Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or as a result of a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a complaint about the organization’s breach reporting.

See the Order in Council here.

Trains, Voice and Video Recorders, and PIPEDA

In a late move, the Office of the Privacy Commissioner of Canada has raised concerns with the privacy exceptions in Bill C-49 regarding the use of locomotive voice and video recorders (LVVRs). The exceptions would diminish the protections of railway engineers under the Personal Information Protection and Electronic Documents Act, according to Commissioner Therrien. The Bill has already passed third reading before the House of Commons. When asked by the Senate Committee studying the Bill whether the OPC had raised the concerns before the House of Commons, Commissioner Therrien frankly admitted that the OPC had missed the significance of the amendments until they saw the debates in Parliament.

The LVVR Initiative

In 2015, the Transportation Safety Board of Canada (TSB) conducted a study on the potential use of LVVRs. The study was conducted in the wake of several high-profile railroad accidents in Canada. The TSB ultimately concluded that LVVR technology would enhance rail safety if implemented.

The Government of Canada included the mandatory use of LVVR in Bill C-49, which promises to modernize aspects of Canada’s legislation governing rail, air and marine transportation. Unions have raised concerns regarding the privacy implications of the LVVR technology. Apart from the general objection to the constant surveillance that employees would be under in the locomotive, unions have objected to employers having access to LVVR recordings. Unions fear the data could be used against employees if it could be routinely reviewed by railway companies. They argue that the data should only be available to the TSB during an incident investigation.

The OPC’s Concerns

For privacy advocates, there is another aspect of Bill C-49 that is of interest and was the subject of concerns raised by the Privacy Commissioner of Canada, Daniel Therrien, when he appeared before the Senate Committee on Transportation and Communications to discuss Bill C-49. The role of the OPC in overseeing the privacy practices of the railway companies in connection with the LVVRs will be diminished, given the way that Bill C-49 has been drafted.

It appears that the intention was to protect against the OPC scrutinizing the use of LVVR data by railway companies. To accomplish this, Bill C-49 provides explicit carve-outs from the application of the Personal Information Protection and Electronic Documents Act (PIPEDA). These carve-outs disturb the Commissioner. In particular:

  • Railway companies do not have to comply with section 7 of PIPEDA, which restricts the ability to collect, use or disclose personal information without consent
  • Railway companies do not have to comply with the principles in Schedule 1 of PIPEDA regarding the collection, use, disclosure and retention of information

The Commissioner is concerned that the OPC’s jurisdiction to investigate complaints under PIPEDA may be in doubt. Naturally, if a railway company may collect, use and disclose personal information in the LVVRs without regard to section 7 of PIPEDA and Schedule 1 of PIPEDA, it will argue that the OPC has no jurisdiction to hear complaints on these issues.

Further, the OPC is concerned that an individual may not have a right of access to the personal information in the LVVRs as would otherwise be required by PIPEDA in light of section 28 of the Canadian Transportation Accident Investigation and Safety Board Act, which restricts to whom the LVVR data could be disclosed.

Find Bill C-49 on LegisInfo here.

Read the TSB Railway Safety Issues Investigation Report R16H0002 here.

Read the transcript of Commissioner Therrien’s remarks before the Senate Committee here.

ETHI Report on PIPEDA is Coming Soon

The Standing Committee on Access to Information, Privacy and Ethics will be tabling its report sometime soon following the resumption of Parliament on Monday, February 26th. The Report title will be “Towards Privacy by Design: A Review of the Personal Information Protection and Electronic Documents Act.” The title provides a strong hint that the report will be advocating including an express obligation in PIPEDA to require organizations to adopt privacy by design and by default. If adopted, this would bring Canada’s laws one step closer to Europe’s General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Privacy by Design is a made-in-Canada concept and so it would be fitting for it to “come home”.

Read my article for the International Association of Privacy Professionals (IAPP) titled “Legislating privacy by design in Canada” here.

Learn about Privacy by Design here.

Chasing the Autonomous Vehicle – International Trade Matters

What influence will the United States have on the public policy choices available to federal and provincial governments in Canada regarding autonomous and connected vehicles? That issue was not explored in any depth in the Canadian Senate’s important report on automated and connected vehicles (released January 29, 2018). True, one of the Senate’s 16 recommendations focused on international cooperation with the United States. However, this recommendation was focused on making sure that vehicles “worked” in both countries from a technical perspective, and that is simply table stakes. International trade with the United States may be a critical factor in demarcating what practical options are available to Canadian regulators in important areas such as privacy and cybersecurity.

