Quebec introduces most consumer-friendly privacy law in Canada

Quebec introduced sweeping changes to its privacy regime, making it the most consumer-friendly privacy law in Canada by giving individuals much greater control over their privacy while compelling private and public sector organizations to implement onerous prescriptive obligations that will be challenging to fulfil within two years, according to privacy experts.

The major overhaul, heavily influenced by the 2018 European Union’s General Data Protection Regulation (GDPR), introduces new privacy rights such as data portability rights and the right to be forgotten, new accountability and governance requisites, and new rules for the outsourcing and transfer of information outside Quebec. It also institutes new mandatory breach notification requirements, mandatory privacy impact assessments, clarifies consent requirements for collection, use or release of personal information, and significantly raises potential fines for violations.


Most U.S. & EU companies still not prepared for new privacy law

The majority of European and American firms are not yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), reveals a recent report.

Many organizations fail to give the GDPR the attention it deserves, according to “Seizing the GDPR Advantage: From Mandate to High-Value Opportunity,” a report by France-based legal tech consultant Capgemini that surveyed 1,000 executives and 6,000 consumers.

The report notes that nearly one in five organizations fail to make the GDPR a top priority, 31 per cent feel that the sole purpose of their program is to comply with the mandate by the deadline, and only 28 per cent see the GDPR as an opportunity to gain consumer trust and competitive advantage, in addition to being a compliance mandate. Moreover, it reveals that 51 per cent of organizations are either lagging or feel they will be only partially compliant by the deadline.

The report underscores that there is a “significant perception gap” between organizations and consumers around consumer data privacy and security performance. A staggering 80 per cent of executives believe that consumers trust their organization with the privacy and security of personal data. Consumers have a different take: only 52% of consumers agree with executives.

“This overconfidence can blind organizations to the improvements they need to make in data practices and prevent sufficient investment,” said the report. “Such organizations will eventually lose out as consumers increasingly demand a best in-class data protection experience.”

The global tech consultant leader strongly argues that GDPR is in fact a new opportunity waiting to be tapped but only for “organizations that get it right.” Besides enhancing employee loyalty, it maintains that consumers are “more willing to engage with organizations that protect data.”

When consumers are convinced that an organization is protecting their personal data in line with the GDPR mandate, nearly half would share their positive experiences with friends and family. Just as importantly, more than one in three consumers (39 per cent) will spend more with an organization when convinced that the organization protects their personal data.

More ominously, over 70 per cent of consumers said they are prepared to decrease spend and stop doing business with organizations in breach of GDPR compliance. In addition, 64 per cent of consumers said they are likely to request non-EU companies to delete their data if they find organizations non-compliant once the GDPR comes into effect.

Monetizing data, without consent

You can still download the application if you want. But if you believe what Kyle Zak has to say about it, it’s not something you would do. Not unless you don’t mind the trade-off between ease-of-use and the reams of information you will allegedly provide to the popular audio maker Bose Corp.

The lawsuit filed by Zak against Bose is the latest to accuse companies of surreptitiously tracking consumers, without their consent, to collect data and then either solicit more business or sell it to third parties. Early this year Ottawa-based sex toy maker We-Vibe settled a privacy lawsuit for $5 million after a line of its vibrators was found to have secretly collected and transmitted “highly sensitive information” about consumers without their knowledge or consent. In February 2017, Vizio Inc., one of the world’s largest manufacturers and sellers of internet-connected “smart” televisions, agreed to pay US$2.2 million to settle charges by the Federal Trade Commission that it installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent.

The proposed class action against Bose alleges that the popular Boston-based audio manufacturer secretly collected, transmitted and disclosed its customers’ private music and audio selection to third parties, including a data mining company. The suit seeks an injunction to stop and prohibit Bose’s “wholesale disregard for consumer privacy rights” of those who download the companion app. Zak is also seeking millions of dollars in damages for consumers who purchased Bose’s wireless headphones and speakers.

“I have Bose headphones, and I love them,” said Ann Cavoukian, former Ontario privacy commissioner. “But if this proves to be true, I will be throwing them out. I will not tolerate this kind of activity that is taking place without the consent of the users.”

Introduced in 2016, the app, called Connect, allows customers to remotely control their Bose wireless products, and ostensibly makes it easier to pair different music sources such as an iPhone with Bose speakers and headphones. The proprietary software allegedly is programmed to continuously record in real time the music and audio tracks played through Bose wireless products.

“The music and audio tracks that people listen to reveal sensitive information about themselves,” alleges the suit in Kyle Zak v. Bose Corp. Case No. 17-cv-2918. “In other words, knowing what music, radio broadcasts, lectures, and podcasts a person chooses to listen to is enough to make accurate judgments and predictions about their personalities and behaviors.”

