Library of Congress


Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://www.privacyinfo.ca/

Archived: 10/07/2009 at 04:11:38


www.PrivacyInfo.ca
 
This work is licensed under a Creative Commons License.



Welcome to PrivacyInfo.ca, a site maintained by Professor Michael Geist of the University of Ottawa, Faculty of Law. The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). While those decisions are available in full-text on the Commissioner's site, this site provides additional search functionality, including full-text searches as well as searching by individual provisions, sector, and outcome.

The site also contains links to Canadian privacy legislation, privacy law news, and other resources. For regular updates of new decisions and additions to the site, click here.

This site is not affiliated in any way with the Canadian Privacy Commissioner's office. It is provided for informational purposes only and should not be treated or relied upon as legal advice.

Recent Decisions
DECISION #376 - Allegation of Privacy Breaches Against Condominium Security Company (April 24, 2007)
DECISION #377 - Law Firm Reprimanded for Poor Privacy Practices Which Result in Missing Personal Information (April 5, 2007)
DECISION #379 - Employee’s Washroom Visits Monitored and Used Against Employee for Disciplinary Purposes (April 4, 2007)
Recent Privacy News

Lobbyist Pressure Focused on Watering Down Anti-Spam Bill
The introduction last spring of Bill C-27 - the Electronic Commerce Protection Act - represented the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven.  Industry Minister Tony Clement’s anti-spam bill has steadily made its way through the legislative process, with the Standing Committee on Industry likely to conduct its final "clause by clause" review over the next two weeks.

Although support for anti-spam legislation would seemingly be uncontroversial, my weekly technology law column (Toronto Star version, homepage version) notes that various business groups have mounted a spirited attack against the bill, claiming requirements to obtain user consent before sending commercial email will create new barriers to doing business online.  The Conservative MPs on the committee have remained supportive of the bill, yet Liberal MPs have expressed growing concern about some of the bill’s provisions.

A close examination reveals that the bill sets reasonable limits for online marketing consistent with laws found in countries such as Australia, New Zealand, and Japan.  In fact, there are four major caveats to the consent requirement.

First, the bill includes a business-to-business exception so that businesses that send commercial email to other businesses are immediately exempt from the need to obtain consent.

Second, the bill only applies to commercial email.  Non-commercial email between friends, family, and colleagues is excluded.

Third, a wide range of business-to-consumer commercial email is also outside the ambit of the bill.  For example, businesses can rely on "implied consent" to contact existing customers for a full 18 months and even contact non-customers who merely make an inquiry for six months.  In other words, simply inquiring about long distance plans or hotel room availability opens the door to six months of electronic messaging under the guise of implied consent.

Fourth, all other commercial messaging to consumers is permitted - there are no limits - so long as the business has obtained prior consent.  There are some form requirements, but nothing that should be considered particularly onerous.

Notwithstanding the implementation of similar opt-in systems elsewhere, some Canadian businesses argue that obtaining prior consent is problematic.  These groups would prefer an "opt-out" approach whereby they could continue to send electronic messages to consumers and force them to request that no further messages be sent.

Whenever such concerns are raised, politicians would do well to ask a simple question - is obtaining consumer consent really so unreasonable?  Is it unreasonable to obtain consent before sending a commercial message about a new service or product?  Is it unreasonable to obtain consent before installing software on a personal computer?  In most instances, the answer is no.

Canadians frustrated with the lobbying against the anti-spam bill can be forgiven for experiencing a sense of déjà vu since it bears a striking similarity to the efforts to water down Canada's do-not-call list.  When the bill establishing the do-not-call list was first introduced, it featured strict limitations on unwanted telemarketing.  

However, after weeks of business lobbying, the bill was gutted with new exceptions for business relationships, charities, political parties, polling companies, and newspapers.  The end result is that the majority of telemarketing calls remain perfectly legal, despite the inclusion of millions of phone numbers on the Canadian do-not-call list.

History may repeat itself this week with the anti-spam bill. While this should be a non-partisan issue, reservations from some opposition MPs about the content of the bill suggest that Canada’s contribution to the fight against spam is still far from a done deal.
posted on Mon. Oct. 5/09
Van Loan's Misleading Claims: Case for Lawful Access Not Closed
The push for new Internet surveillance capabilities - dubbed the "lawful access" initiative - dates back to 1999, when government officials began crafting proposals to institute new surveillance technologies within Canadian networks along with additional legal powers to access surveillance and subscriber information.  Over the past decade, lawful access has stalled despite public consultations, bills that have died on the order paper, and even a promise from former public safety minister Stockwell Day to avoid mandatory disclosure of personal information without court oversight. Last June, current Public Safety Minister Peter Van Loan tabled the latest lawful access legislative package.  Much like its predecessors, the bill establishes new surveillance requirements for Internet service providers. In an about-face from the Day commitment, however, it also features mandatory disclosure of customer information, including name, address, IP address, and email address upon request and without court oversight.

My weekly technology law column (Toronto Star version, Ottawa Citizen version, homepage version) notes that lawful access has long faced at least two significant barriers.  The first involves ISP costs associated with installing new equipment and responding to disclosure requests.  The government has attempted to address those concerns by promising to help pay the bills.  It plans to provide some funding for new equipment and, in a little noticed provision, has opened the door to paying ISPs for providing customer name and address information to law enforcement authorities.  

The second barrier involves lingering questions about the need for lawful access.  Critics have pointed to the fact that Canadian law enforcement has successfully used the Internet in hundreds of investigations, including a high-profile Toronto terrorism case. Moreover, the law already grants ISPs the option to disclose customer name and address information.

