OPC Archives - IPOsgoode /osgoode/iposgoode/tag/opc/ An Authoritative Leader in IP Thu, 27 Oct 2022 16:00:39 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4
Office Of The Privacy Commissioner Of Canada Publishes Results Of Investigation Into Marriott Data Breach Of 2018 /osgoode/iposgoode/2022/10/27/office-of-the-privacy-commissioner-of-canada-publishes-results-of-investigation-into-marriott-data-breach-of-2018/ Thu, 27 Oct 2022 16:00:39 +0000 https://www.iposgoode.ca/?p=40152 The post Office Of The Privacy Commissioner Of Canada Publishes Results Of Investigation Into Marriott Data Breach Of 2018 appeared first on IPOsgoode.


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on October 19, 2022.


On September 29, 2022, the Office of the Privacy Commissioner of Canada (the OPC) published the results of its investigation into the 2018 data breach involving Marriott International, Inc. (Marriott), finding many of the hotel giant’s privacy controls inadequate and recommending remedial steps to prevent future breaches.

Marriott announced that it experienced a data breach involving the unauthorized access of a Starwood Hotels (Starwood) database on November 30, 2018, as previously reported by the E-TIPS® Newsletter. Starwood is a separate hospitality company that was acquired by Marriott in 2016, with the unauthorized access reportedly starting before the acquisition (i.e., spanning from 2014 to 2018). The threat actor reportedly obtained access to personal information contained in up to 12.8 million records where the country-of-residence information was listed as Canada. These records included information on guest profiles and contact details, guest reservations, passport details, and encrypted payment card information.

The incident prompted the OPC to launch an investigation into Marriott’s primary operating company for Canadian hotels, Luxury Hotels International of Canada, ULC. During the investigation, the OPC considered the following key issues:

  1. Safeguards. The OPC reviewed whether proper information security safeguards were in place to protect personal information. Its investigation found several deficiencies in Marriott’s controls, including with respect to access controls, anti-virus software, logging and monitoring, and information storage. The OPC found that these deficiencies represented a failure to implement proper protection measures and contravened Principle 4.7 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  2. Accountability. Following the acquisition of Starwood, Marriott was accountable for implementing policies to properly protect personal information. The OPC found that despite undergoing a post-acquisition assessment of Starwood’s systems and making certain improvements, Marriott failed to adequately perform ongoing security assessments, in contravention of Principle 4.1.4 of PIPEDA.
  3. Information Retention. The OPC determined whether the compromised information was held for an appropriate period of time and found that certain personal information was retained for longer than necessary, in violation of Principle 4.5 of PIPEDA.
  4. Notification and Mitigation. Given that the OPC considered the compromised information to present an ongoing risk of harm for those affected, it reviewed whether appropriate notification and mitigation measures were used in response to the breach. Marriott conducted both direct notification for those individuals for whom it had a valid email address and indirect notification for the remaining individuals (e.g. issuing press releases and providing breach information on a dedicated website). Additionally, Marriott implemented various mitigation measures, such as offering one year of free web monitoring to affected individuals, establishing a dedicated call centre, implementing a process for individuals to verify whether a passport number was involved in the breach, and notifying credit card networks of the incident. Although the OPC would have preferred the web monitoring protection to run for a longer period, it ultimately found the above notification and mitigation measures to be adequate.

In concluding its report, the OPC acknowledged the remedial steps carried out by Marriott, such as the decommissioning of the Starwood database in December 2018. It also recommended implementing further action to ensure compliance, including having Marriott (i) retain an independent assessor to review any enhancements it has made to its systems; and (ii) review its organizational and governance measures as it relates to selected privacy practices. With both recommendations, the OPC requested that Marriott submit reports detailing their findings and proposed timelines for addressing any action items arising from the reviews.

International Data Protection And Privacy Regulators Release Guidance On Credential Stuffing Attacks /osgoode/iposgoode/2022/08/08/international-data-protection-and-privacy-regulators-release-guidance-on-credential-stuffing-attacks/ Mon, 08 Aug 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39875 The post International Data Protection And Privacy Regulators Release Guidance On Credential Stuffing Attacks appeared first on IPOsgoode.


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on July 13, 2022.


On June 27, 2022, the Office of the Privacy Commissioner of Canada, along with fellow members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG), released guidance documents to help individuals and organizations protect against credential stuffing attacks.

Credential stuffing attacks exploit the tendency of users to reuse their usernames and passwords across multiple platforms. Threat actors take username and password pairs leaked in past data breaches and try them against other online accounts belonging to the same users. These attacks may result in financial or reputational harm for individuals, and in breaches for organizations despite a robust cyber security infrastructure. In its guidance, the IEWG states that hundreds of millions of credential stuffing attacks occur each day and that credential stuffing has become a global threat to personal data.

