#CyberFLASH: Do You Consent? Four Ways to Strengthen Digital Privacy

CPT500317455_highPrivacy laws around the world may differ on certain issues, but all share a key principle: the collection, use and disclosure of personal information requires user consent. The challenge in a digital world where data is continuously collected and can be used in a myriad of previously unimaginable ways is how to ensure that the consent model still achieves the objective of giving the public effective control over their personal information.

The Office of the Privacy Commissioner of Canada released a discussion paper earlier this year that opened the door to rethinking how Canadian law addresses consent. The paper suggests several solutions that could enhance consent (greater transparency in privacy policies, technology-specific protections), but also raises the possibility of de-emphasizing consent in favour of removing personally identifiable information or establishing “no-go” zones that would regulate certain uses of information without relying on consent.

My weekly technology law column (Toronto Star version, homepage version) notes that the deadline for submitting comments concludes this week and it is expected that many businesses will call for significant reforms to the current consent model, arguing that it is too onerous and that it does not serve the needs of users or businesses. Instead, they may call for a shift toward codes of practice that reflect specific industry standards alongside basic privacy rules that create limited restrictions on uses of personal information.

Suggestions from Canadian business that stronger consent rules are too difficult or costly is nothing new. During the heated debate over anti-spam legislation, the business community claimed that an “opt-in” model of consent that would require a more explicit, informed agreement from users would be expensive to implement and would create great harm to electronic commerce. Yet the reality is that the opt-in model is used in many other countries to provide better privacy protection and improve the effectiveness of electronic marketing.

Read more here

#CyberFLASH: Canada’s privacy law ‘ill-suited’ to 21st century, watchdog warns Trudeau

1297658073661_ORIGINALOTTAWA—Canada’s privacy watchdog has warned Prime Minister Justin Trudeau that federal privacy protections are “ill-suited” for the 21st century.

In a letter obtained by the Star, Privacy Commissioner Daniel Therrien told Trudeau the rules around government’s handling of private information has not kept up with technological advances or society’s expectations.

The Privacy Act, which governs how the federal government uses Canadians’ personal information, has not been substantially changed since it was introduced in 1983.

When the law was introduced, most government business was conducted on paper. Now, government departments and agencies increasingly hold vast sums of information electronically — bringing a new set of issues, challenges, and vulnerabilities.

“One of the biggest changes in the privacy realm is technology, Canadians’ relationship to it, and the desires by government and industry to harness its power for various purposes,” Therrien wrote in a Nov. 10 letter, obtained under access to information law.

“In this complex, new environment, modernization of our privacy framework and the pressing need for greater transparency around how technology is used is critical to maintaining citizens’ trust in government and the digital economy.”

The Star requested an interview with Therrien but he was unavailable.

This isn’t the first time the issue has been raised with Parliamentarians. In a March 22 letter to the House of Commons committee on privacy issues, Therrien provided 16 recommendations to modernize the Privacy Act — and warned that the legislation is becoming increasingly irrelevant.

Read more here

#CyberFLASH: Using Big Data for targeted advertising could violate Canadian privacy law


BCE Beats Profit Estimates as Smartphone Subscribers GainOn April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act(PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note the decision did not take into account whether Bell was in compliance with the Telecommunications Act(Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).

The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.

The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behavior and patterns. Principle 4.3.6 of PIPEDA provides express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:

  • Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
  • demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
  • information generated or inferred (e.g. customer interest categories).

Read more here

#CyberFLASH: Fredericton company’s new app helps parents monitor kids’ driving

pdphonejpg-jpg-size-xxlarge-letterboxFREDERICTON — A new smartphone app means parents can now be backseat drivers to their kids, without having to leave home, and an Internet and privacy lawyer says its use raises some interesting questions.

Fredericton-based GeodeTech has released its GeodeVu tracking app that records a driver’s route along with driving behaviours, such as speeding, hard braking, and even distracted driving.

“We call our product a solution for driver analysis and behaviour coaching,” said Michel Chiasson, the company’s CEO.

“As you start driving around, what’s going to happen is you will see the true behaviours coming through,” he said.

The app can be downloaded for free on Android, iOS and Blackberry 10 phones, while the tracking service will cost you a monthly rate of $9.95.

The app uses the GPS and other functions in the driver’s phone to track its location, and whether it’s used for calls or texting while the car is in motion.

Parents concerned with ongoing driver training can log into a website to see where and how their child has been driving.

“What are the great behaviours that we want to reinforce and what are things that we want to change?” said Chiasson.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.