#CyberFLASH: Privacy watchdog takes part in global probe of connected devices

Canada’s federal privacy watchdog is participating in a global initiative that’s raising red flags about connected devices – everything from “smart” TVs to fitness-tracking wristbands and Internet-connected toys – and their failure to provide users with control over the personal information those gadgets collect.

The Office of the Privacy Commissioner of Canada (OPC) took part in the global “privacy sweep” in April, and is now releasing the results. The sweep involved 25 privacy authorities. It looked at 314 connected devices – often collectively referred to as the “Internet of Things” – and how they communicate their privacy practices. Canada’s focus was on 21 health and wellness devices that are popular among Canadians, including fitness trackers, smart watches, smart scales and blood pressure monitors.

They found that connected devices “fail to inform users about exactly what personal information is being collected and how it will be used” – including sensitive data such as health and financial information.

The OPC says that the concept of “the body as information” is a major focus, as health, genetic and biometric information is being tracked more than ever. During the sweep, staff used connected products and analyzed what information those devices asked for – and what privacy collection and protection information they provided to users. Nearly half of Canadian “sweepers” – OPC staff who tested the devices – and more than three-quarters of international sweepers were unable to find basic instructions on how to delete their data once they had begun using the devices.

The Global Privacy Enforcement Network, now in its fourth year, is a joint effort among privacy organizations in many countries, including the United States, Britain, members of the European Union and China, and has conducted such privacy sweeps before. By acting in tandem, the group is attempting to add global heft to major privacy concerns.

Read more here

#CyberFLASH: Update Canada’s privacy laws, but don’t look to Europe or the US for guidance, experts say

Even Justin Trudeau thinks Canada needs to update its data privacy laws for the 21st century, but the recently passed E.U.-U.S. Privacy Shield probably isn’t providing the guiding light he might be hoping for, according to several privacy experts.

Instead, the current agreement highlights the need for an update: While our own federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was deemed “adequate” by the European Commission in the early 2000s, it’s scheduled to be revisited in the near future and might not meet the E.U.’s new standards – which many privacy advocates believe don’t go far enough anyway, the University of Ottawa’s chair of Internet and e-commerce law, Michael Geist, says.

“There’s a very real possibility that the E.U. could examine the adequacy finding for Canada and raise the same kinds of concerns that came up in the context of [Privacy Shield predecessor] Safe Harbour, potentially challenging whether Canada’s existing system – given some of the things we now know about surveillance and information sharing – is deserving,” he says.

That said, “there’s still a bit of an open question as to whether [Privacy Shield itself] meets E.U. law or not,” he continues. “There was a lot of political motivation to get a deal done, but I think there remains some ongoing concerns, particularly in the privacy community, which suggests that it still could be subject to challenges.”

Approved on July 12, the agreement, which E.U. member nations must incorporate into their national laws by May 6, 2018, establishes new regulations for data transfers between the U.S. and E.U., notably by imposing limitations on the access of U.S. public authorities to European consumers’ digital information; by requiring regular updates and reviews of companies that handle personal data; and by providing a clear method of conflict resolution for E.U. residents who feel their data has been misused without their consent.

Read more here

#CyberFLASH: What your business has to know about the new privacy landscape


Chantal Bernier is former interim privacy commissioner of Canada, counsel in the global privacy and cyber-security group at Dentons LLP Canada and a senior fellow in the Graduate School of Public and International Affairs at the University of Ottawa.

Canadian businesses suddenly find themselves contending with an unusually high number of significant privacy law developments.

In April, the Office of the Privacy Commissioner of Canada delineated the rules around online behavioural advertising. In June, Parliament adopted the Digital Privacy Act, amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to create mandatory breach notification and mandatory breach recording, broaden organizations’ right to share personal information between them and allow disclosure of personal information in instances of suspected financial abuse. Also, Canadian businesses operating in Europe are seeing stricter privacy obligations looming with the adoption by the Council of Ministers of a position on the Draft European Regulation on Data protection.

Here is an overview of the legal implications of these developments and the necessary adjustments for business.

Online behavioural advertising

OBA involves tracking consumers’ activities across sites and over time in order to deliver advertising based on their inferred interests. For example, we see ads for cellphones after researching phone upgrades on the Internet.

Read more here

#CyberFLASH: Using Big Data for targeted advertising could violate Canadian privacy law


On April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note the decision did not take into account whether Bell was in compliance with the Telecommunications Act (Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).

The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.

The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behavior and patterns. Principle 4.3.6 of PIPEDA provides express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:

  • Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
  • demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
  • information generated or inferred (e.g. customer interest categories).

Read more here

#CyberFLASH: When does protecting your child become invasion of privacy?

At a time when there is outrage over government and corporate monitoring of our phone and Internet activities, as well as concerns about the omnipresence of security cameras recording our every move, there’s also a growing market for technology that helps parents monitor their kids.

Rogers, for example, has been pushing its home-monitoring video capabilities in a TV commercial that features a real Canadian mom. In the ad, Kelly Williamson is on vacation in Aruba when an alert on her smartphone tells her smoke has been detected back at her home in Newmarket, Ont. A quick check of her monitoring system’s live camera feed reveals not a kitchen in flames, but a pair of home-alone teenagers who have forgotten to flip their flapjacks.

“I know from the camera who it was,” Ms. Williamson says in the ad while her guilty 17-year-old son Ryan smiles sheepishly.

The price of that knowledge, though, is youth privacy. Surveillance whistleblower Edward Snowden said in a message delivered on Christmas Eve from Russia that “a child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves, an unrecorded, unanalyzed thought.”

Read more here


#Privacy: Lax security at Canada Revenue leads to privacy breaches

Privacy watchdog calls on federal agencies to better handle personal information

The privacy watchdog says weak security practices at the federal tax office led to thousands of files being inappropriately accessed for years without detection.

Privacy Commissioner Jennifer Stoddart has more than a dozen recommendations — including better monitoring of employee access rights — to ensure the Canada Revenue Agency protects sensitive information.

Canadians deserve to have their personal information protected, particularly when they provide it to the government under legal compulsion, Stoddart said in a news release Tuesday.

She tabled a special audit of the revenue agency along with her annual report on compliance with the Privacy Act, the law that governs how federal agencies handle personal information.

For the second year in a row, all-time highs were set for both privacy complaints about federal organizations as well as data breaches reported by departments and agencies.

From April 2012 to the end of March, Stoddart received 2,273 complaints from the public, up from 986 over the same period a year before.

Read more CBC

Facebook probe mulled by Canada’s privacy czar

CANADA — Canada’s privacy commissioner is considering a new investigation into Facebook after a report found several popular applications were sending personal user information to ad and internet tracking companies.

“If applications covered by [privacy law] are disclosing personal information without consent, that’s a significant concern to our office,” the office of Jennifer Stoddart said in a statement Monday to CBC News.

Read more on CBC dated October 18, 2010, here.

Privacy czar raps Government of Canada on wireless security

CANADA — The federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure, Privacy Commissioner of Canada Jennifer Stoddart has warned.

“Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions,” Commissioner Stoddart said. “Whether they’re using a BlackBerry, shredding old papers or disposing of outdated computer equipment, public servants need to know that the security of people’s personal data is a top priority.”

Read more by Office of Inadequate Security dated October 5, 2010, here.
