Privacy and Text Messages

In December, the Supreme Court of Canada issued two important decisions on the reasonable expectation of privacy in text messages.

The decisions relate to two issues. First, does the sender of a text message continue to have a privacy interest in the content of the text message after the message has been sent? The court said that the sender could have a continuing privacy interest depending on the circumstances. Second, what are the obligations of law enforcement to obtain judicial authorization to obtain copies of past text messages through production orders to telecommunications service providers? The court concluded that there was a difference between seeking past messages and future messages. This meant that law enforcement could obtain past messages from the telecommunications service provider under a lower standard of care.

You can find my analysis of these cases in an article, “Defining privacy in text messages – a step forward and maybe a step back”, for the International Association of Privacy Professionals.

Consent and the Connected Car – Is this the right choice?

Recently, Daniel Therrien, the Privacy Commissioner of Canada, made a written submission to the Standing Senate Committee on Transport and Communications on the privacy issues relating to connected vehicles. This submission supplemented the Commissioner’s oral remarks to the Committee on March 28, 2017.

The Commissioner’s written submission follows the release of the Office of the Privacy Commissioner’s draft guidelines on consent. Unsurprisingly, the Commissioner focused on the role of consent in protecting the privacy interests of consumers. The Commissioner allowed that “there may be some collections, uses or disclosures in which it might be inappropriate for the driver to control how the information is used.” The Commissioner cited the situation where the use or disclosure of data is “necessary” for road safety as an example. However, overall, the Commissioner’s emphasis is on consent and meaningful user choice.

The Commissioner’s room to manoeuvre is constrained by the requirements of the governing legislation that the Commissioner must enforce — the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires meaningful, informed consent for the collection, use and disclosure of personal information. The Commissioner’s emphasis on consent is understandable.

However, if we think beyond PIPEDA, would we really design a consent-based model for the features of a connected car? Would this be the right way to balance the interests of vehicle manufacturers, vehicle owners/lessees, rental car companies, passengers, insurers, law enforcement, urban planners, cyclists, pedestrians, and other stakeholders? Given the stakeholders and the context — driving is a licensed activity — is this an area where there might be more room to apply a broader set of policy considerations instead of focusing on consumer choice? Should the focus really be on notice and consent?

A multi-faceted approach would acknowledge that certain interests may take priority over consumer choice when engaging in a licensed activity. For example, manufacturers and Transport Canada have a legitimate interest in detecting vehicle flaws that could endanger passengers and others. Manufacturers and environmental protection agencies also have a legitimate interest in continual improvement of the longevity and energy efficiency of vehicles. Moreover, city planners and transportation managers have legitimate interests in affecting traffic flows in real time and understanding driving behaviour with greater precision using larger data sets. Do these interests rise to the level of “necessity” as the Commissioner would suggest might be required in order to jettison a notice and consent model? Should they have to?

There are also other means to regulate uses of information in order to mitigate harms to individuals without focusing on consumer choice. Manufacturers and others could be encouraged to implement privacy enhancing features by eliminating the need for consent when the collection, use and disclosure of information falls within a socially acceptable zone that involves few risks. Using technology to limit harm could be supplemented with targeted regulatory protections that do not prohibit the collection of data but rather discriminatory or other harmful uses of the data. Long before we had statutory privacy laws in most of the country, we had human rights legislation prohibiting certain harmful, discriminatory uses of personal information.

Just a thought.

Click to read the Commissioner’s Submission to the Standing Committee.

Click to read the draft Guidelines on Consent.

Employees, Non-Profits and Privacy

Canada is not a bastion of employee privacy rights. In fact, many provinces provide no statutory privacy protections to private sector employees. However, even where employees have been included in provincial privacy legislation – such as in Alberta – the law can still be patchy.

Let’s take the interesting case of Castledowns Bingo Association (Order P2017-07) in Alberta. The key issue for the adjudicator was whether Alberta’s Personal Information Protection Act (PIPA) applied to the employee-complainant. Spoiler alert – the employee won the battle on the application of PIPA but lost the war as to whether PIPA had been breached.

So why is this case interesting? PIPA only applies to non-profit organizations to the extent that the organization is collecting, using or disclosing personal information “in connection with a commercial activity.” So is collecting, using and disclosing information about an employee “in connection with a commercial activity”? Here’s the problem: it is well-established that managing an employment relationship is not a commercial activity. The fact that the employee is paid does not make the employment relationship a commercial activity.

That should have been the end of it. However, the adjudicator clearly was not satisfied by leaving non-profit employees outside of PIPA and so contorted the meaning of “in connection with”. Without directly rejecting the idea that the management of an employment relationship is not a commercial activity, the adjudicator concluded that the real issue was whether the employee was performing a commercial activity. If so, then the collection, use or disclosure of personal information was “in connection with” a commercial activity. This involved reading “in connection with” as meaning “in relation to” or “in association with” – instead of sticking with the words as enacted by the Legislature.