Bose disputes the allegations. “We’ll fight the inflammatory, misleading allegations made against us through the legal system,” said Bose on its website on April 20th. Three days later, Bose stated:

“You’ll find that the Connect App collects standard things to make your experience, and our products, better — like device information, app performance, and app and product usage. That includes information about songs playing on the device, the volume they’re played at and other usage data.”

On April 25th, Bose underlined that its Connect app “will be updated” so that consumers can opt out of having it collect data. “Any information collected before the opt-out is available will be altered, so it can’t be linked to you or your device by anyone,” added Bose. On May 3rd, the Connect app was updated.

The Office of the Privacy Commissioner of Canada (OPC) is not investigating the matter. If the Office receives a complaint, then it could launch an investigation, said Tobi Cohen, a spokesperson with the OPC.

However, the OPC launched an investigation in 2015 into a similar matter involving Bell Canada. While the case is not about a company “directly selling people’s information, it is an example of monetizing personal data,” noted Cohen.

In August 2013 Bell caused an uproar after it announced that it would use customers’ network usage and account information to enable the serving of targeted advertisements. Bell intended to track the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. The information was to be combined with demographic and account data already collected from customers to create highly detailed profiles that would enable third parties to deliver targeted ads to Bell’s customers for a fee. The program involved combining customer information from several Bell affiliates offering a range of mobile, home phone, Internet and TV services. The OPC concluded that “Bell was not, via its opt-out model, obtaining adequate consent” for its “Relevant Advertising Program.” After the release of the OPC’s report, Bell decided to withdraw its program, stated that it would delete all existing customer profiles related to the program, and said that if it launches a similar program in the future, it would do so using express opt-in consent.

The crux of the problem is that companies and consumers and privacy commissioners do not see eye-to-eye over what constitutes personal information. Privacy policies shed a bit of light over what companies deem to be personal information. But as Pam Dixon, the executive director of the World Privacy Forum, noted recently, the definition of “personally identifiable” is usually up to the company.

“It should not be up to companies to determine what is personally identifiable,” said Cavoukian. “Personally identifiable information means any information linked directly or indirectly with personal identifiers that identify you. So we’re not just talking about names and addresses. There could be indirect linkages that when connected with some other information point to you.”

But data has become an extremely valuable commodity. When a subsidiary of the gambling group Caesars Entertainment filed for bankruptcy in 2015, its most valuable asset was considered to be the data it held on its 45 million customers who joined its customer-loyalty program. It was evaluated at $1 billion. Another example is Uber. Its worth is estimated at $68 billion, in part because of the data it has on drivers and passengers for personal transportation. Even Bell acknowledged the value of data. “Bell asserts that by providing targeted (and thus more relevant) ads to users and more powerful and effective functionality to advertisers, it can improve its customers’ overall online experience, better compete in a global online advertising market with strong international advertising players, and ultimately generate greater advertising revenue,” according to the OPC’s report.

The tension over privacy between companies and consumers is not likely to fade. Consumers will likely continue to be caught between a rock and a hard place. The terms and conditions outlined by privacy policies are impenetrable. On top of that, consumers often have no choice but to accept them if they want to use the app they have downloaded.

But consumers, at least in Europe, will have another weapon at their disposal to keep companies in line, said Cavoukian. As of May 2018, the European Union’s General Data Protection Regulation (GDPR) strengthens people’s control over their data as it requires companies to get explicit consent for how they use data. Fines for breaches under GDPR will be stiff – up to four per cent of global revenues or US$22 million.

That is an example that should be followed in North America, said Cavoukian. While that is unlikely, companies doing business in Europe will nevertheless have to pay attention. “You are going to see a lot of action next year on the heels of the GDPR,” said Cavoukian. “You are going to see changes because people are getting increasingly concerned about their privacy, and governments are responding.”

Ashley Madison agrees to US$1.7 million settlement

A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.

Just before the Christmas holidays, Toronto-based Avid Life Media Inc. (ALM) agreed to pay US$1.6 million and implement a comprehensive data-security program, including third-party assessments, to settle claims by the FTC who worked in collaboration with 13 U.S. states. According to the FTC complaint, until August 2014, operators of the site “lured” customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.

ALM, now known as ruby Corp., still faces a slew of class actions stemming from the data breach, and in a move to dismiss the claims, it is arguing that plaintiffs agreed to an arbitration clause and a class action waiver when they signed up. Plaintiffs’ attorneys counter that the arbitration provision is “buried after pages of legalese.” (Over the past decade thousands of U.S. businesses have used arbitration “to create an alternative system of justice” that tends to favour businesses, according to an investigation by the New York Times).

Closer to home, Canada’s privacy watchdog says that more enforcement powers would have been “useful” to deal with the numerous privacy violations committed by ALM.