To assist individuals in defending against credential stuffing attacks, the IEWG advises, among other things, that users should:

  • not reuse their passwords across multiple accounts;
  • consider implementing multi-factor authentication (MFA) where possible;
  • immediately change the passwords for any compromised accounts and for any other accounts protected by the same or similar passwords; and
  • routinely check account information for unusual activity or unauthorized transactions.

For organizations, the IEWG discusses (i) implementing password systems and policies that fortify the creation and management process for account passwords; (ii) making MFA an essential security measure in one’s organization; and (iii) using alternatives to traditional account setups, such as guest accounts, single sign-on systems, and secondary passwords.

Although these guidelines may not represent legal obligations across all IEWG member jurisdictions, the IEWG intends to raise awareness of the threat of credential stuffing and assist the general public, along with private organizations, in fortifying their personal information practices.

Office Of The Privacy Commissioner Of Canada Releases Observations Following Global Initiative On Privacy Expectations For Video Teleconferencing Companies /osgoode/iposgoode/2021/11/12/office-of-the-privacy-commissioner-of-canada-releases-observations-following-global-initiative-on-privacy-expectations-for-video-teleconferencing-companies/ Fri, 12 Nov 2021 17:00:28 +0000 https://www.iposgoode.ca/?p=38626 The post Office Of The Privacy Commissioner Of Canada Releases Observations Following Global Initiative On Privacy Expectations For Video Teleconferencing Companies appeared first on IPOsgoode.

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on November 10, 2021.

On October 27, 2021, the Office of the Privacy Commissioner of Canada (the OPC) released its observations following a series of international engagements between data protection and privacy authorities around the world and four of the biggest video teleconferencing (VTC) companies: Microsoft, Cisco, Zoom, and Google (the Organizations).

Earlier this year, the OPC, along with privacy authorities from Australia, Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom (the Joint Signatories), sent an open letter to several VTC companies commenting on the rapid recent expansion of VTC services and highlighting their concerns about whether the companies were implementing appropriate privacy safeguards in their platforms. The Organizations responded to the Joint Signatories’ open letter and described how they account for privacy principles in the design and development of their VTC services. This initial response led to a series of video calls between the Joint Signatories and the Organizations to discuss how the Organizations implement, monitor, and validate their privacy and security measures.

In its observations, the OPC discusses key areas that the Joint Signatories recognized as examples of good practice and recommended for adoption by the broader VTC industry. These areas include:

  1. security, such as implementing a regular security testing schedule and ensuring employees and third-party sub-processors comply with privacy obligations;
  2. privacy-by-design by adopting an overarching privacy program and placing all VTC settings at the most privacy protective by default;
  3. audience-specific resources, including providing enhanced VTC safeguard features for parties that share sensitive information and custom-guidance documents to assist different groups to choose the VTC settings that suit them;
  4. transparency through the use of layered notices and informing users of any sharing of their information with third parties; and
  5. end-user control to enable VTC customers to decide what information they share when accessing VTC services and provide alerts when there is a danger that meeting information may become publicly available.

In addition to recognizing good practices, the Joint Signatories also identified the following areas for improvement:

  1. making end-to-end encryption available to users;
  2. clearly identifying any secondary use of users’ data and providing an option for users to opt-in to such processing; and
  3. informing users of, and if possible providing them with the option to choose, the location where their data is stored and the jurisdictions through which the VTC company may route their personal information.

Based on the success of the Joint Signatories’ discussions with the Organizations, the Joint Signatories expressed that the engagement process used in this instance may prove valuable in future circumstances where dialogue would assist in clarifying regulatory obligations, identifying good practices, and increasing public trust in emerging technologies.

Privacy Commissioner Of Canada Closes File On Privacy Complaint Against Federal Political Parties /osgoode/iposgoode/2021/06/01/privacy-commissioner-of-canada-closes-file-on-privacy-complaint-against-federal-political-parties/ Tue, 01 Jun 2021 13:00:00 +0000 https://www.iposgoode.ca/?p=37476 The post Privacy Commissioner Of Canada Closes File On Privacy Complaint Against Federal Political Parties appeared first on IPOsgoode.

This article was previously posted on

Imtiaz Karamat is an Osgoode Alumnus and a Student-at-Law at Deeth Williams Wall.

On May 13, 2021, the Office of the Privacy Commissioner of Canada (the OPC) announced that it has closed its file on a complaint against the Liberal, Conservative, and New Democratic Parties (the Parties), noting that the activities in the complaint are not subject to the privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).

