Privacy

Litigation

PIPEDA Complaints

Law Reform

Commentary

In a 2-1 decision, the Federal Court of Appeal has affirmed a lower court decision that found that Google Search did not qualify for an exception to PIPEDA for the collection, use, or disclosure of personal information for journalistic, artistic, or literary purposes.

The decision arises from a reference brought by the Privacy commissioner of Canada in respect of whether Google Search was subject to PIPEDA, Canada’s private sector commercial privacy legislation. Google argued that it was not engaged in commercial activity when it provided search results, and that any search results leading to journalistic content would qualify for PIPEDA’s exception for journalistic, artistic or literary purposes.  At first instance, Associate Chief Justice Gagné concluded that in offering Search, Google was in fact offering a commercial service and that it did not qualify for the journalism exception. 


CIPPIC is pleased to announce the publication of two reports today that raise concerns with Bill C-27, the federal government’s legislative proposal to reform Canada’s private sector privacy laws.

Our first report, entitled “Every Child Left Behind,” details how the proposed Consumer Privacy Protection Act (“CPPA”) fails to adequately protect the privacy rights of Canada’s children. C-27’s provisions to protect the privacy rights of children are unjustifiably weak, and they fall far short of the measures being enacted in peer jurisdictions—such as California and the United Kingdom—to protect children’s online privacy. Our report suggests several potential amendments to the CPPA that, in our view, are well within the federal government’s powers to enact.

Our second report, entitled “Planned Obsolescence,” details the shortcomings of the proposed Artificial Intelligence and Data Act (“AIDA”) by benchmarking it against the European Union’s proposed AI Act. Our report recommends that AIDA be strengthened in at least three ways: by extending its coverage to the federal public sector, by providing clearer definitions for key terms, and by reforming its proposed accountability structure to ensure effective enforcement.

Professor Jane Bailey offered submissions on behalf of CIPPIC at the hearing of R v Downes, an important voyeurism case. This issue before the Court involved the interpretation of the "place" provisions of the Criminal Code's prohibitions against voyeurism. These provisions protect Canadians against surreptitious observation and recording when we have a reasonable expectation of privacy and are in “a place in which a person can reasonably be expected to be nude...”.

 

CIPPIC, working with the eQuality Project, has filed a motion in the Supreme Court of Canada to intervene in the appeal of R. v. Downes, 2022 BCCA 8, a British Columbia Court of Appeal decision, where a coach was charged under the voyeurism provisions of the Criminal Code for surreptitiously taking photographs of pre-teens in their underwear in a sports facility's change room. The majority of the Court Appeal overturned the conviction, ruling that the photographs were not taken in "places in which a person could reasonably be expected to be nude".

CIPPIC will be arguing that the voyeurism provisions ought to be interpreted by framing them within the broader context of the privacy and equality rights of voyeurism targets, including women, children, and members of other equality-seeking communities.

Today, CIPPIC presented its intervention in a hearing before the Federal Court as part of a reference launched by the Office of the Privacy Commissioner of Canada. At issue is the degree to which PIPEDA - Canada's federal privacy law - applies to activities of commercial search engines.

As noted in our written submissions:

1. PIPEDA applies to commercial search engines.

2. In order to determine whether personal information is collected, used or disclosed in the course of commercial activities under s. 4(1)(a) of PIPEDA, the Court must evaluate the relationship between that information and the organization’s business model. The commercial value of most Internet companies and social media platforms is derived by providing a free service to attract user’s time, attention and personal information, which is then monetized through advertising, tracking and profiling. A restrictive definition of “commercial activity” which includes nothing but discrete, revenue-generating interactions ignores precisely the kinds of business models that drive the digital economy and that PIPEDA was intended to regulate.

3. Whether the collection, use or disclosure of personal information is undertaken for exclusively “journalistic” purposes must be determined with reference to Parliament’s intent and the constitutional rationale for the exclusion set out in s. 4(2)(c) of PIPEDA. This analysis must account for the particular role played by a free, adversarial and independent press in a democratic society—through newsgathering, source protection, the exercise of professional discipline and editorial judgement, and a commitment to communication on matters of public interest. The fact that an organization happens to permit the dissemination or discovery of journalistic content through its platform is not sufficient to immunize its activities from scrutiny under PIPEDA as a whole. The Act and the Charter provide other safeguards in this respect.