A joint year-long probe by Canadian and Australian privacy commissioners, launched after the massive data breach, found that ALM had inadequate or nonexistent security safeguards and policies while marketing itself as a discreet and secure way for consenting adults to have affairs. The company even went so far as to use fictitious security trustmarks on Ashley Madison’s homepage to reassure users and convey the impression that the website had a high level of security and discretion.

Under a compliance agreement with the Office of the Privacy Commissioner of Canada (OPC) and an enforceable undertaking with the Office of the Australian Information Commissioner (OAIC), the company agreed to conduct a comprehensive review of its information security systems, strengthen its security framework, document its efforts, ensure adequate training of staff, and provide a report from an independent third party documenting the measures it has taken to come into compliance.

“Theoretically this is the kind of case where additional enforcement powers would have been useful,” said federal Privacy Commissioner Daniel Therrien. “It’s not that in the absence of these powers we do not have influence. But other jurisdictions in the U.S. and Europe have order-making powers and can impose fines so clearly the question whether the OPC should have these powers arises.”

At present, under the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy commissioner can only make non-binding recommendations and has no power to make orders unlike provincial privacy commissioners in Alberta, British Columbia, Ontario and Quebec.

Ann Cavoukian, a three-term Ontario privacy commissioner, is in favour of granting the federal privacy commissioner more enforcement powers. “When I was Commissioner I felt so grateful and fortunate that I had order-making powers because that gave me the stick I never had to use,” said Cavoukian, the executive director of the Privacy and Big Data Institute at Ryerson University. “Having the stick allowed me to get an organization to agree to things informally because they knew I could pursue this in a much more serious manner.”

But while Ottawa privacy lawyer Kris Klein too bemoans the fact that the OPC does not have powers that have “bite,” he commends the federal privacy watchdog for using the high profile case as a springboard to serve a strong reminder to businesses and organizations that they must put in place safeguards that take into account the sensitivity and amount of information that they collect and use. The comprehensive report, unlike the vast majority of reports penned by the OPC, also provides solid guidance that will help privacy lawyers, added Klein. “The report is extremely helpful as it helps privacy practitioners better understand what the privacy commissioner expects in terms of information security standards,” said Klein of Nnovation LLP. “So going forward I’ve got a lot more concrete things to point to when I’m advising clients as to what should and shouldn’t be done from a security perspective when it comes to dealing with personal information.” That is a harbinger of things to come, said Therrien. “One of my objectives is to increase the privacy of Canadians and to give practical guidance to companies as we have done here,” added Therrien.

Privacy experts are however concerned that many organizations will not pay heed to the findings and guidance yielded by the report because they don’t manage personal information as sensitive as the one collected and used by Ashley Madison. That would be a mistake, said Cavoukian. “Many companies obviously won’t be exactly in the same situation in terms of the sensitivity of the data collected in this site but in this day and age of cybersecurity attacks that occur almost on a daily basis, if you are dealing with any personal information, meaning any data that contains personal identifiers either directly or indirectly, security has to be top of mind,” said Cavoukian.

The report was “careful to point out” that a data breach or a security compromise does not necessarily mean that an organization failed to establish adequate safeguards under PIPEDA, noted Klein. In order to determine whether a PIPEDA contravention took place, the OPC will perform a contextual analysis that will examine whether the safeguards in place at the time of the data breach were “sufficient” given the sensitivity of the information. That is a finding that will reassure organizations, particularly American ones, as many are wary of having to deal with a regulator when a data breach occurs, “particularly in situations where they feel they have been victimized,” said Klein.

Organizations should also be aware that the OPC’s definition of harm is broad, extending beyond financial loss to individuals due to fraud or identity theft, said Fazila Nurani, a privacy and information management lawyer. The OPC also takes into account subjective types of harm such as reputational harm as it could potentially have a profound impact on an individual’s ability to access and maintain employment, relationships or even safety depending on the information, said the report. “This is such an important point,” noted Nurani. “The courts have started to recognize that privacy is a right in and of itself regardless of whether you have been financially impacted or not – and the regulator in this case is on the same wavelength.”

Retention policies were also examined by the OPC in the report. ALM’s practice was to keep all information contained in inactive or deactivated profiles indefinitely in case an individual wished to reactivate their profile in the future, despite the fact that 99.9 per cent of people who did reactivate their account did so within 29 days of deactivation. The OPC makes it clear that retention policies should be based on a “demonstrable rationale” and timeline. “A lot of organizations just don’t put enough time into developing retention policies,” remarked Nurani. “They just keep the information indefinitely on an electronic system so the guidance about retention is a really big takeaway for business.”

But perhaps the most important lesson that can be drawn from the Ashley Madison case is the importance of adopting clear and appropriate processes, procedures and systems to handle information security risks, supported by internal or external expertise, said Therrien. Organizations whose business model relies on vast amounts of personal information should “think hard” about what kind of information they collect, assess the risks it poses – and plan accordingly, said Therrien. Documenting security policies and procedures is key, as it provides clarity around security-related expectations for staff, as is conducting regular and documented risk assessments, added Therrien.

“To be systematic about it means that you’re more likely to take effective measures to reduce the risk of a privacy breach,” said Therrien. “If you are not systematic then things will fall through the cracks, and you will be more at risk of these privacy breaches. Hopefully people will listen because clearly this is not (an) isolated (case).”

Federal privacy watchdog examines consent model

The consent model, the cornerstone behind the federal legislation that governs how private sector organizations may collect, use or disclose personal information in the course of commercial activities, is under the microscope after the Office of the Privacy Commissioner of Canada (OPC) published a consultation paper that examines its viability in today’s digital information ecosystem.

The mind-boggling pace of technological advances and the advent of cloud computing, big data analytics and the Internet of Things (IoT) have spurred the collection of such unprecedented amounts of personal information — often shared among invisible players — that it has placed the consent model under strain. Against this backdrop, businesses find it increasingly challenging to fulfil their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) while individuals face the impossible task of figuring out what organizations are processing their data and for what purposes, noted the OPC’s discussion paper. That has prompted some to advocate the easing of consent requirements around the collection of personal information while others argue for measures to strengthen it.

“There is concern that technology and business models have changed significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent,” observed the OPC’s discussion paper entitled Consent and Privacy. The discussion paper, which sought comments until the end of July, explores different options to enhance consent under PIPEDA.

But privacy experts are skeptical that the consultation will lead to any tangible actions in the future. They point to the Digital Privacy Act, which received royal assent more than a year ago, yet is still not in force because the federal government has yet to complete the drafting of data breach notification and reporting regulations. “I know that some people are hopeful that it will result in more meaningful change down the road, and maybe these are the beginning steps that will result in that but I am not going to hold my breath,” said Kris Klein, an Ottawa-based privacy lawyer who is the managing director of the International Association of Privacy Professionals (IAPP) Canada. “Things in the privacy world in Canada seem to move at a snail’s pace. Canada is falling behind.”

The consent model was forged at a time when transactions had “clearly defined moments” in which information was exchanged, points out the discussion paper. Transactions, be it an individual doing business with a financial institution or making an insurance claim, were often routine, predictable, transparent and for a limited purpose. Individuals knew the identity of the organizations they were dealing with and how the information was collected and used.

That is no longer the case, particularly since the emergence of big data and the IoT. Through the use of complex algorithms, big data analyzes enormous data sets to reveal patterns, trends and associations to solve problems and generate value. Its ability to draw correlations between individual pieces of data can also pose risks that personal data will be used in ways that individuals did not consent to nor would have ever “reasonably expected to consent” to at the time the information was collected, said the discussion paper. IoT, while still in its infancy, is a development that allows for products such as smart thermostats, connected cars, and health and fitness trackers to collect data using sensors that is shared over telecommunication networks. A U.S. Federal Trade Commission staff report found that ubiquitous data collection and the potential for unexpected uses of data are the two most serious privacy risks of IoT. “A major challenge in this environment is how to convey meaningful information about privacy risks in order to inform the user’s decision whether or not to provide consent,” said the discussion paper.

“Consent is not a meaningful concept when it comes to defining people’s privacy rights,” said Daniel Michaluk, a Toronto privacy and data security lawyer with Hicks Morley Hamilton Stewart Storie LLP. “It does tend to under protect because we do have a problem with properly digesting what we are consenting to. It is just too complicated and there are too many data flows to keep track of and we can’t do it. That’s a problem.”

Éloïse Gratton, the national co-leader of the privacy and data security practice group at Borden Ladner Gervais LLP in Montreal, concurs. “We have a lot of upcoming technologies that are going to challenge this consent model even more,” said Gratton, who has published several books on privacy. “The consent model makes sense in theory but it’s no longer realistic. The technologies are too complex. It’s hard to use consent as a tool to make sure that people’s privacy and personal information is protected.”

The OPC proposes a series of “solutions” to deal with the challenges facing the current consent model, none of which will likely be a panacea, said the discussion paper. A combination of mechanisms that take into account that consent should not be a burden for individuals or organizations nor a barrier to innovation will likely be contemplated. Many of the proposed solutions focus on making consent “more meaningful” and making it easier for individuals to understand so that they can make informed choices. The current consent-based model of privacy protection for instance could be strengthened by ensuring that there is greater transparency in privacy policies and notices. The use of third-party intermediaries who could set privacy preference profiles may be worth a look, as are technology-specific safeguards that have built-in compliance mechanisms, said the OPC. The internationally-recognized Privacy by Design (PbD) concept, which imposes obligations to account for privacy when creating products and systems, too is an option – and is a route chosen by the European parliament after it approved this spring tougher data privacy rules that enshrine the right to be forgotten. The new General Data Protection Regulation (GDPR), which governs the use and privacy of European Union citizens’ data, compels organizations to incorporate PbD principles into the development of business processes for products and services.

