Bill C-58 – Flaws in the government’s access to information reform

Freedom of information nerds may be interested in following the debate on reforms to Canada’s Access to Information Act proposed by the Liberal government. The Government is making enemies of lawyers (through the perceived incursion on solicitor-client privilege) and judges (by subjecting their expenses to proactive disclosure).

I’ve written a summary of the debate for the International Association of Privacy Professionals that you can find here.

Does the OPC really need a massive increase in funding?

In a recent letter to the Standing Committee on Access to Information, Privacy and Ethics, Daniel Therrien, the Privacy Commissioner of Canada, suggested that a 90% increase in funding for the Office of the Privacy Commissioner (OPC) was required to have a “true impact in protecting Canadians’ privacy rights”.

OPC receives $25 million already

The OPC’s current funding is approximately $25 million per year. The Commissioner considered a $23 million increase to be “realistic”. However, the Commissioner added that it had only sought a more “modest” $8 million increase, which represented a 30% increase to permanent funding. The Commissioner cited “rapidly evolving privacy threats” for the budgetary increases and noted that a 90% increase in funding would be in line with increases to the UK Information Commissioner’s Office.

What a 90% increase buys

The Commissioner argues that a 30% increase would allow for a “limited number of proactive promotion and compliance activities”. The backlog of existing complaints would be “reduced” but not eliminated.

However, with a 90% increase, the Commissioner says that the OPC could provide more advisory services to businesses than it does at present. The increase in funding would also be used to engage in “targeted advertising to bring individuals to our site when they are about to make a decision on whether to disclose their personal information.” Backlogs could be reduced and more proactive activities could be undertaken.

Is a 90% increase necessary?

One of the justifications for a 90% increase is the desire to provide more advisory services. However, the OPC has not demonstrated that it has explored available options to work with stakeholders when developing guidance. The Personal Information Protection and Electronic Documents Act (PIPEDA) was born out of a voluntary industry code. Quite literally, the main substantive protections in PIPEDA are in Schedule 1 to the legislation, which was that industry code. Arguably, PIPEDA has stood the test of time precisely because the provisions of Schedule 1 were developed by industry stakeholders with an understanding of the operational impacts of the provisions they were drafting.

The OPC could take a lesson from that success. The OPC could increase the use of working groups of stakeholders to draft guidance on important topics. This shared responsibility model would have the benefit of developing industry and consumer group buy-in.  It would also shift the expense of developing that advisory guidance to stakeholders. It would be more likely to produce guidance that is relevant and attuned to operational realities.

The OPC also wants money for advertising. In particular, the OPC wants to “use contextual advertising to bring individuals to [the OPC’s] site when they are about to make a decision on whether to disclose their personal information”. There is a certain irony in the OPC wanting to engage in targeted online advertising of individuals when the OPC has been so hostile to the interest-based advertising industry.

The fact that the OPC feels the need to engage in this type of advertising is an indictment of its resistance to developing model privacy notices. The OPC missed an opportunity during the consultations on consent to modernize and standardize how disclosures are made.

The OPC could have identified types and uses of data that a reasonable person would expect when engaging in online activities. Disclosures regarding these uses could have been done in a short-form manner and only those uses falling outside of these categories would need to be highlighted.

In exchange for using the short-form disclosure, the organization could have been required to link back to educational material at the OPC website. While large, international organizations may not have adopted this approach due to potential operational complexities, this would have solved a problem for numerous small and medium-sized enterprises.

No, the OPC does not need a 90% increase in funding. It needs to work more creatively with industry.

Check out Commissioner Therrien’s letter here.

Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a complaint about the organization’s breach reporting.

See the Order in Council here.

Trains, Voice and Video Recorders, and PIPEDA

In a late move, the Office of the Privacy Commissioner of Canada has raised concerns with the privacy exceptions in Bill C-49 regarding the use of locomotive voice and video recorders (LVVRs). The exceptions would diminish the protections of railway engineers under the Personal Information Protection and Electronic Documents Act, according to Commissioner Therrien. The Bill has already passed third reading before the House of Commons. When asked by the Senate Committee studying the Bill whether the OPC had raised the concerns before the House of Commons, Commissioner Therrien frankly admitted that the OPC had missed the significance of the amendments until they saw the debates in Parliament.

The LVVR Initiative

In 2015, the Transportation Safety Board of Canada (TSB) conducted a study on the potential use of LVVRs. The study was conducted in the wake of several high-profile railroad accidents in Canada. The TSB ultimately concluded that LVVR technology would enhance rail safety if implemented.

