Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA) . While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.
The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.
This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.
The Toronto Star features a masthead editorial on the do-not-call list, arguing that it is losing credibility and noting that if the CRTC waits much longer it will become "an invitation to harassment."
The Electronic Commerce Protection Act includes a noteworthy change to Canada's private sector privacy legislation (earlier posts on anti-spam provisions, enforcement, do-not-call). PIPEDA includes specific provisions dealing with the issue of consent for the collection of personal information, including the possibility of collecting personal information without knowledge or consent in certain circumstances. The ECPA adds a new provision that effectively overrides this exception - ie. it requires consent. The provisions are designed to target both spyware and the harvesting of email addresses or other collection of personal information without consent (a practice known as dictionary attacks).
The new PIPEDA Section 7.1(2) states: Section 7 and the exception set out in clause 4.3 of Schedule 1 [ie. consent exception] do not apply in respect of:
(a) the collection of an individual's electronic address, if the address is collected by the use of a computer program that is designed or marketed for use in generating or searching for, and collecting, electronic addresses; or
(b) the use of an individual's electronic address, if the address is collected by the use of a computer program described in (a).
Section 7.1(3) creates a similar prohibition against collecting personal information through any means of telecommunications, if the collection is made by accessing a computer system without authorization. There is a parallel provision for the use of this information.
In addition to these new provisions, the ECPA makes changes to PIPEDA's investigative provisions. While Canadians may file a complaint under these new provisions, the Privacy Commissioner may decline to investigate if the Commissioner is of the view that it can be dealt with by the CRTC or the Competition Bureau. The ECPA also opens the door to provincial involvement, granting the Federal Privacy Commissioner the power to consult with their provincial privacy counterparts, coordinate activities, and share information. The same sharing of information powers can be used to provide information to foreign authorities.
Earlier today, I posted on how one of the most significant aspects the anti-spam bill introduced on Friday was not reported or discussed in government briefing materials. Namely, that buried at the very end of the 69-page bill, are provisions that lay the groundwork to kill the National Do-Not-Call list. I noted that the proposed approach is very complicated, but boils down to the government repealing the provisions that establish and govern the do-not-call list. In its place, the Electronic Commerce Protection Act approach of requiring an opt-in would apply, meaning that Canadians would no longer need to register their phone numbers on a do-not-call list.
My weekly technology law column (homepage version, Ottawa Citizen version, Toronto Star version) provides some reasons why that the change cannot come fast enough. The column reports that while misuse of the do-not-call list remains a concern, a review of thousands of pages of internal government documents released under the Access to Information Act reveal that it is only the tip of the iceberg. In addition to lax list distribution policies, the enforcement side of the do-not-call list raises serious alarm bells with the majority of complaints being dismissed as invalid without CRTC investigation, the appearance of a conflict of interest in sorting through complaints, and a regulator that has been content to issue to "warnings" rather than levying the tough penalties contained in the law.
The CRTC documents obtained under Access to Information include a list of companies that have downloaded the do-not-call list. Given the broad exceptions under the law, virtually no charities, survey companies, political parties, or newspapers have acquired it. Instead, real estate agents, car dealers, financial advisors, and lawn care companies dominate the list of over one thousand organizations. Many of those organizations are identifiable, yet there are also over a hundred provincial numbered companies for which little is known, as well as cryptic names such as “My broker office” or “Michele.” It is unclear whether the CRTC invoked further verification before granting access to unknown organizations.
The proliferation of the do-not-call list is certainly disconcerting, but picture that emerges about its enforcement is even more troubling. The documents reveal that the CRTC receives over 20,000 telemarketing complaints each month, many involving the do-not-call list (some complaints may relate to other telecommunications rules that cover automated dialers or curfews).
The initial evaluation of complaints is handled by Bell, which manages the do-not-call list, rather than the CRTC. Bell reviews each complaint and provides a prima facie evaluation of whether it is valid, invalid, or indeterminate (which require further investigation). Despite tens of thousands of complaints, very few have been categorized by Bell as a prima facie violation of the do-not-call list. For example, in January, Bell reported that there were only 42 valid prima facie national do-not-call violations, while 3,033 national do-not-call complaints were ruled invalid (an unknown number of do-not-call complaints were treated as indeterminate).
