I talked to Rob Breakenridge on his show on News Talk 770 to about the Supreme Court of Canada’s landmark ruling in Spencer where it eviscerated voluntary disclosure of internet subscriber data.
Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh
Privacy
Blown Chances, Bogus Claims & Blatant Hypocrisy: Why Yesterday Was a Disastrous Day for Canadian Privacy
Bills C-13 and S-4, the two major privacy bills currently working their way through the legislative process, both reached clause-by-clause review yesterday, typically the best chance for amendment. With Daniel Therrien, the new privacy commissioner, appearing before the C-13 committee and the sense that the government was prepared to compromise on the controversial warrantless disclosure provisions in S-4, there was the potential for real change. Instead, the day was perhaps the most disastrous in recent memory for Canadian privacy, with blown chances for reform, embarrassingly bogus claims from the government in defending its bills, and blatant hypocrisy from government MPs who sought to discredit the same privacy commissioner they were praising only a few days ago.
The Fear-Free Guide to Canada’s Anti-Spam Legislation: Answers to Ten Common Questions
The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations here and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
Proposed Data Breach Disclosure Rules Leave Too Many Canadians in the Dark
News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.
My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.
Proposed Data Breach Disclosure Rules Leave Too Many Canadians in the Dark
Appeared in the Toronto Star on June 7, 2014 as Digital Privacy Act Should Be a Lot Stronger on Data Breach Reporting News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. […]
Recent Posts
Another Canadian Digital Policy Own Goal: Corporate TikTok Ban Leads to Millions in Lost Cultural Group Support 
The Law Bytes Podcast, Episode 239: The Rise and Fall of Canada’s Digital Services Tax 
Canada’s DST Debacle a Case Study of Digital Strategy Trouble 
Canadian Government Caves on Digital Services Tax After Years of Dismissing the Risks of Trade Retaliation 
The Law Bytes Podcast, Episode 238: David Fraser on Why Bill C-2’s Lawful Access Powers May Put Canadians’ Digital Security At Risk
