There Will Be No Privacy Reform. Get Over It

My weekly Law Bytes column (Toronto Star version, homepage version) examines the Standing Committee on Access to Information, Privacy and Ethics' much-anticipated report on the reform of Canada’s private sector privacy law released earlier this month.  Despite hearing from 67 witnesses, the Committee followed the lead of Industry Minister Maxime Bernier and Privacy Commissioner Jennifer Stoddart – neither of whom argued forcefully for reform – by issuing a tepid report that rejects the changes that many privacy advocates believe are necessary to improve the effectiveness of the current legal framework.

Instead, the final report, which includes separate dissenting opinions from the Conservative and Bloc Quebecois MPs, features 25 recommendations that at best represent little more than tinkering with the law and at worst undermine privacy protections in several key areas, most notably the use of privacy law to counter the mounting spam problem. Most of the major issues presented to the Committee, including beefing up the Privacy Commissioner's powers, adopting a "name and shame" approach for privacy violators, and safeguarding Canadian data that is outsourced to other jurisdictions, were met with indifference, as the Committee recommended no further reforms. In fact, even a mandatory security breach notification requirement – widely expected as a response to the massive data security breaches involving retail giants Winners and Homesense – was tempered with a recommendation to require notification to the Privacy Commissioner, not necessarily to the individuals affected by the breach.

In fairness to the Committee, many of their recommendations appear to have been shaped by the inexplicably weak responses from Industry Minister Bernier (who is responsible for the legislation) and Privacy Commissioner Stoddart. Officials from Industry Canada, who were the first to appear before the Committee, came completely empty-handed, surprising Committee members by conceding that they had no authority to recommend reforms and could not comment on the effectiveness of specific provisions within the law.  While there was some speculation that Bernier would come before the Committee, a personal appearance never materialized.

Stoddart followed soon after, but to the dismay of many in the privacy community, cautioned against major reform.  When asked about the prospect for order-making power to match her provincial counterparts or enhanced power to name privacy violators, she indicated that such changes were premature.  Committee members concerned about the effectiveness of the current law in the face of cross-border data transfers were similarly assured that further reforms were unnecessary (despite the fact that Stoddart was recently ordered by the Federal Court of Canada to investigate a case involving a U.S. organization after refusing to even launch an investigation). Even on the hot button issue of the day – mandatory notification of security breaches that place Canadians at risk of identity theft – the Commissioner offered only mild support.  Indeed, it was the Committee, not Bernier or Stoddart, that vigorously promoted the desirability of a mandatory notification system.

In light of that testimony – combined with the fact that only one other Canadian privacy commissioner even bothered to appear before the Committee – the report is a disappointment, though not much of a surprise. Moreover, the two dissenting opinions reinforce the challenge of gaining all-party support for privacy reform.  The Conservative MPs on the Committee issued a dissenting opinion to emphasize their desire to avoid changes "that would unduly increase the compliance burden on the small business community." The Bloc Quebecois MPs went further, noting for the record their "complete disagreement with this Act." The Bloc dissent provided a powerful reminder that Quebec has launched a constitutional challenge that contests the validity of federal privacy legislation.

Scott McNealy, the CEO of Sun Microsystems, is well known for having once dismissed consumer privacy concerns by stating that "You have no privacy. Get over it."  The Committee report and the dissenting opinions send a similar message to Canadians. There will be no significant privacy reform.  Get over it.

4 Comments

  1. DerekHill says:

    M. Geist,
    I thought you might like to see the effects of our passive Privacy Act administration in 2007.

    This is a complaint I just filed last week outlining flagrant, numerous and substantial Privacy Act breaches by CanWestGlobal media resulting from their outsourcing of their @canada.com email operations to a no-name US outfit in the USA 3 months ago.

    Derek

    _______________________________

    To: Privacy Commissioner of Canada, May 17, 2007

    COMPLAINT

    This is a complaint against CanWestGlobal’s Canada.com division with regard to numerous PIPEDA contraventions