There were an estimated 263 million registered passenger vehicles in the United States in 2015. By comparison, Statistics Canada tells us that there were 24 million registered road motor vehicles in Canada in 2016. The total number of vehicles in Canada follows the general rule when comparing Canada and the United States. We have 1/10 the population. So, it won’t be surprising that we have very roughly 1/10 the number of passenger vehicles on the road.

The size of the Canadian market compared to that of the United States is an important context for determining design priorities for auto manufacturers. Another related factor is the speed with which the U.S. has moved in developing a regulatory environment. The U.S. Department of Transportation has already developed a voluntary code of safety design elements. It has also issued cybersecurity best practices. The Senate noted that 21 U.S. States and Washington D.C. have enacted automated vehicle legislation. Federal U.S. legislation is likely inevitable. Although the U.S. Department of Transportation has not taken a prescriptive approach to safety design elements, it is likely only a matter of time before it does so. Once the technology matures, the U.S. regulatory approach is to be much more prescriptive than its Canadian counterparts. As between designing for a prescriptive standard and designing for a “principled-based” standard, the prescriptive standard wins.

The Senators clearly recognized the importance of cooperation with the United States. Recommendation 3 was for Transport Canada to strengthen its work on automated and connected vehicles with the United States through the Regulatory Cooperation Council “to ensure that these vehicles will work seamlessly in both countries.” However, there are many other areas in which cooperation might be required in order to achieve public policy goals. For example, five of the Senate’s 16 recommendations related to privacy and cybersecurity:

Recommendation 6: Transport Canada to work with the Communications Security Establishment and Public Safety Canada to develop cybersecurity guidance.

Recommendation 7: Transport Canada to work with Public Safety Canada, the Communications Security Establishment and industry stakeholders to address cybersecurity issues and a real-time crisis connect network.

Recommendation 8: Strengthen the powers of the Office of the Privacy Commissioner of Canada to proactively investigate and enforce industry compliance with the Personal Information Protection and Electronic Documents Act.

Recommendation 9: The Government of Canada to continue to assess the need for privacy regulations specific to the connected car.

Recommendation 10: Transport Canada to bring together stakeholders to develop a connected car framework, with privacy protection as one of its key drivers.

Apart from Recommendation 8, the question is whether deep “privacy-by-design” and “security-by-design” features can be embedded in automated and connected vehicles without close cooperation between Canada and the United States. This spans more than transportation regulatory authorities. It requires cooperation from multiple regulators who have responsibilities for privacy: the Federal Trade Commissioner, U.S. State Attorneys General, Canadian federal and provincial Privacy Commissioners, and many others.

Read the Senate Report: Driving Change: Technology and the future of the automated vehicle.

Canada and the Right to be Forgotten

It may be surprising that, until this past Friday, there was considerable doubt about whether Canada’s federal private sector privacy law applied to online search engines. The Office of the Privacy Commissioner of Canada (OPC) had previously skirted deciding this issue.

This changed with the release of the draft OPC Position on Online Reputation. The OPC decided not only that online search engines (such as Google search, Bing and others) are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), but also that search engines may be required to “de-index” search results about an individual in some cases. In other words, the OPC has introduced a limited type of “right to be forgotten” in Canada.

It will be interesting to watch whether search engines accede to the OPC’s interpretation of PIPEDA. Certainly, we should expect to see some vigorous debate before the OPC finalizes its Guidelines. After that, perhaps the OPC will need to find a case and take it to court. The OPC’s “position” does not have the force of law. And, until the OPC completes an investigation, the OPC cannot take a search engine to court for a ruling.

Are search engines engaged in a “commercial activity”?

Search engines form an indispensable tool through which most individuals navigate the world wide web. However, in order for a search engine to be subject to PIPEDA, it must be performing a commercial activity and not be engaged in journalism or a literary activity.

The OPC concluded that the search engine is not performing a “journalistic” or “literary” function. A search engine operator indexes content, applies proprietary algorithms to that content, and then displays results based on relevance, as predicted by those algorithms. The relevance of the search results is to some extent customized depending on the user and the user’s location. The OPC concluded that in many cases the search engines display advertising along with the search results and that this sale of advertising is “inextricably linked” to the search function. In this way, the OPC concluded that search engines are engaged in a commercial activity.

