Privacy

Litigation

PIPEDA Complaints

Law Reform

How do we measure bicycle traffic in a way that respects citizens' privacy? CIPPIC's team working on a Sidewalk Labs Small Grant presented its findings today. Great work, Keri Grieman, Johann Kwan and Stephanie Williams! Key findings on best practices:

  • Use technologies that limit the collection of personal information
  • Store data securely
  • Limit data collection to only that which is needed
  • Ensure that partners or contractors follow collection restrictions
  • Notify individuals that their data is being collected
  • Install counting devices when creating a new space
  • Hide or mask sensitive locations

The Electronic Frontier Foundation (EFF) released a timely white paper this week examining the negative implications and chilling effects that various cybercrime provisions throughout the Americas can have on coders' rights and specifically on security researchers. Entitled "Protecting Security Researcher's Rights in the Americas", the analysis explores a range of cybercrime regimes nominally intended to criminalize unauthorized access to or disruption of computer systems. However, these laws have been framed so broadly as to impose a serious chilling effect on the vital activity of security researchers. Drawing on the Inter-American human rights framework (of which Canada is a partial adherent), some national jurisprudence, and principles of criminal law, the paper argues for cybercrime regimes that accommodate beneficial security work. There must be latitude for non-malicious security testing, for the dissemination of critical security tools and for the responsible publication of discovered security breaches.

Sadly, current laws are framed so broadly that they have had a serious chilling effect on socially beneficial security work. Those who discover security breaches face severe legal threats and sometimes even criminal consequences for attempting to bring these to the host organization's attention. The result is that security breaches are increasingly likely to remain unresolved until they are discovered by someone seeking to exploit, rather than merely to expose. The paper, to which CIPPIC provided substantive contributions, calls for clearer standards to remedy this situation.

The Supreme Court of Canada issued its ruling in Rogers Communications Inc v Voltage Pictures LLC, 2018 SCC 38, today, the latest installment in a long series of ongoing efforts by Voltage to establish a controversial mass copyright litigation model in Canada and the first decision to meaningfully interpret Canada's notice-and-notice regime. As CIPPIC argued in its intervention, which was ably prepared by our external counsel, Jeremy de Beer and Bram Abramson, the decision under appeal discouraged ISPs from conducting rigorous quality assurance checks necessary to reduce mis-identification of customers accused of copyright infringement. It also placed the cost burden of increasingly expansive copyright litigation models on customers of ISPs. All this, in turn, jeopardizes privacy rights of mis-identified customers; exposes innocent individuals to legal threats and costly lawsuits; raises Canada's Internet access fees (already amongst the highest in the world) even higher; and undermines competition by disproportionately impacting smaller ISPs who are less able to diffuse the costs of robust quality assurance.

The ruling narrowed a prohibition, imposed by the Federal Court of Appeal, on any cost recovery for quality assurance protocols employed by ISPs when compelled to identify customers in the context of a copyright lawsuit. The court held that ISPs will be permitted to recover some (but not all) of these costs, sending the matter back to the Federal Court for determination of what specific quality assurance protocols are reasonable and non-duplicative. This, in turn, removes cost-based disincentives for ISPs to adopt robust quality assurance protocols.

Image credits (left to bottom right): smileycreek, "Don't Feed The Trolls", October 4, 2014, Flickr, CC-BY-NC-SA 2.0; h0us3s, "Hazard Warning-Electricity", September 11, 2006, OpenClipart, CC-0 1.0; jaschon, "Padlock Icon", July 25, 2010, OpenClipart, CC-0 1.0.

CIPPIC has filed its factum in R. v. Jarvis, SCC Case No. 27833, the voyeurism case involving the high school teacher charged with voyeurism under s. 162(1)(c) of the Criminal Code for using a camera pen to surreptitiously take videos of female students which focused on their chests and cleavage area. The Ontario Court of Appeal concluded that the videos were not taken in "circumstances" in which students had "a reasonable expectation of privacy", a necessary element of the offense. 

CIPPIC disagrees.  We argue that the phrase, "circumstances giving rise to a reasonable expectation of privacy", must be interpreted consistently with other areas of law that see privacy as equality-enhancing, normative, contextual, and non-risk based.  Our colleague Jane Bailey took the pen and makes a strong case for a robust vision of privacy - one that enhances equality and the ability to assert control over sexual and bodily integrity.