    Dear Commissioner,
    My complaint is basically twofold and is based upon Canada.com’s methodology and customer notification procedures related to their recent subcontracting of their email operations to an American company inside the USA:
    1: It’s reasonable for customers of “Canada.com” to not expect that their emails are under the jurisdiction of the USA’s Patriot Act (e.g. the Patriot Act allows access to personal emails without a court order and also prohibits anyone from advising the affected customers when customers’ emails are accessed…neither Canada.com nor the customers would be advised of the access).
    This should be clearly stated on Canada.com’s new customer signup form and existing customers should be notified of this (that their personal email content at Canada.com is now subject to the provisions of the U.S. Patriot Act).
    A reasonable Canadian would assume that an email service called “canada.com” would be provided by a company inside Canada. Canada.com is not currently overtly advising on new customer applications that their email operations are being handled in the USA by an American company nor of the associated privacy effects (e.g. under the Patriot Act customers CAN NOT be told when their electronic correspondence has been accessed by US government agencies). It is quite likely most new customers will sign up without realizing their email service is being operated outside the country by a company (Velocity) subject to foreign access and privacy laws. There is a reference to the fact of foreign servicing within Canada.com’s lengthy “terms and conditions” (available by link) but it should be upfront on the signup form itself. Furthermore, on the signup page Canada.com makes new customers check off that they have read Canada.com’s “Privacy Statement” yet Canada.com’s FAQ #6 states that because of the foreign location their privacy statement and also PIPEDA are not in effect for the email accounts.
    2: Canada.com transferred email content to the foreign location without the prior consent of its existing customers.
    I will briefly outline the sequence of events, the current status, and underneath each subsection being contravened I will specify how it’s being contravened and which exhibit supports my assertion of contravention.
    Sequence of events:
    Feb. 20, 2007, my email service provider, Canada.com, sent me an email advising that all their customers’ email accounts would be operated by a company based in the USA and they further advised that customers’ email content (saved personal emails and folders) would be “automatically” transferred to the new location without customer consent.
    Exhibit “A”
    I immediately made numerous attempts to make telephone contact with the Canada.com privacy officer and eventually was put in touch with Mr. Desautels of Can West Global’s Legal affairs. Mr. Desautels eventually confirmed that customers’ email content had indeed been sent without prior consent to the US location.
    Exhibit “Bs”
    He and I had a telephone conversation wherein we discussed some of the issues regarding the privacy ramifications of a change of email processing to a US location. He mentioned that one difference is that under Canadian law, customers must usually be told when government agencies access our email content whereas, he said that, under the Patriot Act, it is specifically illegal for the customer to be advised when government access has occurred.
    He stated that PIPEDA and Canada.com’s Privacy Statement are not in effect for these email accounts and that position is stated in Canada.com’s FAQ #6.
    Exhibit “C”
    We further discussed the widely reported current illegal and rampant misuse of National Security Letters without court orders inside the USA whereby tens of thousands of non-suspects have had their personal email content accessed inappropriately.
    Exhibit “D”
    He feels that since the email content is “deleted” upon customer request that there is no problem. I tried to convey the fact that once the information goes into the Velocity computers there is no assurance that it won’t be accessed and copied immediately.

    Schedule 1, Section 5
    4.1.3
    An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
    The provisions of the Patriot Act, which supersede PIPEDA within the US, and the widespread misuse of National Security Letters within the US make this section mute.
    Exhibit “E”

    4.3.1
    Consent is required for the collection of personal information and the subsequent use or disclosure of this information.
    There was no consent asked for nor given before saved messages, folders and other email content was disclosed to the third party Velocity Services Inc.
    Exhibit B:1

    4.3.5
    In obtaining consent, the reasonable expectations of the individual are also relevant.
    It’s reasonable for customers of “Canada.com” to not expect their emails are under the jurisdiction of the USA’s Patriot Act. This should be clearly stated on Canada.com’s new customer signup form.
    4.4.2
    The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected.
    Canada.com’s entire process is misleading; most blatantly by referencing their own Privacy Statement on their new customer sign up form and then stating on their FAQ#6 that the statement is not in effect.
    Exhibit “F” and “G”

    4.7.1
    The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
    The US Patriot Act and its recently reported abuse render this null and void.
    Exhibit “D”
    4.7.2
    The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
    Personal emails often include the most personal information within family and financial correspondence. The safeguards should be at the highest level whereas under the Patriot Act foreign and inappropriate access is admittedly rampant.
    Exhibit: “D”
    4.8.1
    Organizations shall be open about their policies and practices with respect to the management of personal information.
    The existing sign-up form does not disclose the fact of U.S. Patriot Act authority over the email accounts.
    Exhibit “F”

    4.9.3
    In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
    The US Patriot Act prohibits disclosure to email customers or to anyone at all when customer information has been accessed. If Velocity provides access, neither Canada.com nor its customers will ever be told.
    Sincerely,
    Derek Hill

  2. Derek Hill says:

    This Associated Press article provides facts verifying the validity of the privacy concern when the email operations are being performed within the USA and when the email content (saved emails, etc.) is held in the USA.

    [ link ]

  3. Derek Hill, Mute 🙂? You mean moot, I think.

    It’s a good complaint, but who did you complain to? If you’re going to make a complaint, it might be best to use a lawyer. Otherwise, if you make a mistake (not a spelling mistake, but a mistake in form), your complaint could just go to the trashbin of whatever government or corporate office you’re sending it to.

    The people who run Canada.com email sure sound incompetent. Maybe because Canwest has never decided whether they’re a media company, or a political action committee acting on behalf of their owners. So the company’s products’ quality and attention to detail suffer. (My pet peeve, not as serious as Derek Hill’s complaint, is that they keep screwing up the nytimes crossword: rerunning last week’s, cutting off clues, forgetting to print the title, or bafflingly replacing accented characters with fractions. Maybe that sounds trivial: but if they don’t get the small, obvious things right, it is indicative that the attention to detail, even important details, in the rest of their work is probably just as lackadaisical.)

  4. Privacy Fan says:

    New hyperlink to HoC Cttee report
    [ link ]