
Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure

Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation. 

The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that put Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order-making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.

Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.

The government is already working to expand warrantless disclosure of subscriber information to law enforcement with Bill C-13 (the “cyber-bullying bill”) including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant. The law currently entrusts companies with a gatekeeper role since it permits them to either voluntarily disclose personal information as part of a lawful investigation or demand that law enforcement first obtain a court order. The immunity provision makes it more likely that disclosures will occur without a warrant since the legal risks associated with such disclosures are removed.

In light of revelations that telecom companies and Internet companies already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision is enormously problematic. Yet it pales in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. Bill S-4 proposes that:

“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;”

Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both to past breaches or violations and to potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

When might this apply? 

Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy to disclose the names and addresses of thousands of subscribers. The federal court established numerous safeguards to protect privacy and discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers. If Bill S-4 were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy for the subscriber information, which could be legally disclosed (including details that go far beyond just name and address) without any court order and without informing their affected customer.

In fact, the potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (telecom companies, social media sites, local businesses) might resist disclosing information without a court order, the law would not require them to do so. 

The resulting framework from C-13 and S-4 is stunning from an anti-privacy perspective:

  • organizations could disclose subscriber or customer personal information without a court order to law enforcement with full legal immunity from liability
  • organizations could disclose subscriber or customer personal information without a court order to any other organization claiming investigation of an actual or potential contractual breach or legal violation
  • the disclosures would be kept secret from the affected individuals
  • the disclosing organizations would be under no obligation to report on their practices or past disclosures

The government claims the Digital Privacy Act “will provide new protections for Canadians when they surf the web and shop online”. What it does not say is that the same bill will open the door to massive warrantless disclosure of their personal information.

41 Comments

  1. David Collier-Brown says:

    Business agreements may no longer be a reason
    David Frazer’s red-line markup suggests it’s been removed in the current round…

    http://blog.privacylawyer.ca/2014/04/updates-to-canadian-federal-privacy-law.html

  2. Define
    “Another Organization”

    If this means what I think it means. This is not limited to law enforcement entities. This is worse than lawful access.

  3. A Very Frustrated Canadian says:

    Have they lost their minds?
    This is complete insanity and not at all what any reasonable human being should expect from a Government that claims to serve freedom, liberty, and the best interest of the public. Time to get a VPN and use it for EVERYTHING folks.

  4. Peter MacKay says:

    Everyone should be using a VPN for ALL internet activities!

  5. Attack on Whistleblowers?
    During the hearings on CSEC’s spying a few months ago, Conservative senators seem to be looking for ways to stop a Canadian version of Snowden. I’m wondering how much this is connected to that and in trying to undermine media’s confidential sources, and whistleblowers in general?

  6. Another thing to think about here, about a year ago I entered a debate on the blogosphere regarding the role of private industry protecting our privacy regarding the Teksavvy situation. A lot of people in that debate and comments on forums etc, strongly suggested that it’s not ISP’s jobs to protect the privacy rights of Canadians. The way TSI did things, they gave what a week’s notice on the court hearings to notify customers they needed to be in court to protect their privacy.

    I don’t know how many times I heard from TSI supporters through the online debate that it’s not ISPs job to stand up for the privacy rights of Canadians even from my co-founder of the Canadian Gamers Organization. A position I starkly disagreed with. We’re now faced with legislation that enshrines that in law. I find that interesting and need to question how much support this bill is going to receive in the telecom industry as a result. Telus I think hinted at this change a few weeks ago, and fully supports it:

    http://bit.ly/1eiczkw

  7. “Voluntarily”
    You said:
    “The law currently entrusts companies with a gatekeeper role since it permits them to either voluntarily disclose personal information as part of a lawful investigation or demand that law enforcement first obtain a court order.”

    I’m still not sure that’s actually an appropriate reading of the current version of PIPEDA. The Supreme Court of Canada will probably tell us one way or the other in the next few months when it decides R. v Spencer.

  8. Hendrik Boom says:

    Since when does the federal government have anything to say about civil law? Such as exempting people from civil liability?

  9. Andrew Daley says:

    @andrewdaley
    What is happening to my beloved country? This concerns me deeply, and forces me to consider how I handle my personal information not just on the internet, but everywhere … It almost feels Orwellian.

  10. CEO
    Sounds good, we then also have the right to ask for disclosure of all politicians…. as we have an “agreement” with them for honest dealing and representing us in parliament… thus all their PRIVATE data suddenly becomes available to ALL citizens… sounds about fair, as this also gives us immunity for releasing government requests (It is a dispute if I say it is), police files, court documents and other filings, with the immunity from prosecution there is no longer incentive to keep the secret.
    IF they want it this way, I say all is fair. Change the law and protect all data, or join the ranks of the masses. I really want to see tax, internet surfing and other activities of our elected officials

  11. Thought canada was somewhat sensible
    “Have they lost their minds?
    This is complete insanity and not at all what any reasonable human being should expect from a Government that claims to serve freedom, liberty, and the best interest of the public. Time to get a VPN and use it for EVERYTHING folks.”
    That seems to be the case. Can’t think of any reason why anyone would want this. This plan is insanely stupid.

  12. VPN user comments
    Make sure the VPN server is not subject to Canadian law, otherwise the VPN service provider will receive the request for disclosure and may reveal the originating IP.

  13. Bill Link?
    The S-4 link in the article points to Bill C-12 from Sept. 2011. Is this a relevant article, or should the link be to http://www.parl.gc.ca/content/hoc/Bills/412/Government/S-4/S-4_1/S-4_1.PDF ?

  14. :reply to CEO
    CEO how do we get the data on BELL and ROGERS executives? They essentially are responsible for handing over their own data. Sounds to me like this system is a total mess. With those who work for telecoms having special privileges over and beyond any law enforcement agency.

    As for you being able to spy on politicians, why do I think its going to be the other way around?

  15. CEO
    Apply for it, and when they refuse to grant it, publicize it that they have the authority and the forms are filled in correctly, but they refuse to supply. The point is make enough of a stink and the law will be reformatted pretty quick.
    My belief is to make hay while the sun shines, elections are coming up soon, and I see no ethical, moral or other reason why voters should not have the same access that politicians have to our data with regards to their data, oh splash it round so we can have a few trials by media especially on those oh so important towers of ethics and morals….
    Personally I find it hard to believe that they are truly saints, but their tax records, internet browsing history (personal and work), their banking records and most importantly their communications meta data(as this is not private any way) will prove it.
    Prove to me you are a saint and I will vote for you, don’t and I will publicly say you have something to hide…. otherwise why not share!

  16. A joke
    Such a joke, when the TekSavvy thing happened, I was proud of our juridical system, now this, seems like a slap in the face to every citizen, it basically means, we just want to ruin your life in order to give out favors to our corporate friends in America.

  17. That Old Guy in the CornerNews says:

    Doublespeak
    So in short, the Data Privacy Act would make our data less private. Giving a proposed law a name completely at odds with its actual intent is so typical of The Harper Gummint™. The most recent one being The Fair Elections Act, which will ensure that elections are less fair.

    http://en.wikipedia.org/wiki/Doublespeak

  18. A duty to protect the public, government legislating hacking for corporations?
    The government having a duty to protect the public could easily compel that ISP encrypt all traffic both residential and commercial in such a way to reduce fraud, identity theft, improve telecommunication security throughout the nation.

    The Internet has been known to be an area where criminals try to exploit the inherent weak security of the network traffic and limited knowledge of most users.

    Encrypt it all. Envelopes are early forms of encryption. You can’t read the letter without ‘breaking’ the encryption.

    It’s long overdue that ISP be held accountable as accessories to fraud and identity information theft as the capabilities to encrypt and protect user traffic exists but these capabilities are not employed merely due to complacency or unwillingness.

    With such an encrypted traffic security framework in place legal trolls and prying eyes would be hard pressed to spy on the lives of others. Peeping through encrypted internet traffic would then constitute hacking and the costs would skyrocket rendering it an ineffective tactic.

  19. Who needs the police
    Will we see more cases like this minus the police officer:

    http://bit.ly/1oVdoEy

  20. MPs
    Well I guess it’s time to let my conservative MP hear another earful about her party’s abusive behaviors and outrageous violations of privacy.

  21. @Martin
    I’ve been brought in as an adviser by a few victims groups regarding the cyber bullying legislation to help these groups understand the digital rights issues involved with warrantless disclosure. Quite a few of them are being pressed by government to come out and support this bill in public and within committee hearings, which a lot are being extremely cautious about now due to the warrantless disclosures provisions within the bill and how that could impact the confidentiality of victims and victims rights going forward.

    The changes to privacy law, I think solidify those concerns on victims rights. I had a 2 hour meeting with a few of these groups last week, before the details of these changes were known. I was very concerned that the new cyber bullying bill would be struck down on constitutional grounds, citing the BCCLA’s current efforts in courts regarding CSEC’s abilities to track users without a warrant and that the BCCLA is expecting that the BC Supreme Court would rule that unconstitutional.

