[CivicAccess-discuss] Fwd: Update on Privacy From Canada

Tracey P. Lauriault tlauriau at gmail.com
Tue Jun 3 22:55:03 AEST 2014


fyi

---------- Forwarded message ----------
From: Kevin Chan <kevin.chan20 at gmail.com>
Date: Tue, Jun 3, 2014 at 12:40 PM
Subject: Update on Privacy From Canada
To: "Kevin Chan (kevin.chan20 at gmail.com)" <kevin.chan20 at gmail.com>


Dear friends and colleagues,

I thought you might find my latest entry for Stanford's Center for Internet
and Society of interest, which provides an update on privacy matters in
Canada.  Please feel free to share with others. Your thoughts and feedback,
as always, are welcome.

https://cyberlaw.stanford.edu/blog/2014/06/update-privacy-canada

Best regards,

Kevin

 ---
Kevin Chan
Deputy Secretary-General and Secretary-General Designate, McGill University
and
Non-Residential Fellow, Stanford Law School, Center for Internet and Society
http://cyberlaw.stanford.edu/about/people/kevin-chan


*Update on Privacy From Canada*

In unveiling its Speech From the Throne
<http://www.speech.gc.ca/eng/full-speech> (SFT) last October, the
Government spelled out its priorities and governing agenda leading up to
the next federal election, scheduled for fall 2015.  At the time, I
identified
<https://cyberlaw.stanford.edu/blog/2013/10/privacy-and-canadian-speech-throne>
a
few areas in the policy document that could have implications for privacy,
and since then there have been significant developments for many of them.
Below, I provide an update on the state of privacy in Canada, including the
nomination of Daniel Therrien as the new Privacy Commissioner of Canada.

*Cyberbullying*

As it committed to do in the SFT, on November 20, 2013, the Government
introduced in Parliament Bill C-13, *The Protecting Canadians from Online
Crime Act*
<http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=6311444>.
Prior to its introduction, I had written
<http://www.theglobeandmail.com/globe-debate/canada-needs-a-sweeping-strategy-to-fight-cyberbullying/article15505007/>
in
the *Globe and Mail* about some of the key considerations for such a bill
with my colleague Shaheen Shariff of McGill University.  The Bill, still
before Parliament, is designed to update Canadian criminal law to address
the issue of cyberbullying, among other things creating a new criminal
offence for the non-consensual distribution of intimate images.

Bill C-13 also includes various provisions concerning lawful access that
had proven contentious
<http://www.theglobeandmail.com/news/politics/how-the-toews-sponsored-internet-surveillance-bill-quietly-died/article4179310/>
when
the Government previously introduced them in 2012 in the form of Bill C-30,
and they did not become law.  These additional provisions allow for various
means of communication access and interception by law enforcement agencies,
but jettison the most controversial amendments of C-30 related to
warrantless access to basic subscriber information.

At the time of writing, Bill C-13 is set for passage through the House of
Commons, despite calls by some
<http://www.cbc.ca/news/politics/cyberbullying-victims-parents-divided-over-privacy-concerns-in-online-bill-1.2641104>
–
including the parent of one prominent cyberbullying victim – to sever the
legislation into two parts, allowing the cyberbullying portions to be
passed while holding back the lawful access components for further study.
Should it be approved by the House of Commons by majority vote this spring,
the Bill will then be referred to the Senate for further consideration.

*Government Surveillance and Lawful Access*

While the debate on the appropriate balance between public security and
privacy remains much more acute in the US, the issue has spilled into the
public realm in Canada.  In addition to the ongoing debate around Bill
C-13, in January 2014, the Office of the Privacy Commissioner (OPC) tabled
a special report
<http://www.priv.gc.ca/information/sr-rs/201314/sr_cic_e.asp> to Parliament
that assessed the current oversight mechanisms for government surveillance
and made ten recommendations on how to strengthen transparency and
accountability in the system.

Subsequently, in April 2014, it was revealed
<http://www.huffingtonpost.ca/2014/04/30/warrantless-disclosure-telecoms-canada_n_5233399.html>
through
an access to information request that telecommunications companies
operating in Canada responded to almost 1.2 million requests by law
enforcement agencies in 2011 for basic subscriber information, without the
consent or notification of these subscribers.  The voluntary sharing of
this information is allowed for under Canada’s private-sector privacy
legislation, the *Personal Information Protection and Electronic Documents
Act* <http://laws-lois.justice.gc.ca/eng/acts/P-8.6/> (PIPEDA).

The resulting concern over these voluntary disclosures and the broader use
of signals intelligence has led to significant public debate, with the *Globe
and Mail*, Canada’s national newspaper, calling
<http://www.theglobeandmail.com/globe-debate/editorials/we-need-a-royal-commission-on-spying/article18786038/>
for
a Royal Commission on the matter of lawful access and privacy.  As new
technologies and business models have the potential to permanently reshape
the balance between public safety and privacy, the general matter of
privacy in the digital age is turning out to be one of the defining public
policy challenges of our time.  A non-partisan, independent and expert
group struck to study and make recommendations on this issue might indeed
be a wise course of action.

*Digital Privacy Act*

One important development that was not identified in the Speech From the
Throne was the Government’s introduction earlier this spring of Bill S-4,
the *Digital Privacy Act*
<http://www.parl.gc.ca/HousePublications/Publication.aspx?DocId=6524312>, a
signature element in its new digital economy strategy
<http://www.ic.gc.ca/eic/site/028.nsf/eng/home>.  The legislation is the
latest attempt at PIPEDA reform, which dates back to 2006.