4. The remedy sought by the Complainant has obvious implications for section 2(b) Charter rights and a conclusion that PIPEDA applies to commercial search engines may eventually raise other constitutional and policy questions. However, the rules of statutory interpretation do not permit the Court to preempt these debates by distorting the meaning of the Act’s application clause to exclude certain organizations from Canadian privacy regulation altogether. Appropriate and properly tailored constitutional remedies are available in the event that these concerns are well-founded in law and actually materialize.

The reference is currently scheduled to be heard January 26-27. CIPPIC is being represented by Me Lex Gill from Trudel, Johnstone & Lespérance.

Image Source: Learntek, "big-data-analytics", April 23, 2018, Flickr, CC-0 1.0

In partnership with our fellow Samuelson-Glushko Clinic at the University of Colorado, CIPPIC today submitted comments to the Office of the Privacy Commissioner regarding two of its proposals for reforming PIPEDA—Canada's federal private-sector privacy statute—to deal with the challenges posed by artificial intelligence. Our submissions on behalf of 25 privacy scholars from Canada, the United States, and Europe—led by Prof. Margot Kaminski of the University of Colorado and CIPPIC Director Vivek Krishnamurthy—respond to OPC's proposals to amend PIPEDA to “[p]rovide individuals with a right to explanation and increased transparency when they interact with, or are subject to, automated processing” (Proposal 4), and “[r]equire the application of Privacy by Design and Human Rights by Design in all phases of processing, including data collection” (Proposal 5).

Specifically, our submissions suggest that a revised PIPEDA should include:

1. An individual right to an explanation of an algorithmic decision with significant effects on individuals;

2. Legal requirements for the application of Privacy and Human Rights by Design in all phases of data processing;

Office of the Privacy Commissioner's Office, 2010 Consultation on Online Privacy

The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

CIPPIC actively participated in a multidisciplinary research project funded by the Social Sciences and Humanities Research Council (SSHRC) Initiatives on the New Economy (INE) Program that focuses on issues of anonymity and authentication.

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes.  As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

Open Smart Cities FAQ

Introduction 

“Smart” city technologies collect, analyse, and use data to improve city life. Data collection can be active or passive, and data analysis can reveal patterns in how people work, live, and travel. Many cities use sensors to passively collect data about how people use bridges and roads, while some cities actively collect data about residents, using cameras to gather traffic data or “smart” meters to show how people use water and electricity.

Smart city initiatives are often public-private partnerships, involving two or more public and private sector organizations working together towards a long-term goal. For example, in 2016, Ottawa and Gatineau partnered with Strava, a fitness tracker company, to gather information about how residents use urban bike infrastructure. The cities intend to use this data to make the nation’s capital region more bike-friendly. Larger scale projects, such as Sidewalk Labs’ proposal for a connected community on Toronto’s Eastern waterfront, engage complex legal issues and involve dozens of public and private stakeholders.

FAQ on privacy and copyright issues raised by photography-related activities.

Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.

Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.

Resources on RFID technologies and their privacy implications.
The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.

National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.

Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.

Reference re PIPEDA, T-1779-18, Motion to Intervene

Voltage v. Doe, Federal Court, 2013

A.B. v. Bragg Communications, 2012 SCC 46, SCC File No. 34240, Anonymity in judicial proceedings

Warman v. Fournier, 2010 ONSC 2126, [2010] 100 O.R. (3d) 648, 319 D.L.R. (4th) 268 (Ont. Div. Ct.)

CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.

On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. This finding was in response to CIPPIC's complaint against Abika.com.

Royal Bank of Canada - Refusal to deal for secondary purposes

CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.

PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI

CIPPIC asks the Privacy Commissioner to Audit Google to investigate the implicatios of its merger with online ad network DoubleClick

PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Winners/Homesense (collection minimization & disclosure for secondary purposes)

Sony/BMG Rootkit

Canadian Banks and SWIFT

Ticketmaster (November 2005)

CIPPIC filed a formal complaint under PIPEDA against Ticketmaster on November 17, 2005. The complaint alleges that Ticketmaster's information management practices violate PIPEDA's requirements for openness, accountability, consent , and access to information. Specifically, CIPPIC alleges failures on the part of Ticketmaster to clearly identify what it does with personal information once collected, to protect information transferred to third parties for processing, to obtain proper consent from customers for secondary uses and disclosures, and to respond adequately to access to information requests.

We received the report of findings by the Office of the Privacy Commissioner on February 12, 2008. The OPC found that our complaints about lack of openness and consent to be well-founded, but resolved as Ticketmaster agreed to change its policies and practices accordingly.

Resources

CIPPIC's letter, Nov.17,2005.

 

InfoCanada (July 2005)

On July 15, 2005, CIPPIC filed a complaint with the Privacy Commissioner of Canada against InfoCanada, a Canadian company that sells lists of information about Canadian businesses and consumers.

In the complaint, CIPPIC alleged that InfoCanada combines publicly available personal information from telephone books with aggregated demographic data from Statistics Canada, to create lists of "personal demographic information" for sale to marketers, thus invoking PIPEDA. PIPEDA requires organizations to obtain consent before using and disclosing personal information. CIPPIC argued that InfoCanada violates PIPEDA by failing to obtain consent to its use and disclosure of this personal information, inaccurate as it may be. CIPPIC also alleged that InfoCanada violates PIPEDA by failing to be open about its personal information management practices and by using personal information for inappropriate purposes.

Although CIPPIC chose to investigate InfoCanada, CIPPIC has reason to believe that many other data-brokers in Canada use similar data matching techniques to create and enhance marketing lists. CIPPIC anticipates that a finding from the Privacy Commissioner will clarify the appropriateness of these data matching activities for all companies in this industry.

Abika.com and National Locator Services (June 2004)

In June and July, 2004, CIPPIC filed complaints with the Privacy Commissioner of Canada about two U.S.-based companies, Abika.com and National Locator Services, that offer online background checks and other search services about individuals, including Canadians, for a fee. In its complaints, CIPPIC alleged that these services breach federal data protection legislation by routinely collecting, using and disclosing personal information about Canadians, for unlimited purposes, without the knowledge or consent of the individuals in question. As well, CIPPIC noted that its testing of the Abika.com "psychological profile" service suggested serious inaccuracies in the personal information provided, thus further contravening the legislation. The Office of the Privacy Commissioner responded by way of a letter dated November 30, 2004, stating that "While the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA."

Bank's wrongful access to and disclosure of individual's credit report (May 2004)

CIPPIC assisted an individual in his efforts to obtain fair compensation for a significant violation to his privacy. The violation occurred when a ScotiaBank employee accessed and disclosed his credit bureau report to his fiancee without his knowledge or consent. Banks and other credit grantors are under a legal obligation in Canada to obtain individual consent before accessing, using or disclosing that individual's credit report. In this case, the bank employee failed to obtain the individual's consent before pulling up his credit report and disclosing it to his fiancee, who was seeking information on mortgage rates.

CIPPIC assisted the individual in his dealings first with the Scotiabank Ombudsman, then with the Canadian Bank Ombudsman, then with the Privacy Commissioner, and finally with Scotiabank's legal department. The Privacy Commissioner found, after investigating, that Scotiabank had violated the consent requirement in Principle 4.3 of the PIPED Act. Scotiabank admitted the error, but was unwilling to pay the individual more than $500 in compensation. The individual ultimately settled with Scotiabank.

Resources

Privacy Commissioner, letter, July 13,2005.

 

MBNA Mastercard (Blanket consent to unlimited & unnecessary use/disclosure)

Houst of Commons ETHI Committee Study: Privacy & Social Media Sites

Industry Canada: Questionnaire on Updating OECD Privacy Guidelines

Modernizing Convention 108: the Council of Europe's Privacy Framework

OPC Consultations on Online Tracking, Behavioural Targeting & Cloud Computing

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

Canada's 2010 Digital Economy Consultation

Data Breach Notification

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).

APEC Cross Border Privacy Rules

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.

Regulators provide guidance on mobile privacy, tracking & advertising