Where is the “right to be forgotten” in PIPEDA?

The OPC constructed a right to challenge search engine results by combining three principles in Schedule 1 to PIPEDA to develop an individual’s right to request de-indexing. These are the “accuracy”, “individual access”, and “challenging compliance” principles. Essentially, the OPC concluded that if the de-indexed result is inaccurate, incomplete or not up-to-date, then the search engine must balance the interests of the individual against the public interest of the web page continuing to be indexed and displayed in the search results.

Stay tuned for further debate

The OPC’s guidance is in draft. We should expect that the coming weeks will see considerable debate. The OPC has itself called for Parliament to consider the issues, and whether the OPC has “struck the right balance”.

There will be supporters and critics of the OPC’s activism. Supporters of the OPC’s approach may cite the role of search engines in driving traffic to content. They will argue that the algorithms deployed by search engines are not transparent or neutral. If the information being returned by the algorithm does not accurately reflect information about the individual, they may rightly ask what the overriding interest is in making inaccurate information prominent in the search results or even displaying it at all if the harm to the individual exceeds other interests.

Nevertheless, there will be many critics of the OPC’s approach. It places the burden on search engines to arbitrate what results should be de-indexed or shown. Moreover, the OPC’s suggestion that search engines will need to geo-block results is a remarkable interference with the ability of individuals to obtain access to information and interferes with the freedom of expression of the authors of the underlying information. If the underlying information is the problem, there are a variety of tools for dealing with that information, such as the law of defamation, torts of invasion of privacy, and other legal remedies.

Read the full OPC Position on Online Reputation.

Professor Michael Geist penned a response to the OPC decision in the Globe and Mail, which can be found here.

Consent and the Connected Car – Is this the right choice?

Recently, Daniel Therrien, the Privacy Commissioner of Canada, made a written submission to the Standing Senate Committee on Transport and Communications on the privacy issues relating to connected vehicles. This submission supplemented the Commissioner’s oral remarks to the Committee on March 28, 2017.

The Commissioner’s written submission follows the release of the Office of the Privacy Commissioner’s draft guidelines on consent. Unsurprisingly, the Commissioner focused on the role of consent in protecting the privacy interests of consumers. The Commissioner allowed that “there may be some collections, uses or disclosures in which it might be inappropriate for the driver to control how the information is used.” The Commissioner cited, as an example, the situation in which the use or disclosure of data is “necessary” for road safety. However, overall, the Commissioner’s emphasis is on consent and meaningful user choice.

The Commissioner’s room to manoeuvre is constrained by the requirements of the governing legislation that the Commissioner must enforce — the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires meaningful, informed consent for the collection, use and disclosure of personal information. The Commissioner’s emphasis on consent is understandable.

However, if we think beyond PIPEDA, would we really design a consent-based model for the features of a connected car? Would this be the right way to balance the interests of vehicle manufacturers, vehicle owners/lessees, rental car companies, passengers, insurers, law enforcement, urban planners, cyclists, pedestrians, and other stakeholders? Given the stakeholders and the context — driving is a licensed activity — is this an area where there might be more room to apply a broader set of policy considerations instead of focusing on consumer choice? Should the focus really be on notice and consent?

A multi-faceted approach would acknowledge that certain interests may take priority over consumer choice when engaging in a licenced activity. For example, manufacturers and Transport Canada have a legitimate interest in detecting vehicle flaws that could endanger passengers and others. Manufacturers and environmental protection agencies also have a legitimate interest in continual improvement of the longevity and energy efficiency of vehicles. Moreover, city planners and transportation managers have legitimate interests in affecting traffic flows in real time and understanding driving behaviour with greater precision using larger data sets. Do these interests rise to the level of “necessity” as the Commissioner would suggest might be required in order to jettison a notice and consent model? Should they have to?

There are also other means to regulate uses of information in order to mitigate harms to individuals without focusing on consumer choice. Manufacturers and others could be encouraged to implement privacy enhancing features by eliminating the need for consent when the collection, use and disclosure of information falls within a socially acceptable zone that involves few risks. Using technology to limit harm could be supplemented with targeted regulatory protections that do not prohibit the collection of data but rather discriminatory or other harmful uses of the data. Long before we had statutory privacy laws in most of the country, we had human rights legislation prohibiting certain harmful, discriminatory uses of personal information.

Just a thought.

Click to read the Commissioner’s Submission to the Standing Committee.

Click to read the draft Guidelines on Consent.

