#CyberFLASH: What your business has to know about the new privacy landscape


Chantal Bernier is former interim privacy commissioner of Canada, counsel in the global privacy and cyber-security group at Dentons LLP Canada and a senior fellow in the Graduate School of Public and International Affairs at the University of Ottawa.

Canadian businesses suddenly find themselves contending with an unusually high number of significant privacy law developments.

In April, the Office of the Privacy Commissioner of Canada delineated the rules around online behavioural advertising. In June, Parliament adopted the Digital Privacy Act, amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to create mandatory breach notification and mandatory breach recording, broaden organizations’ right to share personal information between them and allow disclosure of personal information in instances of suspected financial abuse. Also, Canadian businesses operating in Europe are seeing stricter privacy obligations looming with the adoption by the Council of Ministers of a position on the Draft European Regulation on Data protection.

Here is an overview of the legal implications of these developments and the necessary adjustments for business.

Online behavioural advertising

OBA involves tracking consumers’ activities across sites and over time in order to deliver advertising based on their inferred interests. For example, we see ads for cellphones after researching phone upgrades on the Internet.

Read more here

#CyberFLASH: Using Big Data for targeted advertising could violate Canadian privacy law

 

On April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note the decision did not take into account whether Bell was in compliance with the Telecommunications Act (Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).

The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.

The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behavior and patterns. Principle 4.3.6 of PIPEDA provides that express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:

  • Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
  • demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
  • information generated or inferred (e.g. customer interest categories).

Read more here

#CyberFLASH: Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.

Read more here

#CyberFLASH: Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on practical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

Read more here

#CyberFLASH: Canada joins global sweep of kids’ online privacy

Sometimes it can seem that kids are more digitally savvy than the adults around them. Children are playing games on mobile devices, watching videos online, and exploring various websites. But are those apps and websites taking enough precautions to protect children’s privacy?

That’s the question at the heart of a global investigation taking place this week involving privacy organizations in 21 countries, including the Office of the Privacy Commissioner of Canada (OPC).

These organizations will be examining the apps and websites that are most popular among children in each country. (In Canada, “children” means those under age 12, though this may differ in some places.)

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement.

The sweep, which began Monday and runs through Friday, was initiated by the members of the Global Privacy Enforcement Network, and includes countries such as the United States, the United Kingdom, China, Germany, France and Mexico.

Read more here

#CyberFLASH: We’re taking your Online Privacy concerns straight to the B.C. Legislature and we need to hear from you


Ever wanted to have your opinions heard by key decision makers in B.C.? Now’s your chance. Our own David Christopher has been invited to present the pro-Internet community’s concerns about privacy to key MLAs of the B.C. Legislature. David will be offering testimony about the privacy implications of B.C.’s Personal Information Privacy Act (PIPA).

PIPA is the provincial equivalent of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It sets out how many commercial entities in British Columbia should safeguard their customers’ privacy. There are a number of key concerns with PIPA in its current form:

  • It allows for your personal information to be handed to government authorities without a warrant, and without your consent.

  • It allows for your personal information to be handed to other organizations, in some circumstances without your consent.

  • Citizens don’t even get notified that their information has been handed over without their consent.

  • Warrantless requests for private information were recently ruled unconstitutional by the Supreme Court, and B.C.’s provincial legislation needs to be updated to reflect that.

Read more here

#CyberFLASH: For Canada’s Spies, Your Data Is Just a Phone Call Away


To access an unlimited trove of personal information, all a government spy has to do in Canada is pick up a phone and call your internet provider—no written request required.

That revelation, brought to light by three different Canadian lawyers who’ve dealt directly with the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, regional police, and the Communications Security Establishment Canada, comes amid a string of startling revelations on the privacy front in Canada. This comes just weeks before Bill C-13 will make it easier for police to access online information without judicial authorization.

While there has been much debate about Bill C-13 and the Harper government’s plans to aid data collection, it’s already relatively easy for law enforcement to collect data. Under Canadian voluntary disclosure law, police are free to request, obtain, and use personal data. ISPs are free to provide it. Bill C-13 promises to expand law enforcement’s data collection power while providing the ISPs with immunity from lawsuits and criminal charges.

Read more here

#CyberFLASH: Harper privacy amendments make things worse, says critic


The Harper government is touting its proposed Digital Privacy Act for offering new protections to Canadians surfing the Internet and shopping online, and for making it mandatory for organizations covered under the law to report data breaches.

However, Ottawa Internet lawyer and University of Ottawa law professor Michael Geist has a more critical view.

In a blog post Thursday, he agrees that the act – actually amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) – has positive points, including the disclosure obligation.

However, he believes the bill also includes language that “could massively expand warrantless disclosure of personal information” not just to law enforcement agencies but to any other organization.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.