The complainant argued that the Parties are subject to PIPEDA because they engage in commercial activities to sell or promote their brand to voters and to sell or promote goods, services, and business interests. To support its claim, the complainant cited examples of political advertisements that feature the Parties convincing Canadians to purchase party-branded memorabilia, make donations, elect party candidates to political office, and support selected policies. The complainant claimed that the Parties, under PIPEDA, are obligated to inform Canadians of how they collect, use, or disclose their personal information to conduct political advertising, including “micro-targeted” advertisements that are based on detailed profiles of individuals. The complainant alleged that the Parties are in violation of this obligation and requested that the OPC investigate and issue appropriate recommendations.

Although the OPC agreed that PIPEDA could apply to the Parties to the extent that they engage in commercial activities, it was not convinced that the Parties’ general activities were commercial in nature. The OPC stated that the primary purpose of the Parties’ political advertising is to solicit donations, encourage votes for select candidates, or garner support for certain political platforms. The OPC determined that there is no element of exchange in these activities, as nothing is sold, bartered or leased, and contributors do not reasonably expect anything in return for their donations. Furthermore, the OPC said that even though the specific examples cited by the complainant do involve an element of exchange, they do not qualify as commercial in nature because they involve the raising of funds for the Parties’ political activities.

The OPC was further influenced by Parliament’s recent refusals to subject the Parties to PIPEDA. In 2018, during the examination of Bill C-76, Elections Modernization Act, Parliament refused to act on the OPC’s submission to extend PIPEDA to federal parties. In closing the file, the Commissioner stated that: “Although I strongly believe that privacy laws should govern political parties to better protect both privacy and democratic rights, I must apply the law as it is today.”

From Government Surveillance to Federal Data Breaches: Privacy Commissioner Tables Annual Report /osgoode/iposgoode/2015/12/21/from-government-surveillance-to-federal-data-breaches-privacy-commissioner-tables-annual-report/ Mon, 21 Dec 2015 15:29:36 +0000 http://www.iposgoode.ca/?p=28473 The re-posting of this article is part of a cross-posting agreement with CyberLex. On December 10, 2015, the Annual Report of the Office of the Privacy Commissioner (“OPC”) on the Privacy Act for 2014-2015 was tabled in Parliament. The Annual Report provides details on privacy trends and investigations involving Canadian federal departments for the past […]

The re-posting of this article is part of a cross-posting agreement with CyberLex.

On December 10, 2015, the Annual Report of the Office of the Privacy Commissioner (“OPC”) on the Privacy Act for 2014-2015 was tabled in Parliament. The Annual Report provides details on privacy trends and investigations involving Canadian federal departments for the past year.

Strategic Privacy Priorities Identified

In his opening message, Privacy Commissioner Daniel Therrien introduced an effort by the OPC to identify key privacy issues that are most significantly affecting Canadians. The effort has identified four strategic privacy priorities that will guide the OPC for the next five years:

  1. The economics of personal information: The commoditization of personal information and new business models developed around the use of Big Data and the exponential growth of Internet-connected/mobile devices have caused stakeholders to question whether it is realistic to obtain quality consent to the use of personal information, the foundation of Canadian privacy laws. The OPC’s goal is to enhance privacy protection and trust, so individuals may confidently participate in an innovative digital economy.
  2. The body as information: The federal government is expanding its use of genetic material for policing, border control and other uses. The OPC will be engaged on initiatives in which federal institutions seek to make use of such data to ensure the privacy implications raised by such uniquely personal and highly sensitive information are respected.
  3. Reputation and privacy: The federal government has demonstrated a desire to use publicly available information, including information found on social media sites, in the context of security screening. The OPC’s objective is to ensure that people can use the Internet without fear that their digital footprint will lead to unfair treatment.
  4. Government surveillance: Bill C-51, Anti-Terrorism Act, 2015, Bill C-13, Protecting Canadians from Online Crime Act and Bill C-44, Protection of Canada from Terrorists Act, are described as giving federal institutions unprecedented ability to disclose Canadians’ personal information without individual knowledge and consent. The OPC intends to use its review and investigative powers to examine the collection, use and sharing practices of departments and agencies involved in surveillance activities to ensure that they comply with the Privacy Act.

A separate report on the feedback received from stakeholders, as well as how the OPC intends to address the four priorities, is available.

Risks Posed by Portable Storage Devices Highlighted

Of interest to those concerned with information security, the Annual Report includes a report on an audit conducted by the OPC of the use of portable storage devices (“PSDs”) by federal institutions. PSDs are electronic devices intended to hold digital data, such as smart phones, laptops, portable hard drives and flash memory sticks. Of the entities selected for review:

  • approximately 70 percent have not formally assessed the risk surrounding the use of all types of PSDs;
  • over 90 percent do not inventory and track all PSDs throughout their lifecycle;
  • over 85 percent do not retain records verifying the secure destruction of data retained on surplus or defective PSDs; and
  • approximately 55 percent have not assessed the risk to personal information resulting from the absence of controls to prevent the use of unauthorized PSDs.

