Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA) . While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.
The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.
This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.
Students at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic have filed a privacy complaint against Facebook. The complaint alleges 22 violations of Canada's national privacy law.
All About Information notes a recent B.C. Privacy Commissioner decision which ruled that 41 days is too long to notify affected individuals of a security breach.
The Canadian Press covers the upcoming CIRA Whois change, with CIRA President Byron Holland promoting the fact that the policy will put CIRA at the forefront internationally and acknowledging that the current approach is not consistent with the spirit of the law (I think a strong case can be made that it is not consistent with the law itself).
The Canadian government's lack of action against spam has been one of the most puzzling policy failures in recent years. While addressing a problem that has grown from a mere nuisance to a costly scourge that raises criminal concerns would seem like a no-brainer, successive Industry Ministers have failed to prioritize the issue. The need for Canadian anti-spam legislation was the unanimous recommendation of the 2005 National Task Force on Spam, which included members from the Internet, marketing, and consumer communities (I was a member of the task force). The final report, which was received with approval from the current Conservative (then Liberal) Minister David Emerson, noted that Canada was quickly becoming one of the only Western countries to neglect the issue and was at risk of developing into a haven for spammers seeking refuge in countries with lax anti-spam regulations.
While a government-backed anti-spam bill is still nowhere to be seen, my weekly technology law column (Toronto Star version, homepage version) focuses on the fact that earlier this month Senator Yoine Goldstein quietly stepped into the policy void by introducing the Anti-Spam Act (ASA). Modeled after widely lauded Australian anti-spam legislation, the ASA is the most comprehensive Canadian anti-spam proposal floated to date and even if it languishes in the Senate (private member's bill rarely become law) it promises to place additional pressure on the government to reveal its own anti-spam plan. The bill targets spam by creating new form and content requirements for commercial electronic messages as well as establishing prohibitions on common spamming techniques. The content requirements include the need to clearly identify the sender of the message, provide accurate "header" information, avoid misleading subject lines, and include information on how recipients can contact the sender directly. Commercial email senders must also establish a functional unsubscribe facility that enables recipients to easily opt-out of future messages.
The ASA also establishes a broad prohibition against "the sending of a commercial electronic message unless the recipient has consented to receive the message." This provision contains several key exceptions, however, since political parties, charities, not-for-profit businesses, survey companies, educational institutions, and any business with a prior business relationship are all entitled to presume to that they have the necessary consents unless recipients expressly "opt-out."
Senator Goldstein's bill also targets common spamming technologies. It prohibits the use of address-harvesting software that spammers use to gather email addresses, outlaws "dictionary attacks" in which spammers send millions of messages without regard for whether the email addresses are valid, and bans the creation of phishing websites that are used by identity thieves to fraudulently obtain personal information.
While many of these provisions match those found in other jurisdictions, the most noteworthy aspect of the ASA is its tough penalties. First time offenders face a fine of up to $500,000 and any repeat offences could result in fines of up $1.5 million. Moreover, the bill includes possible prison terms of up to five years for violating the core anti-spam provisions and grants the private sector the right to seek injunctions to block further spamming activity.
Unlike some prior bills that sought to hold Internet service providers responsible for the spam on their networks, the ASA creates incentives for ISPs to cut off spamming activity by granting ISPs the right to cancel the service of known spammers without fear of liability. The ASA has reached second reading in the Senate and now awaits the prospect of committee hearings. Even if it goes no further, the bill marks an important step forward in the fight against spam after years of disappointing inaction.
CIPPIC has filed a privacy complaint with the Privacy Commissioner of Canada over Bell's deep packet inspection practices. With CAIP raising the privacy issue in its submission to the CRTC, it was only a matter of time before the Privacy Commissioner was asked to intervene. CIPPIC highlights several privacy concerns with Bell's network management practices including:
Bell's failure to obtain consent for the collection of personal information through DPI from customers of the independent ISPs
Bell's failure to obtain informed consent from its own customers given the lack of information on network management practices
Bell's violation of the principle of limiting collection, since the evidence "suggests that Bell can manage its network adequately without inspecting the content of user communications." CIPPIC notes that other providers do not engage in the same practice and that there are less privacy invasive means to address network congestion concerns.
Bell's violation of the openness principle, given its failure to disclose "in a clear and conspicuous manner to the public its use of DPI for traffic management purposes."
The case obviously has implications that extend beyond just Bell. Indeed, CIPPIC urges the Privacy Commissioner to also investigate DPI usage by other Canadian ISPs.
My weekly technology law column (Toronto Star version, homepage version) focuses this week on the new CIRA whois policy that is scheduled to take effect on June 10, 2008. The whois issue has attracted little public attention, yet it has been the subject of heated debate within the domain name community for many years. It revolves around the whois database, a publicly accessible, searchable list of domain name registrant information (as in "who is" the registrant of a particular domain name). When CIRA was first established, its whois policy permitted detailed disclosures about domain name registrants. A typical whois entry included the domain name itself, the name of the registrant, and comprehensive contact information including postal address, phone and fax numbers, as well as email addresses. The ready availability of such information proved useful to law enforcement, which often used whois information as part of cybercrime investigations. Similarly, the pursuit of intellectual property infringement claims, such as domain name cybersquatting cases, relied upon access to whois information to commence legal challenges to domain name registrations.
Notwithstanding these uses, CIRA recognized that its policy of publicly disclosing personal information was generating significant discomfort among many registrants. Citing privacy and spam concerns, many registrants preferred to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration would have access to the personal information). Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.
As privacy and data protection commissioners began to express reservations about the legality of requiring domain name registrants to disclosure their personal information, CIRA proposed a new policy in 2004. After two major public consultations, mounting opposition from law enforcement about its loss to "unfettered" access to WHOIS data, and years of operational delays, CIRA last week began informing registrants that the new policy will take effect on June 10, 2008.
Under the new policy, CIRA will continue to collect the same contact information from registrants as under its current policy. However, it will no longer require that such information be publicly available through its whois directory. In its place, CIRA will only require the public disclosure of limited technical information, though individual registrants may voluntarily "opt-in" to providing more personal information.
While the CIRA policy protects the privacy of individual registrants, corporate or organizational registrants will typically have their full information publicly disclosed. The policy recognizes that corporate information does not raise specific privacy concerns since corporate information does not constitute personally identifiable information. Moreover, consumers may often want to access corporate whois information when judging the reliability of a website. In order to ensure that domain name registrants can still be contacted, CIRA has also established a unique message delivery system. CIRA will allow the public to contact domain name registrants without access to their personal information by relaying the message through a web-based submission form.
The Canadian changes may be long overdue, however, they also instantly catapult the dot-ca into a global leadership position. With more than a million Canadian domain name registrations, the resolution of the whois issue ensures that the Canadian domain name space is set for continued growth as it now features a "privacy advantage" over other domains struggling to strike a similar compromise.
First (12/06/2007)
Previous
#7 of 27
Next 
Last (12/01/2009) 
