Privacy - News

  • – 2017-06-23 –

    In a 4-3 decision, the Supreme Court of Canada ruled in Douez v Facebook Inc, 2017 SCC 33, that Facebook’s efforts in its terms of service to require Canadians to pursue grievances with Facebook in California courts instead of Canadian courts are unenforceable.

    The case involved a class action against Facebook alleging violations of BC's Privacy Act. The class action could not proceed, however, as Facebook argued that its terms of service require disputes to be resolved in California courts and under California law. Historically, the Supreme Court of Canada's jurisprudence favoured enforcement of these “forum selection clauses” on the rationale that holding sophisticated commercial parties to their jurisdictional choices advances the underlying principles that private international law seeks to achieve.

    However, online platforms now routinely impose non-negotiable choice of forum and law clauses in their terms of service, which consumers must accept on a take it or leave it basis. This places a heavy burden on individuals, who are left with no option but to enforce their rights in foreign courts and under foreign laws. This is especially problematic where the laws in question implicate constitutionally protected rights, as different jurisdictions must have leeway to apply different standards of freedom of expression and privacy to their denizens. CIPPIC's intervention therefore argued that enforcing forum selection clauses imposed onto online customers on a non-negotiable basis will undermine the principles of order, fairness and comity which private international law seeks to achieve.

  • – 2017-06-01 –

    CIPPIC has been awarded a grant from the Office of the Privacy Commissioner of Canada, through its Contributions Program, for a research project analyzing the activities of data brokers in Canada.

    The project, titled Back on the Data Trail, examines the evolution of the Canadian data broker industry over the past decade. The project picks up CIPPIC’s prior OPC-funded work in this field. In 2006, CIPPIC published a study of Canada’s data broker industry, On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. Over a decade later, and despite radical structural changes in Canada’s data broker industry, this report continues to be the leading analysis of the industry. Indeed, the Research Group of the Office of the Privacy Commissioner of Canada’s 2015 discussion paper on the industry, Data Brokers: A Look at the Canadian and American Landscape (September 2014), relied heavily on CIPPIC’s now-dated 2006 report. It is past time to update this important research.

  • – 2016-09-19 –

    CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

    CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

    UPDATE: In December 2016, ETHI released the results of its study in a report entitled "Protecting the Privacy of Canadians: Review of the Privacy Act". The Report adopts many of CIPPIC's recommendations.

  • – 2016-08-25 –

    CIPPIC's application for leave to intervene has been granted in Douez v Facebook Inc, SCC File No 36616, an appeal that raises fundamental questions regarding the nature of online jurisdiction, e-consumer protection and privacy. Specifically at issue is a forum selection clause imposed by Facebook onto all of its customers, on a take it or leave it basis, mandating that all disputes be brought against it in California. On the basis of this clause, it was held that a class action launched against Facebook in BC and alleging violations of BC privacy laws cannot proceed.

    Managing online jurisdiction - where services can have significant global presence and impact on a largely virtual basis - has strained digital policy since the early days of the world wide web. However, CIPPIC's proposed intervention intends to argue that forum selection clauses are ill-suited as a means of navigating the challenges posed by global online services. A mandatory, non-negotiable forum selection clause effectively opts a service provider out of Canadian standards and laws as foreign courts tend to apply their own rules and standards. As forum selection clauses are ubiquitous and non-negotiable in online services, their universal enforcement could effectively deprive Canadians of domestic protections in relation to digital activities that are increasingly critical to their daily lives. In addition, it could force any Canadian individual embroiled in a dispute with a global online platform to undertake the expense and inconvenience of suing in a foreign court.

  • – 2015-05-18 –

    CIPPIC has joined over 65 civil society organizations from around the world in an open letter to Mark Zuckerberg regarding Facebook's Internet.org initiative. Internet.org is Facebook's portal for mobile Internet access in developing countries. The portal is essentially a mobile app through which individuals can access other Internet sites, after first passing through Facebook's servers. The portal is zero rated, meaning that Facebook has entered into deals with wireless providers around the world that exclude Internet.org usage from data charges. While Facebook presents this as an altruistic initiative designed to get the next 3 billion Internet users connected, many have questioned whether it is truly altruistic or simply an attempt to place Facebook at the centre of the future Internet, establishing it as gatekeeper to downstream content and innovation. Meanwhile, the initiative detracts from other charitable efforts designed to provide true connectivity capacity in developing countries and, as domestic telcos are forced to shoulder the costs of the initiative, it is not clear what benefit Facebook provides to developing countries at all.

    Regardless of its motivation, Facebook's Internet.org leaves much to be desired. Where it is active, individuals already think of Facebook as 'the Internet'. However, the Internet provided by Facebook is a highly curated environment, which only allows sites pre-approved by Facebook that operate on Facebook's terms. In this sense, it threatens the expressive and innovative force of the Internet, which has always relied on the capacity to innovate and express without permission. It is, indeed, this 'innovation without permission' model that allowed Facebook itself to supplant MySpace as the world's leading social networking site - Facebook's ability to reach its audience was not dependent on MySpace's (or anyone else's) permission. Additionally, all Internet.org traffic passes through Facebook's servers, raising concerns it will in time feed into Facebook's broader profiling activities while acting as a one-stop hub for state censorship initiatives. Internet.org simply comes with too many strings attached.

  • – 2015-03-23 –

    Bill S-4, the Digital Privacy bill, introduces amendments to PIPEDA, Canada's federal commercial sector privacy law. The Bill, a result of PIPEDA's first five-year review conducted in 2006, introduces some long overdue improvements to Canada's privacy protection toolset at a time when privacy has never faced greater challenges. These include the adoption of a breach notification regime which would obligate companies to notify customers (as well as the Privacy Commissioner) whenever a privacy breach can place affected individuals at risk of significant harm, and the adoption of more robust consent obligations. However, as CIPPIC pointed out in its testimony and response to follow-up questions, the framework adopted by Bill S-4 in addressing these issues is flawed. The data breach notification regime in particular will fail to instill incentives for better security safeguards as it only applies to breaches that pose a significant threat of harm to affected individuals. Yet the reality of security breaches is that it will often be highly uncertain whether data was even exposed, meaning many serious breaches will go unreported. Moreover, even trivial breaches that do not pose a specific risk to individuals are often indicative of a general laxity in technical safeguards. These too will remain unreported.

    Of greater concern, the Bill also includes a number of troubling exceptions that would expand the conditions under which organizations can hand over sensitive customer information to third parties. One exception would allow ISPs, online blogging discussion fora, social media sites and others to help companies trying to sue their customers by handing over sensitive customer information. It also allows for nigh unlimited information-sharing in the context of a cybersecurity breach. Such breaches often implicate immense amounts of sensitive data. The PIPEDA amendments fail to impose any obligations for companies dealing with a breach to minimize privacy impact when handing over these data troves. Additionally, our national security agencies are increasingly implicated in domestic security breaches, yet Bill S-4 does nothing to prevent them from repurposing the data troves they receive for security breaches into general security information and keeping it indefinitely. As such, there is serious concern that the emails, financial/banking information, health data, and other sensitive information that is commonly implicated in data breaches will simply be rolled into these security agencies' general profiling activities and ultimately used against the individuals whom the data breach notification regime is supposed to protect. Indeed, Bill C-51, currently being rushed through both houses of parliament at once, will make it even easier by removing barriers to 'all of government' information sharing for cybersecurity purposes.

  • – 2015-01-28 –

    Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five Eyes partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.

    Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy-respecting manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!

  • – 2014-06-02 –

    CIPPIC testified today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics on the growing problem of identity theft. As CIPPIC highlighted in its testimony, identity theft is, in many ways, the crime of the digital age. It exploits the immense amounts of information about individuals that is available on digital networks in order to exploit them through an increasingly profitable range of fraudulent activities. The cost, time and trauma inherent in the identity recovery process make identity theft a serious social problem. CIPPIC's testimony highlighted the need for stronger privacy laws as a means of minimizing identity theft. PIPEDA, Canada's data protection law, is the primary mechanism for empowering individuals to better control their personal information. It also obligates organizations to properly safeguard their customers' personal information. However, PIPEDA lacks the most basic features of any effective regulatory regime -- enforceability and compliance incentives. These shortcomings must be addressed as part of any meaningful attempt to address the problems of identity theft. In addition, entities such as the Canadian Identity Theft Support Centre, which play a crucial role in the victim recovery process, need to be fostered and developed further. Overall, CIPPIC called for the development and adoption of a national strategy on identity theft that would adopt these and other measures in a comprehensive response to this growing problem.

  • – 2014-05-30 –

    A large coalition of Canada's leading privacy experts and civil society groups wrote to Prime Minister Stephen Harper Friday regarding the federal government's increasing failure to protect the privacy of Canadians. The letter points to the government's efforts to increase the ability of law enforcement and other state agencies to exploit new technologies in order to invade Canadians' privacy (pointing specifically to Bill C-13, currently being rushed through parliamentary committee under the guise of 'cyber bullying' legislation), while steadfastly refusing to address long-standing privacy problems raised by the same technological developments. The letter specifically points to the unchecked surveillance activities of Canada's foreign intelligence agency, CSEC, and the steadfast refusal to update ageing but central privacy and transparency statutes as indication of some of the long-standing privacy problems the government has refused to act on. It calls on the government to take its review of the privacy-invasive elements of Bill C-13 seriously, and to establish a commission to examine privacy and state surveillance in the digital age. Finally, the letter decries the controversial nomination of a government official as Privacy Commissioner of Canada, a nomination which was made in direct contradiction to the government's own selection committee. Specifically, the letter noted the problematic timing of this appointment, which arrives at a time when fundamental decisions that will affect the privacy of Canadians for decades are being made and leaves Canada without a privacy watchdog to weigh in on these formative debates.

  • – 2013-03-29 –

    CIPPIC participated in a consultation held by the Assemblée nationale du Québec on the Province's data protection and right to information framework. The consultation sought input on a set of recommendations issued by the Commission d'accès à l'information du Québec and designed to update Québec's freedom of information statute and privacy statute in light of technological changes.

    CIPPIC's submission addressed a number of the Commission's recommendations, including issues arising from risks of re-identification, the need for data minimization obligations, the need for a right to information that extends to data that must be processed before it can be released, and the need to impose an obligation on the government to proactively disclose data useful to the public in interoperable formats.