Of course, this resulted in some arbitrary results for the adjudicator, which were essentially left unresolved. An employee in the bingo hall would not be covered (not performing a commercial activity), but an employee in the lounge would be. The employee in the lounge would be covered, but, according to the adjudicator, the back office employee would not be (because bookkeeping is not directly performing a commercial activity even if the funds came from a commercial activity).

You can read the Castledowns Bingo Association case here.

Guide to PIPEDA 2018

The 2018 Edition of the Guide to the Personal Information Protection and Electronic Documents Act is available.


You can find it at the LexisNexis Online Store. The new edition contains information on cases up to the last quarter of 2017. The edition includes discussion of:

  • the privacy breach regulations
  • the Supreme Court of Canada’s decision on implied consent
  • how PIPEDA compares with the GDPR
  • how to address international data transfers

It could have been worse – Canada’s Breach Regulations

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguard Regulations. These Regulations fill in some missing elements of Canada’s federal data breach law that was enacted as part of the Digital Privacy Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

For the most part, ISED came through with manageable requirements for organizations. Here’s my take on the good stuff:

  • The Regulations track the Alberta requirements. For the most part ISED has followed the Alberta requirements for the content of the regulatory reports and for individual notifications.
  • Organizations don’t need to speculate in writing about the “risk of harm” to individuals. The Alberta law requires organizations to report to the Alberta Office of the Information and Privacy Commissioner (OIPC) whenever a “reasonable person” would consider there to be a “real risk of significant harm” from the loss of or unauthorized access to personal information. The OIPC then decides whether the organization must notify individuals by second-guessing the organization’s real risk of significant harm analysis. This is a quirky feature of the Alberta law. Thankfully, that same quirk wasn’t carried over into PIPEDA. Perhaps as a result, the federal Regulations do not require organizations to engage in this speculative analysis in their reports to the OPC. Yay!
  • The Regulations contain some consumer-friendly enhancements to the individual notification requirements. Organizations must include a toll-free number or email address to ask questions about the incident. In addition, organizations must tell individuals about the organization’s internal complaints process and the right of affected individuals to complain to the OPC.
  • The Regulations provide for flexibility in terms of how organizations may notify affected individuals – email or other secure electronic methods (provided the individual has consented) or traditional means such as by a letter to the last known address, by phone or in person are all permitted. The Regulations also provide that indirect notification through posting on the organization’s website (conspicuously) for 90 days or more or by publishing advertisements that are likely to come to the attention of the individual are acceptable in some circumstances. Those circumstances include where the cost of direct notification would be prohibitive, the organization doesn’t have current contact information, or direct notification could cause harm to the individual.
  • The record-keeping requirements are much less onerous than feared. Organizations are required to keep a record of every loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards. On its plain reading, this does not mean a record of every suspected or possible loss or unauthorized access or unauthorized disclosure. In terms of the content of the records, ISED has left that to the organization to decide provided that the records contain sufficient information for the OPC to assess whether the organization is meeting its obligations under the data breach provisions of PIPEDA. Records must be kept only for 2 years.

There is one area of major disappointment. ISED had an opportunity to short-circuit the long-running feud between the Canadian Commissioners who see the ghost of significant harm everywhere and organizations trying to apply the test of “real risk of significant harm” in a sensible way. The ISED could have decided, for example, that the unauthorized access to properly encrypted data did not create a real risk of significant harm. Frankly, the loss of a credit card number that has been reported to the card issuers hardly constitutes a risk of harm (once reported). Alas, the feud will continue unless the Commissioners take a more realistic approach.

The draft Regulations are subject to change, so check the final version! Read the draft here. There is a 30-day comment period. After that, ISED can either publish amended regulations or register the final version and specify a date on which they will come into force.

De-Identification, Intermediary Liability & Gender Stereotypes – Friday Files

This week’s resources for weekend reading!

  • De-identification Guidelines. ICYMI the Ontario Information and Privacy Commissioner has developed a resource page for de-identification, which includes the IPC’s June 2016 De-identification Guidelines for Structured Data. The International Conference of Data Protection & Privacy Commissioners have shortlisted the Guidelines for the Global Privacy and Data Protection Awards 2017 in the Research Category. Read the De-identification Guidelines here.
  • Intermediary Liability and Online Marketing. Do social media platforms that display advertising have any potential liability for deceptive advertising? In the United States, section 230 of the Communications Decency Act provides that a website or other Internet publisher will not be deemed to be the publisher of content that is provided by another information content provider. This is a key part of Google’s claim that the Canadian Supreme Court went too far in its worldwide injunction (discussed in my blog post here). In Canada, the conventional wisdom has been that platforms are unlikely to be liable if it is clear from placement and context that the advertisement is a third-party advertisement and the platform has not had any involvement in the content of the advertisement or knowledge that it is deceptive. However, if there is actual knowledge (e.g. by being put on notice), the situation could change. If you are interested in these questions, Lavery, de Billy has an interesting discussion of this topic that you can locate here.
  • Gender Stereotypes. The UK Advertising Standards Authority has issued a report, Depictions, Perceptions and Harm, calling for stronger regulation of advertising containing stereotypical gender roles or characteristics. The report is based on qualitative research on the harms created by gender stereotyping. You can find the report here. Advertising Standards Canada has had guidelines on Gender Portrayal in one form or another since 1981. The current Guidelines contain six basic principles: (1) women and men should have equal representation in roles of authority; (2) women and men should be portrayed as decision-makers for purchases; (3) there should not be inappropriate use or exploitation of sexuality; (4) no sexual violence or domination; (5) women and men should be portrayed “in the full spectrum of diversity” and equally competent in activities; and (6) advertising should avoid language that misrepresents or offends or excludes men or women.