The situation was much the same in prior months. In December 2008, Bell reported only 32 valid do-not-call complaints, while dismissing 2,748 complaints as invalid. In November 2008, there were 44 valid complaints as opposed to 3,981 complaints dismissed as invalid.
Not only are the vast majority of do-not-call complaints dismissed as invalid without any further investigation, but a complete list of consumer complaints lodged on the CRTC's website reveals that a who's who of the Canadian business community has been the target of complaints.
Alongside a steady of stream of complaints about vacation offers and duct cleaning, leading retailers such as the Bay and Zellers, financial institutions such as MBNA, telecommunications companies such as Rogers, Telus, and Bell, as well as newspapers and charities regularly appear on the complaints list. Under the current system, this means that Bell adjudicates whether complaints about its own telemarketing practices (and those of its competitors) are prima facie valid or invalid, a procedure that raises obvious concerns about conflict of interest.
Complaints that survive Bell's initial round of scrutiny go to the CRTC for further investigation. To date, the CRTC has sent out approximately 70 warning letters where it believes there are reasonable grounds to conclude that the organization is not in compliance with the do-not-call list legislation. Recipients of the letters are asked to take "corrective action" to address the concerns and warned that failure to do so could lead to penalties of up to $15,000 per violation for corporations. Notwithstanding that threat, the CRTC has yet to levy any fines.
Given the ongoing concerns around list misuse, enforcement, and overbroad exceptions that may be leading to the dismissal of the majority of complaints without further investigation, Industry Minister Tony Clement’s decision to open the door to the do-not-call reform is much needed. The complicating factor is that the ECPA provisions related to the do-not-call list are exceptionally complicated and could be delayed for years. If the DNCL is to be fixed - as it should be - better to avoid delays and get on with the job.
Industry Minister Tony Clement has placed an anti-spam bill on the Notice Paper, suggesting that the Government could introduce the bill as early as tomorrow. The bill carries the unwieldly name of "An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act." The title obviously indicates that the anti-spam bill will feature a multi-pronged approach to fighting spam with a role for the CRTC, the Competition Bureau, and the Privacy Commissioner of Canada.
Update: Sources have confirmed that barring a last minute change of heart, the bill will be introduced tomorrow (Friday).
My colleague Ian Kerr appeared on CBC's The Current on Friday to discuss privacy and anonymity issues. The podcast is here. His book - free to download - here.
Several B.C. groups have launched the B.C.'s Big Opt-Out, a response to fears about the privacy protection associated with personal health information management. The initiative provides the tools to allow residents to opt-out by providing opt-out requests to various health care professionals.
For the past several years, my colleague Ian Kerr has led a remarkable project focusing on anonymity, privacy and identity in a networked society. The project - one of the largest funded SSHRC grants in history - brought together dozens of experts from across Canada and around the world. It was incredibly productive with books, articles, conferences, blog postings, and unparalleled intellectual energy.
Today that project effectively comes to an end with the launch of the book Lessons from The Identity Trail: Anonymity, Privacy and Identity in a Networked Society at an event being hosted by the Privacy Commissioner of Canada. The book is the first to be published by Oxford University Press under a Creative Commons licence, with the entire book to be made freely available over the course of the next month. Divided into the three main focus areas of privacy, identity, and anonymity, the 28 contributions cover a wide range of cutting edge issues including surveillance, copyright, data mining, and identity cards. Perhaps most timely is a five chapter comparative analysis of anonymity and the law which contrasts the rules in the U.S., Canada, U.K., the Netherlands, and Italy. This is a terrific achievement by an exceptional colleague. Whether you download the book or buy it (20% discount), what is most important is that people read the book and become informed about these critically important issues.
Update: Coverage on the launch from the CBC and Canwest.
posted
on Wed. Apr. 8/09
Site Last Updated: 2009-03-11 Copyright (c) 2003 Michael Geist
First (12/06/2007)
Previous
#18 of 27
Next 
Last (12/01/2009) 
