The recent revelations regarding massive telecom and Internet provider disclosures of subscriber information have generated a political firestorm, with pointed questions yesterday to Prime Minister Stephen Harper in the House of Commons. While Harper tried to provide reassurances that warrants were obtained where necessary, the reality is that the law […]
Post Tagged with: "s-4"
Every 27 seconds. Minute after minute, hour after hour, day after day, week after week, month after month. Canadian telecommunications providers, who collect massive amounts of data about their subscribers, are asked to disclose basic subscriber information to Canadian law enforcement agencies every 27 seconds. In 2011, that added up to 1,193,630 requests. Given the volume, most likely do not involve a warrant or court oversight (2010 RCMP data showed that in 94% of requests involving customer name and address information, the information was provided voluntarily without a warrant).
In most warrantless cases, the telecommunications companies were entitled to say no. The law says that telecom companies and Internet providers may disclose personal information without a warrant as part of a lawful investigation or they can withhold the information until law enforcement has obtained a warrant. According to newly released information, three telecom providers alone disclosed information from 785,000 customer accounts in 2011, suggesting that the actual totals were much higher. Moreover, virtually all providers sought compensation for complying with the requests.
These stunning disclosures, which were released by the Office of the Privacy Commissioner of Canada, come directly from the telecom industry after years of keeping their disclosure practices shielded from public view. In fact, the industry was reluctant to provide the information even to the Privacy Commissioner.
According to correspondence I obtained under the Access to Information Act, after the Commissioner sent letters to the 12 biggest telecom and Internet providers seeking information on their disclosure practices, Rogers, Bell and RIM proposed aggregating the information to keep the data from individual companies secret. The response dragged on for months, with Bell admitting at one point that only four providers had provided data and expressing concern about whether it could submit even the aggregated response since it would be unable to maintain anonymity [I’ve released the full ATIP I received here].
Appeared in the Toronto Star on April 12, 2014 as “Why the Government’s New Digital Privacy Act Puts Your Privacy at Risk”
After years of false starts, Industry Minister James Moore last week unveiled the Digital Privacy Act, the long-awaited reform package of Canada’s private sector privacy law. While the […]
My post and column on the expansion of warrantless disclosure under Bill S-4, the misleadingly named Digital Privacy Act, have attracted some attention and a response from Industry Canada. The department told iPolitics:
“Companies who share personal information are required to comply with the rules to ensure that information is only disclosed for the purpose of conducting an investigation into a contravention of a law or breach of an agreement. For example, self-regulating professional associations, such as a provincial law society, may wish to investigate allegations of malpractice made by a client. When organizations are sharing private information, the Privacy Commissioner can investigate violations and may take legal action against companies who do not follow the rules. This is consistent with privacy laws in British Columbia and Alberta and was recommended by the Standing Committee Access to Information, Privacy and Ethics.”
The response may sound reassuring, but it shouldn’t be.
Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure
Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation.
The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that put Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order-making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.
Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.