Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://www.privacyinfo.ca/

Archived: 07/03/2009 at 00:22:21

www.PrivacyInfo.ca
 
This work is licensed under a Creative Commons License.



Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). While those decisions are available in full text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.

The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.

This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.

Recent Decisions
DECISION #376 - Allegation of Privacy Breaches Against Condominium Security Company (April 24, 2007)
DECISION #377 - Law Firm Reprimanded for Poor Privacy Practices Which Result in Missing Personal Information (April 5, 2007)
DECISION #374 - Credit Card Statement Faxed to Fraudster by Bank (March 23, 2007)

Recent Privacy News

Government Introduces Bill To Require Surveillance Capabilities, Mandated Subscriber Disclosure
As expected, the Government has taken another shot at lawful access legislation today, introducing a legislative package called the Investigative Powers for the 21st Century (IP21C) Act that would require mandated surveillance capabilities at Canadian ISPs, force ISPs to disclose subscriber information such as name and address, and grant the police broad new powers to obtain transmission data and force ISPs to preserve data.  Although I can only go on government releases (here, here), the approach appears to be very similar to the Liberal lawful access bill of 2005 that died on the order paper (my comments on that bill here) [update: Bill C-46 and C-47].  It is pretty much exactly what law enforcement has been demanding and privacy groups have been fearing.  It represents a reneging of a commitment from the previous Public Safety Minister on court oversight and will embed broad new surveillance capabilities in the Canadian Internet.

The lawful access proposal is generally divided between two sets of issues: ISP requirements and new police powers.

1.   ISP requirements

There are two key components here. First, ISPs will be required to install surveillance capabilities in their networks.  This feels a bit like a surveillance stimulus package, with ISPs making big new investments and the government cost-sharing by compensating for changes to existing networks. The bill again exempts smaller ISPs for three years from these requirements.  While that is understandable from a cost perspective, it undermines the claims that this is an effective solution to online crime since it will result in Canadians at big ISPs facing surveillance while would-be criminals seek out smaller ISPs without surveillance capabilities.

Second, the bill requires all ISPs to surrender customer name, address, IP address, and email address information upon request without court oversight.  In taking this approach, Public Safety Minister Peter Van Loan has reneged on the promise of his predecessor and cabinet colleague Stockwell Day, who pledged not to introduce mandated subscriber data disclosure without court oversight. 

2.   New Police Powers

There are several new police powers that come with the lawful access approach.  First, police will be able to obtain transmission data about Internet-based messaging.  The government says this does not cover the content of a private communication, but it will cover information about what a person is doing online (what sites they visit, who they communicate with, etc.).  This will be subject to a judicial order that will allow for obtaining real time data (a warrant) or historical data (a production order).

Second, police can obtain a preservation order that would require ISPs to preserve (i.e., not delete) data related to a particular subscriber or even a specific communication. Third, there is an expansion of the police power to obtain a tracking warrant, by allowing police to "remotely activate existing tracking devices that are found in certain types of technologies such as cell phones." Fourth, the law expands the computer virus provision in the Criminal Code and opens the door to greater international cooperation on cybercrime enforcement.

As for what is not in the lawful access package, there is nothing on data retention, a controversial issue in Europe.  It is also not clear what reporting requirements the Government envisions to ensure that there is transparency in the process. 

I'll have more to say in the days ahead, but it should be stated that everyone wants to ensure that police have the ability to deal with serious crime. Lawful access has been on the public agenda for years, with law enforcement demanding new powers but not providing compelling evidence that the current system has created serious barriers to their investigations. For example, last year CIRA caved to law enforcement pressure for a backdoor to WHOIS domain name registrant information. More than a year later, law enforcement has never once used this backdoor. Given the potential for misuse (Greece, U.S. telcos), the onus should be on law enforcement to demonstrate how the current system has harmed investigations and then we should work on ensuring that there is always - including for customer name and address information - appropriate court oversight.

Update: Coverage from the CBC and the Globe and Mail.

posted on Thu. Jun. 18/09

Arbitrator Rules Lakehead University Can Switch Email System to Gmail
A Canadian labour arbitrator has ruled that Lakehead University can outsource its email system from an internal system to Google's Gmail (coverage from the Chronicle of Higher Education; note that I served as an expert witness in the case).  The Lakehead University Faculty Association (LUFA) argued that Lakehead violated the privacy rights and academic freedom of its members in making the switch to Gmail.  LUFA maintained that the switch raised concerns about the prospect of surveillance by U.S. authorities under laws such as the USA Patriot Act.  The arbitrator dismissed the claim, arguing that the collective agreement did not create an obligation to provide an email system nor guarantee absolute privacy.  The arbitrator concludes:

While I am sympathetic to their plight and the fact that big brother could be watching over their e-mail communications, it simply brings to the fore the caution advanced by Mr. Pawlowski when he commented upon e-mail systems generally before the Senate. One should consider e-mail communications as confidential as are postcards.
posted on Mon. Jun. 15/09

Setting the Record Straight On the ECPA (C-27)
The Industry Committee held two days of hearings on C-27, the Electronic Commerce Protection Act, this week with Industry Minister Tony Clement appearing on Tuesday and my appearance (together with CAUCE executives) on Thursday.  The line of questioning on both days was very similar and it is clear that some groups are seeking to sow seeds of doubt about the legislation.  I tried to address some of the misconceptions and inaccuracies during my appearance, but it is worth taking these claims head on (I will update as needed):


Messaging Provisions

Will the ECPA mean that businesses can't send newsletters, email updates, or other promotional materials to other businesses?