The OPC discussion paper also contemplates alternatives to the traditional approach to consent, such as the de-identification of data and types of information that may not necessarily require consent or “no-go zones” which prohibit the collection, use or disclosure of personal information in certain circumstances. The OPC would also consider the notion that consent is not always practical in some situations, as is the case in the new European Union framework. In the EU, legitimate business interests can be cited as grounds for lawful processing without consent, except in cases where fundamental rights come into play. Also on the table are codes of practice that provide practical guidance to industry best practices, privacy accountability seals, and greater enforcement powers for the OPC.

“What we ultimately need is some sort of model that tells us what is and what is not permissible,” said Michaluk. “We have suggestions on how we might structure our thinking about it but there are no suggestions in the paper that talk about what that model might look like. That’s what we need. I don’t know what it looks like, and I don’t think anybody really does. It is the fundamental problem.”

But Gratton warned that before amending PIPEDA on consent, one should make sure that changes will not be “detrimental or problematic” following the emergence of new technologies. PIPEDA’s wording towards consent is flexible, maintained Gratton. It can accommodate new technologies and business models as well as new social norms that may arise in connection with upcoming technologies or business practices, added Gratton. She raises the possibility of using a risk-based approach that focuses on the risk of harm which would reduce the burden of the notification obligation and concurrently the consent obligation. While it would “imply some rethinking to some extent” of PIPEDA’s current consent model, the risk-based approach could be incorporated into PIPEDA, said Gratton.

Klein leans towards an approach that would both ease consent requirements and strengthen them. A good example is Canadian banks, which are governed by a robust regulatory regime that has earned the confidence and trust of consumers. “If we developed in the privacy field a robust and mature set of legislative principles overseen by a robust regulatory regime then maybe we can sort of start getting that same sense of comfort and confidence in organizations,” added Klein.

This story was originally published in The Lawyers Weekly.

Health & life insurance industry intends to ignore privacy commissioner’s recommendations over genetic testing

A call by Canada’s privacy watchdog to the life and health insurance industry to voluntarily refrain from asking clients for access to existing genetic test results is going to be ignored, setting the stage for a divisive debate over access and the use of such personal information.

After consulting stakeholders, commissioning research papers, and holding roundtables in the area of genomics and privacy, the Office of the Privacy Commissioner of Canada issued an eight-page policy statement asking the health and life insurance industry to extend their decade-long voluntary ban against asking applicants or existing policy holders to undergo genetic testing. More controversially, the OPC is also asking the industry to extend the moratorium to applicants who have already taken genetic tests. But the OPC’s policy statement is not definitive. Recognizing that the state of medical technology is changing rapidly, it admits that its position should be reviewed periodically.

“The thing that really jumped at me is that the OPC’s finding is preliminary, qualified, and based on its own research,” noted Daniel Michaluk, chair of information management and privacy practice group at Hicks Morley Hamilton Stewart Storie LLP in Toronto. “If the industry thinks it has a different justification, based on evidence or facts, that may in fact justify the use of genetic testing, that may change the (OPC’s) conclusion.”

With genetic testing becoming quicker, more affordable, and more readily available, a growing number of Canadians are turning to genetic testing for reproductive planning, to explore their ancestry, or to find out whether they have a genetic predisposition to diseases. Others still undergo genetic testing to participate in long-term research projects such as Canada’s ambitious Personal Genome Project, which is recruiting volunteers willing to share their genome sequence with scientists to study.

Canada is the only G-8 country without a policy or legislation on the use and collection of genetic information for non-research or health purposes. The legislative absence has spurred privacy concerns and fears that individuals will be discriminated against because of genetic markers and be denied coverage or be charged prohibitively expensive rates.

“This is a strongly-worded recommendation,” said Carman Baggaley, senior international strategic policy analyst at the OPC. “We certainly hope that the industry will take it seriously. We’ve had what we thought was a positive dialogue with representatives of the industry.”

But the life and health insurance sector intends to stand its ground. While it will not “under any circumstances” ask applicants or existing policy holders to undergo genetic testing, the industry does expect clients who have already taken genetic tests to share those results with life and health insurers, said Frank Zinatelli, vice-president and general counsel to the Canadian Life and Health Insurance Association Inc., a non-profit industry group.

“I don’t think it is a proper call,” remarked Zinatelli. “The privacy commissioner says that you shouldn’t use these tests until they are necessary and effective. We think that many tests are already effective and necessary.”

