Privacy - News

  • – 2018-11-27 –

    How do we measure bicycle traffic in a way that respects citizens' privacy? CIPPIC's team working on a Sidewalk Labs Small Grant presented its findings today. Great work, Keri Grieman, Johann Kwan and Stephanie Williams! Key findings on best practices:

    • Use technologies that limit the collection of personal information
    • Store data securely
    • Limit data collection to only that which is needed
    • Ensure that partners or contractors follow collection restrictions
    • Notify individuals that their data is being collected.
    • Install counting devices when creating a new space
    • Hide or mask sensitive locations
  • – 2018-10-18 –

    The Electronic Frontier Foundation (EFF) released a timely white paper this week examining the negative implications and chilling effects that various cybercrime provisions throughout the Americas can have on coder's rights and specifically on security researchers. Entitled "Protecting Security Researcher's Rights in the Americas", the analysis explores a range of cybercrime regimes nominally intended in principle to criminalize unauthorized access to or disruption of computer systems. However, these laws have been framed so broadly as to impose a serious chilling effect on vital activity of security researchers. Drawing on the Inter-American human rights framework (of which Canada is a partial adherent), some national jurisprudence, and principles of criminal law, the paper argues for cybercrime regimes that accommodate beneficial security work. There must be latitude for non-malicious security testing, for the dissemination of critical security tools and for the responsible publication of discovered security breaches.

    Sadly, current laws are framed so broadly that they have had a serious chilling effect on socially beneficial security work. Those who discover security breaches face severe legal threats and sometimes even criminal consequences for attempting to bring these to host organization's attention. The result is that security breaches are increasingly likely to remain unresolved until they are discovered by someone seeking to exploit, rather than to merely expose. The paper, to which CIPPIC provided substantive contributions, calls for clearer standards to remedy this situation.

  • – 2018-09-13 –

    The Supreme Court of Canada issued its ruling in Rogers Communications Inc v Voltage Pictures LLC, 2018 SCC 38, today, the latest installment in a long series of ongoing efforts by Voltage to establish a controversial mass copyright litigation model in Canada and the first decision to meaningfully interpret Canada's notice-and-notice regime. As CIPPIC argued in its intervention, which was ably prepared by our external counsel, Jeremy de Beer and Bram Abramson, the decision under appeal discouraged ISPs from conducting rigorous quality assurance checks necessary to reduce mis-identification of customers accused of copyright infringement. It also placed the cost burden of increasingly expansive copyright litigation models on customers of ISPs. All this, in turn, jeopardizes privacy rights of mis-identified customers; exposes innocent individuals to legal threats and costly lawsuits; raises Canada's Internet access fees (already amongst the highest in the world) even higher; and undermines competition by disproportionately impacting smaller ISPs who are less able to diffuse the costs of robust quality assurance.

    The ruling narrowed a prohibition, imposed by the Federal Court of Appeal, on any cost recovery for quality assurance protocols employed by ISPs when compelled to identify customers in the context of a copyright lawsuit. The court held that ISPs will be permitted to recover some (but not all) of these costs, sending the matter back to the Federal Court for determination of what specific quality assurance protocols are reasonable and non-duplicative. This, in turn, removes cost-based disincentives to adopt robust quality assurance protocols by ISPs.

    Image credits (left to bottom right): smileycreek, "Don't Feed The Trolls", October 4, 2014, Flickr, CC-BY-NC-SA 2.0; h0us3s, "Hazard Warning-Electricity", September 11, 2006, OpenClipart, CC-0 1.0; jaschon, "Padlock Icon", July 25, 2010, OpenClipart, CC-0 1.0.

  • – 2018-04-05 –

    CIPPIC has filed its factum in R. v. Jarvis, SCC Case No. 27833, the voyeurism case involving the high school teacher charged with voyeurism under s. 162(1)(c) of the Criminal Code for using a camera pen to surreptitiously take videos of female students which focused on their chests and cleavage area. The Ontario Court of Appeal concluded that the videos were not taken in "circumstances" in which students had "a reasonable expectation of privacy", a necessary element of the offense. 

