THE ANNUAL INTERNATIONAL DATA PRIVACY Day (which was January 28) is often seen as a day when individuals are reminded ways they should stay safe online. However, Canadian corporate privacy and security officers are likely also reflecting today on a number of recent court and regulatory moves that are affecting their responsibilities.
These include:
- An Ontario judge last month expanding the scope of privacy protection under the common law by allowing a person to sue another for putting an explicit video of them on the Internet, an action one lawyer called "revenge porn”
- Then, another Ontario judge supported telecom carriers in their right to resist wide court orders for customer metadata;
- As well, the federal privacy commissioner recently started a public consultation on what rights individuals might have if their online reputation is smeared in social media or elsewhere, a move that could have implications for Internet service providers who could be sued or ordered to remove texts and images.
Online reputation "is going to be the big privacy issue for the next two years in Canada," said Halifax lawyer David Fraser.
- Juniper Research warned wireless carriers that selling so-called ‘homespot’ routers that create both public and private Wi-Fi hotspots to help reduce traffic on cellular networks could be an invasion of privacy unless buyers know of the dual use
- The expected adoption this year of the European Union's General Data Protection regulation, which extends the scope of the EU data protection law to all foreign companies processing data of EU residents. Fraser said it could have an impact on European companies who use Canadian data centres for processing personal data.
Meanwhile Canadian organizations are still waiting for the Innovation Department (formerly Industry Canada) to publish draft regulations for the upcoming changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), which for the first time requires them to notify individuals of a data breach and to keep a record of every breach of security safeguards involving personal information under their control.
"We're continuing to see significant deficiencies and deficits in smaller organizations." – David Fraser, privacy lawyer
The awareness today of large organizations to privacy issues is "really quite good," Fraser said, in part because many are publicly-traded or regulated and have to comply with regulatory requirements. But, he added, "we're continuing to see significant deficiencies and deficits in smaller organizations." They may think privacy is an issue for large firms, he said. Education might resolve that.
Barry Sookman, an IT and privacy lawyer at McCarthy Tétrault, noted in an interview that a number of privacy-related class action lawsuits against organizations have been launched, and predicts they will increase after Ottawa proclaims the new PIPEDA regulations on reporting data breaches.
Ann Cavoukian, director of Ryerson University's privacy and big data institute (and former Ontario privacy commissioner), said in an interview most Canadian organizations are trying to be sensitive to pressures from customers. "So when I am asked to speak at some private sector function I no longer have to make the case on why it's important to protect your customers' information. They're asking me how to do it."
Cavoukian, who works with Telus on privacy issues, praised the carrier and Rogers Communications in fighting broad court orders for customer metadata.
Telus said a company official wasn't available for an interview on its privacy strategy, but in a statement Rogers said it fought the court order because the original request would have involved over 30,000 Rogers customers, "virtually all of whom would have had nothing to do with the [criminal] investigation. We thought that crossed the line and was too broad and intrusive. We went to court because we wanted to ensure our customers' privacy rights are protected and that there are ground rules for the scope of what law enforcement is able to request and access."
In a statement Bell Canada said the carrier is committed to protecting the privacy of our customer information. "All our employees are expected to know how to safeguard and properly use customer information, and customer-facing representatives – whose roles often involve access to confidential information – undergo privacy training to understand their obligations to protect customer information. We also have strict controls on the use of personal information within our systems and websites."
Still, the issue isn't completely resolved. While the Ontario judge set out guidelines police should follow when they seek a court order for Internet and wireless subscriber metadata, RCMP Commissioner Bob Paulson wants expanded warantless access to Internet and other data under certain circumstances.
That prompted federal privacy commissioner Daniel Therrien to write an op-ed in two newspapers last month urging the government to uphold the 2014 Supreme Court ruling in Spencer case, which said there's a narrow range of circumstances in which law enforcement can obtain subscriber information without a warrant.
Data Privacy Day is an important marker to recognize the growing of privacy and security in an increasingly online world, a Rogers spokesperson said. "We believe it’s important to promote privacy awareness and best practices."