The Government of Canada included the mandatory use of LVVR in Bill C-49, which promises to modernize aspects of Canada’s legislation governing rail, air and marine transportation. Unions have raised concerns regarding the privacy implications of the LVVR technology. Apart from the general objection to the constant surveillance that employees would be under in the locomotive, unions have objected to employers having access to LVVR recordings. Unions fear the data could be used against employees if it could be routinely reviewed by railway companies. They argue that the data should only be available to the TSB during an incident investigation.

The OPC’s Concerns

For privacy advocates, there is another aspect of Bill C-49 that is of interest and was the subject of concerns raised by the Privacy Commissioner of Canada, Daniel Therrien, when he appeared before the Senate Committee on Transportation and Communications to discuss Bill C-49. The role of the OPC in overseeing the privacy practices of the railway companies in connection with the LVVRs will be diminished, given the way that Bill C-49 has been drafted.

It appears that the intention was to protect against the OPC scrutinizing the use of LVVR data by railway companies. To accomplish this, Bill C-49 provides explicit carve-outs from the application of the Personal Information Protection and Electronic Documents Act (PIPEDA). These carve-outs disturb the Commissioner. In particular:

  • Railway companies do not have to comply with section 7 of PIPEDA, which restricts the ability to collect, use or disclose personal information without consent
  • Railway companies do not have to comply with the principles in Schedule 1 of PIPEDA regarding the collection, use, disclosure and retention of information

The Commissioner is concerned that the OPC’s jurisdiction to investigate complaints under PIPEDA may be in doubt. Naturally, if a railway company may collect, use and disclose personal information in the LVVRs without regard to section 7 of PIPEDA and Schedule 1 of PIPEDA, it will argue that the OPC has no jurisdiction to hear complaints on these issues.

Further, the OPC is concerned that an individual may not have a right of access to the personal information in the LVVRs as would otherwise be required by PIPEDA in light of section 28 of the Canadian Transportation Accident Investigation and Safety Board Act, which restricts to whom the LVVR data could be disclosed.

Find Bill C-49 on LegisInfo here.

Read the TSB Railway Safety Issues Investigation Report R16H0002 here.

Read the transcript of Commissioner Therrien’s remarks before the Senate Committee here.

ETHI Report on PIPEDA is Coming Soon

The Standing Committee on Access to Information, Privacy and Ethics will be tabling its report sometime soon following the resumption of Parliament on Monday, February 26th. The Report title will be “Towards Privacy by Design: A Review of the Personal Information Protection and Electronic Documents Act.” The title provides a strong hint that the report will be advocating including an express obligation in PIPEDA to require organizations to adopt privacy by design and by default. If adopted, this would bring Canada’s laws one step closer to Europe’s General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Privacy by Design is a made-in-Canada concept and so it would be fitting for it to “come home”.

Read my article for the International Association of Privacy Professionals (IAPP) titled “Legislating privacy by design in Canada” here.

Learn about Privacy by Design here.

Using the Criminal Code to Require News Media to “Un-Publish” Fails

In Canada, s. 486.4(2.1) of the Criminal Code provides for an order protecting a victim of a crime from having any information that could identify the victim “published in any document or broadcast or transmitted in any way.” The victim has to be under 18 years of age.

A recent decision of the Supreme Court considered a case in which the Crown wanted information published online prior to a publication ban to be “un-published” by the news organization.

R. v. Canadian Broadcasting Corp dealt with an application for an interim injunction to require the CBC to “un-publish” a story about a murder. Essentially, the facts of the case were: An individual was charged with the murder of a person under the age of 18. The CBC reported on the case and published the victim’s name before the Crown obtained a publication ban regarding the name of the victim. The Crown wanted the CBC to remove the information on the CBC’s website. The CBC refused. The Crown sought an interlocutory order requiring the CBC to remove the name of the victim until the hearing to decide whether the CBC was in criminal contempt for failing to remove the name of the victim.

The Crown was obliged to establish that it had a “strong prima facie case” in order to obtain the interlocutory order requiring the CBC to remove the identifying information of the victim. This is because the order would compel the CBC to “do” something. If the order simply required the CBC to refrain from doing something, the test would be lower.

The key issue was whether the Crown had a strong prima facie case that the CBC was intentionally disobeying a court order. The Crown attempted to argue that publishing on the CBC website was a continuous activity. On this theory, the CBC was directly and intentionally violating the publication ban, even if the original publication occurred prior to the publication ban. The Supreme Court did not rule out the possibility that the Crown would be successful. However, the court concluded that the Crown did not have a strong prima facie case that the publication was a continuous activity. The result was that the CBC did not have to remove the identifying information.