    CIPPIC disagrees.  We argue that the phrase, "circumstances giving rise to a reasonable expectation of privacy", must be interpreted consistently with other areas of law that see privacy as equality-enhancing, normative, contextual, and non-risk based.  Our colleague Jane Bailey took the pen and makes a strong case for a robust vision of privacy - one that enhances equality and the ability to assert control over sexual and bodily integrity.

  • – 2018-03-06 –

    CIPPIC has been granted leave to intervene in R. v. Jarvis, SCC Case No. 27833. The case is an appeal of an Ontario Court of Appeal decision acquitting a teacher of a charge under the voyeurism provisions of the Criminal Code.  The accused had used a camera pen to surreptitiously take videos of the chests and cleavage of female students.  The decision under appeal determined that the videos were not taken in "“circumstances giving rise to a reasonable expectation of privacy”, an element necessary to establish the offense of voyeurism. 

    CIPPIC will argue that the Court should interpret “circumstances giving rise to a reasonable expectation of privacy” consistently with the Court’s well-established jurisprudence on privacy: privacy is normative, contextual, and not risk-based.

  • – 2017-12-21 –

    CIPPIC has filed its intervention factum in Her Majesty the Queen in Right of British Columbia v. Philip Morris International, Inc., SCC No. 37524. The case presents the Supreme Court with a conflict of values: do the privacy interests of third parties bar a defendant to an action from accessing large health datasets in order to challenge the results of the plaintiff’s analysis of that data?

    CIPPIC argues that this conflict between privacy and transparency will be mediate by the dual protections of anonymization procedures, implemented in accordance with guidelines familiar to the health industry, and flexible judicial safeguards embedded in disclosure orders.

    The case raises important issues about the right to challenge the outcomes of analytics performed on large data sets. As we increase our reliance on big data and algorithmic decision-making technologies, privacy and accountability will be increasingly at issue.

  • – 2017-12-06 –

    CIPPIC has been granted leave to intervene in Her Majesty the Queen in Right of British Columbia v. Philip Morris International, Inc., SCC No. 37524. The case involves the defendant's pre-trial discovery of the health-related databases of B.C. in the province's action against for recovery of the health care costs to the province caused by Philip Morris' tobacco products. CIPPIC's intervention will address (1) privacy and the risks of re-identification, (2) the need for those affected by government decisions based on large dataset to be able to challenge the data itself and to test (and contest) the algorithms used to arrive at its analyses, and (3) how to balance privacy with accountability in this context.

    The case raises important issues about the right to challenge the outcomes of analytics performed on large data sets. As governments increase their reliance on big data and algorithmic decision-making technologies, privacy and government accountability will be increasingly at issue and, at times, at odds.

  • – 2017-06-23 –

    In a 4-3 decision, the Supreme Court of Canada ruled in Douez v Facebook, Inc. 2017 SCC 33, that Facebook’s efforts in its terms of service to require Canadians to pursue grievances with Facebook in California courts instead of Canadian courts is unenforceable.

    The case involved a class action against Facebook alleging violations of BC's Privacy Act. The class action could not proceed, however, as Facebook argued that its terms of service require disputes to be resolved in California courts and under California law. Historically, the Supreme Court of Canada's jurisprudence favoured enforcement of these “forum selection clauses” on the rationale that holding sophisticated commercial parties to their jurisdictional choices advances the underlying principles that private international law seeks to achieve.

  • – 2017-06-01 –

    CIPPIC has been awarded a grant from the Office of the Privacy Commissioner of Canada, through its Contributions Program, for a research project analyzing the activities of data brokers in Canada.

    The project, titled Back on the Data Trail, examines the evolution of the Canadian data broker industry over the past decade. The project picks up CIPPIC’s prior OPC-funded work in this field: in 2006, CIPPIC published a study of Canada’s data broker industry: On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. Over a decade later, and despite radical structural changes in Canada’s data broker industry, this report continues to be the leading analysis of the industry. Indeed, the Research Group of the Office of the Privacy Commissioner of Canada’s 2015 discussion paper on the industry, Data Brokers: A Look at the Canadian and American Landscape (September 2014), relied heavily on CIPPIC’s now-dated 2006 report. It is past time to update this important research.

  • – 2016-09-19 –

    CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

    CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

    UPDATE: In December 2016, ETHI released the results of its study in a report entitled "Protecting the Privacy of Canadians: Review of the Privacy Act". The Report adopts many of CIPPIC's recommendations.