Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA) . While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.
The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.
This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.
My weekly technology law column (Toronto Star version, Ottawa Citizen version, homepage version) revisits the disappointment with CIRA's implementation of its new whois policy. While dot-ca registrants across the country were being advised of the new policy last April, special interests representing law enforcement and trademark holders were quietly pressuring CIRA to create a backdoor that will enable these two groups to have special access to registrant information. Just days before the new policy took effect, CIRA caved to the behind-the-scenes pressure and took a major step backward in the implementation of its policy.
CIRA has defended the changes by arguing that the policy will be reviewed in 12 months and that it falls to the government to provide legal protection for whistleblowers. Yet CIRA could just have easily retained the no-exception policy and reviewed its effect one year later. Moreover, it is CIRA's policies - not government law and policy - that leaves online activists stuck between the proverbial "rock and a hard place." The CIRA whois database is one of the largest publicly-accessible databases of personal information in the country. The agency's last minute about-face represents a significant setback for those registrants who were promised better privacy protection.
Earlier this year, I wrote glowingly about the new CIRA whois policy, which took effect today and which I described as striking the right balance between access and privacy. The policy was to have provided new privacy protection to individual registrants - hundreds of thousands of Canadians - by removing the public disclosure of their personal contact information (though the information is collected and stored by domain name registrars).
Apparently I spoke too soon. Faced with the prospect of a privacy balance, special interests representing law enforcement and trademark holders quietly pressured CIRA to create a backdoor that will enable these two groups (and these two groups alone) to have special access to registrant information. In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (ie. denial-of-service attacks) and CIRA will hand over registrant information without court oversight. In the case of trademark holders (as well as copyright and patent owners), claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information.
This represents a stunning about-face after years of public consultation on the whois policy. While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access. For example, consider a Canadian that registers companysucks.ca (name your company) as a whistleblower site about a particular company. They understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions. Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the backdoor exception means that the trademark holder can easily smoke out the identity of the registrant as CIRA will simply hand over this information.
Just over six weeks ago, CIRA celebrated its one millionth domain name registration and claimed world class status. Today, the organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members.
Students at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic have filed a privacy complaint against Facebook. The complaint alleges 22 violations of Canada's national privacy law.
All About Information notes a recent B.C. Privacy Commissioner decision which ruled that 41 days is too long to notify affected individuals of a security breach.
The Canadian Press covers the upcoming CIRA Whois change, with CIRA President Byron Holland promoting the fact that the policy will put CIRA at the forefront internationally and acknowledging that the current approach is not consistent with the spirit of the law (I think a strong case can be made that it is not consistent with the law itself).
The Canadian government's lack of action against spam has been one of the most puzzling policy failures in recent years. While addressing a problem that has grown from a mere nuisance to a costly scourge that raises criminal concerns would seem like a no-brainer, successive Industry Ministers have failed to prioritize the issue. The need for Canadian anti-spam legislation was the unanimous recommendation of the 2005 National Task Force on Spam, which included members from the Internet, marketing, and consumer communities (I was a member of the task force). The final report, which was received with approval from the current Conservative (then Liberal) Minister David Emerson, noted that Canada was quickly becoming one of the only Western countries to neglect the issue and was at risk of developing into a haven for spammers seeking refuge in countries with lax anti-spam regulations.
While a government-backed anti-spam bill is still nowhere to be seen, my weekly technology law column (Toronto Star version, homepage version) focuses on the fact that earlier this month Senator Yoine Goldstein quietly stepped into the policy void by introducing the Anti-Spam Act (ASA). Modeled after widely lauded Australian anti-spam legislation, the ASA is the most comprehensive Canadian anti-spam proposal floated to date and even if it languishes in the Senate (private member's bill rarely become law) it promises to place additional pressure on the government to reveal its own anti-spam plan. The bill targets spam by creating new form and content requirements for commercial electronic messages as well as establishing prohibitions on common spamming techniques. The content requirements include the need to clearly identify the sender of the message, provide accurate "header" information, avoid misleading subject lines, and include information on how recipients can contact the sender directly. Commercial email senders must also establish a functional unsubscribe facility that enables recipients to easily opt-out of future messages.
The ASA also establishes a broad prohibition against "the sending of a commercial electronic message unless the recipient has consented to receive the message." This provision contains several key exceptions, however, since political parties, charities, not-for-profit businesses, survey companies, educational institutions, and any business with a prior business relationship are all entitled to presume to that they have the necessary consents unless recipients expressly "opt-out."
Senator Goldstein's bill also targets common spamming technologies. It prohibits the use of address-harvesting software that spammers use to gather email addresses, outlaws "dictionary attacks" in which spammers send millions of messages without regard for whether the email addresses are valid, and bans the creation of phishing websites that are used by identity thieves to fraudulently obtain personal information.
While many of these provisions match those found in other jurisdictions, the most noteworthy aspect of the ASA is its tough penalties. First time offenders face a fine of up to $500,000 and any repeat offences could result in fines of up $1.5 million. Moreover, the bill includes possible prison terms of up to five years for violating the core anti-spam provisions and grants the private sector the right to seek injunctions to block further spamming activity.
Unlike some prior bills that sought to hold Internet service providers responsible for the spam on their networks, the ASA creates incentives for ISPs to cut off spamming activity by granting ISPs the right to cancel the service of known spammers without fear of liability. The ASA has reached second reading in the Senate and now awaits the prospect of committee hearings. Even if it goes no further, the bill marks an important step forward in the fight against spam after years of disappointing inaction.
posted
on Mon. May. 19/08
Site Last Updated: 2008-06-03 Copyright (c) 2003 Michael Geist
First (12/06/2007)
Previous
#8 of 27
Next 
Last (12/01/2009) 