We should be cautious in suggesting that the court’s decision is relevant to the current debate in Canada regarding the type of “right to be forgotten” that the Office of the Privacy Commissioner of Canada (OPC) has suggested exists under Canada’s private sector privacy law. I discussed this “right to be forgotten” in a recent post on the OPC’s draft Position on Online Reputation. In that draft Position paper, the OPC suggested that individuals have the right, in certain circumstances, to have inaccurate online information about them removed and could even require search engines to remove or suppress search results for an individual’s name on the basis that the information about the individual was not accurate.

There is a fairly wide gulf between the CBC case and the type of “right to be forgotten” discussed by the OPC. Nevertheless, there is one intriguing point of relevance. The court seemed quite skeptical that the mere fact that information remained available online meant that it was being “continuously” published. Provided that the “story” was not “updated” (i.e. “republished”), perhaps the court might be reticent to require the editing of historical documents. It is too soon to tell but not too soon to think about. 

Read R. v. Canadian Broadcasting Corp, 2018 SCC 5.

Chasing the Autonomous Vehicle – International Trade Matters

What influence will the United States have on the public policy choices available to federal and provincial governments in Canada regarding autonomous and connected vehicles? That issue was not explored in any depth in the Canadian Senate’s important report on automated and connected vehicles (released January 29, 2018). True, one of the Senate’s 16 recommendations focused on international cooperation with the United States. However, this recommendation was focused on making sure that vehicles “worked” in both countries from a technical perspective. That is simply table stakes. International trade with the United States may be a critical factor in demarcating what practical options are available to Canadian regulators in important areas such as privacy and cybersecurity.

There were an estimated 263 million registered passenger vehicles in the United States in 2015. By comparison, Statistics Canada tells us that there were 24 million registered road motor vehicles in Canada in 2016. The total number of vehicles in Canada follows the general rule when comparing Canada and the United States. We have 1/10 the population. So, it won’t be surprising that we have very roughly 1/10 the number of passenger vehicles on the road.

The size of the Canadian market compared to that of the United States is an important context for determining design priorities for auto manufacturers. Another related factor is the speed with which the U.S. has moved in developing a regulatory environment. The U.S. Department of Transportation has already developed a voluntary code of safety design elements. It has also issued cybersecurity best practices.  The Senate noted that 21 U.S. States and Washington D.C. have enacted automated vehicle legislation. Federal U.S. legislation is likely inevitable. Although the U.S. Department of Transportation has not taken a prescriptive approach to safety design elements, it is likely only a matter of time before it does so. Once the technology matures, the U.S. regulatory approach is to be much more prescriptive than its Canadian counterparts. As between designing for a prescriptive standard and designing for a “principled-based” standard, the prescriptive standard wins.

The Senators clearly recognized the importance of cooperation with the United States. Recommendation 3 was for Transport Canada to strengthen its work on automated and connected vehicles with the United States through the Regulatory Cooperation Council “to ensure that these vehicle will work seamlessly in both countries.” However, there are many other areas in which cooperation might be required in order to achieve public policy goals. For example, five of the Senate’s 16 recommendations related to privacy and cybersecurity:

Recommendation 6: Transport Canada to work with the Communications Security Establishment and Public Safety Canada to develop cybersecurity guidance.

Recommendation 7: Transport Canada to work with Public Safety Canada, the Communications Security Establishment and industry stakeholders to address cybersecurity issues and a real-time crisis connect network.

Recommendation 8: Strengthen the powers of the Office of the Privacy Commissioner of Canada to proactively and enforce industry compliance with the Personal Information Protection and Electronic Documents Act.

Recommendation 9: The Government of Canada to continue to assess the need for privacy regulations specific to the connected car.

Recommendation 10: Transport Canada to bring together stakeholders to develop a connected car framework, with privacy protection as one of its key drivers.

Apart from Recommendation 8, the question is whether deep “privacy-by-design” and “security-by-design” features can be embedded in automated and connected vehicles without close cooperation between Canada and the United States. This spans more than transportation regulatory authorities. It requires cooperation from multiple regulators who have responsibilities for privacy: the Federal Trade Commissioner, U.S. State Attorneys General, Canadian federal and provincial Privacy Commissioners, and many others.

Read the Senate Report: Driving Change: Technology and the future of the automated vehicle.