Privacy

Litigation

PIPEDA Complaints

Law Reform

The Federal Court granted CIPPIC leave to intervene in a Reference, FC File No T-1779-18, that could have wide-ranging impact on the scope of protection offered by PIPEDA, Canada's primary federal privacy law. The Reference questions whether core features of the digital economy will continue within PIPEDA's jurisdiction.

PIPEDA, Canada's premiere e-commerce privacy legislation, primarily applies to data processing carried out in the course of 'commercial activity'. The arguments advanced in this Reference would exclude platforms such as Google and Facebook from PIPEDA's protection on the basis that data collection of user-generated activity such as search querying or clicking on social media posts on Facebook does not constitute 'commercial activity'. Yet many e-commerce platforms are explicitly designed to maximize data collection from user-generated activities as the primary core of their commercial enterprise. These platforms regularly offer services at low or no cost as a means of incentivizing user activity on their platform, specifically so the data created by that activity can be collected and monetized. As this business model is endemic throughout the digital economy, the proposed definition of PIPEDA could have far-reaching implications for privacy in Canada. In its proposed intervention, CIPPIC will argue that this outcome ignores the text and purpose of PIPEDA, which has been described as 'consumer protection legislation for the digital age'.

Image Source: Learntek, "big-data-analytics", April 23, 2018, Flickr, CC-0 1.0

In partnership with our fellow Samuelson-Glushko Clinic at the University of Colorado, CIPPIC today submitted comments to the Office of the Privacy Commissioner regarding two of its proposals for reforming PIPEDA—Canada's federal private-sector privacy statute—to deal with the challenges posed by artificial intelligence. Our submissions on behalf of 25 privacy scholars from Canada, the United States, and Europe—led by Prof. Margot Kaminski of the University of Colorado and CIPPIC Director Vivek Krishnamurthy—respond to OPC's proposals to amend PIPEDA to “[p]rovide individuals with a right to explanation and increased transparency when they interact with, or are subject to, automated processing” (Proposal 4), and “[r]equire the application of Privacy by Design and Human Rights by Design in all phases of processing, including data collection” (Proposal 5).

Specifically, our submissions suggest that a revised PIPEDA should include:

1. An individual right to an explanation of an algorithmic decision with significant effects on individuals;

2. Legal requirements for the application of Privacy and Human Rights by Design in all phases of data processing;

The Supreme Court of Canada today its decision in R v Jarvis, voyeurism case where a high school teacher used a pen cam to surreptitiously record multiple videos focused mainly of the chest and cleavage area of several female students and one female colleague.

The majority of the Ontario Court of Appeal acquitted the defendant2017 ONCA 778, finding that while the photos were taken for a sexual purpose, the young women he targeted did not have a reasonable expectation of privacy in the school setting where the photos were taken, an essential element of the voyeurism offense.

The Supreme Court of Canada is set to release its decision on a much anticipated case addressing privacy, equality and sexual violence this Thursday, February 14, 2019.

On the day of its release, the University of Ottawa’s Faculty of Law will host a discussion on the decision at 4:00 pm in Room 570, Fauteux Hall, 57 Louis-Pasteur Private. All are welcome to attend.

On April 20, 2018 the Supreme Court heard R v Jarvis, SCC file number 37833 a voyeurism case where a high school teacher used a pen cam to surreptitiously record multiple videos focused mainly of the chest and cleavage area of several female students and one female colleague. Jarvis was acquitted at trial. The Court of Appeal upheld that acquittal in R v Jarvis, 2017 ONCA 778, finding that while the photos were taken for a sexual purpose, the young women he targeted did not have a reasonable expectation of privacy in the school setting where the photos were taken, an essential element of the voyeurism offence.

The central question before the Supreme Court was when do people have a reasonable expectation of privacy? Is it only when they are shielded from public view? When they are dressed modestly? Or can privacy be understood in a more nuanced way?

CIPPIC has joined Mozilla, Access, Reporters Without Borders, and several other organizations in an open letter calling on Facebook to live up to its transparency promises. The letter calls out Facebook for blocking transparency tools employed by ProPublica, demanding that the platform provide API access to its promised political transparency tools.  As is now widely acknwoledged, Facebook and its various communications platforms have been leveraged by a wide range of political actors-both foreign and domestic-in their efforts to disrupt democratic processes in a number of jurisdictions around the world. Disinformation campaigns have become an instrumental force, evident in the UK's 'Vote Leave' referendum, the 2016 US Presidential elections, and the 2018 Brazilian elections which propelled far-right candidate Jair Bolsonaro to the presidency.

Against this backdrop, Facebook has undertaken various efforts to address these challenges. This has included a third-party academic body empowered to provide select academic researchers with access to elements of its content under controlled conditions. Among these is a novel 'open advertisement' mechanism designed to let individuals see all advertisements sent by a single entity through its platform. This tool is designed in part to address so-called 'dark advertising', where political actors send highly individualized and micro-targeted messages to different people based on their data-intensive profiling. Currently, only intended recipients see any given advertisement, allowing political actors to send conflicting or even discriminatory messaging with relative impunity. The problem is that Facebook has refused to provide API access to its open advertising platform, making it functionally difficult if not impossible to conduct the type of meaningful analysis necessary to meet the challenges posed by its services to democratic processes. Not only has Facebook refused to provide API access, but it has actively blocked existing tools used by ProPublica to supplement the shortcomings of its own transparency mechanisms. Meanwhile, a recent CBC study, which leveraged Twitter's API-enabled political messaging transparency tool, analyzed over 9 million tweets to demonstrate significant foreign influence in Canadian discussions surrounding pipelines and immigration. With upcoming federal elections in 2019, Canada cannot afford to be complacent about this issue.

UPDATE: Facebook has responded by committing to develop and roll out an open API for its political advertising archive. This positive step towards transparency has been met with cautious optimism.

Image Source: Yomare, "Hand Puppet Snowman", May 22, 2015, Pixabay, Pixabay License

How do we measure bicycle traffic in a way that respects citizens' privacy? CIPPIC's team working on a Sidewalk Labs Small Grant presented its findings today. Great work, Keri Grieman, Johann Kwan and Stephanie Williams! Key findings on best practices:

  • Use technologies that limit the collection of personal information
  • Store data securely
  • Limit data collection to only that which is needed
  • Ensure that partners or contractors follow collection restrictions
  • Notify individuals that their data is being collected.
  • Install counting devices when creating a new space
  • Hide or mask sensitive locations

Office of the Privacy Commissioner's Office, 2010 Consultation on Online Privacy

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

CIPPIC actively participated in a multidisciplinary research project funded by the Social Sciences and Humanities Research Council (SSHRC) Initiatives on the New Economy (INE) Program that focuses on issues of anonymity and authentication.

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes.  As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

Open Smart Cities FAQ

Introduction 

“Smart” city technologies collect, analyse, and use data to improve city life. Data collection can be active or passive, and data analysis can reveal patterns in how people work, live, and travel. Many cities use sensors to passively collect data about how people use bridges and roads, while some cities actively collect data about residents, using cameras to gather traffic data or “smart” meters to show how people use water and electricity.

Smart city initiatives are often public-private partnerships, involving two or more public and private sector organizations working together towards a long-term goal. For example, in 2016, Ottawa and Gatineau partnered with Strava, a fitness tracker company, to gather information about how residents use urban bike infrastructure. The cities intend to use this data to make the nation’s capital region more bike-friendly. Larger scale projects, such as Sidewalk Labs’ proposal for a connected community on Toronto’s Eastern waterfront, engage complex legal issues and involve dozens of public and private stakeholders.

FAQ on privacy and copyright issues raised by photography-related activities.

Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.

Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.

Resources on RFID technologies and their privacy implications.
The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.

National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.

Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.

Regulators provide guidance on mobile privacy, tracking & advertising

Voltage v. Doe, Federal Court, 2013

A.B. v. Bragg Communications, 2012 SCC 46, SCC File No. 34240, Anonymity in judicial proceedings

Warman v. Fournier, 2010 ONSC 2126, [2010] 100 O.R. (3d) 648, 319 D.L.R. (4th) 268 (Ont. Div. Ct.)

CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. This finding was in response to CIPPIC's complaint against Abika.com.

Royal Bank of Canada - Refusal to deal for secondary purposes

CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.

PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI

CIPPIC asks the Privacy Commissioner to Audit Google to investigate the implicatios of its merger with online ad network DoubleClick

PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Winners/Homesense (collection minimization & disclosure for secondary purposes)

Sony/BMG Rootkit

Canadian Banks and SWIFT

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent , and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found that our complaints about lack of openness and consent to be well-founded, but resolved as Ticketmaster agreed to change its policies and practices accordingly.

Resources

CIPPIC's letter, Nov.17,2005.

 

InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry.

Abika.com and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, Abika.com and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the Abika.com "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation to his privacy. The violation occurred when a ScotiaBank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.

Resources

Privacy Commissioner, letter, July 13,2005.

 

MBNA Mastercard (Blanket consent to unlimited & unnecessary use/disclosure)

Houst of Commons ETHI Committee Study: Privacy & Social Media Sites

Industry Canada: Questionnaire on Updating OECD Privacy Guidelines

Modernizing Convention 108: the Council of Europe's Privacy Framework

OPC Consultations on Online Tracking, Behavioural Targeting & Cloud Computing

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

Canada's 2010 Digital Economy Consultation

Data Breach Notification

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).

APEC Cross Border Privacy Rules

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.