Privacy - News

Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five EYEs partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.

Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy respective manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!

A large coalition of Canada's leading privacy experts and civil society groups wrote to Prime Minister Stephen Harper Friday regarding the federal government's increasing failure to protect the privacy of Canadians. The letter points to the government's efforts to increase the ability of law enforcement and other state agencies' ability to exploit new technologies in order to invade Canadians' privacy (pointing specifically to Bill C-13, currently being rushed through parliamentary committee under the guise of 'cyber bullying' legislation), while steadfastly refusing to address long-standing privacy problems raised by the same technological developments. The letter specifically points to the unchecked surveillance activities of Canada's foreign intelligence agency, CSEC, and the steadfast refusal to update ageing but central privacy and transparency statutes as indication of some of the long-standing privacy problems the government has refused to act on. It calls on the government to take its review of the privacy-invasive elements of Bill C-13 seriously, and to establish a commission to examine privacy and state surveillance in the digital age. Finally, the letter decries the controversial nomination of a government official as Privacy Commissioner of Canada, a nomination which was made in direct contradiction to the government's own selection committee. Specifically, the letter noted the problematic timing of this appointment, which arrives at a time when fundamental decisions that will affect the privacy of Canadians for decades are being made and leaves Canada without a privacy watchdog to weigh in on these formative debates.

CIPPIC welcomed the announcement of private member's Bill C-475, which proposed amendments to Canada’s federal privacy legislation, PIPEDA. The proposals will bring long overdue privacy protections for Canadians, including a comprehensive data breach notification regime and, critically, much needed enforcement powers for Canada’s privacy laws. A long-enduring and central gap in Canada’s privacy protections is the ongoing inability of the Privacy Commissioner to force non-compliant organizations to meet their privacy obligations. Even as our Courts, our provincial legislatures, and most of our international counterparts have recognized the increasing need to protect privacy in a digital era, our federal privacy regime remains toothless and our federal Privacy Commissioner lacks the basic power to enforce her own compliance orders. 

In addition, the lack of a comprehensive data breach notification regime puts Canadians personal information at great risk. Experience from jurisdictions around the world has demonstrated that a legal obligation to notify individuals when their data has been put at risk is an essential component of any privacy protection regime. Not only does this notification requirement provide an opportunity for individuals to take protective measures against privacy harms ranging from identity theft to great embarrassment, but it also provides a poignant incentive for organizations to put in place the practical and technical mechanisms necessary to avoid such breaches in the first place.

Last week, Voltage Pictures filed a motion to identify approximatel 2,000 IP addresses allegedly belonging to individuals who have infringed its copyrights by means of peer-to-peer file sharing mechanisms. CIPPIC is seeking to intervene in this matter to ensure that procedural safeguards and the privacy rights of the anonymous Does are respected.

On December 14, 2012, CIPPIC filed a letter with the Federal Court seeking to delay the hearing of Voltage's motion to compel Internet Service Provider Teksavvy Solutions to disclose the identities of its subscribers alleged to have downloaded movies the copyright to which Voltage owns. Although supporting evidence for the motion was only filed on Tuesday, December 11, it was scheduled to be heard today (only 6 days later). While CIPPIC is not yet a party to this proceeding, its letter was intended to ensure the Court was aware of the nuemrous legal and policy issues raised by Voltage's request. The letter asked the Court to provide more time for defendants to respond to the motion, as well as to provide time for CIPPICs own intended intervention. Today, in court, Teksavvy similarly asked the Court to extend timelines for this process, which it did. The next hearing date will be January 14, 2013.