Bills C-13 and S-4, the two major privacy bills currently working their way through the legislative process, both reached clause-by-clause review yesterday, typically the best chance for amendment. With Daniel Therrien, the new privacy commissioner, appearing before the C-13 committee and the sense that the government was prepared to compromise on the controversial warrantless disclosure provisions in S-4, there was the potential for real change. Instead, the day was perhaps the most disastrous in recent memory for Canadian privacy, with blown chances for reform, embarrassingly bogus claims from the government in defending its bills, and blatant hypocrisy from government MPs who sought to discredit the same privacy commissioner they were praising only a few days ago.
Archive for June, 2014
Blown Chances, Bogus Claims & Blatant Hypocrisy: Why Yesterday Was a Disastrous Day for Canadian Privacy
The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations here and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.
My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.
Appeared in the Toronto Star on June 7, 2014 as Digital Privacy Act Should Be a Lot Stronger on Data Breach Reporting News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. […]
Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.
Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information is only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities’ requests were granted, the company stated: