News

CIPPIC has been awarded a grant from the Office of the Privacy Commissioner of Canada, through its Contributions Program, for a research project analyzing the activities of data brokers in Canada.

The project, titled Back on the Data Trail, examines the evolution of the Canadian data broker industry over the past decade. The project picks up CIPPIC’s prior OPC-funded work in this field: in 2006, CIPPIC published a study of Canada’s data broker industry: On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. Over a decade later, and despite radical structural changes in Canada’s data broker industry, this report continues to be the leading analysis of the industry. Indeed, the Research Group of the Office of the Privacy Commissioner of Canada’s 2015 discussion paper on the industry, Data Brokers: A Look at the Canadian and American Landscape (September 2014), relied heavily on CIPPIC’s now-dated 2006 report. It is past time to update this important research.

A NAFTA Arbitration Panel has dismissed Eli Lilly's claim for compensation from the Canadian government for the invalidation of two of its patents by the Supreme Court of Canada.  Lilly claimed that Canada's utility standard under patent law failed to meet its NAFTA obligations, and that the invalidation of its patents amounted to an expropriation that entitled it to a remedy under NAFTA's investor protection provisions.

Lilly's argument sought to leverage international trade investor protection provisions to shape the general contours of substantive intellectual property law.  The Panel rejected that invitation, declining to challenge courts' supervisory role over patentability in the Canadian patent system, stating that "a NAFTA Chapter Eleven tribunal is not an appellate tier" and that it would be inappropriate for a NAFTA tribunal to assess judicial conduct against NAFTA obligations other than in "exceptional circumstances, in which there is clear evidence of egregious and shocking conduct."   

Decision:

• Eli Lilly v Canada 

Previously:

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners. The government’s framing of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools. 

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts authored in conjunction with Christopher Parsons at the Citizen Lab, beginning with today's installment (after the jump, or in PDF format) regarding the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

UPDATE: In December 2016, ETHI released the results of its study in a report entitled "Protecting the Privacy of Canadians: Review of the Privacy Act". The Report adopts many of CIPPIC's recommendations.