Thoughts on the ECJ Passenger Name Record Data Decision

The European Court of Justice concluded that there were flaws in the agreement between the European Community and the Government of Canada regarding passenger name record data. The purpose of the agreement was to permit commercial airlines to send to the Canadian Border Services Agency (CBSA) passenger information on commercial flights departing the EU for Canada. The agreement was necessary, in part, because data can only be transferred from the EU to Canada if it is given adequate protection. An international commitment, such as the agreement between the EU and Canada, could form the basis of adequate protection.

So, what lessons can we learn from the ECJ’s July 26, 2017 opinion that the agreement provided inadequate protection to the personal information of European Union residents?

Lesson #1: Canada’s adequacy designation is limited

In recent weeks, there has been an uptick in “panic” over whether Canada’s adequacy designation will survive its next review when the EU’s General Data Protection Directive comes into force in May 2018. Calls for strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) are based on claims (so far unsubstantiated with any evidence) that Canada’s economy will be harmed by the loss of Canada’s adequacy ruling.

However, Canada’s adequacy ruling has always been limited, as the ECJ’s decision illustrates. It doesn’t cover data being transmitted to the CBSA and other Canadian governmental agencies. So the transfers needed to be legitimized by an agreement between the EU and Canada.

It isn’t just transfers of data to Canadian governmental agencies that fall outside of Canada’s adequacy ruling. The ruling only applies to transfers of data about European Union residents to organizations that are subject to PIPEDA. Since most employee data is not covered by PIPEDA, the ruling has always had a major hole in it. That hole was widened when the Article 29 Working Party (a group of EU Data Protection Authorities) declined to recommend Quebec for adequacy designation, even though Quebec’s privacy law has been declared by the Canadian government to be substantially similar to PIPEDA. This decision threw into doubt whether data can be transferred from the EU into Quebec and then used in Quebec under the adequacy ruling.

Lesson #2: Comity is the key issue

The ECJ’s issues with the passenger name record data transfers were essentially that the agreement just wasn’t precise enough. There is no suggestion that Canada has to change its laws.

Here’s where the agreement failed:

  • it did not specify the specific data fields that were going to be the subject of the data transfers
  • it failed to provide sufficient guarantees that the data would be used to fight terrorism and international crime
  • it failed to commit to the principle that the models that would be used by Canada to automatically process the data would be reliable and non-discriminatory
  • it failed to commit that the data would only be used during the passenger’s stay in Canada and for a limited period after departure
  • it failed to commit to destroy data for passengers after their departure if there was no objective evidence of being linked to terrorism or serious transnational crime
  • it failed to require the CBSA to notify passengers that their data had been used
  • it failed to commit to ensuring any onward transfer by the CBSA to other agencies would be subject to similar protections
  • it failed to commit to only sharing data with governmental authorities of other countries with whom the EU had an agreement or that had an adequacy designation covering the recipients
  • it failed to commit to Canada being subject to any oversight body with respect to its use of the data.

Fair enough. The EU wants to ensure that if it is authorizing the handover of data, Canada will respect the EU’s interest in protecting its residents. This isn’t about Canada’s laws or the EU requiring Canada to “measure up”. It is about commitments that the EU has made to its own residents and ensuring that Canada respects EU laws with respect to the data Canada gets from the EU. That’s just asking for substantive comity.

Lesson #3: Comity is compatible with independence

Canada can respect the EU’s vision of privacy rights for its residents without the necessity of abandoning its own public policy choices. An international agreement is an appropriate way to reconcile the two views. It isn’t necessary for one country simply to cede to the public policy choices of the other.

Motivated governments will find solutions. Look south of the border to the United States. Despite ongoing disputes between the EU and Silicon Valley companies, data is still flowing. It is open for governments to negotiate agreements directly with the EU in order to permit data flows. This is exactly what the US government did with the Safe Harbor Program and when that fell due to insufficient safeguards, the US government negotiated the Privacy Shield. If that goes, there will be another agreement or companies can enter into model clauses or binding corporate rules – essentially, voluntarily agreeing to abide by EU rules to do business in the EU. That’s not at all unusual in the world of consumer protection.

Whether Canada should or should not amend its own privacy laws is a question that Canadians should engage with in the context of their own vision of privacy and their own balancing of various human rights. It shouldn’t and doesn’t depend on the promises the EU has made to its own residents.

Interested in the ECJ Opinion? You can find it here.