CIPPIC has been granted leave to intervene in R. v. Jarvis, SCC Case No. 27833. The case is an appeal of an Ontario Court of Appeal decision acquitting a teacher of a charge under the voyeurism provisions of the Criminal Code. The accused had used a camera pen to surreptitiously take videos of the chests and cleavage of female students. The decision under appeal determined that the videos were not taken in “circumstances giving rise to a reasonable expectation of privacy”, an element necessary to establish the offense of voyeurism.

CIPPIC will argue that the Court should interpret “circumstances giving rise to a reasonable expectation of privacy” consistently with the Court’s well-established jurisprudence on privacy: privacy is normative, contextual, and not risk-based.

CIPPIC has filed its intervention factum in Her Majesty the Queen in Right of British Columbia v. Philip Morris International, Inc., SCC No. 37524. The case presents the Supreme Court with a conflict of values: do the privacy interests of third parties bar a defendant to an action from accessing large health datasets in order to challenge the results of the plaintiff’s analysis of that data?

CIPPIC argues that this conflict between privacy and transparency will be mediated by the dual protections of anonymization procedures, implemented in accordance with guidelines familiar to the health industry, and flexible judicial safeguards embedded in disclosure orders.

The case raises important issues about the right to challenge the outcomes of analytics performed on large data sets. As we increase our reliance on big data and algorithmic decision-making technologies, privacy and accountability will be increasingly at issue.

Office of the Privacy Commissioner, 2010 Consultation on Online Privacy

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

CIPPIC actively participated in a multidisciplinary research project funded by the Social Sciences and Humanities Research Council (SSHRC) Initiatives on the New Economy (INE) Program that focuses on issues of anonymity and authentication.

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposition to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

Open Smart Cities FAQ

Introduction 

“Smart” city technologies collect, analyse, and use data to improve city life. Data collection can be active or passive, and data analysis can reveal patterns in how people work, live, and travel. Many cities use sensors to passively collect data about how people use bridges and roads, while some cities actively collect data about residents, using cameras to gather traffic data or “smart” meters to show how people use water and electricity.

Smart city initiatives are often public-private partnerships, involving two or more public and private sector organizations working together towards a long-term goal. For example, in 2016, Ottawa and Gatineau partnered with Strava, a fitness tracker company, to gather information about how residents use urban bike infrastructure. The cities intend to use this data to make the nation’s capital region more bike-friendly. Larger scale projects, such as Sidewalk Labs’ proposal for a connected community on Toronto’s Eastern waterfront, engage complex legal issues and involve dozens of public and private stakeholders.

FAQ on privacy and copyright issues raised by photography-related activities.

Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.

Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers' need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.

Resources on RFID technologies and their privacy implications.

The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.

National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.

Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.

Regulators provide guidance on mobile privacy, tracking & advertising

Voltage v. Doe, Federal Court, 2013

A.B. v. Bragg Communications, 2012 SCC 46, SCC File No. 34240, Anonymity in judicial proceedings

Warman v. Fournier, 2010 ONSC 2126, [2010] 100 O.R. (3d) 648, 319 D.L.R. (4th) 268 (Ont. Div. Ct.)

CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. This finding was in response to CIPPIC's complaint against Abika.com.

Royal Bank of Canada - Refusal to deal for secondary purposes

CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.

PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI

CIPPIC asks the Privacy Commissioner to audit Google to investigate the implications of its merger with online ad network DoubleClick

PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Winners/Homesense (collection minimization & disclosure for secondary purposes)

Sony/BMG Rootkit

Canadian Banks and SWIFT

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent, and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found our complaints about lack of openness and consent to be well-founded, but resolved as Ticketmaster agreed to change its policies and practices accordingly.

Resources

CIPPIC's letter, Nov. 17, 2005.

 

InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry.

Abika.com and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, Abika.com and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the Abika.com "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation of his privacy. The violation occurred when a Scotiabank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.

Resources

Privacy Commissioner, letter, July 13, 2005.

 

MBNA Mastercard (Blanket consent to unlimited & unnecessary use/disclosure)

House of Commons ETHI Committee Study: Privacy & Social Media Sites

Industry Canada: Questionnaire on Updating OECD Privacy Guidelines

Modernizing Convention 108: the Council of Europe's Privacy Framework

OPC Consultations on Online Tracking, Behavioural Targeting & Cloud Computing

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customers' information. It also includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

Canada's 2010 Digital Economy Consultation

Data Breach Notification

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).

APEC Cross Border Privacy Rules

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.