompany the new data breach notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA).
The need to require private sector organizations in Canada to report data breaches was first formally identified in the initial review of PIPEDA carried out in 2007. The amendments to the statute were finally passed into law in June of 2015, but they will not take effect until regulations are enacted that provide additional structure to the notification requirements. The discussion paper seeks public input prior to drafting and publishing regulations for comment and feedback, so please stop holding your breath. It will still take a while before mandatory data breach notification requirements are in place in Canada.
The new amendments to the legislation make it mandatory for organizations to report data breaches to the Privacy Commissioner if those breaches pose “a real risk of significant harm to an individual”. (s. 10.1) An organization must also notify any individuals for whom the breach poses “a real risk of significant harm (s. 10.1(3). The form and contents of these notifications remain to be established by the regulations. A new s. 10.2 of PIPEDA will also require an organization that has suffered a reportable breach to notify any other organization or government institution of the breach if doing so may reduce the risk of harm. For example, such notifications might include ones to credit reporting agencies or law enforcement officials. The circumstances which trigger this secondary notification obligation remain to be fleshed out in the regulations. Finally, a new s. 10.3 of PIPEDA will require organizations to keep records of all data breaches not just those that reach the threshold for reporting to the Privacy Commissioner. In theory these records might enable organizations to detect flaws in their security practices. They may also be requested by the Commissioner, providing potential for oversight of data security at organizations. The content of these records remains to be determined by the new regulations.
From the above, it is clear that the regulations that will support these statutory data breach reporting requirements are fundamentally important in setting its parameters. The ISED discussion paper articulates a series of questions relating to the content of the regulations on which it seeks public input. The questions relate to how to determine when there is a “real risk of significant harm to an individual”; the form and content of the notification that is provided to the Commissioner by an organization that has experienced a breach; the form, manner and content of notification provided to individuals; the circumstances in which an organization that has experienced a breach must notify other organizations; and the form and content or records kept by organizations, as well as the period of time that these records must be retained.
There is certain that ISED will receive many submissions from organizations that are understandably concerned about the impact that these regulations may have on their operations and legal obligations. Consumer and public interest advocacy groups will undoubtedly make submissions from a consumer perspective. Individuals are also welcome contribute to the discussion. Some questions are particularly relevant to how individuals will experience data breach notification. For example, if an organization experiences a breach that affects your personal information and that poses a real risk of harm, how would you like to receive your notification? By telephone? By mail? By email? And what information would you like to receive in the notification? What level of detail about the breach would you like to have? Do you want to be notified of measures you can take to protect yourself? Do you want to know what steps the organization has taken and will take to protect you?
Monday, 14 March 2016 07:53
Technology has enabled the collection and sharing of personal information on a massive scale, and governments have been almost as quick as the private sector to hoover up as much of it as they can. They have also been as fallible as the private sector – Canada’s federal government, for example, has a substantial number of data breaches in the last few years.
What has not kept pace with technology has been the legislation in place to protect privacy. Canada’s federal Privacy Act, arguably a ground-breaking piece of legislation when it was first enacted in 1983, has remained relatively untouched throughout decades of dramatic technological change. Despite repeated calls for its reform, the federal government has been largely unwilling to update this statute that places limits on its collection, use and disclosure of personal information. This may be changing with the new government’s apparent openness to tackling the reform of both this statute and the equally antiquated Access to Information Act. This is good news for Canadians, as each of these statutes has an important role to play in holding a transparent government accountable for its activities.
On March 10, 2016 Federal Privacy Commissioner Daniel Therrien appeared before the Standing Committee on Access to Information, Privacy and Ethics, which is considering Privacy Act reform. The Commissioner’s statement identified some key gaps in the statute and set out his wish list of reforms.
As the Commissioner pointed out, technological changes have made it easier for government agencies and departments to share personal information – and they do so on what he describes as a “massive” scale. The Privacy Act currently has little to offer to address these practices. Commissioner Therrien is seeking amendments that would require information sharing within the government to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with legal obligations to protect privacy, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another.
The Commissioner is also recommending that government institutions be explicitly required under the law to safeguard the personal information in their custody, and to report data breaches to the Office of the Privacy Commissioner. It may come as a surprise to many Canadians that such a requirement is not already in the statute – its absence is a marker of how outdated the law has become. Since 2014, the Treasury Board of Canada, in its Directive on Privacy Practices has imposed mandatory breach reporting for all federal government institutions, but this is not a legislated requirement, nor is there recourse to the courts for non-compliance.
The Commissioner is also seeking more tools in his enforcement toolbox. Under the Privacy Act as it currently stands, the Commissioner may make recommendations to government institutions regarding their handling of personal information. These recommendations may then be ignored. While he notes that “in the vast majority of cases, government departments do eventually agree to implement our recommendations”, it is clear that this can be a long, drawn out process with mixed results. Currently, the only matters that can be taken to court for enforcement are denials by institutions to provide individuals with access to their personal information. The Commissioner is not seeking the power to directly compel institutions to comply with its recommendations; rather, he recommends that an institution that receives recommendations from the Office of the Privacy Commissioner have two choices. They may implement the recommendations or they may go to court for a declaration that they do not need to comply. On this model, relatively prompt compliance would presumably become the default.
The Commissioner is also seeking an amendment that would require government institutions to conduct privacy impact assessments before the launch of a new program or where existing programs are substantially modified. Again, you would think this would be standard practice by now. It does happen, but the Commissioner diplomatically describes current PIAs as being “sometimes uneven” in both their quality and timeliness. The Commissioner would also like to see a legislated requirement that government bills that will have an impact on privacy be sent to the OPC for review before being tabled in Parliament.
The Commissioner seeks additional amendments to improve transparency in relation to the government’s handling of personal information. Currently, the Commissioner files an annual report to Parliament. He may also issue special reports. The Commissioner recommends that he be empowered under the legislation “to report proactively on the practices of government”. He also recommends extending the Privacy Act to all government institutions. Some are currently excluded, including the Prime Minister’s Office and the offices of Ministers. He also recommends allowing all individuals whose personal information is in the hands of a federal government institution to have a right of access to that information (subject, of course, to the usual exceptions). Currently on Canadian citizens and those present in Canada have access rights.
This suite of recommendations is so reasonable that most Canadians would be forgiven for assuming these measures were already in place. Given the new government’s pre- and post-election commitments to greater transparency and accountability, there may be reason to hope we will finally see the long-overdue reform of the Privacy Act.
Canadian Trademark Law
Published in 2015 by Lexis Nexis
Electronic Commerce and Internet Law in Canada, 2nd Edition
Published in 2012 by CCH Canadian Ltd.
Intellectual Property for the 21st Century
Intellectual Property Law for the 21st Century: