Archive for the ‘Public Organizations’ Category

15 Feb 2012

PRELIMINARY REACTION FROM OFFICE OF THE PRIVACY COMMISSIONER OF CANADA TO BILL C-30


Our Office understands the challenges faced by law enforcement and national security authorities in fighting online crime at a time of rapidly changing communications technologies and the need to modernize their tactics and tools accordingly.

We’re not necessarily opposed to legislation that modernizes police powers online – but it must demonstrably help protect the public, respect fundamental privacy principles established in Canadian law and be subject to proper oversight.

Upon a preliminary review following the tabling of Bill C-30, the Office of the Privacy Commissioner recognizes the government has made improvements to this Bill from previous iterations. On balance, however, significant privacy concerns remain. 

We recognize that the government has reduced the number of data elements which could be accessed by authorities without a warrant or prior judicial authorization.  At the same time, by requiring authorities to conduct regular audits and to provide them both to the relevant Minister and oversight bodies, including our Office, this appears to help address past concerns about a lack of oversight.

On balance, however, the new Bill still contains serious privacy concerns, similar to past versions.

In particular, we are concerned about access, without a warrant, to subscriber information behind an IP address.  Since this broad power is not limited to reasonable grounds to suspect criminal activity or to a criminal investigation, it could affect any law-abiding citizen.

Going forward, we will be reviewing this Bill in full to determine:

How does the Government justify this warrantless access in a free and democratic society?

How does “after the fact” review by ministerial and non-judicial bodies compare with “up front” oversight by the courts?

Are the new powers proposed by the legislation demonstrably necessary, proportionate and effective?

Are there less privacy-invasive alternatives to achieve the desired outcomes?

It is through this lens that our Office will undertake a thorough review of the Bill.  We look forward to sharing our views with Parliament.


27 Jan 2012

Time for government, individuals to think “Less is More”


Entry written by Scott Hutchinson, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.” 

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information. She pointed to recent research done by Brookings Institution scholar John Villasenor, who notes that the falling costs of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?” And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing health of our democracy and respect of Canadians.


14 Nov 2011

PERIMETER SECURITY AND PRIVACY PROTECTION IN CANADA AND THE US


Two countries negotiating a perimeter security agreement can easily be compared to two individuals drastically redefining their relationship. 

Without question, Canada and the United States are certainly neighbours.  To some, a perimeter agreement means removing a fence; to others, it’s tantamount to a sort of marriage.

Regardless, before we take the plunge, we have to think about what we share and where we differ.

Without question, we have a lot in common.  We’re both democracies with enshrined respect for human rights. Canadians and Americans both strongly value their privacy and realize its importance to the vitality of our democracies.

As things stand today however, some key legislative differences on privacy protection exist between our countries. 

I want to explain these and show why, rather than jumping into a newly defined relationship with both feet, we should only do so with both eyes wide-open.

First of all, both of our countries have enacted legislation to protect citizens’ privacy from their governments. 

The U.S. Privacy Act of 1974 fulfils this function for the federal government south of the border, while Canada’s Privacy Act of 1983 does so for Canadians.

The U.S. law includes safeguards to secure Americans’ personal information in the hands of the federal government, but these extend only to citizens and permanent residents.

Conversely, personal information held in Canada is subject to the protection of Canadian privacy law. That said, Canada’s Privacy Act is far from perfect and in need of modernization (as I’ve noted in the past). 

Secondly, when it comes to protecting personal information in the private sector, there are American laws specific to certain sectors and the Federal Trade Commission’s consumer protection law provides some protection with regard to issues of fairness and deception. 

Unlike Canada however, there is no overarching national legislation applying to the private sector as a whole. 

In the United States, a lack of private sector-wide coverage provides opportunities for commercial data brokers to assemble databases.

Such databases are made available to subscribers, which include U.S. federal agencies.  There are already several dozen fusion centers across the country doing precisely this sort of search and analysis every day.

