Privacy - News

  • – 2018-03-06 –

    CIPPIC has been granted leave to intervene in R. v. Jarvis, SCC Case No. 27833. The case is an appeal of an Ontario Court of Appeal decision acquitting a teacher of a charge under the voyeurism provisions of the Criminal Code. The accused had used a camera pen to surreptitiously take videos of the chests and cleavage of female students. The decision under appeal determined that the videos were not taken in “circumstances giving rise to a reasonable expectation of privacy”, an element necessary to establish the offense of voyeurism.

    CIPPIC will argue that the Court should interpret “circumstances giving rise to a reasonable expectation of privacy” consistently with the Court’s well-established jurisprudence on privacy: privacy is normative, contextual, and not risk-based.

  • – 2017-12-21 –

    CIPPIC has filed its intervention factum in Her Majesty the Queen in Right of British Columbia v. Philip Morris International, Inc., SCC No. 37524. The case presents the Supreme Court with a conflict of values: do the privacy interests of third parties bar a defendant to an action from accessing large health datasets in order to challenge the results of the plaintiff’s analysis of that data?

    CIPPIC argues that this conflict between privacy and transparency will be mediated by the dual protections of anonymization procedures, implemented in accordance with guidelines familiar to the health industry, and flexible judicial safeguards embedded in disclosure orders.

    The case raises important issues about the right to challenge the outcomes of analytics performed on large data sets. As we increase our reliance on big data and algorithmic decision-making technologies, privacy and accountability will be increasingly at issue.

  • – 2017-12-06 –

    CIPPIC has been granted leave to intervene in Her Majesty the Queen in Right of British Columbia v. Philip Morris International, Inc., SCC No. 37524. The case involves the defendant's pre-trial discovery of the health-related databases of B.C. in the province's action against the defendant for recovery of the health care costs to the province caused by Philip Morris' tobacco products. CIPPIC's intervention will address (1) privacy and the risks of re-identification, (2) the need for those affected by government decisions based on large datasets to be able to challenge the data itself and to test (and contest) the algorithms used to arrive at its analyses, and (3) how to balance privacy with accountability in this context.

    The case raises important issues about the right to challenge the outcomes of analytics performed on large data sets. As governments increase their reliance on big data and algorithmic decision-making technologies, privacy and government accountability will be increasingly at issue and, at times, at odds.

  • – 2017-06-23 –

    In a 4-3 decision, the Supreme Court of Canada ruled in Douez v Facebook Inc, 2017 SCC 33, that Facebook’s efforts in its terms of service to require Canadians to pursue grievances with Facebook in California courts instead of Canadian courts are unenforceable.

    The case involved a class action against Facebook alleging violations of BC's Privacy Act. The class action could not proceed, however, as Facebook argued that its terms of service require disputes to be resolved in California courts and under California law. Historically, the Supreme Court of Canada's jurisprudence favoured enforcement of these “forum selection clauses” on the rationale that holding sophisticated commercial parties to their jurisdictional choices advances the underlying principles that private international law seeks to achieve.

    However, online platforms now routinely impose non-negotiable choice of forum and law clauses in their terms of service, which consumers must accept on a take-it-or-leave-it basis. This places a heavy burden on individuals, who are left with no option but to enforce their rights in foreign courts and under foreign laws. This is especially problematic where laws implicating constitutionally protected rights are invoked, as different jurisdictions must have leeway to apply different standards of freedom of expression and privacy to their denizens. CIPPIC's intervention therefore argued that enforcing forum selection clauses imposed onto online customers on a non-negotiable basis will undermine the principles of order, fairness and comity which private international law seeks to achieve.

  • – 2017-06-01 –

    CIPPIC has been awarded a grant from the Office of the Privacy Commissioner of Canada, through its Contributions Program, for a research project analyzing the activities of data brokers in Canada.

    The project, titled Back on the Data Trail, examines the evolution of the Canadian data broker industry over the past decade. The project picks up CIPPIC’s prior OPC-funded work in this field: in 2006, CIPPIC published a study of Canada’s data broker industry: On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. Over a decade later, and despite radical structural changes in Canada’s data broker industry, this report continues to be the leading analysis of the industry. Indeed, the Research Group of the Office of the Privacy Commissioner of Canada’s 2015 discussion paper on the industry, Data Brokers: A Look at the Canadian and American Landscape (September 2014), relied heavily on CIPPIC’s now-dated 2006 report. It is past time to update this important research.

  • – 2016-09-20 –

    CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

    CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

    UPDATE: In December 2016, ETHI released the results of its study in a report entitled "Protecting the Privacy of Canadians: Review of the Privacy Act". The Report adopts many of CIPPIC's recommendations.

  • – 2016-08-26 –

    CIPPIC's application for leave to intervene has been granted in Douez v Facebook Inc, SCC File No 36616, an appeal that raises fundamental questions regarding the nature of online jurisdiction, e-consumer protection and privacy. Specifically at issue is a forum selection clause imposed by Facebook onto all of its customers, on a take it or leave it basis, mandating that all disputes be brought against it in California. On the basis of this clause, it was held that a class action launched against Facebook in BC and alleging violations of BC privacy laws cannot proceed.

    Managing online jurisdiction - where services can have significant global presence and impact on a largely virtual basis - has strained digital policy since the early days of the world wide web. However, CIPPIC's proposed intervention intends to argue that forum selection clauses are ill-suited as a means of navigating the challenges posed by global online services. A mandatory, non-negotiable forum selection clause effectively opts a service provider out of Canadian standards and laws as foreign courts tend to apply their own rules and standards. As forum selection clauses are ubiquitous and non-negotiable in online services, their universal enforcement could effectively deprive Canadians of domestic protections in relation to digital activities that are increasingly critical to their daily lives. In addition, it could force any Canadian individual embroiled in a dispute with a global online platform to undertake the expense and inconvenience of suing in a foreign court.

  • – 2015-05-18 –

    CIPPIC has joined over 65 civil society organizations from around the world in an open letter to Mark Zuckerberg regarding Facebook's Internet.org initiative. Internet.org is Facebook's portal for mobile Internet access in developing countries. The portal is essentially a mobile app through which individuals can access other Internet sites, after first passing through Facebook's servers. The portal is zero rated, meaning that Facebook has entered into deals with wireless providers around the world that exclude Internet.org usage from data charges. While Facebook presents this as an altruistic initiative designed to get the next 3 billion Internet users connected, many have questioned whether it is truly altruistic or simply an attempt to place Facebook at the centre of the future Internet, establishing it as gatekeeper to downstream content and innovation. Meanwhile, the initiative detracts from other charitable efforts designed to provide true connectivity capacity in developing countries and, as domestic telcos are forced to shoulder the costs of the initiative, it is not clear what benefit Facebook provides to developing countries at all.

    Regardless of its motivation, Facebook's Internet.org leaves much to be desired. Where it is active, individuals already think of Facebook as 'the Internet'. However, the Internet provided by Facebook is a highly curated environment, which only allows sites pre-approved by Facebook that operate on Facebook's terms. In this sense, it threatens the expressive and innovative force of the Internet, which has always relied on the capacity to innovate and express without permission. It is, indeed, this 'innovation without permission' model that allowed Facebook itself to supplant MySpace as the world's leading social networking site - Facebook's ability to reach its audience was not dependent on MySpace's (or anyone else's) permission. Additionally, all Internet.org traffic passes through Facebook's servers, raising concerns it will in time feed into Facebook's broader profiling activities while acting as a one-stop hub for state censorship initiatives. Internet.org simply comes with too many strings attached.

  • – 2015-03-24 –

    Bill S-4, the Digital Privacy bill, introduces amendments to PIPEDA, Canada's federal commercial sector privacy law. The Bill, a result of PIPEDA's first five-year review conducted in 2006, introduces some far overdue improvements to Canada's privacy protection toolset at a time when privacy has never faced greater challenges. These include the adoption of a breach notification regime which would obligate companies to notify customers (as well as the Privacy Commissioner) whenever a privacy breach can place affected individuals at risk of significant harm, and the adoption of more robust consent obligations. However, as CIPPIC pointed out in its testimony and response to follow-up questions, the framework adopted by Bill S-4 in addressing these issues is flawed. The data breach notification regime in particular will fail to instill incentives for better security safeguards as it only applies to breaches that pose a significant threat of harm to affected individuals. Yet the reality of security breaches is that it will often be highly uncertain whether data was even exposed, meaning many serious breaches will go unreported. Moreover, even trivial breaches that do not pose a specific risk to individuals are often indicative of a general laxity in technical safeguards. These too will remain unreported.

    Of greater concern, the Bill also includes a number of troubling exceptions that would expand the conditions under which organizations can hand over sensitive customer information to third parties. One exception would allow ISPs, online blogging discussion fora, social media sites and others to help companies trying to sue their customers by handing over sensitive customer information. It also allows for nigh unlimited information-sharing in the context of a cybersecurity breach. Such breaches often implicate immense amounts of sensitive data. The PIPEDA amendments fail to impose any obligations for companies dealing with a breach to minimize privacy impact when handing over these data troves. Additionally, our national security agencies are increasingly implicated in domestic security breaches, yet Bill S-4 does nothing to prevent them from repurposing the data troves they receive for security breaches into general security information and keeping it indefinitely. As such, there is serious concern that the emails, financial/banking information, health data, and other sensitive information that is commonly implicated in data breaches will simply be rolled into these security agencies' general profiling activities and ultimately used against the individuals whom the data breach notification regime is supposed to protect. Indeed, Bill C-51, currently being rushed through both houses of parliament at once, will make it even easier by removing barriers to 'all of government' information sharing for cybersecurity purposes.

  • – 2015-01-29 –

    Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five Eyes partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.

    Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy-respecting manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!