Post Tagged with: "digital privacy act"

Diving Into the Digital Privacy Act: My Appearance Before Senate Transport & Comm Committee on S-4

Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill’s shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.

The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.

Appearance before the Senate Transport and Communications Committee, June 4, 2014

Five Measures to Help Counter the Tidal Wave of Secret Telecom Disclosures

The House of Commons engaged in an extensive debate on privacy yesterday in response to an NDP motion that would require the government to disclose the number of warrantless disclosures made by telecom companies. I’ll have more on the debate shortly (it’s worth reading), but the government has made it clear that it will not be supporting the motion.

My weekly technology law column (Toronto Star version, homepage version) notes that the revelations of massive telecom and Internet provider disclosures of subscriber information generated a political firestorm with pointed questions to Prime Minister Stephen Harper in the House of Commons about how the government and law enforcement agencies could file more than a million requests for Canadian subscriber information in a single year.

The shocking numbers come directly from the telecom industry after years of keeping their disclosure practices shielded from public view. They reveal that Canadian telecom and Internet providers are asked to disclose basic subscriber information every 27 seconds. In 2011, that added up to 1,193,630 requests, the majority of which were not accompanied by a warrant or court order. The data indicates that telecom and Internet providers gave the government what it wanted – three providers alone disclosed information from 785,000 customer accounts.

The issue is likely to continue to attract attention, particularly since the government is seeking to expand the warrantless disclosure framework in Bill C-13 (the lawful access bill) and Bill S-4 (the Digital Privacy Act).

Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure

Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation.

The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that puts Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.

Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.