Office of the Privacy Commissioner Archives - IPOsgoode
/osgoode/iposgoode/tag/office-of-the-privacy-commissioner/

Privacy Commissioners Reprimand Clearview AI: What’s Next for Facial Recognition?
/osgoode/iposgoode/2021/03/05/privacy-commissioners-reprimand-clearview-ai-whats-next-for-facial-recognition/
Fri, 05 Mar 2021 17:00:00 +0000
“He is seen, but he does not see; he is the object of information, never a subject in communication…Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power” – Michel Foucault (Discipline and Punish, 1975)

In 2019, Clearview AI started licensing facial recognition software to law enforcement agencies in Canada and the United States. At first, the product seemed promising: Clearview AI’s application helped law enforcement officers identify suspects who could not otherwise be identified. However, the Privacy Commissioners for Canada, Quebec, Alberta and British Columbia launched a joint investigation into the company as soon as news reports began to circulate raising questions and concerns about Clearview AI’s facial recognition technology.

The problem with Clearview AI’s application is that it requires a large biometric dataset in order to operate. To obtain biometric information, Clearview AI has scraped the Internet and collected over 3.3 billion images of faces and associated data from publicly accessible online sources, including Facebook, YouTube and Instagram. Clearview AI uses facial recognition software to create a biometric array for each of its images. When a user uploads a photograph, Clearview AI computes its biometric data and retrieves images with matching data from its database. Each image in its database carries metadata and a link to its original source, so users can cross-reference and identify people using images found online.
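The retrieval step just described is easy to picture in code. The following is an added illustration, not Clearview AI’s software: the face embeddings are constructed random vectors standing in for the “biometric array” the article mentions, the gallery of 1,000 entries and the profile URLs are made up, and the similarity threshold is a hypothetical value. What it shows is the part that matters for privacy: a probe photo is reduced to a vector, compared against every stored vector, and each hit carries the link back to the page the image was scraped from, so the identification lives in the metadata, not in the match score.

```python
"""Toy model of a scrape-and-match face index (added example, not Clearview code)."""
import math
import random
from dataclasses import dataclass

DIM = 64                # embedding width; real face models use 128 to 512 dimensions
MATCH_THRESHOLD = 0.9   # hypothetical cosine-similarity cut-off for "same face"


@dataclass(frozen=True)
class IndexedFace:
    face_id: str
    embedding: tuple        # unit-length vector, the "biometric array"
    source_url: str         # link back to the page the image was scraped from


def _normalize(v):
    norm = math.sqrt(sum(x * x for x in v))
    return tuple(x / norm for x in v)


def cosine(a, b):
    """Cosine similarity of two vectors (1.0 = identical direction)."""
    return sum(x * y for x, y in zip(_normalize(a), _normalize(b)))


def random_embedding(rng):
    # stand-in for running a face-embedding network over a scraped image
    return _normalize(tuple(rng.gauss(0.0, 1.0) for _ in range(DIM)))


def second_photo(embedding, rng, sigma=0.03):
    # another photo of the same person lands near, not on, the stored vector
    return _normalize(tuple(x + rng.gauss(0.0, sigma) for x in embedding))


def build_index(n, rng):
    # constructed gallery: n scraped faces, each with a made-up profile URL
    return [IndexedFace(f"face-{i}", random_embedding(rng),
                        f"https://social.example/profile/{i}")
            for i in range(n)]


def search(index, probe, k=3, threshold=MATCH_THRESHOLD):
    """Top-k nearest faces to the probe that clear the threshold."""
    scored = sorted(((cosine(probe, face.embedding), face) for face in index),
                    key=lambda pair: pair[0], reverse=True)
    return [(score, face) for score, face in scored[:k] if score >= threshold]


def demo(seed=1234):
    rng = random.Random(seed)
    index = build_index(1000, rng)
    target = index[42]
    known = search(index, second_photo(target.embedding, rng))   # same person, new photo
    stranger = search(index, random_embedding(rng))              # face never scraped
    return known, stranger


if __name__ == "__main__":
    known, stranger = demo()
    for score, face in known:
        print(f"match {score:.3f}: {face.face_id} -> {face.source_url}")
    print("stranger hits:", len(stranger))
```

Lowering MATCH_THRESHOLD turns strangers into “matches”, raising it causes a second photo of the same person to be missed, and neither setting changes the fact that the gallery itself was assembled without the subjects’ consent, which is what the Commissioners’ findings address.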

Now, almost a year after news first broke about Clearview AI, Canada’s Privacy Commissioners have concluded their investigation into the company. In a report of findings issued on February 2, 2021, the Commissioners collectively condemned Clearview AI for collecting, using and disclosing personal information without the requisite consent. Under the Canadian privacy laws governing private sector entities, Clearview AI’s activities contravene principle 4.3 of Schedule 1 and section 6.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the corresponding provisions of the Quebec, Alberta and British Columbia private sector statutes cited in the report (section 7(1), sections 6-8, and sections 6 and 12-14 of the respective Acts).

Beyond the findings against Clearview AI, many are now calling on the Trudeau government to ban federal law enforcement and intelligence agencies from using facial recognition for surveillance purposes entirely. Last July, individuals and organizations representing privacy, human rights and civil liberty advocates penned an open letter calling on the federal government to “[e]stablish clear and transparent policies and laws regulating the use of facial recognition in Canada, including reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act.”

Law enforcement agencies can now identify suspects within a matter of seconds. With facial recognition, all it takes is a single photograph to obtain a wealth of personal information about an individual. However, everything comes at a cost, and utilizing facial recognition for law enforcement purposes is no exception. If I have learned anything from Michel Foucault, it is that collective security should not come at the expense of individual autonomy. Do you disagree?

Lamont Abramczyk is a JD Candidate at Osgoode Hall Law School. He is the Deputy Director of the Osgoode Art Law Society and an IP Osgoode Innovation Clinic Fellow.

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
/osgoode/iposgoode/2016/07/20/federal-privacy-commissioner-provides-submission-on-new-data-breach-notification-and-reporting-regulations/
Wed, 20 Jul 2016 15:15:11 +0000
The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Office of the Privacy Commissioner of Canada (“OPC“) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA“).

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Canada’s Parliament. Among other important changes, the Digital Privacy Act amended PIPEDA to require mandatory notification of both the OPC and affected individuals, and introduced a record-keeping requirement (with fines for organizations which fail to meet either of these new requirements).

These new data breach requirements in PIPEDA will come into force once the Government passes regulations, and to that end, the Government has circulated a Discussion Paper and solicited comments.

The OPC has provided its submission, and as the body charged with administering and ultimately enforcing the resulting regulations, the OPC’s views are of significance (although they are not determinative of the final form of the regulations).

 

When Organizations Will Need to Report

A challenge organizations face when dealing with a breach affecting personal information is whether to report the breach to the OPC. Reporting is currently voluntary, and this dilemma will not go away when it becomes mandatory; rather, the question will simply become one of how to determine whether the trigger (“real risk of significant harm”) has been met.

The OPC is of the view that the current set of factors enumerated in subsection 10.1(8) of PIPEDA is sufficient and that any further guidance on conducting a risk assessment could be provided by the OPC in due course. [1]

The Discussion Paper had also asked whether encryption should provide a kind of “get out of jail free” card, insofar as encrypted information that is lost or accessed would be presumed to present no or a low “real risk of significant harm”. The OPC was against equating encryption with a diminished risk of significant harm. This raises the question of why the OPC has regarded the use of encryption as an adequate security safeguard to be considered under Principle 4.7.3. The two positions are easier to reconcile than they first appear: encryption is an effective safeguard only while the key stays out of the attacker’s hands, so the risk posed by a lost encrypted laptop whose passphrase was written on the case, or by a database dumped through an application that decrypts records on demand, is not diminished at all. A presumption tied to the bare word “encrypted” would invite organizations to claim it without showing that the key was never exposed.

 

What the Report Should Look Like

The OPC is of the view that any new mandatory breach reports should be in written form (digital or paper) and require the following information:

  • Name of responsible organization;
  • Contact information of an individual who can answer questions on behalf of the organization;
  • Description of the known circumstances of the breach, including:
    • Estimated number of individuals affected by the breach;
    • Description of the personal information involved in the breach;
    • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
    • A list of other organizations involved in the breach, including affiliates or third party processors;
  • An assessment of the risk of harm to individuals resulting from the breach;
  • A description of any steps planned or already taken to notify affected individuals, including:
    • date of notification or timing of planned notification;
    • whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
    • a copy of the notification text or script;
  • A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
  • A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals;
  • A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

The information is not substantially different than that already required by Alberta, which already has a mandatory breach reporting regime, although the OPC’s proposed approach would require more detail. [2] Also, the proposal that organizations provide a “description of the organization’s relevant safeguards” is not found in the Alberta requirements and may give rise to privilege and litigation risk issues. As well, organizations are likely to balk at disclosing this information because it potentially telegraphs an organization’s security strategy and vulnerabilities to bad actors. This is particularly true since this information is at risk of public disclosure via the Access to Information regime.

The OPC believes organizations should have an ongoing obligation to provide updates “as soon as feasible”, a requirement also not found in the Alberta requirements.

 

What Notification to Individuals and Third Parties Should Look Like

The OPC essentially adopts its own existing guidance on responding to privacy breaches and proposes that the regulations require the following elements be included in notifications to affected persons:

  • Description of the circumstances of the breach incident;
  • Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
  • Description of the personal information involved in the breach;
  • Description of the steps taken by the organization to control or reduce the harm;
  • Steps the individual can take to reduce the harm or further mitigate the risk of harm;
  • Contact information of an individual who can answer questions about the breach on behalf of the organization;
  • Information about right of recourse and complaint process under PIPEDA.

The OPC is of the view that direct notification should be required (i.e. direct communication with each affected individual) and that indirect notification (e.g. via newspaper ads, websites, etc.) should be allowed only with permission and only in certain circumstances. Organizations will be pleased to know that the OPC accepts that “prohibitive costs to the organization and [unreasonable interference] with its operations” are one of the circumstances in which the OPC would accept indirect notification. However, the OPC suggests that organizations must first “[demonstrate] that they may validly use indirect notifications”. It is unclear whether, to be “valid”, an organization will have to demonstrate, for instance, prohibitive costs or other criteria, or whether “validity” will be evaluated on the basis of the likelihood of the message effectively reaching the target demographic.

On this latter point, the OPC is of the view that indirect notification would need to be directed to the appropriate geographic market, be relevant to the product or service and the type of customer interaction, run for an appropriate length of time and in plain English, and, where appropriate, allow organizations to use third parties to conduct such notification.

With respect to the notification of third parties (potentially vendors, industry organizations, other organizations in that sector), the OPC has sensibly supported a permissive approach to notifying third parties, instead of a mandatory one.

 

What an Organization’s Record-Keeping Obligations Would Be

The OPC appears to regard the new record-keeping requirements (which require organizations to keep a record of all breaches of security safeguards) as a mechanism for general oversight.

The OPC is of the view that such records should include “sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions.” More significantly, “[t]he content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.”

Relying on this, the OPC believes the following data elements should be included in records of breaches:

  • Date or estimated date of the breach;
  • General description of the circumstances of the breach;
  • Nature of information involved in the breach;
  • Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

These are not particularly onerous, except that including a rationale as to whether to report or not to report such a breach introduces fertile ground for plaintiffs’ lawyers to explore as they make a case for negligence or breach of privacy.  Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000 per violation.

As a consequence of this, organizations will be torn between sufficiently documenting such breaches in order to demonstrate that they evaluated reporting the breach to the OPC and affected individuals (thereby avoiding “knowingly” failing to report) and not including so much information that it could be subsequently used against them.

The OPC would like to see all such incidents documented and recorded on an individual, non-aggregated basis. For organizations such as financial institutions or large retailers which face upwards of  200 threat incidents a week, this could be onerous.

With respect to retention the OPC suggests that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed.

 

An Organization’s Obligations to Non-Canadians

The OPC notes that organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada (for instance, residents of the U.S.). As such, the OPC is of the view that the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. At a minimum, the OPC suggests that the regulations should require organizations to consider the breach notification laws of those jurisdictions, as well as any local notification requirements.

 

Future OPC Guidance

The OPC clearly sees itself as playing an instrumental role in the future privacy landscape, and has indicated that once the Government passes final regulations it is prepared to develop guidelines that will complement the content of the regulations and provide additional compliance assistance for organizations.

 

© McCarthy Tétrault LLP

The author is Counsel in McCarthy Tétrault’s National Technology Group.

 


 

[1] Subsection 10.1(8) reads “The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factor.”

[2] Section 19 of the Personal Information Protection Act Regulation, Alta Reg 366/2003

SCC to Consider Provincial Privacy Commissioner Powers to Compel Production of Privileged Documents
/osgoode/iposgoode/2015/12/01/scc-to-consider-provincial-privacy-commissioner-powers-to-compel-production-of-privileged-documents/
Tue, 01 Dec 2015 17:12:01 +0000
The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Supreme Court of Canada is revisiting the issue of whether a privacy commissioner can force disclosure of documents where solicitor-client privilege is asserted.

In 2008, the Supreme Court considered a privacy commissioner’s powers under Canada’s federal private sector legislation and concluded (in Canada (Privacy Commissioner) v. Blood Tribe Department of Health) that the federal privacy commissioner could not compel the production of documents over which privilege is asserted. This time around, the court is examining the privacy commissioner’s powers under provincial privacy legislation, which has language that differs from that found in the federal privacy legislation.

On Oct. 29, 2015, Canada’s top court granted leave to appeal from the Alberta Court of Appeal’s decision in University of Calgary v JR. In that decision, the Alberta Court of Appeal reversed the lower court’s order that documents be produced to the Privacy Commissioner by the university, notwithstanding that the university asserted privilege over them. That decision was detailed in McCarthy Tétrault’s Canadian Appeals Monitor.

 

Background

JR had sued the University for wrongful dismissal and other causes of action. In the course of the litigation, JR made an access to information request under section 7 of the province’s Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25 (“FOIPPA”). The University disclosed some, but not all, of the records, withholding records it asserted were subject to solicitor-client privilege. Following unsuccessful mediation, the Alberta Privacy Commissioner commenced a formal inquiry, through an appointed delegate, into whether the University was exempt from producing the outstanding documents. The Commissioner’s delegate ordered production of certain records so the Commissioner could determine the propriety of the University’s claim that those records were subject to solicitor-client privilege. The delegate’s decision was then judicially reviewed.

Central to the consideration at both levels of court was the statutory interpretation of section 56(3) of FOIPPA, which states:

Despite any other enactment or any privilege of the law of evidence, a public body must produce to the Commissioner within 10 days any record or a copy of any record required under subsection … (2).

The Alberta Court of Queen’s Bench found that the plain meaning of the provision gave the Commissioner the power to compel the records. However, the Court of Appeal applied the Supreme Court’s reasoning in Blood Tribe to determine the Commissioner or her delegate cannot order a public body to produce records over which it has asserted solicitor-client privilege. The Supreme Court will now consider the issue.

 

© McCarthy Tétrault LLP

Julia Johnson is an articling student in McCarthy Tétrault’s Toronto office.

The Office of the Privacy Commissioner Calls for Changes to PIPEDA
/osgoode/iposgoode/2013/06/11/the-office-of-the-privacy-commissioner-calls-for-changes-to-pipeda/
Tue, 11 Jun 2013 14:07:23 +0000
On May 23rd, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) released a report entitled “The Case for Reforming the Personal Information Protection and Electronic Documents Act” (the “Report”). The Report proposes a number of changes to the Act by identifying four main “pressure points”.

The Commissioner’s thesis is that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is currently outdated and ineffective due to the rapid changes in technology. Information technology now allows organizations to collect, store, and use Canadians’ personal information in order to create new products and services. This poses several challenges with respect to the security of data, but also with respect to the way this data is handled by those organizations. Risks of theft and hacking are increasing and putting Canadians at risk.

The Report calls for the following four key changes to PIPEDA:

1.     Enhancing the enforcement powers of the Commissioner

Under the current version of the Act, the Commissioner’s powers are limited to those of an administrative investigator. The Commissioner has the power to initiate investigation of breaches of PIPEDA and to name and shame organizations who contravene the Act. No direct enforcement powers exist in order to enable the Commissioner to incentivize protection of personal data. The Report makes it clear that under the existing powers accorded to the Commissioner, its position becomes more and more deficient in protecting Canadians’ personal information in the digital era. The Commissioner makes three suggestions in that respect:

  • Introduce statutory damages which will be administered by the Federal Court when certain PIPEDA provisions are being breached.
  • Give the Commissioner order-making powers. The Commissioner would be able to order organizations that contravened certain PIPEDA provisions to comply with the Act. In the event of an organization’s failure to obey the order, the Commissioner could have it enforced by the Federal Court as its own order under the court's contempt powers.
  • Give the Commissioner the power to impose Administrative Monetary Penalties (“AMPs”). The purpose of the AMPs would be to encourage compliance with PIPEDA and would not have a punitive character.

2.     Obligation to report breaches and notify affected individuals

The Commissioner argues that under PIPEDA, organizations are not obliged to report any breaches, leaving potentially affected individuals exposed. Further, the Commissioner reports that the current law permits inequality among organizations: some report breaches voluntarily and as a result incur damage to their reputation, while others may purposely fail to report in an effort to avoid such reputational harm. The Report calls for a mandatory reporting and notification system that would require organizations to report any breaches to the Commissioner and notify the affected individuals.

3.     Obligation to report unlawful disclosure to authorities

Section 7(3)(c.1) of PIPEDA currently allows organizations to disclose personal information to governmental authorities and institutions for the purpose of enforcing any law of Canada. The Commissioner argues that the present system lacks transparency since there is no available data regarding how often this provision is used to access information and what kind of personal information is being provided to governmental authorities. Therefore, the Commissioner recommends that a more transparent regime be established. The Report suggests that organizations be required to publicly report, on a quarterly basis, the frequency of disclosures made to government institutions without the knowledge or consent of the individuals affected and without judicial warrants.

4.     Demonstrating accountability; Incorporation of “enforceable agreements”; and Broadening the scope of Federal Court review

The Report argues there is a lack of resources with respect to monitoring the compliance of organizations. The Commissioner recommends the modification of the accountability principle so that a requirement to demonstrate accountability be put in place. Organizations should be able to show that they have a modern and functioning privacy program. Further, the Report argues for the introduction of the concept of “enforceable agreements”. Under this system, an organization that has been put under investigation would have to agree, at the end of the investigation, to comply with the Commissioner’s recommendations and to demonstrate such compliance within a specific period of time. An organization’s failure to do so would result in action taken by the OPC. Lastly, the Commissioner calls for the expansion of the scope of the provisions under section 14 that the Federal Court can review.

Comments and Analysis

The world is becoming all-the-more interconnected through the use of social media, and as a result, we are developing into a virtual society in which the sharing of personal information is the norm and not the exception. At the same time, people demand more transparency and accountability with respect to the handling of their personal data by private and public organizations. The way this data is used has so far been, intentionally or not, vague with respect to privacy, and the majority of public and private organizations’ attempts to rectify the problem have been superficial.

The government’s own bill to amend PIPEDA sits stagnant in Parliament for the time being. Under this Bill, businesses need to inform affected individuals and report to the Commissioner only when a breach is considered material, a determination left largely to them. Furthermore, the Commissioner would have only the power to investigate complaints. Evidently, Ottawa is reluctant to move any privacy reform forward.

The Commissioner’s report is a significant start for serious reform because it openly addresses major problems in Canada’s data protection legislation.  The recommendations found in the report are not novelties. They exist and have been implemented in other legislative texts in some Canadian provinces and abroad. Expanding the powers of the Commissioner and requiring businesses and organizations to report security breaches would promote the aims of PIPEDA and make it an effective legislative tool in the advancement of privacy protection in the era of “Big Data”. It remains to be seen whether Parliament will take any further action to translate the Commissioner's recommendations into law.

Georgios Andriotis is an IPilogue Editor and a law student at Université de Montréal.
