Library of Congress


Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://www.privacyinfo.ca/

Archived: 01/03/2008 at 19:35:47


www.PrivacyInfo.ca
 
This work is licensed under a Creative Commons License.



Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.

The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.

This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.

Recent Decisions
DECISION #357 - Fitness Club Encouraged to Clarify Privacy Policy for Clients and Staff (November 16, 2006)
DECISION #360 - Bank Accidentally E-mails Employees’ Personal Information to Client (November 14, 2006)
DECISION #354 - Lawyer Questions Fees for Access (October 25, 2006)

Recent Privacy News

Alberta Privacy Commissioner Forces Ticketmaster Changes
Canwest reports that Ticketmaster has changed its marketing practices following complaints to the Alberta Privacy Commissioner.
posted on Thu. Dec. 20/07
Passport Canada Suffers Massive Privacy Breach

The Globe and Mail reports that Passport Canada has suffered a massive privacy breach that resulted in online availability of applicant information. I argue that this again highlights the need for mandatory security breach notification legislation.

Update: The incident is raised during Question Period on the floor of the House of Commons. 

posted on Tue. Dec. 4/07
Private Email Not Always Hush Hush
My weekly technology law column (Toronto Star version, The Tyee version, Ottawa Citizen version, homepage version) begins by recounting that this past September, the U.S. Drug Enforcement Agency launched "Operation Raw Deal", an initiative that targeted people purchasing raw steroid materials through the Internet from China and repackaging the steroids as drugs for domestic sale. Tyler Strumbo, a 23-year-old California resident, was among the 124 people arrested. The Strumbo case is of particular interest because of an important Canadian connection. The foundation of the DEA's case rested on hundreds of encrypted emails stored on the computer servers of Hush Communications, a company based in Vancouver. A British Columbia court ordered the company to decrypt the emails and to send them to the U.S. law enforcement officials. Faced with a valid court order, the company complied, shipping 12 CDs filled with unencrypted personal email to investigators in California.

Hush Communications has developed corporate policies that seek to balance the privacy interests of their users with the reality that their services may be used for criminal purposes. While the company has a global customer base, it only accepts court orders focused on specific user accounts issued by the British Columbia Supreme Court. Indeed, company officials note that they receive requests from law enforcement around the world, yet many are abandoned after they learn of the need for Canadian court oversight. In the Strumbo case, U.S. officials relied on the U.S.-Canada Mutual Legal Assistance Treaty, which is used by law enforcement agencies to expedite investigations that run across national borders. Investigators allegedly placed several steroid orders with Strumbo via email and then asked the court to mandate the disclosure of Strumbo's email correspondence.

Reaction to the case has been sharply divided.  Some have criticized the company, arguing that it professes to protect the privacy of its users and that it failed to do so in this instance. Others have expressed support, noting that it has established a reasonable policy that includes notification to users of the potential disclosure risks along with strict court oversight.

More interestingly, the case challenges several myths that have developed about privacy, law enforcement, and the Internet. First, the use of the MLAT serves as a timely reminder that U.S. law enforcement wields a wide range of investigative tools to compel disclosure of private information held in Canada. While the USA Patriot Act has garnered the lion's share of attention - including last year's controversial debate over possible access to Canadian census data - the reality is that there are multiple mechanisms to force organizations to hand over private information.

Second, the case counters law enforcement claims that it requires additional powers in order to conduct online investigations.  Canadian law enforcement officials have lobbied for years for new "lawful access" provisions that would require Internet service providers to install new surveillance capabilities and grant the police new powers to compel ISPs to disclose customer information.  Notwithstanding those lobbying efforts, the Strumbo case provides a compelling illustration of the effectiveness of the laws already in place.

Third, the case highlights how Canadian companies can navigate the privacy minefield by adhering to two key principles - insisting on court oversight before disclosing customer information and providing full public disclosure about the privacy protections associated with their services.  Hush Communications has faced some heat from the Strumbo case, yet its approach is a textbook example of how to balance privacy interests with the legitimate needs of law enforcement.
posted on Tue. Nov. 27/07
Canada's Identity Theft Bill: What It Says and What's Missing
The federal government yesterday introduced much-needed identity theft legislation.  Bill C-27 includes several important provisions focusing on identity theft such as trafficking in documents and identity information.  Key provisions include:
  • making, possessing, transferring, or selling "identity documents" of another person becomes an offence punishable with up to five years in jail.  This is subject to exceptions such as good faith, genealogical purposes, consent of the person, or law enforcement purposes.  Identity documents include SIN cards, driver's license, health insurance card, birth certificate, passport, or citizenship document.
  • knowingly obtaining or possessing another person's "identity information" with the inference that the intent is to commit a crime such as fraud.  Moreover, it is an offence to transmit, make available, distribute, sell or offer to sell such information knowing that it will be used to commit an offence.  Identity information includes any information commonly used to identify a person.  Examples in the legislation include fingerprint, voiceprint, retina or iris image, DNA profile, name, address, date of birth, written, electronic or digital signature, user name, credit or debit card number, bank account number, passport, SIN, health insurance number, driver's license, or password.  The penalty for these offences is up to five years in jail.
  • identity fraud, namely fraudulently impersonating another person with the intent for personal gain.
  • fraudulent use or possession of credit card data is added to the Criminal Code as is a provision for up to 10 years in jail for knowingly possessing, importing or exporting devices that can be used to fraudulently copy credit card data.
  • theft or redirection of postal mail
  • using forged documents as if they were genuine, selling/making available forged documents, possessing forged documents with the intent to sell carries a penalty of up to ten years in jail.  Dealing in devices used to create forged documents brings a possible penalty of 14 years in jail.
  • up to five years in jail for falsely representing oneself as a peace officer or public officer.
This is good and long overdue legislation.  It is not a complete solution, however.  While penalties for identity theft are needed, Canada also needs to take steps to allow Canadians to self-protect against identity theft, to create incentives for companies to safeguard personal information against the prospect of identity theft, and to address some of the activities used to facilitate identity theft.  There are two obvious issues that should be addressed.  First, anti-spam legislation, which would include phishing and spyware, is similarly long overdue.  Second, Canada needs a mandatory security breach notification law so that Canadians are advised when their personal information may be at heightened risk for identity theft.
posted on Thu. Nov. 22/07
CRA Warns Against Phishing Email
Perhaps this will get the Canadian government's attention about the need to address spam and phishing.
posted on Mon. Nov. 5/07
Canwest on Data Breach Disclosure Legislation
Canwest reports on the growing demands for data breach disclosure legislation in Canada.
posted on Mon. Nov. 5/07
Industry Canada Launches Public Consultation on PIPEDA Reforms
The government's response to the PIPEDA review included a promise to consult on possible reforms to the law, including the creation of a mandatory data breach notification requirement.  On Friday, Industry Canada published the promised consultation in the Canada Gazette, asking Canadians for comments on the data breach requirement along with a series of smaller changes to Canada's national privacy law.  For those that don't have PIPEDA consultation fatigue - this is effectively the third consultation on these issues in the past 18 months (the Privacy Commissioner consultation, the Ethics Committee hearings, and now the Industry Canada consultation) - the deadline for responses is January 15, 2008.
posted on Mon. Oct. 29/07












Site Last Updated: 2007-10-11
Copyright (c) 2003 Michael Geist