Van Loan argues that the changes are long overdue, pointing to a kidnapping case in Vancouver earlier this year as evidence of the need for legislative change.  In several interviews, he has described witnessing an emergency situation in which Vancouver police waited 36 hours to get the information they needed in order to obtain a warrant for customer name and address information.

While that makes for a powerful example, a more detailed investigation into the specifics of the case reveals that Van Loan's rendition leaves out some important details.  Over the summer, I launched Access to Information requests with the Ministry of Public Safety, the RCMP, and the Vancouver Police Department, seeking further information on the kidnapping case.

Both Public Safety and the RCMP responded that they had no additional information to provide other than the transcripts of the minister's interviews.  The Vancouver Police identified the case as a February kidnapping (not March as suggested by Van Loan).  The suspect was ultimately arrested and the case is currently before the courts, therefore limiting the department's ability to provide much detailed information.  

However, in an admission that goes to the heart of Van Loan's claims, a legal adviser disclosed that no ISP records were sought during the investigation.  In other words, the case the minister of public safety has presented as evidence of the need for mandatory disclosure of ISP customer records never involved a request for such records and yielded an arrest using the current law.

Without a doubt, society needs to ensure that police have the ability to deal with serious crime.  Yet, public concern about lawful access comes directly from privacy fears and the absence of compelling evidence that the current system has created serious barriers to police investigations.  The latest reliance on a case that did not even involve ISP records should only heighten skepticism about the government's proposed lawful access reforms.
posted on Tue. Sep. 29/09
OPC Publishes Comparative Report on Social Network Privacy Practices
The Privacy Commissioner of Canada has posted a February 2009 study completed by Jennifer Barrigar that compares the privacy practices of six leading social network sites.
posted on Sun. Sep. 27/09
Privacy Law Emerges as Latest Canadian Export
The recent Canadian privacy case involving Facebook attracted international attention as the world's leading social networking site agreed to implement a series of changes that will affect 250 million users.  While the case is widely viewed as a significant victory for Canadian privacy, my weekly technology law column (Toronto Star version, homepage version) notes the issue might never have been addressed but for a second, little-noticed privacy decision released two weeks later.

In December 2004, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa filed a complaint with the Privacy Commissioner of Canada against U.S.-based Abika.com, an online data broker that collects, uses and discloses the personal information of Canadians (I am an adviser to CIPPIC but was not involved directly in the case).  The company offered a wide range of search services on individuals, purporting to dig up everything from past police reports to consumer preferences.

A year later, the Commissioner ruled that she could not investigate the complaint.  The company refused to respond to questions and the Commissioner was of the view that there was no mechanism to further pursue the case given jurisdictional limits of Canadian privacy law.

CIPPIC asked the federal court to review the decision.  In February 2007, it ruled that the Commissioner was mistaken - the law did not preclude conducting investigations of foreign entities even if subsequent enforcement of a finding might prove difficult.

In light of that ruling, the Commissioner resumed her investigation of Abika.com, releasing a new finding on July 31, 2009.  Working together with the U.S. Federal Trade Commission, the Commissioner determined that "the American company disclosed the personal information of Canadians, without their knowledge or consent, to third parties" in violation of Canadian law.

During the nearly five years that the Abika.com case was winding its way through the Canadian legal system, CIPPIC filed a separate complaint against Facebook.  Once again, the Commissioner spent about a year investigating the issue.  Now armed with the Abika.com decision that conclusively determined that there was no legal barrier to investigating foreign companies on their compliance with Canadian law, the Commissioner conducted a comprehensive investigation of Facebook's privacy practices, identifying several areas in need of change.

Taken together, the two cases provide a powerful response to skeptics who doubted the ability of Canadian privacy law to influence foreign organizations.  Canadian law will not always apply - there is no reason to follow Canadian rules if there is no connection to Canada or no Canadian data collection.  However, organizations that do business in Canada or collect Canadians' personal information should recognize that a corporate office in Chicago will not shield them from the application of Canadian law in Calgary.

When the Canadian government introduced its private sector privacy law in 1998, the world was divided on the best approach to address emerging privacy concerns.  The European Union actively promoted its detailed, regulatory approach, while the U.S. sought market-driven solutions backed by tough penalties for violations of privacy promises.  

Supporters touted the Canadian law as a middle ground alternative, featuring regulatory requirements and a privacy commissioner, but with greater marketplace flexibility. At the time, many thought Canada might serve as a model for other countries. Last month, the Privacy Commissioner demonstrated that it is not the Canadian privacy model that has been exported to other countries, but rather the law itself. 
posted on Thu. Sep. 17/09
Privacy Commissioners Urge Caution on Lawful Access
Canada's Privacy Commissioners have issued a resolution calling on the government to proceed with caution on its lawful access legislation.  The resolution calls for evidence that the new provisions are needed, seeks alternatives, and sets conditions for striking the right balance.
posted on Thu. Sep. 10/09
Facebook Settles With Privacy Commissioner of Canada
Lots of coverage this morning on the remarkable Facebook settlement, which represents a major success for Canadian privacy and CIPPIC (which launched the case). The best source of information on the forthcoming changes comes from the Privacy Commissioner's letter to CIPPIC. Podcast of the press conference available here.
posted on Fri. Aug. 28/09
Privacy Commissioner Expected To Release Facebook Compromise Today
The Privacy Commissioner of Canada will hold a news conference this morning at which she is expected to reveal that her office and Facebook have reached an agreement on privacy changes at the social networking site.
posted on Thu. Aug. 27/09












Site Last Updated: 2009-08-02
Copyright (c) 2003 Michael Geist