Unlike past iterations of legislative change, amendments contained in S-4
are in many cases new and significant.  As contemplated under the Bill,
private sector companies that experience a data breach that “creates a real
risk of significant harm” must notify individuals and report such breaches
to the Privacy Commissioner.

S-4 also clarifies the definition of consent for the collection, use or
disclosure of personal information to ensure that such consent is only
valid “if it is reasonable to expect that an individual to whom the
organization’s activities are directed would understand the nature, purpose
and consequences of the collection, use or disclosure….”  This
clarification should help address the challenges of obtaining meaningful
consent from younger individuals and the elderly.

Finally, S-4 would introduce a new innovation in the form of compliance
agreements between the Privacy Commissioner and private-sector companies.
Such agreements would allow the Commissioner to work with companies to
address deficient privacy practices without resorting to lengthy and costly
legal action, and to seek compliance from the courts to enforce the
agreements if necessary.

While these are certainly all positive developments for federal privacy law
in Canada, some had hoped for more and bolder reforms
<http://www.priv.gc.ca/parl/2013/pipeda_r_201305_e.asp>, including monetary
penalties for privacy breaches and order-making powers for the Commissioner
without need to refer to the courts.  Michael Geist, an expert on digital
issues at the University of Ottawa, has raised concerns
<http://www.michaelgeist.ca/content/view/7106/125/> that provisions in S-4
may further expand the voluntary sharing of personal information with more
governmental agencies.

Two other points are worth noting here.  The mandatory breach notification
obligation as contemplated under S-4 does not extend to the public sector.
Under the Treasury Board Secretariat’s current Guidelines for Privacy
Breaches <http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=26154&section=text>,
governmental departments “should consider notifying individuals whose
personal information has been wrongfully disclosed, stolen or lost”, but
this is not required.  Given the fact that governmental agencies are
amassing significant amounts of personal information, it would seem
incongruous that mandatory breach notification should exist for the private
sector but not for the public sector.

The second point has to do with the resourcing that will likely be required
for the Office of the Privacy Commissioner to effectively take on its new
responsibilities.  If as expected the OPC receives significantly more
notifications under a new mandatory breach notification requirement than it
has in the past, it will likely need to develop new protocols and processes
to deal specifically with this new function within the office. This will
put pressure on existing resource levels and staff.

*Nomination of a New Privacy Commissioner*

On May 28, the Prime Minister nominated
<http://pm.gc.ca/eng/news/2014/05/28/pm-nominates-next-privacy-commissioner>
Daniel
Therrien as the new Privacy Commissioner of Canada.  A career civil
servant, Mr. Therrien is currently Assistant Deputy Attorney General for
Public Safety, Defence and Immigration at the Department of Justice, and
was the co-lead on negotiations with the US for the privacy principles
<http://actionplan.gc.ca/en/backgrounder/bap-paf/statement-privacy-principles-united-states-and-canada>
governing
the exchange of information between Canada and the US under the Beyond the
Border Action Plan.  As the position enjoys the status of an independent
Agent of Parliament, the nomination is subject to a vote in the House of
Commons and in the Senate.

Reaction to the nomination has been strong, garnering significant
mainstream media attention.  While the governing party and the Leader of
the Liberal Party, the second opposition party in Parliament, support
<http://www.cbc.ca/news/politics/liberals-ndp-disagree-on-daniel-therrien-pm-s-choice-for-privacy-job-1.2658481>
the
nomination, some Canadian privacy advocates have written
<https://openmedia.ca/sites/openmedia.ca/files/Privacy_Letter_to_PM_Harper_140530.pdf>
to
the Prime Minister expressing their concern over the appointment, as has
the Leader of the Opposition
<http://www.cbc.ca/news/politics/pm-s-pick-of-daniel-therrien-as-privacy-watchdog-alarms-ndp-1.2657639>.
With a majority of Members of Parliament and Senators supportive of the
nomination, the appointment is expected to be approved.

The first new Privacy Commissioner in ten years, coming at a time of
significant change in the world of privacy, is an exciting prospect.  As
Mr. Therrien settles into his new position, he will surely have many issues
to grapple with.  Some of the key, strategic questions he could consider
are:

-  What is the appropriate balance between public safety/national security
and privacy in the digital age?

-  What is the appropriate balance between innovation/economic growth and
privacy in the digital age?

-  How should the capable staff of the Office of the Privacy Commissioner
be best aligned to safeguard the privacy of Canadians in a time of such
unprecedented technological change?

Privacy watchers will no doubt be keenly watching to see how these and
other questions are addressed in the coming months.

*Kevin Chan <http://cyberlaw.stanford.edu/about/people/kevin-chan>, a
Non-Resident Fellow at Stanford’s Center for Internet and Society, was
previously Director of Policy, Parliamentary Affairs and Research in the
Office of the Privacy Commissioner of Canada (OPC).  His thoughts and
writings are his own, and do not represent the views of the OPC.  He can be
reached at kevin_chan at actioncanada.ca.*



-- 
Tracey P. Lauriault
http://traceyplauriault.wordpress.com/2013/07/23/moving-to-ireland/
https://gcrc.carleton.ca/confluence/display/GCRCWEB/Lauriault
http://datalibre.ca/