Thoughts on the ECJ Passenger Name Record Data Decision

The European Court of Justice concluded that there were flaws in the agreement between the European Community and the Government of Canada regarding passenger name record data. The purpose of the agreement was to permit commercial airlines to send to the Canada Border Services Agency (CBSA) passenger information on commercial flights departing the EU for Canada. The agreement was necessary, in part, because data can only be transferred from the EU to Canada if it is given adequate protection. An international commitment, such as the agreement between the EU and Canada, could form the basis of adequate protection.

So, what lessons can we learn from the ECJ’s July 26, 2017 opinion that the agreement provided inadequate protection to the personal information of European Union residents?

Lesson #1: Canada’s adequacy designation is limited

In recent weeks, there has been an uptick in “panic” over whether Canada’s adequacy designation will survive its next review when the EU’s General Data Protection Regulation comes into force in May 2018. Calls for strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) are based on claims (so far unsubstantiated with any evidence) that Canada’s economy will be harmed by the loss of Canada’s adequacy ruling.

However, Canada’s adequacy ruling has always been limited, as the ECJ’s decision illustrates. It doesn’t cover data being transmitted to the CBSA and other Canadian governmental agencies. So the transfers needed to be legitimized by an agreement between the EU and Canada.

It isn’t just transfers of data to Canadian governmental agencies that fall outside of Canada’s adequacy ruling. The ruling only applies to transfers of data about European Union residents to organizations that are subject to PIPEDA. Since most employee data is not covered by PIPEDA, the ruling has always had a major hole in it. That hole was widened when the Article 29 Working Party (a group of EU Data Protection Authorities) declined to recommend Quebec for adequacy designation, even though Quebec’s privacy law has been declared by the Canadian government to be substantially similar to PIPEDA. This decision threw into doubt whether data can be transferred from the EU into Quebec and then used in Quebec under the adequacy ruling.

Lesson #2: Comity is the key issue

The ECJ’s issues with the passenger name record data transfers were essentially that the agreement just wasn’t precise enough. There is no suggestion that Canada has to change its laws.

Here’s where the agreement failed:

  • it did not specify the specific data fields that were going to be the subject of the data transfers
  • it failed to provide sufficient guarantees that the data would be used to fight terrorism and international crime
  • it failed to commit to the principle that the models that would be used by Canada to automatically process the data would be reliable and non-discriminatory
  • it failed to commit that the data would only be used during the passenger’s stay in Canada and for a limited period after departure
  • it failed to commit to destroy data for passengers after their departure if there was no objective evidence of being linked to terrorism or serious transnational crime
  • it failed to require the CBSA to notify passengers that their data had been used
  • it failed to commit to ensuring any onward transfer by the CBSA to other agencies would be subject to similar protections
  • it failed to commit to only sharing data with governmental authorities of other countries with whom the EU had an agreement or that had an adequacy designation covering the recipients
  • it failed to commit to Canada being subject to any oversight body with respect to its use of the data.

Fair enough. The EU wants to ensure that if it is authorizing the handover of data, Canada will respect the EU’s interest in protecting its residents. This isn’t about Canada’s laws or the EU requiring Canada to “measure up”. It is about commitments that the EU has made to its own residents and ensuring that Canada respects EU laws with respect to the data Canada gets from the EU. That’s just asking for substantive comity.

Lesson #3: Comity is compatible with independence

Canada can respect the EU’s vision of privacy rights for its residents without the necessity of abandoning its own public policy choices. An international agreement is an appropriate way to reconcile the two views. It isn’t necessary for one country simply to cede to the public policy choices of the other.

Motivated governments will find solutions. Look south of the border to the United States. Despite ongoing disputes between the EU and Silicon Valley companies, data is still flowing. It is open for governments to negotiate agreements directly with the EU in order to permit data flows. This is exactly what the US government did with the Safe Harbor Program and when that fell due to insufficient safeguards, the US government negotiated the Privacy Shield. If that goes, there will be another agreement or companies can enter into model clauses or binding corporate rules – essentially, voluntarily agreeing to abide by EU rules to do business in the EU. That’s not at all unusual in the world of consumer protection.

Whether Canada should or should not amend its own privacy laws is a question that Canadians should engage with in the context of their own vision of privacy and their own balancing of various human rights. It shouldn’t and doesn’t depend on the promises the EU has made to its own residents.

Interested in the ECJ Opinion? You can find it here.