GDPR Archives - IPOsgoode (/osgoode/iposgoode/tag/gdpr/)

A Look Back at Canada's Privacy Legislation in 2021
/osgoode/iposgoode/2022/01/13/a-look-back-at-changes-in-privacy-legislation-in-2021/ (Thu, 13 Jan 2022)
[Image: two people looking up at security cameras on a wall. Photo by Matthew Henry]

Emily Prieur is an IPilogue Writer and a 3L JD Candidate at Queen’s University Faculty of Law. This article was originally written as part of the IPilogue’s annual Year in Review but has instead been published as a standalone article.

2021 was a transformational year for Canadian privacy legislation. Following the changes made to the , several provinces amended their privacy legislation to protect their constituents’ interests. The private sector may be less welcoming to changes in many provinces which expose companies to . On the flip side, these proposed legislative changes will strengthen the privacy of Canadians in their everyday lives.

Provincial Legislative Changes

Quebec’s Bill 64 Passes Royal Assent

The most significant development in privacy legislation is Quebec’s , An Act to modernize legislative provisions as regards the protection of personal information, which received royal assent on September 22, 2021. This legislation is significant because of its effects on the private sector. Starting September 2022, private sector organizations must inform the privacy regulator following any breach of personal information that presents a “serious risk of injury” to affected individuals. To determine whether there was a serious risk of injury to affected individuals, the province turns to the factors outlined in the “real risk of serious harm” section of the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). As , the gradual implementation of Bill 64 gives organizations the opportunity to update their processes and procedures to ensure compliance before September 2022. The Quebec legislation also takes inspiration from the European Union's General Data Protection Regulation (“GDPR”), which has been touted as the “” privacy regime because of its strict privacy standards and its partiality towards consumers.

The omnibus bill included such as changes to company websites, assignment of a Privacy Officer, completion of Privacy Impact Assessments, and requirements for consent, individual rights, and automated decision making. To date, the analysis of the legislation compares the provisions to the European GDPR.

Companies operating in Quebec are now required to publish their company privacy policies on their websites. Such privacy policies must describe how companies plan to use personal information.

In the event of privacy infringements that violate individuals’ private information, individuals will now have recourse through administrative monetary penalties, penal offenses, and private rights of action.

Finally, similarly to the GDPR, Quebec introduced consent requirements for collecting personal information, including express consent before using sensitive information and parental consent for minors under the age of 14.

Ontario Welcomes Consultations and Proposes Changes

Under the leadership of Patricia Kosseim, the Office of the Privacy Commissioner pursued their goal of passing an equivalent piece of legislation in 2021. In response to an op-ed piece that argued against provincial legislation in fear of redundancy and duplication, Kosseim recently regarding the potential for new provincial legislation to “fill in the gaps” of what Federal privacy legislation cannot accomplish.

In keeping with Kosseim’s motivation to strengthen privacy laws in Ontario, the Government of Ontario released a along with calls for consultation in June 2021. The White Paper, titled “Modernizing Privacy in Ontario,” set out several proposals the Ministry is considering to strengthen privacy protection for Ontarians. To strengthen such protections, the Ministry has proposed making privacy a fundamental right in Ontario. Ontario has also included suggestions to protect youth privacy online, regulate automated decision-making, and require more informed consent and data transparency from private corporations.

The Ministry allowed the public to provide comments and feedback until August 2021. The Office of the Privacy Commissioner applauded the provincial government for taking a “” with its proposal.

BC’s PIPA Committee Releases their Final Report

The British Columbia Legislative Assembly also created a special committee to review the British Columbia (“PIPA BC”) in February 2020. The objective of this committee was to publish a report proposing amendments to PIPA BC, which the committee completed in December of 2021. In the , the committee suggested aligning PIPA BC with PIPEDA and Europe’s GDPR. Like the recently passed Quebec legislation, the committee also suggested mandatory breach notifications if a breach surpasses the “real risk of significant harm” threshold as established in PIPEDA. The committee also recommended broadening the definition of personal information to address the potential issue of de-identification. Finally, the committee proposed that the Office of the Information Privacy Commissioner have greater enforcement powers.

Federal Legislative Changes

The Federal Office of the Privacy Commissioner (“OPC”) did not introduce any new legislation in 2021. The Office was engaged in issues surrounding as well as privacy issues resulting from the COVID-19 pandemic, including privacy with respect to and the rise in reliance on video teleconferencing platforms like Zoom and Microsoft Teams. The Canadian OPC, along with privacy authorities in Australia, Gibraltar, Hong Kong SAR, China, Switzerland, and the United Kingdom, to the videoconferencing companies regarding their rapid expansion during the pandemic to query and confirm that these technology companies were using appropriate privacy safeguards. The letter led to a series of video calls between the signatories and representatives from the companies. Finally, the signatories and suggestions to improve privacy going forward. Among the suggestions were the implementation of end-to-end encryption, the identification of secondary-use data (as well as an opt-out system), and the option for users to choose where their data is stored.

Conclusion

New and amended privacy legislation continues to develop in Canada and worldwide. Follow the IPilogue and subscribe to our newsletter, the IPIGRAM, for any important legislative changes that emerge in 2022.

EU Penalizes Amazon $887 million for GDPR Infringement
/osgoode/iposgoode/2021/08/24/eu-penalizes-amazon-887-million-for-gdpr-infringement/ (Tue, 24 Aug 2021)

]]>
[Image: statue of boxes standing on a tree]

Tiffany Wang is an IPilogue Writer, IP Innovation Clinic Fellow, and a 2L JD Candidate at Osgoode Hall Law School.

In July, the European Union delivered an unprecedented fine against Amazon—a record $887 million USD. Luxembourg’s National Commission for Data Protection (CNPD) penalized Amazon for their . The $887 million fine is almost triple the amount of General Data Protection Regulation .

. La Quadrature du Net claims to represent the .

Amazon refuses to remain idle. The multinational firm has already declared it will initiate the to refute this penalty. Amazon voiced that there has been and continues to promise that . The irony here, however, rests in the reality that

The EU’s penalty against Amazon . Legislation still has teeth despite Luxembourg’s historically friendly stance toward Amazon .

The unprecedented fine also underscores the EU’s of Amazon. Amazon has . Even though Amazon claims that collecting data helps to foster a better online retail environment, regulators and lawmakers. In fact, growing suspicion clouds the correlation between data and Amazon’s . The 2018 privacy investigation only fuels the . .

Amazon’s slogan is “Work hard. Have fun. Make history”. Indeed, Amazon has made history with its $887 million penalty. But is this the “history” that Jeff Bezos envisioned?

Social Media Privacy: Legalities of Personal Data Collection
/osgoode/iposgoode/2021/04/05/social-media-privacy-legalities-of-personal-data-collection/ (Mon, 05 Apr 2021)

]]>
Social media platforms are connecting friends, family, and colleagues in new ways. With over using social media in 2020, these platforms are all-encompassing. Each of these billions of users produces data in some form — pictures, videos, text, interactions, purchases — all collectively showing their social media usage over the years.

This data contains personal information specific to each user. Without proper protection, social media companies may mishandle, lose, or leak the data to cybercriminals. Social media companies already widely – and legally – mine customer data for profit-boosting details or sell their information to third parties. To increase protection, governments often develop and enforce stricter regulations.

However, not all countries keep up with consumers’ wants and needs. For example, or protection regulations. Companies in China must obtain consent to interact with their users’ data. However, government officials often block access to sites or monitor how residents use them, raising surveillance concerns. Data privacy rules are further complicated as they vary across platforms.

Social Media Privacy Rules

Registration for any social media site initially requires you to accept their terms and conditions. These conditions detail how the platform will use your data, including your interactions and preferences. Even if your account is “private”, to your information.

No matter how you use social media, you should understand two applicable topics: copyright and how your relationship with a company dictates the way its representatives can collect data. Both of them will likely come up regularly as you learn more about social media privacy — or the lack thereof.

First, copyright is critical for creators and observers. A copyrighted work receives protection once the creator distributes it in a fixed format. For example, posting an original image on social media is enough to . Therefore, users can’t post any picture they find online without permission. Attributing the work is not synonymous with asking the creator for approval.

Most images used legally on the internet fall into several categories:

  • Pictures the poster owns and can use how they wish.
  • Rights-managed images, which allow people to purchase photos and use them per a specific license. This includes many items offered through the Creative Commons organization.
  • Royalty-free images, which enable people to use the pictures in unlimited, multiple and nonexclusive ways.
  • Public domain/Creative Commons Zero (CC0) images, which have no restrictions because creators waive their rights under copyright law.

Any original content posted on social media is royalty-free, but social media platforms generally offer users protection against infringement.

Instagram, for instance, provides instructions on on your copyrighted content. This protection means anything you originally create belongs to you, letting you pursue action against any violation of Instagram’s policy. Facebook, the owner of Instagram, has almost identical rules. Twitter may have some exceptions.

It is essential to protect your own data and avoid infringing on others’ original works. However, the second set of rules focuses on your relationship with the platform itself. Historically, data collection has been controversial around the world. Take Facebook, for instance. The big tech company had to clarify after countless scandals emerged. Thus, these instances sparked broader societal discussions about big tech’s growing power and its potential detriment to user privacy.

Personal Data Collection Controversies

Data protection regulation and compliance vary by country. Some territories have federal guidelines in place, like the European Union’s General Data Protection Regulation (GDPR).

The United States has no unifying federal law for cybersecurity compliance. However, the posts its own guidance, alongside each state’s own compliance rules.

Each set of regulations aims to ensure that tech companies protect consumer data and provide users with the correct rights. Unfortunately, despite these laws, data collection controversies continue to arise. Companies find loopholes and use the data in questionable ways. Facebook is notorious for attracting bad press, whether related to misinformation, social justice, or individual rights.

Another example is WhatsApp. After Facebook acquired WhatsApp, the messaging platform updated its conditions to indicate that the platforms would automatically link datasets. Facebook could then use this data for marketing purposes. The EU for violating the law and misleading users.

Facebook again found itself at the center of a data-centric legal case at the end of 2020. This time, the big tech company pursued an action against two smaller companies that it , or taking data from another source for their own use. While Facebook was not the accused, this case again raises the question of big tech’s power and responsibility.

TikTok has also received public and government backlash. After the platform grew exponentially, U.S. officials became wary of due to its Chinese ownership. They were mainly concerned about what TikTok might do with the data it gathered, raising possible national security threats to the United States. However, in September 2020, a deal split TikTok’s ownership between China and the U.S.

Moving forward, countries must re-examine how social media companies use data. Though individuals can take legal action against offending corporations in court, these companies often overpower them, meaning the government must step in. For example, Canada’s Privacy Commissioner can investigate how public and private-sector organizations handle data. They also try to resolve disputes through mediation, negotiation and reconciliation.

Changing Priorities

In the United States, the lack of an overarching federal cybersecurity compliance law has left a legal gap. The California Consumer Privacy Act (CCPA) is a good U.S.-based example that the government should follow. It gives a person the right to access all the information a company has about them or ask that it delete their details. Consumers can also request that companies do not sell their data to third parties or find out which categories of businesses have content about them.

Elsewhere, the GDPR has not kept these platforms as honest with users about data collection and usage as legislators may have hoped. A 2020 study of central government data protection officers in the United Kingdom found that many of them to deal with the growing number of data protection requests.

Once the GDPR came into effect, internet users were bombarded with cookie preferences windows that let them specify what data companies collected about their internet visit. Many clicked “I accept” without reading the specifics because they were impatient to view the websites in question.

Amidst all the controversies, priorities are changing. People want more security and privacy when using social media services provided by bigger companies. As the U.S. government continues to debate regulations around big tech brands, data collection will continue.

However, data collection can benefit consumers. Social media companies can curate enjoyable, personalized experiences for each user. Issues occur when companies mishandle data or overstep their boundaries. As seen with Facebook, this happens all too frequently.

Since many of the biggest social media companies are U.S.-based, calls for stricter regulation often fall on the United States, in the hopes that consumers will feel more comfortable sharing their data online.

Written by Shannon Flynn, IPilogue Contributor and law technology writer discussing topics such as AI, media, and commercial law.

Guidelines for the Implementation of GDPR-Compliant Cookie Notices
/osgoode/iposgoode/2021/02/26/guidelines-for-the-implementation-of-gdpr-compliant-cookie-notices/ (Fri, 26 Feb 2021)

]]>
This comment investigates how legal requirements for consent are implicated in the deployment of internet browser cookies, with a focus on the European Union’s (EU) (GDPR). Non-EU companies should also take note, not only because the GDPR protects EU citizen data regardless of whether or not the processing takes place in the EU (art 3(1)), but because the GDPR’s rules for consent and other data privacy issues will .

CONSENT LAWS

Consent is an integral part of the EU’s approach to data privacy. The concept was codified in the GDPR to mean “”(art 4(11)).

The application of GDPR consent requirements to online cookie notices has been nebulous since the law came into force. A found that the overwhelming majority of cookie notices in the EU are not GDPR-compliant. As enforcement ramps up, companies risk steep fines for non-compliance: is the imposition of a fine of “1% of annual turnover” for a company that failed to satisfy the Belgian Data Protection Authority’s cookie rules.

Guidance on the interpretation of cookie consent rules was provided by the Court of Justice of the European Union (CJEU) in the Planet49 case, which involved the collection of personal information, through cookies, by an online lottery provider. The CJEU answered several questions (covered in Section III) while among member states (this was advocated because of the issues created by divergent transposition and implementation of pre-GDPR Directives across the EU).

The European Data Protection Board (EDPB) recently incorporated the Planet49 ruling into a . The key requirements for valid consent, as they relate to cookie notices, are the subject of the next section.

PRACTICAL RECOMMENDATIONS

In light of the GDPR, the Planet49 decision, and the recent guideline, the following consent acquisition practices should be adopted for data controllers employing cookie notices. Consent should be:

a) Freely given

A user’s access to services and functionalities on the user’s consent to information storage or access on their terminal equipment (at para 39). In other words, “cookie walls” are an invalid form of consent. While it is acceptable to restrict certain functionalities if the user does not consent, to the site must not be made conditional on cookie acceptance.

b) Specific

Data controllers should provide information about each cookie type (e.g., “marketing” or “statistics”) and allow subjects to choose which cookies to accept. Apart from essential cookies, without which provision of “general access” to the site is impossible, subjects should be allowed to reject other categories of cookies (arts 5(1)(b), 6(1)(a)).

c) Informed

The data subject should be given, at a minimum, the : the controller’s identity; the purposes of each of the processing operations for which consent is being sought; the type of data that will be collected; and the existence of the right to withdraw consent (arts 5, 7(2)). This information should be provided in to facilitate comprehension by laypeople (at para 67). It is insufficient to embed a consent request within a paragraph of the website’s terms of service (i.e., the consent request must be clearly distinguishable from other matters) (at para 71).

d) Unambiguous

are insufficient for showing consent, as are the mere acts of scrolling or swiping on a webpage (at paras 79, 81). to cookie use can only be shown through the provision of an unticked box that the user must actively select (art 4(11)).

e) Revocable

must be as easy to withdraw as it is to give. Data controllers could include a withdrawal option, either on a separate webpage or embedded within the site’s privacy policy. This function could also display the user’s current status (e.g., “allow only essential cookies” or “block all cookies”) (art 7(3)).

f) Demonstrable

The burden of proof is on the data controller to show that valid consent was obtained. It is recommended that data controllers store and log all consents in the form of information on the browsing session in which consent was obtained along with a copy of the information presented to the data subject at the time of consent (art 7(1)).

g) Obtained prior to data processing

The words “has given” in of the GDPR imply that prior consent is a prerequisite to the lawful processing of personal data. Therefore, all non-essential cookies should be blocked until the user consents to their deployment.
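The seven recommendations above can be enforced in one consent-gating layer that sits between the cookie notice and every cookie write. The following is an added example in JavaScript, not code from the original post or from any vendor's consent tool; the category names, the shape of the consent record, the Map standing in for document.cookie, and the sample notice are assumptions for illustration.

```javascript
// Added example (not the original post's code): a consent-gating layer that
// applies recommendations (a)-(g). Category names, the record shape and the
// Map standing in for document.cookie are assumptions for illustration.
// (b) Categories: "essential" cannot be refused; every other one is opt-in.
const CATEGORIES = Object.freeze({
  essential: { essential: true, purpose: "session and security" },
  statistics: { essential: false, purpose: "aggregate usage measurement" },
  marketing: { essential: false, purpose: "advertising personalisation" },
});
const NON_ESSENTIAL = Object.keys(CATEGORIES).filter((c) => !CATEGORIES[c].essential);

// (c) Minimum information the notice must present before consent is recorded.
const REQUIRED_NOTICE_FIELDS = ["controller", "purposes", "dataTypes", "withdrawalRight"];
function validateNotice(notice) {
  const missing = REQUIRED_NOTICE_FIELDS.filter((f) => !notice || notice[f] == null);
  if (missing.length) throw new Error(`notice not informative, missing: ${missing.join(", ")}`);
  return true;
}

class ConsentManager {
  constructor({ notice, sessionId, clock = () => new Date().toISOString() }) {
    validateNotice(notice);
    Object.assign(this, { notice, sessionId, clock, log: [] }); // log: (f) append-only records
  }

  // (d) Every non-essential box starts unticked.
  initialChoices() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // (d) Only an explicit boolean per category is accepted; scroll events, a
  // dismissed banner or a pre-ticked default never reach the log as "true".
  record(choices) {
    const normalised = {};
    for (const c of NON_ESSENTIAL) {
      if (typeof choices[c] !== "boolean") throw new Error(`ambiguous consent for "${c}"`);
      normalised[c] = choices[c];
    }
    const entry = { sessionId: this.sessionId, timestamp: this.clock(), choices: normalised,
      noticeSnapshot: JSON.parse(JSON.stringify(this.notice)) }; // (f) copy of what was shown
    this.log.push(entry);
    return entry;
  }

  // (e) Withdrawal is a single call, no harder than giving consent.
  withdraw() { return this.record(this.initialChoices()); }

  // (g) With no record yet, nothing non-essential is allowed.
  isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown category "${category}"`);
    if (CATEGORIES[category].essential) return true;
    const latest = this.log[this.log.length - 1];
    return latest ? latest.choices[category] === true : false;
  }

  // (e) Current status string for a preferences page.
  status() {
    const allowed = NON_ESSENTIAL.filter((c) => this.isAllowed(c));
    if (allowed.length === 0) return "allow only essential cookies";
    if (allowed.length === NON_ESSENTIAL.length) return "allow all cookies";
    return `allow essential and ${allowed.join(", ")} cookies`;
  }

  // (g) Gate every write: the cookie is set only if its category is allowed now.
  setCookie(jar, name, value, category) {
    if (!this.isAllowed(category)) return false;
    jar.set(name, { value, category });
    return true;
  }

  // (e) After withdrawal, remove cookies whose category is no longer allowed.
  purgeDisallowed(jar) {
    let removed = 0;
    for (const [name, { category }] of jar) {
      if (!this.isAllowed(category)) { jar.delete(name); removed += 1; }
    }
    return removed;
  }
}

// Constructed walkthrough: first visit, consent to statistics only, then withdraw.
function demo() {
  const notice = {
    controller: "Example Controller Ltd (constructed)",
    purposes: { statistics: CATEGORIES.statistics.purpose, marketing: CATEGORIES.marketing.purpose },
    dataTypes: ["cookie identifier", "pages viewed"],
    withdrawalRight: "Withdraw at any time on the privacy page",
  };
  const cm = new ConsentManager({ notice, sessionId: "sess-0001-constructed", clock: () => "2021-02-26T17:00:00Z" });
  const jar = new Map();
  const blockedBefore = cm.setCookie(jar, "_stats", "1", "statistics"); // false: no consent yet
  const essentialOk = cm.setCookie(jar, "sid", "abc", "essential"); // true: always allowed
  cm.record({ ...cm.initialChoices(), statistics: true }); // user ticks statistics only
  const allowedAfter = cm.setCookie(jar, "_stats", "1", "statistics"); // true
  const marketingBlocked = cm.setCookie(jar, "_ads", "1", "marketing"); // false
  const statusAfter = cm.status();
  cm.withdraw();
  const purged = cm.purgeDisallowed(jar);
  return { blockedBefore, essentialOk, allowedAfter, marketingBlocked, statusAfter,
    statusWithdrawn: cm.status(), purged, records: cm.log.length, jarSize: jar.size };
}
```

Two design points carry most of the weight. First, the gate is on the write path (`setCookie`), not on the banner: a non-essential cookie simply cannot be set until a record with an explicit `true` exists, which is what (g) requires. Second, `record` rejects anything that is not a boolean, so a scroll handler or a dismissed banner cannot be wired up to produce consent by accident, and each record keeps a snapshot of the notice text so the controller can later show what the subject was told (f).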

Written by Daniel Joseph, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2020/2021 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

The Precarious Position of Streaming Video Games – Potential Repercussions from the European Copyright Directive
/osgoode/iposgoode/2019/11/27/the-precarious-position-of-streaming-video-games-potential-repercussions-from-the-european-copyright-directive/ (Wed, 27 Nov 2019)

]]>
Esports and video game streaming have become a popular pastime and a big business with gaming platforms such as Twitch and [i] attracting millions of viewers apiece and tournaments for popular games such as .[ii]

This leads to the assumption that streaming is a safe legal activity. Instead, most streamers are in a [iii] through the public performance of a copyright protected work. While this can be rather surprising to the public who would expect that activities that are likely illegal would not develop into a growing mainstream business, the tolerance of infringing content by the game publishers is logical in this instance from a business standpoint as streaming is free advertising that could help grow the game.

A potential issue for the future of streaming, however, is the European Copyright Directive. A throughout the process of drafting was Article 13[v] which critics have held will lead to the censoring of the internet.

Article 13 has since been passed as and is concerned with the sharing of protected content online by service providers.[vi] Article 17 moves away from the framework provided by the DMCA and its safe harbour provisions. Instead, it changes the landscape for service providers and content hosts by explicitly choosing to hold them liable. Online services that distribute content must obtain a licence from a rights holder. Beyond this requirement, require online content providers to make best efforts to prevent copyright-protected work from being uploaded, or re-uploaded in the future.[viii]

So, the main question at issue here will be enforcement. If enforcement is done on a discretionary basis requiring a complaint to be made, then the streaming industry can persist barring future issues. to take down streams in Europe support the position that takedowns will occur on a complaints basis.[ix] Especially as some of the takedowns which are done on a copyright basis have been filed for reasons outside of the purely economic sense of copyright law, but out of disgust for certain streamers’ behaviours while playing games such as .[x] It is inevitable that some rights holder will take issue with some streamer or some individual stream in the future.

Even if complaints are made, it is possible for the state of affairs to continue as they are as the text of ) states that the rights holders have to have “provided the service providers with the relevant and necessary information” before content can be blocked as infringing.[xi] If no details are provided, it is possible that no requirement to block the stream or other content need take place.

If, however, the European Union or one of its member states takes a more proactive approach to ensuring services operating within it are compliant, as they are starting to do with ,[xii] streaming services such as Twitch could become more limited in scope and functionally become a live game streaming version of Netflix, or be blocked in Europe altogether.

Written by Matthew Drinovac, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

[i] Leo Sun, “Microsoft’s Mixer is Catching up to Amazon’s Twitch and Google’s YouTube” (6 October 2019), online: <https://www.fool.com/investing/2019/10/09/microsofts-mixer-is-catching-up-to-amazons-twitch.aspx>.

[ii] Chris Bumbaca, “16-year-old Kyle ‘Bugha’ Giersdorf takes home prize for Fortnight World Cup win” (28 July 2019), online: <https://www.usatoday.com/story/sports/gaming/2019/07/28/fortnite-kyle-bugha-giersdorf-wins-3-million-world-cup/1853058001/>.

[iii] Scott Alan Burroughs, “A Twitch In Time” (5 September 2018), online: <https://abovethelaw.com/2018/09/a-twitch-in-time-legal-issues-catch-up-with-popular-game-broadcasting-platform/>.

[iv] Julia Alexander, “YouTube CEO says EU regulation will be bad for creators” (22 October 2018), online: <https://www.theverge.com/2018/10/22/18008406/article-13-copyright-directive-youtube-susan-wojcicki-robert-kyncl>.

[v] Cory Doctorow, “The Final Version of the EU’s Copyright Directive is the Worst One Yet” (13 February 2019), online: <https://www.eff.org/deeplinks/2019/02/final-version-eus-copyright-directive-worst-one-yet>.

[vi] European Union Directive 2019/790, online: <https://eur-lex.europa.eu/eli/dir/2019/790/oj>.

[vii] Digital Media Law Project, “Protecting Yourself Against Copyright Claims Based on User Content” (2014), online: <http://www.dmlp.org/legal-guide/protecting-yourself-against-copyright-claims-based-user-content>.

[viii] European Union Directive 2019/790, online: <https://eur-lex.europa.eu/eli/dir/2019/790/oj>.

[ix] Raj Shah, “Twitch Bans Several Accounts for Unauthorized CSGO Berlin Major Streaming” (27 August 2019), online: <https://www.talkesport.com/news/twitch-bans-several-accounts-for-unauthorized-csgo-berlin-major-streaming/>.

[x] Owen Good, “Firewatch creator vows DMCA retaliation against PewDiePie for racist slur used in stream” (10 September 2017), online: <https://www.polygon.com/2017/9/10/16285188/pewdie-pie-racist-slur-firewatch-retaliation-dmca>.

[xi] European Union Directive 2019/790, online: <https://eur-lex.europa.eu/eli/dir/2019/790/oj>.

[xii] Victoria Arnold, “What the latest GDPR fines reveal about authorities’ attitude” (30 September 2019), online: <https://www.lexology.com/library/detail.aspx?g=a4054dd5-3215-4f69-bf13-3f2858600ad1>.

Who owns my privacy and why I don’t want people to know where I drive
/osgoode/iposgoode/2019/11/18/who-owns-my-privacy-and-why-i-dont-want-people-to-know-where-i-drive/ (Mon, 18 Nov 2019)

]]>
To me, “big data” has become synonymous with Big Brother, the central political figure behind data collection and monitoring in George Orwell’s “1984.” Big Data plays a similar role in today’s society, but it’s not often clear who or what organizations play this role, and what parts of my private data are being collected to violate my personal privacy. Following the revelation of the Facebook-Cambridge Analytica scandal in 2018, the public consciousness has grown to include privacy and data collection as primary concerns, but there hasn’t been much transparency, or changes in this practice.

In the Facebook- Cambridge Analytica scandal, people’s personal information was harvested without their consent and was used to create “psychographic”[1] profiles that were then used as part of political manipulation in the Brexit vote, as well as the 2016 American Election.[2] More recently, Facebook was caught outsourcing the transcription of audio-chats that occurred in Facebook Messenger to contractors working as a third-party, thus exposing the private conversations of those Facebook users who had opted into the transcription service offered by Facebook.[3]

But the collection of data occurs in all aspects of daily life not just through social media. A statistician working for Target explained how the retailer kept tabs on its customers’ purchasing habits and tried to target (no pun intended) pregnant women based on their purchasing patterns.[4] This led to a father learning that his teenage daughter was pregnant after Target sent maternity flyers addressed to the teen. These instances highlight the lack of consumer awareness, truly informed consent, and control that people have over their own information. This is a huge issue as “data flakes off us like dead skin cells”[5] and in those moments corporations should not be profiting.

To address the issue of data exploitation, the European Union has implemented the General Data Protection Regulation (“GDPR”)[6] that aims to protect a citizen’s privacy and increase the amount of control an individual has over their own data. The GDPR also addresses the transfer of EU citizens’ personal data outside of the EU to jurisdictions like Canada that don’t have equivalent legislation already in place. Currently, the federal government has a measly two pieces of legislation governing Canadians’ privacy and personal data, the Privacy Act[7] and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).[8] The Privacy Act applies to federal institutions and is meant to govern “a person’s right to access and correct personal information that the [Canadian] Government […] holds about them” while PIPEDA oversees the private sector. However, neither of these provides resources for Canadians to educate themselves or protect their data. PIPEDA outlines “”[10] but these fail to provide avenues for consumers to seek recourse when their privacy has been violated, or ways of monitoring and protecting their privacy. Canadians might be protected by the patchwork privacy laws that provinces have enacted, or the set by some Canadian courts.[11] Canada lags in data protection and in empowering people to control their data.

This becomes increasingly important in the discussion of autonomous vehicles which are an emerging area of data collection. Data will need to be collected to ensure the safe operation of these vehicles and to prevent security breaches that could be exploited by ill-meaning entities. to the advancement of autonomous vehicles, but it is unclear what data has been collected, and how this data has been collected.[12] Deployment of these vehicles doesn’t make clear how future data will be collected and used but could lead to the evisceration of privacy altogether, which could have devastating consequences. I believe that in order to successfully and safely integrate autonomous vehicles, rigorous data regulation must first be developed and well-established before the day that my future car drives me to my destination.

The Facebook-Cambridge Analytica scandal threatened democracy, and now the potential improper collection and management of data could threaten our physical safety in the form of autonomous vehicles. The type of successful data regulation I foresee ought to require the informed consent, control, and awareness of consumers that data collection is occurring.[13] No longer should “Terms and Conditions” pages or mandatory cookie-tracking agreements be used to exploit the average internet user.

Written by Julianna Felendzer, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver’s 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

[1] Psychographic profiles rely on a consumer’s psychological characteristics to describe them; this encapsulates values, opinions, attitudes, interests, and lifestyles, and can be used to personalize advertising. See William D. Wells, “Psychographics: A critical review” (1975) 12 Journal of Marketing Research 196.

[2] Issie Lapowsky, “How Cambridge Analytica Sparked the Great Privacy Awakening”, WIRED (17 March 2019), online: <www.wired.com> [perma.cc/VL7T-FRE6].

[3] Sarah Jeong, “No, Facebook Is Not Secretly Listening to You”, New York Times (20 August 2019), online: <www.nytimes.com> [perma.cc/8C9M-3E3F].

[4] Charles Duhigg, “How Companies Learn Your Secrets”, New York Times (16 February 2012), online: <www.nytimes.com> [perma.cc/ENG8-D47Z].

[5] Charlie Warzel, “The High Stakes of Living Online”, New York Times (6 August 2019), online: <www.nytimes.com> [perma.cc/JP7Q-D7KZ].

[6] EC, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ, L 119/1.

[7] Privacy Act, RSC 1985, c P-21.

[8] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

[9] Office of the Privacy Commissioner of Canada, “Summary of privacy laws in Canada”, online: <www.priv.gc.ca> [perma.cc/PC8J-XNJY].

[10] Office of the Privacy Commissioner of Canada, “PIPEDA fair information principles”, online: <www.priv.gc.ca> [perma.cc/5W8C-4ZYU].

[11] Douez v Facebook, Inc., 2017 SCC 33 [Douez].

[12] Magnolia Potter, “Big Data’s Role in Self-Driving Car Development” (5 April 2019), online: <www.insidebigdata.com> [perma.cc/CU5J-983F]. See also Bernard Marr, “BMW: Using Big Data And Artificial Intelligence To Create Autonomous Cars”, online: <www.bernardmarr.com> [perma.cc/Q62M-6BWA].

[13] Lucille Perreault, “Big Data and Privacy: Control and Awareness Aspects” (Paper delivered at the International Conference on Information Resources Management (CONF-IRM), Ottawa, 20 May 2015) [unpublished].

The post Who owns my privacy and why I don’t want people to know where I drive appeared first on IPOsgoode.

Big Data, Privacy and the GDPR /osgoode/iposgoode/2018/08/15/big-data-privacy-and-the-gdpr/ Thu, 16 Aug 2018 00:21:26 +0000 https://www.iposgoode.ca/?p=3297
When I attended the Institute for the Future of Law Practice boot camp in May 2018 in Chicago, Professor Matthew Kugler from Northwestern University Pritzker School of Law gave a lecture on cybersecurity, explaining how big data companies are turning humans into business products. In this information age, we create a breadcrumb trail of information about who we are and what we do almost every day by sending text messages, posting on social media, snapping pictures, and using GPS applications like Google Maps. The records we create are, in turn, creating business opportunities for companies. To succeed in the digital revolution, companies increasingly seek more and more data about their customers. For example, data is used to drive strategic decisions about new avenues of business and the development of new products, and to identify which kinds of relationships will help businesses grow.

The General Data Protection Regulation (“GDPR”) is a regulation on data protection and privacy for all individuals within the European Union and the European Economic Area, adopted by the European Parliament and the Council of the European Union in April 2016 and applicable since 25 May 2018. Prior to its application, it was often considered sufficient for an organization to obtain a consumer’s “implied consent” to the organization’s data practices. In essence, implied consent means that by visiting a website or downloading an app, a consumer implicitly agrees to everything in the organization’s Terms and Conditions agreement, including the fine print that no one has read. Under the GDPR, however, consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative act (and it is only one of the lawful bases for processing listed in Article 6, so a company cannot rely on it by default). A company that relies on consent must therefore obtain it for each purpose for which it wants to use an individual’s personal data, which, in North American usage, is often called Personally Identifiable Information (“PII”).

One simple way for individuals to control their data is to block cookies via their web browser settings. However, blocking cookies decreases the convenience of web browsing, since cookies allow our favourite sites and apps to remember our online history, such as billing and shipping information. Generally, users would not expect companies to use their PII in ways they have not agreed to, such as political lobbying or insurance telemarketing. Users also assume that they have ultimate control of their PII, enjoying the right to revise, remove or duplicate the data.

You may think that deleting Facebook posts would mean “permanently” deleting them from Facebook pages, remote servers and all possible storage facilities, but in reality that is not the case: the deleted posts may simply re-appear on your timeline. Max Schrems, an Austrian privacy activist, first complained to the Irish Data Protection Commissioner about how Facebook handled his data, asserting that the Commissioner should have taken more substantial action on his complaint; that dispute ultimately led the Court of Justice of the European Union to invalidate the Safe Harbour framework in 2015. Schrems also sued Facebook Ireland in the Austrian courts, both on his own behalf and on behalf of other users who had assigned their claims to him. In January 2018, Europe’s highest court ruled largely in favour of the U.S. tech company: Schrems could sue as a consumer in his home court, but he could not pursue the assigned claims of others there, so each individual, having a separate contract with Facebook, would have to file a separate case. Although each individual user has the right to personally sue the company for the alleged misuse of PII, the unequal bargaining power between an individual and a company as powerful as Facebook leaves that individual vulnerable and unable to effectively defend their privacy rights. Shortly after the GDPR came into effect on 25 May 2018, Schrems filed complaints with European data protection authorities against Google and Facebook (including its Instagram and WhatsApp services), alleging that they coerced users into accepting their data collection policies.

Douez v Facebook, Inc., 2017 SCC 33 is a recent Supreme Court of Canada (“SCC”) case that touched on the same issue of unequal bargaining power. Deborah Douez claimed that Facebook violated s. 3(2) of British Columbia’s Privacy Act, RSBC 1996, c 373, after the site used her image without her consent for promotional purposes. However, the legal issue considered by the SCC was not privacy infringement, but rather whether the forum selection clause in the consumer contract of adhesion that Ms Douez “signed” was enforceable. This forum selection clause stated that any claim against Facebook must be pursued only in California, irrespective of the user’s geographic location. In a narrow 4-3 decision, the SCC overturned the British Columbia Court of Appeal’s decision and modified the application of the Pompey test for the enforceability of forum selection clauses. The majority held that courts should consider public policy concerns such as the “gross inequality of bargaining power between the parties and the nature of the rights at stake”. As a result, the British Columbia Supreme Court decision certifying the class action was restored.

The new GDPR rules apply to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of whether the organization is based in Europe. An organization that does not comply with the GDPR may be subject to administrative fines of up to €20 million or 4% of its annual worldwide turnover, whichever is higher.

Ultimately, the GDPR requires companies to act quickly, for example by adopting and integrating new tools and systems that allow individuals to access, delete, update, share, or otherwise control the way their PII is used. Additionally, an organization may want to sit down with legal counsel to decide whether its marketing endeavours and advertising partners are GDPR compliant.

Does the GDPR only protect EU citizens or residents? Not necessarily. Both Recital 2 and Recital 14 state that the protection should apply to natural persons “whatever their nationality or place of residence”. Recital 22 and Article 3 provide that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, “regardless of whether the processing itself takes place within the Union”. For example, if a Canadian citizen residing in Toronto places an online order with an e-commerce merchant established in the EU and the website collects personal information, then the GDPR applies. Less than a month before the new GDPR rules took effect, Facebook changed its terms of service to move users in Asia, Africa, and Latin America under Facebook Inc. in Menlo Park, rather than Facebook Ireland. Although Stephen Deadman, Facebook’s deputy chief global privacy officer, maintained that the change would not reduce the protections those users receive, EU users arguably enjoy greater data protection rights under the GDPR than their non-EU counterparts.


Grace Wang is an IPilogue Editor and a JD candidate at Osgoode Hall Law School.

EU-US Privacy Shield Adopted: Now What? /osgoode/iposgoode/2016/08/04/eu-us-privacy-shield-adopted-now-what/ Thu, 04 Aug 2016 16:34:59 +0000 http://www.iposgoode.ca/?p=29560
The re-posting of this article is part of a cross-posting agreement with CyberLex.

On July 12, 2016, the European Commission formally issued its adequacy decision endorsing the EU-US Privacy Shield, following the approval of the deal by the Article 31 Committee on July 8. Although the European adequacy decision has immediate effect, U.S. organizations will not be able to take advantage of the Privacy Shield until the U.S. Department of Commerce begins accepting self-certifications on August 1.

Self-Certification

The Department of Commerce has issued guidance to companies wishing to self-certify under the Privacy Shield. Only U.S. organizations subject to the jurisdiction of either the Federal Trade Commission or the Department of Transportation will be eligible for self-certification. This will exclude some organizations, such as banks and telecommunications companies, which fall outside the jurisdiction of those agencies.

Eligible organizations that wish to self-certify should carefully review the guidance as well as the seven framework principles and the sixteen supplemental principles (the “Principles”) that they must commit to adhere to. Although participation in the program is voluntary, once made, the commitment to adhere to the Principles will be enforceable under U.S. law.

Many of the Principles will be familiar to U.S. organizations that have previously participated in the former Safe Harbour regime, although they have now been elaborated in more detail, creating new compliance obligations. There are some significant practical differences in the new model, including an obligation for organizations to provide access, at no cost to the individual, to an independent recourse mechanism, stricter limitations on onward transfers to third parties (including service providers)

Organizations should be cautious about any representations that suggest compliance with the Privacy Shield if the organization has not formally self-certified. The FTC has recently issued a number of warning letters to organizations it alleges are claiming compliance with the APEC Cross-Border Privacy Rules system without actually meeting the certification requirements. Moreover, the U.S. government has formally stated in a letter to the European Commission that it intends to actively police false claims of participation in the Privacy Shield program.


Legal Challenges Likely

Legal challenges to the Privacy Shield framework are probably inevitable. For example, Max Schrems, the Austrian whose successful challenge invalidated the previous Safe Harbour regime (see our previous articles), apparently intends to challenge the Privacy Shield as well.

The Article 29 Working Party had expressed some concerns about a previous draft of the Privacy Shield. The deal was then strengthened at the negotiating table to address concerns relating to bulk data collection, the independence of the Privacy Shield Ombudsperson mechanism for reviewing complaints about state access to personal information, and data retention.

Even after these enhancements, it is unclear whether the proposed Ombudsperson mechanism would qualify as a means of “redress”, as the CJEU has described that concept. The terms of reference provide only that the Ombudsperson will “respond” to a complaint in one of two ways: by confirming either that the relevant safeguards provided by U.S. law were complied with or, if that is not the case, that the non-conformance has been remedied. The Privacy Shield Ombudsperson will expressly not be permitted to report on any remedial action taken. Nor will the mechanism involve any possibility of access to, rectification of, or erasure of any personal data in the hands of state actors. As the Commission noted in the adequacy decision, these were explicit requirements set out by the CJEU in the Schrems decision.

In response, the new adequacy decision simply states that “The Commission’s assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism.” [See para. 124.]

It remains to be seen whether the CJEU agrees with this assessment. Until such a decision has been rendered, the Privacy Shield mechanism may offer less stability than most organizations would prefer. Moreover, the mechanism will be subject to annual reviews and the obligations it imposes may be subject to further elaboration over time.


Alternatives to Privacy Shield

U.S. organizations that do not wish to, or are not eligible to, participate in the Privacy Shield self-certification program can instead continue to rely on other transfer mechanisms recognized by European law, including Standard Contractual Clauses (although these are themselves currently the subject of a challenge and an expected reference to the CJEU) or Binding Corporate Rules.


GDPR on the Horizon

All of this must also be assessed in light of the new General Data Protection Regulation (GDPR), which applies across the EU from 25 May 2018. The GDPR imposes significant new obligations on data controllers and processors (including some located outside the EU), including record keeping, data security, and breach notification obligations. Non-European controllers and processors who offer goods and services to individuals in the EU, or who monitor the behaviour of individuals in the EU, may be directly liable for administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

Organizations will have to consider how they will respond to the new GDPR obligations whether or not they self-certify under the Privacy Shield. Furthermore, the GDPR also tightens the rules by which the “adequacy” of foreign laws respecting the protection of personal information must be assessed. This raises the spectre of further challenges to (or evolutions of) the Privacy Shield itself in the future.


Implications for Canadian Organizations

Canada’s private-sector privacy law (PIPEDA) was endorsed as adequate in 2001 in a separate decision of the European Commission. That decision was not directly affected by the Schrems decision and it remains in effect.

However, there has been some commentary suggesting that the Privacy Shield has effectively raised the bar and that Canada’s laws may be subject to new scrutiny. The Canadian adequacy decision is scheduled to be reviewed as part of a larger review, which is not due until 2020, but a review could be triggered at any time by a direct challenge.

To date, there have been no suggestions of any particular changes to Canadian privacy legislation that might be considered to strengthen the case for a renewed adequacy decision.

However, Canadian organizations that store or process personal information about individuals in the EU may wish to consider how their practices would be assessed against the Principles articulated in the Privacy Shield agreement.

In any event, they will have to consider how the GDPR may apply to them and what changes that may require, particularly in light of the significant penalties that can be assessed under the new regulation.

As a result, Canadian organizations that deal with European data will need to pay close attention to the changing global compliance landscape and should expect that they will face new compliance challenges over the next 18-24 months.


© McCarthy Tétrault LLP

is an associate in McCarthy Tétrault’s Business and Technology Law Groups in Toronto.