The notions of “good faith” and “material information” lie at the heart of the conflicting positions. The industry maintains that insurance contracts are based on good faith, and that both parties have an obligation to disclose any information that may be relevant to the contract – a principle that is entrenched in insurance legislation in each province. Genetic test results are deemed by the industry to be material information because they allow insurers to properly assess risks associated with clients and to charge “correct levels” of premiums, said Zinatelli. “The insurance industry has been dealing with sensitive information from the very beginning,” added Zinatelli. “We have in place safeguards and protections so that information is maintained consistent with all privacy rules now in place.”

The privacy watchdog is far from convinced. The policy statement asserts that the industry association does not define what constitutes material information. Nor does the industry differentiate between different types of genetic tests or the purposes for which the testing was done, according to the statement. “Where we disagree is around the issue of what’s material,” said Baggaley. “It would certainly appear that all of these tests are not material, and that from a consumer’s perspective it would be desirable if there was clarity around the concept of what is material.”

The OPC has yet more concerns, principally centering around the notion of reasonableness. After examining the issue through the use of a four-pronged test, the OPC concluded that the collection and use of existing genetic test results does not appear to be necessary at present, that the validity and accuracy of individual genetic tests cannot always be guaranteed, that its collection and use is not proportionate to the benefits the industry would gain from using test results, and that there are other less privacy invasive alternatives available to the industry. (See sidebar).

“The four-point test is a bit of a sticky point for organizations, and the OPC has applied it differently at different times,” said Michaluk. “It’s not about consent at all. It’s about reasonableness and proportionality. The fourth part of the test, involving less privacy invasive alternatives, is the one that organizations view as the most aggressive because it tends to rule out better means that are more intrusive – and it has been applied in a very strict manner.”

Other privacy experts, while sympathetic to the industry’s position, warn life and health insurers that they ignore the OPC’s policy statement at their peril. The Privacy Commissioner has very broad investigative powers and the ability to take organizations to court, said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. While the Privacy Commissioner can only make recommendations, and not orders, under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Commissioner may apply to the Federal Court for a hearing. The Federal Court in turn can order an organization to change its practices and award damages to a complainant.

“There is also a potential public relations fallout if it ends up in the media that the Privacy Commissioner specifically told you not to do this, and you went out and did it anyway,” said Fraser. “So they should be cautious and prudent and think twice before they went out against the statement.”

That the OPC forged ahead with a policy statement without launching an investigation into the matter is unusual and revealing, said Kris Klein, a privacy lawyer with NNovation LLP in Ottawa. The OPC has long complained that they do not have enough powers to compel organizations to comply, pointed out Klein. “When you read their statute, they do have the power to conduct research but it is the way that they are sort of using it as an enforcement tool that I think is quite interesting,” said Klein, who has advised the Privacy Commissioner. “It is an indication that they are frustrated with their own powers, and they are really pushing the envelope when it comes to trying to find other ways to get compliance.”

Privacy experts are concerned about the reach of genetic testing and its privacy implications, but they are also mindful that life and health insurance companies need to make fully informed decisions based on risk, which is why all have praised the OPC for demonstrating “sensible flexibility.”

“They want to reserve for themselves freedom of action in the event that they are presented with a case,” said Fraser. “The amount of information you can get from genetic material is going to change over time, and so too is its reliability. Under PIPEDA, you can only collect information that is reasonable and necessary, and because PIPEDA is principle-based, what is reasonable and necessary can change over time. Their conclusion shows some sensible flexibility.”



The OPC used a four-point test to analyze the issue of whether genetic test results should be used by the health and life insurance industry:

  • Is the collection and use of this personal information necessary to achieve a legitimate business purpose?
  • Is the personal information likely to be effective in achieving that purpose?
  • Is the collection and use proportionate to the benefits gained?
  • Are there less privacy-invasive alternatives?



Open data: The value of openness

When Bing Thom Architects set out to investigate the effects of rising sea levels in Vancouver, the firm decided to gather crucial information about the shoreline from the city’s open data web portal. The study ultimately painted a sobering view of the potential impact of climate change: more than $25-billion in Vancouver real estate would be “negatively affected” by a rise in the sea level in the 21st century, excluding infrastructure such as roads, sewers, and electrical facilities. But the research also underscored the value of open government data: information that is collected by government for its own purpose and made available to the public for its own use.

Open data is essentially information that is free for anyone to use, reuse and redistribute. Proponents of making government data available to the public identify two main benefits: First, innovators of all kinds can use the information to build useful applications and services, and second, it promotes government transparency and accountability and encourages citizen participation in public policy debates. As Andy Yan, the urban planner involved in the Vancouver project observes, “when you have this type of transparency and governments release their databases to the public, you can have these kinds of discussions about public policy out in the open instead of being captured in little clubhouses.”

