Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh


Privacy

System Lock by Yuri Samoilov (CC BY 2.0) https://flic.kr/p/mjhubJ

You’re on Your Own: How the Government Wants Canadians To Sacrifice Their Personal Security

Another week, another revelation originating from the seemingly unlimited trove of Edward Snowden documents. Last week, the CBC reported that Canada was among several countries whose surveillance agencies actively exploited security vulnerabilities in a popular mobile web browser used by hundreds of millions of people. Rather than alerting the company and the public that the software was leaking personal information, they viewed the security gaps as a surveillance opportunity.

My weekly technology law column (Toronto Star version, homepage version) notes that in the days before Snowden, these reports would have sparked a huge uproar. More than half a billion people around the world use UC Browser, the mobile browser in question, suggesting that this represents a massive security leak. At stake was information related to users’ identity, communication activities, and location data – all accessible to telecom companies, network providers, and surveillance agencies.


May 28, 2015 2 comments Columns
Anti Doping by Richard Masoner / Cyclelicious (CC BY-SA 2.0) https://flic.kr/p/5ZWsUT

Government’s Expansion of PIPEDA in Budget Bill Raises Constitutional Questions

The government’s omnibus budget implementation bill (Bill C-59) has attracted attention for its inclusion of copyright term extension for sound recordings and the retroactive changes to the Access to Information Act. Another legislative reform buried within the bill is a significant change to PIPEDA, Canada’s private sector privacy law. The bill adds a new Schedule 4 to PIPEDA, which allows the government to specify organizations in the schedule to which PIPEDA applies. Bill C-59 immediately adds one organization: the World Anti-Doping Agency (WADA), which is based in Montreal.

The change to PIPEDA is designed to address European criticism that WADA is not subject to privacy laws that meet the adequacy standard under EU law. WADA is currently subject to Quebec’s private sector privacy law, which meets the “substantial similarity” standard under Canadian law, but has not received an adequacy finding from Europe.  In June 2014, the EU Working Party that examines these issues released an opinion that raised several concerns with the provincial law. The goal of the criticism appears to be to deem Montreal unfit to host WADA and transfer its offices to Europe. The Canadian government wants to stop the privacy criticisms by deeming PIPEDA applicable to WADA. Since PIPEDA has received an adequacy finding, presumably the hope is that the legislative change will address the European concerns.


May 27, 2015 1 comment News
back to drawing board by Michael Kötter (CC BY-NC-SA 2.0) https://flic.kr/p/dqQzTn

Back to the Drawing Board: Bell Drops Opt-Out Targeted Ad Program

Days after the Office of the Privacy Commissioner of Canada released its decision that found that Bell was violating Canadian privacy law with its targeted ad program, the communications giant advised that it is withdrawing its program and deleting all customer profiles. A company spokesperson stated yesterday that Bell plans to re-introduce the program using an opt-in consent approach. That would likely require more than just a change to the privacy policy, since the company would need to offer customers incentives or compensation to persuade many of them to agree to be tracked.

My weekly technology law column (Toronto Star version, homepage version) notes that Bell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.


April 14, 2015 2 comments Columns
fuzzy copyright by Nancy Sims (CC BY-NC 2.0) https://flic.kr/p/37jCsU

The Copyright Notice Flood: What to Consider If You Receive a Copyright Infringement Notification

For the past few months, I’ve received daily emails from people who have been sent a copyright infringement notification as part of Canada’s notice-and-notice system. Most of the notifications come from CEG TEK, a U.S.-based anti-piracy firm. Canadian Internet providers are now required by law to forward these notifications and CEG TEK has been taking advantage of a loophole in the system to include a settlement demand within the notification. Some of the recipients claim that the notification has been sent in error. Others say that they have received multiple notifications for a single download. In some cases, the recipient has clicked on the settlement demand link, while in others the person has called the company and revealed their identity. In virtually every case, they are looking for advice on what to do.

My typical response has been to point to my earlier posts on the issue that have explained Canada’s notice-and-notice system, the misuse of the system by rights holders in sending misleading information about Canadian copyright law, the government’s failure to stop the inclusion of settlement demands within the notices, and the massive expansion in the number of notices with the arrival of CEG TEK. I also point to Industry Canada’s page on the notice-and-notice system, which provides the government’s perspective on the issue. These resources can be helpful, but what most people really want to know is whether they should pay the settlement or ignore it. I don’t condone infringement but I believe that the misuse of the notice and notice system is extremely problematic. Moreover, I certainly think people that did not infringe copyright should not pay a settlement demand. I’m unable to provide specific legal advice, but I can provide more information that may assist in making a more informed decision about a system that was designed to discourage infringement, not create a loophole to facilitate settlement demands.


April 13, 2015 33 comments News
The Bell Telephone Company of Canada Building by Billy Wilson (CC BY-NC 2.0) https://flic.kr/p/9ESABT

Privacy Commissioner of Canada Rules Bell’s Targeted Ad Program Violates Canadian Law

The Privacy Commissioner of Canada has released the long-awaited decision on Bell’s targeted ads program. The Commissioner’s press release soft-pedals the outcome – “Bell advertising program raises privacy concerns” – but the decision is clear: Bell’s so-called relevant ads program violates Canadian privacy law. As I wrote earlier this year, the key issue in the case centered on whether Bell should be permitted to use an opt-out consent mechanism in which its millions of customers are all included in targeted advertising unless they take proactive steps to opt out, or if an opt-in consent model is more appropriate. Given the detailed information collected and used by Bell, I argued that opt-in consent was the right approach.

The Privacy Commissioner of Canada agrees:

In our view, for the reasons expressed above, the RAP clearly involves the use of sensitive personal information. As such, the sensitivity of the information at issue leads us to the conclusion that Bell must obtain express consent for the RAP in the circumstances. This conclusion is further supported by our assessment of the reasonable expectations of Bell Customers, which is set out below.


April 7, 2015 10 comments News