Consequently, government authorities can access information from privately-held databases with no strings attached.

It’s also worth noting that the USA PATRIOT Act, enacted weeks after the 9/11 attacks, has the ability to circumvent sector-specific privacy protections to facilitate national security investigations. National security can be, and has been, defined quite broadly.

Thirdly, there is a vast difference when it comes to privacy oversight between our two countries.  Law enforcement and national security authorities in the US simply do not operate under the privacy oversight structure that exists in Canada.

In Canada, my office reports directly to Parliament and not the Government, allowing autonomy in holding the Government to account.

In the United States there is no equivalent independent authority mandated to investigate privacy issues with regard to government data-handling.

While the Privacy and Civil Liberties Oversight Board could theoretically fulfill this function, it remains inoperative.

Finally, Canada’s approach to privacy centers on protecting individuals’ right to control their personal information except where limits can be demonstrably justified in a free and democratic society.

This is an approach which should not be compromised or watered-down in order to reach a perimeter security agreement.  

This isn’t to say that Americans value privacy any less than Canadians.  It’s just that our respective legislative frameworks to protect it are very different. 

This all goes to say that if we compare a security perimeter agreement to a marriage and Canadian negotiators wish to enable Canadians to keep control of their personal information, a clear line on privacy needs to be written into a strong “pre-nup.”


3 May 2010

Transparency, search engines and government appetite for data


There has been a long-standing debate between privacy advocates and government officials about the extent of government interest in the information transmitted across domestic and international networks. The passage of USA PATRIOT Act intensified this debate and prompted concern from a more general audience as well. Ever since, the digerati and online crowd have been whispering and wondering about the interface between search engines, particularly Google, and law enforcement and national security bodies.

In brief, this comes up in classrooms and at conferences in roughly the following exchange:

Q. “So, should I worry about what Google knows about me?”

A. “Maybe, but I’d worry more about what the government gets out of Google, then matches with what they already know about you.”

Around this issue, researchers like Chris Soghoian in the US (as well as Ben Hayes and Simon Davies overseas) have been pushing for greater transparency from both companies and government on the use of broad data production powers. Last week, to their great credit, Google took a big first step and published an interactive map on the numbers and types of data requests they receive from governments around the world. This coincides with another important US private sector push – Digitaldueprocess.org – that is asking for clear, consistent and accountable measures to be put in place when governments ask companies to ‘check up’ on their customers.

We commend Google and others involved for this significant first step, look forward to improvements and more details as they tweak the reporting model and sincerely hope other companies (and, ahem! governments) follow suit.


28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?


On Data Privacy Day 2010 we’d like to take a moment to remind everyone that it is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.


15 Apr 2009

Further evidence on how the online and the private truly MESH


Once again, folks from the Office attended “Canada’s web conference”, MESH 2009, in Toronto – a place where flacks, marketers, hackers, people with money to spend, people looking for money, and activists gather and talk about how the web is “affecting media, marketing, business and society as a whole”.

Just ten minutes at this conference is a lesson in how much human communication has changed. People don’t generally put up their hands to ask questions – instead they send messages to the organizers through Twitter. When Toronto Mayor, David Miller (who is known for using the web to get information out to citizens) gave his keynote, and was subsequently interviewed onstage, he paused several times to either tweet or to read new messages he was receiving. And gone are the days of hanging around after a presentation to fill out a feedback form – at this conference people send tweets about the quality of a speaker or session as it’s unfolding, causing others to abandon simultaneously-running sessions to join the one that’s getting all the attention.

All it takes is a quick glance at some of the sessions that were offered (“managing your persona online”; “how to integrate social media into your marketing plan”; and “using online word of mouth” are just a few examples) to see how privacy is intertwined with the new online reality. One keynote speaker, Jessica Jackley, co-founder of kiva.org, the world’s first peer-to-peer online micro-lending web site, is living proof of how the Internet can be used for good. But isn’t privacy also a theme here, what with the online financial transactions that make the whole thing possible, not to mention the protection of the personal details of both the lenders and entrepreneurs?

The MESH conference tagline is “connect, share and inspire” and one of the themes is that while social media can be “a difficult reality for some companies, it also offers tremendous opportunities for both businesses and individuals to communicate, collaborate, entertain and inform”. These are exciting words and ideas – as long as we don’t forget the important privacy implications that go hand-in-hand with them.


22 Aug 2008

A clarification on court decisions


Speaking at the Canadian Bar Association Conference earlier this week, the Privacy Commissioner talked about the privacy implications of courts and administrative tribunals posting to the web decisions and other documents containing personal information.

While her speech generated a handful of articles, her comments created a bit of a stir when one newspaper article misinterpreted what she had said, suggesting that the Commissioner was proposing that all court decisions be scrubbed of personal information before being made widely available. Of course, neither the Privacy Act nor the Commissioner’s mandate applies to the courts. In her speech, the Commissioner was actually discussing the legal obligations of government institutions subject to the Privacy Act. (You can read the transcript of her speech here.) These institutions have tended to invoke the practices of the courts as a justification for the disclosure of personal information, a tendency that inspired the Commissioner’s remarks. Other interpretations of the Commissioner’s comments better capture her concerns.

Below is the commissioner’s letter to the Toronto Star which appeared yesterday morning.

Re: Hide IDs in court rulings, privacy chief says, Aug. 20

I am writing to correct a false impression left by the article. My mandate does not extend to the courts. However, it is interesting to note that they, like my office, have been wrestling with the issue of posting personal information online. My role is to ensure that federal administrative tribunals respect the privacy rights of Canadians.

Ordinary Canadians provide their personal information to these tribunals for various reasons. They may, for instance, be seeking access to a government benefit or reparation for an alleged government mistake.

A law-abiding citizen fighting for a government benefit should not be forced to expose her medical history or other highly sensitive personal information to public scrutiny. They should not have to abandon their privacy rights.

My office has recently investigated complaints about the online posting of personal information by several administrative tribunals. We expect to release our findings in these cases in the fall.

Jennifer Stoddart, Privacy Commissioner of Canada


23 Jun 2008

A word on copyright reform


Last week, after months of speculation from critics and the media, the Minister of Industry unveiled new amendments to Canada’s intellectual property law, the Copyright Act. Previous attempts to revamp the legislation in 2005 dropped off the radar when Parliament went into election mode. This largely extinguished public debate of the bill, which Canada’s privacy champions had spoken out against. At the time, the privacy commissioners of Canada, Ontario and British Columbia all expressed similar concern over the government’s direction.

Two years later, it looks as though opposition is igniting again – with a host of opposition critics, legal experts, consumer advocates, IT professionals, educators and media weighing in on the repercussions to be felt if various provisions of the new law actually come into force.  One advocacy group, organized online through Facebook, has attracted tens of thousands of members, all opposed to the legislative provisions.

Parliament is to adjourn for the summer this week, so lawmakers will not examine the bill in depth until the fall – after they’ve had time to digest months of feedback from constituents, industry and others.  With the bill’s new emphasis on customer monitoring by Internet service providers, being rolled out at the same time as deep packet inspection, the increasing behavioural targeting of advertising and new provisions for government investigators to access internet customer data, we expect MPs will be hearing from their constituents – whether at barbeques or by mail – over issues ranging from consumer profiling to citizen surveillance, from online anonymity rights to questions of intellectual freedom.

To get more information on this summer’s debate over the future of the Internet in Canada, check the links.


29 Apr 2008

“Wacky” and proud of it!


Last week, Al Kamen of the Washington Post published an ironic article lightly criticizing his Homeland Security Chief Michael Chertoff about his statement that fingerprints aren’t personal information.

Any thoughts?


18 Apr 2008

Our Top Ten list of Privacy Act fixes


The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.