Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh

Privacy

Proposed Data Breach Disclosure Rules Leave Too Many Canadians in the Dark

News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.

My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.

While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.

June 9, 2014 — Comments are Disabled — Columns

Proposed Data Breach Disclosure Rules Leave Too Many Canadians in the Dark

Appeared in the Toronto Star on June 7, 2014 as Digital Privacy Act Should Be a Lot Stronger on Data Breach Reporting News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. […]

June 8, 2014 — Comments are Disabled — Columns Archive

BlackBerry Bold 9700 by Roozbeh Rokni (CC BY-NC-ND 2.0) https://flic.kr/p/7izAwF

Rogers’ Shocking Admission: It Does Not Track Disclosures of Subscriber Information to Authorities

Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.

Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information is only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities’ requests were granted, the company stated:

June 6, 2014 — 7 comments — News

Diving Into the Digital Privacy Act: My Appearance Before Senate Transport & Comm Committee on S-4

Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill’s shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.

The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.

Appearance before the Senate Transport and Communications Committee, June 4, 2014

June 5, 2014 — 2 comments — Committees, News

Surveillance: America's Pastime by Jared Rodriguez / t r u t h o u t; Adapted: naixn, Jason Smith / feastoffun.com) (CC BY-NC-SA 2.0)

Why Has the Canadian Government Given Up on Protecting Our Privacy?

In recent years, it has become fashionable to argue that Canadians no longer care about their privacy. Supporters of this position note that millions of people voluntarily post personal information and photos about themselves on social media sites, are knowingly tracked by Internet advertising giants, and do not opt-out of “targeted” advertising from telecom companies. Yet if the past few months are any indication, it is not Canadians that have given up on privacy. It is the Canadian government.

My weekly technology law column (Toronto Star version, homepage version) notes the public response to the tidal wave of stories regarding widespread surveillance, the 1.2 million government requests to telecom companies for customer information, and the growing number of security breaches suggest that many Canadians are deeply concerned about the protection of their privacy. However, many feel helpless in the face on recent revelations and wonder whether the government is prepared to tighten privacy rules and establish stronger oversight.

June 3, 2014 — 10 comments — Columns