Privacy by Sebastien Wiertz (CC BY 2.0) https://www.flickr.com/photos/wiertz/6092000030/sizes/l/
Over the past few months, the Treasury Board of Canada has quietly been developing a government-wide policy on the use of cloud computing services. The initiative started with an industry engagement event in November that highlighted many of the issues faced by the government. Following that event, the government issued a cloud computing Request for Information that asked the industry to provide detailed information and recommendations on the government’s approach. The deadline for submissions to the RFI close today. Unfortunately, the public is unlikely to gain access to the submissions as the government has promised to keep confidential the information it receives.
The government’s cloud computing RFI provides considerable insight into its current thinking. Of particular interest are the privacy implications of using cloud computing services, particularly where the data is either hosted outside the country or by foreign-owned organizations. While the consultation asks the industry for its views on these questions, the document features proposed contractual clauses that address encryption and data storage. These include:
A new year is traditionally the time to refresh and renew personal goals. The same is true in the digital policy realm, where despite the conclusion of lawful access, anti-counterfeiting, and anti-spam rules in 2014, many other issues in Canada remain unresolved, unaddressed, or stalled in the middle of development.
With a new year – one that will feature a federal election in which all parties will be asked to articulate their vision of Canada’s digital future – there is a chance to hit the policy reset button on issues that have lagged or veered off course.
There is no shortage of possibilities, but my weekly technology law column (Toronto Star version, homepage version) notes the following four concerns should be top of mind for policy makers and politicians:
After years of failed bills, public debate, and considerable controversy, lawful access legislation received royal assent last week. Public Safety Minister Peter MacKay’s Bill C-13 lumped together measures designed to combat cyberbullying with a series of new warrants to enhance police investigative powers, generating criticism from the Privacy Commissioner of Canada, civil liberties groups, and some prominent victims rights advocates. They argued that the government should have created cyberbullying safeguards without sacrificing privacy.
While the bill would have benefited from some amendments, it remains a far cry from earlier versions that featured mandatory personal information disclosure without court oversight and required Internet providers to install extensive surveillance and interception capabilities within their networks.
The mandatory disclosure of subscriber information rules, which figured prominently in earlier lawful access bills, were gradually reduced in scope and ultimately eliminated altogether. Moreover, a recent Supreme Court ruling raised doubt about the constitutionality of the provisions.
My weekly technology law column (Toronto Star version, homepage version) notes the surveillance and interception capability issue is more complicated, however. The prospect of a total surveillance infrastructure within Canadian Internet networks generated an enormous outcry when proposed in Vic Toews’ 2012 lawful access bill. Not only did the bill specify the precise required surveillance and interception capabilities, but it also would have established extensive Internet provider reporting requirements and envisioned partial payments by government to help offset the costs for smaller Internet providers.
Supreme Court’s Privacy Streak Comes To End: Split Court Affirms Legality of Warrantless Phone Searches Incident to Arrest
The Supreme Court of Canada issued its decision in R. v. Fearon today, a case involving the legality of a warrantless cellphone search by police during an arrest. Given the court’s strong endorsement of privacy in recent cases such as Spencer, Vu, and Telus, this seemed like a slam dunk. Moreover, the U.S. Supreme Court’s June 2014 decision in Riley, which addressed similar issues and ruled that a warrant is needed to search a phone, further suggested that the court would continue its streak of pro-privacy decisions.
To the surprise of many, a divided court upheld the ability of police to search cellphones without a warrant incident to an arrest. The majority established some conditions, but ultimately ruled that it could navigate the privacy balance by establishing some safeguards with the practice. A strongly worded dissent disagreed, noting the privacy implications of access to cellphones and the need for judicial pre-authorization as the best method of addressing the privacy implications.
Earlier this year, Canada and the European Union announced that they had reached agreement on sharing airline passenger name record data. The data shared includes names, addresses, and credit card numbers of airline passengers. The agreement was signed in June (video of the signing here), but approval from the European Parliament was required. In light of growing privacy concerns, that approval has proven more difficult to obtain than previously anticipated.
Rather than simply grant approval, the European Parliament has narrowly voted to send the agreement to the European Court of Justice for review to ensure that it is compliant with European law including EU treaties and the European Charter of Rights and Freedoms (the final vote was 383 to 271 with 47 abstentions). The resolution notes that the European Data Protection Supervisor (effectively the Privacy Commissioner for the EU) issued an opinion in September 2013 that questioned the necessity and proportionality of agreements to transfer passenger information between jurisdictions. The EDPS opinion features an extensive review of the agreement and raises pointed questions about specific provisions along with numerous recommendations for reform.
The decision means that the Canada – EU data sharing agreement will be delayed by at least one to three years while the court conducts its review. The review will raise several important privacy issues including the effectiveness of exchanging passenger information in combating terrorism and the state of Canadian privacy law. The European Court of Justice has already struck down the European Data Retention Directive, suggesting that this agreement could also face tough scrutiny.