Post Tagged with: "pipeda"

Equifax Key by GotCredit (CC BY 2.0) https://flic.kr/p/TqZ2V2

Into the Breach: How Canada’s Security Breach Disclosure Regulations Fall Short

With security breaches regularly affecting millions (or even billions) of people, effective security breach disclosure rules are an essential part of a modern privacy law framework. It may surprise many to learn that Canada still does not have mandatory security breach disclosure rules that require companies to notify affected individuals in effect. Rules were passed in 2015, but the accompanying regulations were puzzlingly slow to emerge. The government finally released proposed regulations late in the summer with a consultation that closed earlier this week. My submission, which focused on implementation, content of notices, and proposed “indirect” notification, is posted below.

Read more ›

October 4, 2017 3 comments News
Privacy Is Not A Crime by Kent Lins (CC BY-NC 2.0) https://flic.kr/p/SdZhmU

Fixing PIPEDA: My Appearance Before the Access to Information, Privacy & Ethics Committee

Last week I appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics as part of its review of PIPEDA, Canada’s private sector privacy law. The ETHI study is expected to last several months and may provide the foundation for potential reforms. My opening remarks are posted below:

Read more ›

March 28, 2017 2 comments News
Five Data Privacy Principles from Mozilla (Put on a museum wall) 2014 by Ann Wuyts (CC BY 2.0) https://flic.kr/p/pVKYKn

Do You Consent? Four Ways to Strengthen Digital Privacy

Privacy laws around the world may differ on certain issues, but all share a key principle: the collection, use and disclosure of personal information requires user consent. The challenge in a digital world where data is continuously collected and can be used in a myriad of previously unimaginable ways is how to ensure that the consent model still achieves the objective of giving the public effective control over their personal information.

The Office of the Privacy Commissioner of Canada released a discussion paper earlier this year that opened the door to rethinking how Canadian law addresses consent. The paper suggests several solutions that could enhance consent (greater transparency in privacy policies, technology-specific protections), but also raises the possibility of de-emphasizing consent in favour of removing personally identifiable information or establishing “no-go” zones that would regulate certain uses of information without relying on consent.

My weekly technology law column (Toronto Star version, homepage version) notes that the deadline for submitting comments concludes this week and it is expected that many businesses will call for significant reforms to the current consent model, arguing that it is too onerous and that it does not serve the needs of users or businesses. Instead, they may call for a shift toward codes of practice that reflect specific industry standards alongside basic privacy rules that create limited restrictions on uses of personal information.

Read more ›

August 2, 2016 4 comments Columns
Police telephone by Marcin Wichary (CC BY 2.0) https://flic.kr/p/4nidee

Why the New Canadian Telecom Transparency Rules Fall Short

Canadians have become increasingly troubled by reports revealing that telecom and Internet companies receive millions of requests for subscriber data from a wide range of government departments. In light of public concern, some Internet and telecom companies have begun to issue regular transparency reports that feature aggregate data on the number of requests they receive and the disclosures they make.

The transparency reports from companies such as Rogers, Telus, and TekSavvy have helped shed light on government demands for information and on corporate disclosure practices. However, they also paint an incomplete picture since companies have offered up inconsistent data and some of the largest, including Bell, have thus far refused to come clean on past requests and disclosures.

Read more ›

July 7, 2015 10 comments Columns
Facebook by Franco Bouly (CC BY-ND 2.0) https://flic.kr/p/6rk2Qf

B.C. Court of Appeal Rules Facebook’s Fine Print Trumps Privacy Law

One week after the B.C. Court of Appeal ruled that it could order Google to remove websites from its global index, the same court (but different judges) ruled that a privacy class action lawsuit against Facebook could not proceed in the province because the Facebook terms and conditions provide that all disputes must be resolved in a court in Santa Clara, California. The decision should provide a wake-up call to users and policy makers because an absolute approach to terms and conditions not only means that Canadian courts may be unable resolve consumer disputes involving companies like Facebook, but that Canadian law will not apply either.

The current Facebook terms and conditions state:

You will resolve any claim, cause of action or dispute (claim) you have with us arising out of or relating to this Statement or Facebook exclusively in the U.S. District Court for the Northern District of California or a state court located in San Mateo County, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating all such claims. The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.

While this appears to be slightly different from the terms that governed the dispute before the B.C. courts (it referenced courts in Santa Clara county), the key takeaway from the decision goes well beyond a proposed class action lawsuit over a Facebook “sponsored stories” program that no longer exists. The trial judge rightly noted that the heart of the case is whether online terms and conditions override domestic legal protections (in this case, the B.C. Privacy Act).

Read more ›

June 22, 2015 9 comments News