After years of false starts, Industry Minister James Moore last week unveiled the Digital Privacy Act, the long-awaited reform package of Canada’s private sector privacy law. While the government promised that the bill “will provide new protections for Canadians when they surf the web and shop online”, buried within Bill S-4 is a provision that threatens to massively expand warrantless disclosure of personal information.
The centrepiece reforms within the bill are much-needed security breach disclosure requirements that would force organizations to disclose breaches that put Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue. The Canadian rules include notification to the federal privacy commissioner, the prospect of wider notices to affected individuals, and tough penalties for organizations that fail to comply with these obligations.
While security breach disclosure requirements are a welcome addition to the Canadian privacy framework (as is the introduction of compliance orders that may help hold organizations to account where violations occur), the expansion of warrantless personal information disclosure raises enormous concerns.
The law currently entrusts companies such as telecom companies and Internet providers with a gatekeeper role in law enforcement cases since it permits them to either voluntarily disclose personal information as part of a lawful investigation or to demand that law enforcement first obtain a court order. Bill C-13, the cyber-bullying bill, creates an incentive for companies to voluntarily disclose to law enforcement by granting them full immunity from any civil or criminal liability for doing so. In light of recent revelations that these companies already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision has raised significant fears in the privacy community that the practice will become even more commonplace.
Yet the voluntary disclosure to law enforcement rules pale in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).
When might this be used?
Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy, a leading Internet provider, to disclose the names and addresses of thousands of subscribers. The federal court responded by establishing numerous safeguards to protect privacy and to discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers.
If the Digital Privacy Act were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy to voluntarily disclose the subscriber information (including details that go far beyond just name and address) without any court order and without informing the affected customers.
In fact, the potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (including telecom companies, social media sites, and local businesses) might resist disclosing information without a court order, the law would not require them to do so.
The end result makes a mockery of the notion that Canadian privacy laws are premised on consent and court oversight. Organizations would be permitted to voluntarily disclose personal information to law enforcement as part of a lawful investigation (with legal immunity) and to voluntarily disclose to private organizations if they are investigating a contract breach or alleged legal violation. Moreover, the disclosures would be kept secret from the affected individuals and the disclosing organizations would be under no obligation to publicly report on their practices.
The government may be promising new protections, but the troubling reality is that legislation currently before Parliament will expose all Canadians to the prospect of widespread warrantless disclosure of their personal information.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at firstname.lastname@example.org or online at www.michaelgeist.ca.