There is no question that governments are under growing pressure to remove any barriers to accessing their public records, and some — led by the United States, Britain and Australia — are embracing the open data movement. Others, including Canada and its provinces, lag behind but are beginning to overcome their apprehension at making some — if not all — data available to the public.

But first, governments must agree on a legal framework that will govern any move to open up public data for use in different jurisdictions and address issues ranging from IP rights to the use of personal data and respect of people’s privacy. For the most part, reuse and distribution of open data is subject to licences requiring attribution and share-alike provisions.

Creating value

Perhaps the best argument for making public records more readily accessible is: Why not? Advocates say it doesn’t cost much to open up raw government data and it has the potential to increase in value when it’s made easily accessible. So why not allow citizens to access and analyze it themselves? This idea has emerged as one of the building blocks for Government 2.0, a term coined to describe the integration of new-generation digital media technologies into government structure and operations.

“Open government, Government 2.0 and open data are very interrelated, and feed into each other,” says Tamir Israel, a staff lawyer with the Canadian Internet Policy and Public Interest Clinic (CIPPIC). “Having open data makes Government 2.0 initiatives more compelling, more valuable and more likely to succeed. They are both in response to technology, and both have the same motivation which is to be more transparent and interactive with its citizens through online mediums.”

Take the initiatives of Open North, a new Canadian non-profit devoted to building online tools to help citizens interact with government. The outfit is working to get cities across Canada to adopt an interactive tool which educates citizens about the budget-making process by asking for their input.

The shift towards open data also can cut costs for government and make it more efficient, says Guy Michaud, chief information officer for the City of Ottawa. Since the launch of its open data portal, the city has received fewer access-to-information requests, since data is often readily available for the public to download and use.

Open data applications can be civic minded, ranging from garbage collection timetables to the reporting and repairing of potholes. They can also generate economic value when businesses add value to data by creating their own applications.

Ottawa sponsored a $50,000 software application contest for smart phones and websites to encourage “meaningful and innovative” uses of its open data collection. The contest spawned 99 application submissions and more than 100 ideas. The winner was OttawaGuide, a free tour guide mobile software application that uses new technology to superimpose digital information about your current location on objects as seen through the “eyes” of your smart phone’s camera in real time.

“Getting 99 applications for an investment of $50,000?” Michaud asked rhetorically earlier this year when he appeared before a parliamentary standing committee examining open government and open data. “There’s no way you could get even one application developed for that cost. So we may not have savings, but we sure have a nice return on our investment.”

Keeping an open mind

Open data is not just a niche interest for policy and tech geeks. About 40 per cent of adult internet users have gone online in search of raw data about government spending and activities, according to a report by the Pew Research Center’s Internet & American Life Project.

Governments are beginning to pay attention. At last count, there were more than 50 government open data catalogs worldwide. Closer to home, a growing number of municipalities are following in the footsteps of Vancouver, Toronto, Edmonton and Ottawa, with Montreal, Fredericton and Waterloo launching open data web portals in the fall. The federal government launched its own open data portal last year.

Missing in action, however, are the provinces, with the exception of British Columbia, which launched its portal last summer. According to a 2011 IDC Canada survey of 150 federal, provincial and local government entities, half said they have no mandate or plans to open data to the public, and barely seven per cent of respondents said their government is planning an open data initiative.

Still, David Eaves, an open data expert who has advised several governments on open government and open data, remains convinced that Canada is making headway. “What we are seeing now is a growing interest in open data, especially at the municipal level, but increasingly at the federal level,” he said. “As for the provinces, there we have a tougher story. Only B.C. has shown up.”

In truth, many governments resist making raw data truly available to the public. Some of it has to do with resistance from within. Eaves fears that in order to ward off public pressure, some will launch portals with a few datasets, and frame it as a transparency initiative. “They will be missing out,” he adds.

The devil’s in the details

Even for governments eager to implement open data initiatives, there are a number of legal challenges. Copyright protection standards vary from one jurisdiction to another. Licensing terms may carry more weight in some areas than in others. And there are privacy concerns.

Most lawyers will reflexively craft licences to protect their clients by drafting onerous terms for licensees. But this could be a deterrent to sharing information. To achieve open data policy objectives, governments must adopt “easy to use” licences, says David Fewer, director of CIPPIC. “The objective here is to facilitate democratic governance, to facilitate innovation in the marketplace, and to facilitate the dynamic provision of services in ways that governments are not well-suited to do,” he says. “Lawyers have to take a real sanguine look at the real risks and understand that they are relatively minor. If they craft licences that are all about minimization, lawyers are going to get in the way and undermine the policy objectives.”

Currently, open data web portals in Canada are mostly subject to licences requiring attribution and share-alike provisions. The Vancouver portal, like most Canadian open data web portals, states that the terms of use are intended to protect and promote the city’s commitment to open data, and ensure that users freely share their own work on the applicable data. But share-alike clauses could prove to be a disincentive for the private sector to invest the time, energy and resources if they cannot “reap what they have sown,” says Fewer. While they make sense for some open source software projects built around a single community of developers, Fewer says that limiting the ways that people can use open data is “a failure in policy instruction” that makes no sense when trying to build a platform for innovation.

Fewer would prefer to see Canadian open datasets licensed under something akin to the U.K.’s Open Government License (OGL), which has the advantage of being written in plain language. It is also meant to be compatible with widely used models such as Creative Commons and Open Data Commons licences.

More importantly, though, government information licensed under the OGL can be re-used for both commercial and non-commercial purposes, provided licensees include an attribution statement, usually specified by the information provider.

A third legal challenge is privacy. Not surprisingly, the Office of the Privacy Commissioner of Canada (OPC) is keeping close tabs on developments on the open data front. While the privacy watchdog endorses government transparency, it cautions that it should not come at the expense of individuals’ statutory rights to privacy. The OPC is concerned that the line between identifiable and non-identifiable information is becoming increasingly blurred thanks to the emergence of new information technologies, says assistant commissioner Chantal Bernier. The danger is that seemingly anonymous information gets bundled with information from other sources and linked back to specific individuals. “It is a widespread concern because the technology allows deeper analysis but unfortunately re-identification and therefore de-anonymization is possible,” Bernier explains.

The OPC is urging governments to implement privacy by design, a preemptive approach that requires the integration of privacy considerations into new programs and databases from the outset, not as an afterthought.

Surprisingly, the federal government did not consult or provide the OPC with a privacy impact assessment when it launched its own open data web portal, “arguably because they have no intention to ever provide any personal information in that portal,” says Bernier.

“That argument means that you better have done your homework to make sure you have clear practices and policies as to what goes in the portal and that you have very secure mechanisms to make sure that the infrastructure is in place to protect personal information.”

Ultimately, it is crucial for governments to get the licensing of open data right and in an intelligent way that protects people’s privacy without being overly restrictive. Otherwise, little will happen and open data will fail to live up to its potential to benefit the public interest.

This story was originally published in the National magazine.

Man ordered to pay $39,000 for illicitly filming sexual escapades

A Quebecer who filmed and took pictures of sexual escapades with a 20-year-old woman and then distributed them on the Internet was ordered to pay $39,000 in damages.

In a brief four-page ruling, Quebec Superior Court Judge Sylviane Borenstein held that the man breached her fundamental rights by intentionally and illicitly invading her privacy, and that his conduct cannot be tolerated or trivialized by the courts. “The actions were ignoble and the Court expresses its indignation over these actions. One can understand that the woman, who is only 20 years old, feels betrayed and humiliated,” said Justice Borenstein in J.G. c. M.B., 2009 QCCS 2765.

The Court issued a publication order that forbids media from identifying the parties in order not to aggravate the harm she has suffered.

Judge Borenstein barred the man from communicating, distributing, publishing, reproducing, or transmitting pictures, e-mails or videos of the filmed events, and prohibited him from reaching her in any way. Further, the Court prohibited him from having in his possession photographs and videos of the plaintiff.

He was also ordered to pay for costs stemming from an Anton Piller order that was issued. An Anton Piller order is a court order that provides the right to search premises and seize evidence without prior warning.


Privacy rights overlooked in bankruptcies and insolvencies

Eight years after the federal government introduced legislation that applies to the collection, use and disclosure of personal information in the course of any private sector commercial activity, corporate lawyers pay little heed to privacy rights in bankruptcy and insolvency proceedings.

“Candidly, we on the insolvency side pay lip service to privacy,” acknowledged Kenneth Kraft, a partner with the financial services group at Heenan Blaikie, specializing in insolvency and finance. “It’s not something that we give much thought to.”

But that is likely to change. The recent uproar that led popular social-networking website Facebook to back down from changing its terms of service, which would have given the company exclusive rights to all user content even if a user decided to delete their account, highlighted growing consumer awareness over privacy rights. With that awareness coupled with an economic downturn that is widely expected to see a flood of bankruptcies and insolvencies, privacy experts expect that there will be increased focus on what will be done with the personal information in the hands of bankrupt entities.

“Privacy is an important consideration in a bankruptcy and insolvency situation because the laws applicable to personal information continue to apply to the assets of the bankrupt company,” noted Mike Fekete, a partner in the Business Law Department practicing in the Technology Business Group at Osler. “As a result, the receiver and trustee in bankruptcy needs to be sensitive to restrictions on dispositions of assets which include personal information.”