No.  Section 6(5)(b) includes an exception for legitimate business-to-business email.

Will the ECPA mean that I can't send emails to friends or family asking if they're interested in buying something from me or using my services?

No.  Section 6(5)(a) includes an exception for individual to individual email with a personal or family relationship.

Will the ECPA apply to non-commercial emails that I might send?

No.  The bill only applies to commercial email.

Why has Australia targeted direct marketing, while Canada talks about commercial messages?

Australia has not done that.  Both laws use commercial electronic messages.

Does the ECPA extend its jurisdictional reach too far beyond Canada's borders?

The law requires a connection to Canada to apply.  This is consistent with jurisdictional law more generally that mandates a real and substantial connection.

Will universities be blocked from sending commercial messages to alumnae?

No.  With opt-in consent, they can continue to send messages.  Even without such consent, universities are typically registered charities and thus qualify under the Section 10(6) exception for 18 months without the need for opt-in consent.

Will companies be prevented from sending consumers warranty or product recall information?

No.  In order to send consumers this information, companies must first obtain their contact information.  This provides an easy opportunity to obtain consent for sending future warranty or product recall information. Alternatively, companies will still be able to send information even without this consent for 18 months, providing ample opportunities to obtain the necessary consents.

Will real estate agents be unable to contact prospective clients via referral?

No.  Referrals can still take place as the personal relationship exception will allow for an individual to individual email that will facilitate a referral.  Alternatively, friends can simply provide the contact information for the real estate agent (which is typically the preferred approach anyway).

Does a business always need explicit, opt-in consent to communicate with customers?

No. Businesses can imply consent for 18 months for any existing customer. That provides plenty of time to obtain an opt-in consent.

Does a business always need explicit, opt-in consent to communicate with potential customers?

No.  Businesses can imply consent for six months for any potential customer that has made an inquiry with them.

Software Provisions

Will software vendors be required to obtain consent before installing software updates?

Yes. Software vendors should notify users what it is they are installing on their computer and obtain consent before doing so. Past experience involving cases such as the Sony rootkit provides ample evidence for why this is a good thing.

Does the ECPA stop web sites from using cookies?

No.  Cookies are text files and are not caught by the legislation.

Does the ECPA pose problems for the use of java or javascript on a webpage?

Possibly.  I have proposed some language to address this issue and Industry Minister Tony Clement has indicated his willingness to amend the law to address this concern.

Penalty Provisions

Does the ECPA contain very tough liability provisions?

Yes.  Experience in other countries shows that anti-spam law can only be effective with sufficiently tough penalties that create economic risk for spammers.

Is the private right of action really needed?

Yes.  Creating a private right of action was a recommendation of the Spam Task Force. Given the ongoing concerns about the enforcement history of the CRTC, Competition Bureau, and the Privacy Commissioner of Canada, a private right of action will allow the private sector to launch lawsuits of their own against Canadian-based spammers.  Previous lawsuits against Canadian-based spammers have been launched in the U.S., due to the absence of a Canadian private right of action.

Could the private right of action clog the courts?

Unlikely.  Unlike the U.S., Canadian class action lawsuits are rarer and there are court costs that create disincentives against frivolous lawsuits.

Email Harvesting Provisions

Will law enforcement be impeded due to the restriction on email harvesting?

Unlikely.  While the ECPA alters PIPEDA to address email harvesting, the numerous police powers to access far more than just an email address remain unchanged.

posted on Fri. Jun. 12/09

House of Commons Committee Releases Privacy Act Study
The Standing Committee on Access to Information, Privacy and Ethics has released its study on Privacy Act reform.  The Committee only accepted a handful of the "quick fix" recommendations from the Privacy Commissioner of Canada. The NDP supported them all.  I appeared before the committee as part of the study in May 2008.
posted on Fri. Jun. 12/09

CIRA Launches WHOIS Consultation
CIRA has launched a public consultation on its new WHOIS rules.  The consultation will include some direct consultations, a public forum, and an open consultation this summer.
posted on Fri. Jun. 5/09

Ombud for Victims of Crime Calls For ISPs To Disclose CNA Data Without Court Oversight
The Office of the Federal Ombudsman for Victims of Crime has issued a new report calling on the government to introduce legislation to make it mandatory for ISPs to give law enforcement basic customer name and address information upon request.
posted on Thu. Jun. 4/09

Cinema Guzzo Faces $10K Damage Award for Invasive Search
Cinema Guzzo, a Montreal-based theatre chain, has been ordered to pay $10,000 in damages arising from the search of a patron's bag that violated their privacy rights. The lawsuit over the "abusive search" was first filed in July 2007. While this case has nothing to do with copyright, how long will it be before the case is cited by U.S. copyright lobby groups as further evidence that Canada is hostile to their interests?
posted on Mon. Jun. 1/09

Site Last Updated: 2009-06-04
Copyright (c) 2003 Michael Geist