    The question posed at that meeting, was if CSEC is found to have acted unconstitutionally, would that mean ISP’s would be responsible as well? I found that question interesting. I left that open ended for now, but outside of the regular telecom folk who have come out defending these private interests and deflecting attention towards the government (includes Geist) rather than the role all telecom providers are playing on this (not just the big guys), I have a feeling we will find the answer to that question within probably before the next election.

    It’s funny how some are still supporting Teksavvy in these comments, since when questioned on government spying and their role in it, they refuse to answer. Interesting…..

  22. @Martin
    These changes with respect to privacy law could be also as a result of victims rights groups expressing concern on the lawful access provisions of the cyber bullying bill behind closed doors. From political moves behind the scenes with the cyber bullying legislation and from responses by high ranking government officials I’ve seen, they have been grasping at straws and despite to find any support within the bullying advocacy community on the bill due to warrantless disclosure.

    A lot of government communications I’ve seen sent out to victim’s rights groups have been more based on stopping a Canadian version of Snowden (the government has been very direct with these groups on that), than actually dealing with the real problems facing cyber bullying.

    Changes to privacy law could indicate government will eventually drop warrantless spying on the cyber bullying legislation to get it passed (which is a good thing) and deal with warrantless disclosure without democratic debate through the senate.

  23. I said: they have been grasping at straws and despite

    Should be: “they have been grasping at straws and desperate.”

  24. @MG
    I hope the info posted helps. It’s now your turn to help with the public interest in this. Ditch the telecom influences pls. All telecom providers are at risk of liability here. Let’s get answers for the Canadian public instead of CNOC spin.

  25. the threat implied in this bill is “Should you (the citizen) dare speak out against us (the government), we will look into everything you do, and will use whatever we find against you.”.

    That in a nutshell, is the whole reason for this section being included in the bill.

    Any government into that kind of implied intimidation deserves to be utterly destroyed come election time.

  26. ssl + michaelgeist.ca
    I am a big fan of this site. But with the online world being what it is. I am curious why michaelgeist.ca does not have ssl enabled?

  27. Jason K : It’s funny how some are still supporting Teksavvy in these comments
    Which ISP *should* we support? For various reasons I cannot support the big guys out here (I’d rather go without internet than go back to Telus, Bell, Rogers, Shaw, et al) …

  28. warrantless spying says:

    other organizations
    NSA , FBI, DHS, MPAA, RIAA, etc….

    they want to hand over all our privacy to foreigners in an attack on our rights…..

    pretty darn close to saying they are committing a willful act of treason

  29. warrantless spying says:

    lets put isps out of business law
    we shall form an organization and constantly put every person under investigation daily requiring teksavvy and other isps to constantly give us data all on aspects of your doings…..

    ENJOY a police state folks it has arrived

  30. @maebnoom
    The issue is systemic with all ISPs. I think the onus would lie with the smaller ISPs here to break the ranks with how the bigger ISPs have been acting, since consumer rights, and customer service seems to be a main selling point with the indie ISPs. Essentially on this issue, they are indistinguishable from their bigger counter parts.

    If Indie ISP’s were that concerned on consumer rights, why are none of these ISPs fighting against this, and refusing to answer questions on warrantless spying? Why are “consumer” rights groups like “Openmedia” not taking a much stronger stand on who they support in telecom, when they are supporting fighting against warrantless spying?

  31. Yeah, didn’t think there was any real difference. It sucks to have no real option to go with. (yet, anyway) I’ll stick to my encryption methods, and do what I can to get the word out.

  32. @maebnoom
    “Yeah, didn’t think there was any real difference. It sucks to have no real option to go with. (yet, anyway) I’ll stick to my encryption methods, and do what I can to get the word out.”

    What’s most likely going to happen considering the responses from the telecom industry on whole is the bigger ISPs who’ve had their hands in the cookie jar on this issue will be singled out due to the amount of consumers impacted. Then the little guys (who are just as guilty) will use this as a selling point to “switch” telecom providers. When money is involved in business, morality seems to be too often than not, thrown out the window. If we were to speak to meaningful change in regards to digital and consumer rights in law and legislation, that has to change.

  33. Glen Gorman says:

    DBA
    seems to fit the act under reasonable to ask for all the personal information they have so show that they don’t have any on you, meeting the requirements of other security legislation.

  34. Canada finally is in parallel with North Korea
    Wow, how crazy can this get with this dictator we got in power. I am not ashamed of being Canadian, but ashamed of having a dictator who give full access to any organization, mafia or anything to have access to our privacy. Here now we can have an agency that can spy on anything.

  35. After reading everything
    @Jason K
    I really appreciated seeing your responses gave another side of the issue.

    I feel this bill over all has been rushed… again. It’s like someone found a small thing to jump on and thought “This works great let’s push it!” Without analyzing it. Much to the chagrin of those affected by Cyber-Bullying and other such acts. It shows a certain level of disinterest in the actual value that a well thought out well executed bill would provide. And more to a level of “I want to be the person that solves this problem FIRST!”

    My issue stems from the problem that this bill is obviously going to be misused… and without them needing to go through any due process how is it that the Commissioner is going to see that EVERY case is seen its fair use and not just been blanketed by the larger companies.

    Someone above was right as well in saying that it’s not the ISPs job to worry about our privacy they are a company. That means their job is to their shareholders first. However, if they are Canadian, then their job should be to fight for this to be properly executed for the rights of all Canadians.

    From the stand point of the governments watching our moves on the internet, understand something, it’s happening. Period. If you fool yourself into thinking it’s not then you are just that. But they don’t care what we do or say in our jests. Not truly they are specifically targeting certain criteria in our messages and visits. Unless you’re mentioning actions against the country in detail, searching up blueprints for buildings, and bomb materials, or the likes. I wouldn’t worry too much over it.

    At least this is what I see when looking at it.

  36. When they came for me, there was no one left…
    @ Robert S

    “Unless you’re mentioning actions against the country in detail, searching up blueprints for buildings, and bomb materials, or the likes. I wouldn’t worry too much over it.”

    First they came for the terrorists, and I didn’t stand up for them, because I was not a terrorist. Then they came for the pirates, and I didn’t stand up for them because I wasn’t a pirate. Then they came for the protestors and I didn’t stand up for them, because I was not a protestor.

  37. @Robert S
    “Someone above was right as well in saying that it’s not the ISPs job to worry about our privacy they are a company. That means their job is to their shareholders first. ”

    I strongly disagree (as most do I’ve spoken to in Business about this) that it’s not a company’s job to protect the privacy of the people they do business with. In fact I know quite a few in the business community I’ve spoken to privately on this that are getting increasingly fed up with the “hands off” approach to protecting their business clients, especially after the NSA disclosures and CSEC’s involvement. In fact most “companies” right now are very concerned about protecting the privacy of their customers from unreasonable search. Business 101: your customers are your life bread, not shareholders, and some of our “privately” owned indie telecom providers don’t have shareholders to answer to. So what is this about, decreasing liability of telecom providers. The recent move of data to US telecom providers from the NSA, liability is on the forefront of most telecom providers as a result.

    In my experience with following this issue it seems only those in telecom that have an issue with actually protecting users private data, That essentially leaves all of our data at risk over the lines from exploitation. This bill is representative of that fact and most likely due to the lobbying of the telecom industry to try and get them out of liability when collecting this data for exploiters, rather than actually protecting their customers data priority #1 like most businesses are as of late.

    I don’t think it has anything to do with being Canadian, more of an issue of the law of the land, and a right we have against unreasonable search and seizure that’s at the core issue here. From my conversations within the business community on this, it’s the ISPs who are mostly blamed regarding our unsecured state of our telecom networks as a result of dodging liability, not government. It’ll be very interesting to see if this law passes if that liability will swing back to bite them. I don’t think it’ll be long until this would be challenged on constitutional grounds, not just by customers but also put to the test against ISPs as well by the business community. A lot of businesses now having to pay extra to protect their lines from prying eyes due to ISPs actions to date. I wouldn’t be surprised to see those costs being recouped in the future if this continues.

  38. I said: “In fact most “companies” right now are very concerned about protecting the privacy of their customers from unreasonable search. ”

    Should be: “In fact most “companies” right now are very concerned about protecting the privacy of their customers from unreasonable search and disclosure”

    It also doesn’t help that there are some fighting to protect against this, supporting telecom providers who are enabling it!

  39. wildlifecontrol says:

    Canada
    This seems rubbish. How are some still supporting them…?
    We should be united to bring a change.

    http://www.tarzanwildlife.ca/

  40. tony sisto says:

    is there a reason?
    I don’t get it. Does the government think nobody will read the bill? What concern does warrantless disclosure address?
    Did the government give a reason why this is included in the bill?

  41. Albert Kieda says:

    Governing for the people or presiding over the people?
    We Canadians worry about immigrants destroying our way of life but the bigger worry is the very same governments whom we place our trust. We are quickly devolving from a democracy to a plutocracy (defines a society or a system ruled and dominated by the small minority of the wealthiest citizens). If we aren’t already there. Does the average Joe or Jane really feel the government is representing our best interests or do they represent the interests of big business and the wealthy?!