The audit found that although policies, processes and controls are in place, there are significant opportunities for improvement, and noted that federal entities that allow the use of PSDs without proper controls run the risk of:

  • losing or exposing confidential data or personal information, resulting in harm to the government and individuals;
  • eroding public confidence and exposing themselves to significant reputational risks; and
  • incurring substantial costs for data losses and recovery efforts.

These risks are equally applicable to business, highlighting the importance of robust information security policies that include an assessment of risks and the implementation of controls relating to the use of all types of PSDs. The details of the audit are found at pages 25 to 40 of the report.

In 2014-2015 there were 256 data breaches reported under the new mandatory reporting scheme, which came into force in May 2014. This represents an increase from 228 the year before, which itself was double the number reported the year before that.

Many Data Breaches are Preventable

The report includes a summary of data breach incidents, which demonstrate that in many cases the breaches were preventable: Canada Revenue Agency (accidental disclosure of taxpayer information, the Heartbleed vulnerability, unauthorized access to taxpayer files), Health Canada (unintended disclosure through mailing labels), Public Prosecution Service of Canada (unintended disclosure through envelope windows), Citizenship and Immigration Canada (cross-border data breach) and National Research Council of Canada (network intrusion).

The OPC reports that the number of investigations it completed in the last year increased from 1,214 to 1,234, while the number of complaints rose by 123 percent. It is noteworthy that 3,154 of the nearly 4,000 complaints came from a small number of people.

© McCarthy Tétrault LLP


is an associate in the Litigation Group at McCarthy Tétrault’s Vancouver office.

Targeted Advertising Puts Bell in Sights of the Privacy Commissioner /osgoode/iposgoode/2013/11/13/targeted-advertising-puts-bell-in-sights-of-the-privacy-commissioner/ Wed, 13 Nov 2013 16:36:51 +0000 http://www.iposgoode.ca/?p=23436 Motivated to compete with Facebook and Google, Bell recently announced that starting November 16 it will be collecting massive amounts of customer data to deliver targeted advertising. The Office of the Privacy Commissioner of Canada (OPC) stated that it will be investigating the matter. Canada’s telecom giant is adamant that it will comply with the […]


Motivated to compete with Facebook and Google, Bell recently announced that starting November 16 it will be collecting massive amounts of customer data to deliver targeted advertising. The Office of the Privacy Commissioner of Canada (OPC) stated that it will be investigating the matter. Canada’s telecom giant is adamant that it will comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), but the extent of its practice raises questions about how PIPEDA’s key concepts should be interpreted and applied.

The extensiveness, rather than the purpose, of Bell’s planned data collection seems to have generated the most controversy. The amount and type of user data that will be collected are ambitious: Internet history, search terms, location, mobile device type, calling patterns, and television viewing habits. To Bell’s credit, the company has been proactive in informing its customers of the upcoming changes and offers an opportunity to opt out.

At least one academic commentator has raised concerns about the legality of Bell’s program, focusing specifically on the sensitivity of the information collected. Given how the concept of “sensitive information” has been interpreted under PIPEDA and how Bell treats location data under its own Privacy Policy for location-based services, the reliance on opt-out consent is indeed surprising. PIPEDA provides that the form of consent must be commensurate with the sensitivity of personal information. Where the information is considered to be sensitive, express consent (i.e. opt-in rather than opt-out) is required. PIPEDA identifies medical and income records as examples of sensitive information, but otherwise leaves the category open. The OPC has also held that other categories of information should be considered sensitive. Further, PIPEDA recognizes that “any information can be sensitive, depending on the context”.

In light of these facts and the amount and type of data Bell intends to collect, it is difficult to mount a persuasive argument that the information proposed to be collected is not sensitive. In fact, there is reason to believe that Bell itself considers location data to be sensitive enough to warrant express consent. Under Bell’s own Privacy Policy covering location-based services, use or disclosure of a wireless phone’s location requires express consent. Whether Bell can reconcile the interpretation of “sensitive information” under PIPEDA and its own position on location data to justify the upcoming changes remains to be seen.

Besides consent requirements, PIPEDA imposes a necessity requirement: organizations should only collect personal information necessary for the stated purposes (emphasis added). Critically, this requirement governs both the amount and the type of information collected, used, or disclosed. A brief survey of PIPEDA complaint investigations reveals that the concept of ‘necessity’ is given its plain meaning. For example, if the purpose is to contact a customer, then only their contact details are necessary and companies should not solicit additional information. While the concept is clear in this simple example, it is severely strained when information is used for purposes that are not well-defined. For instance, for data collected to facilitate targeted advertising, it is exceedingly difficult to determine the scope of what is necessary for that purpose. Presumably, more data allow more precise targeting, which translates into higher advertising revenue. In at least one case, the OPC has attempted to balance the purpose of collection against the scope of information collected, but it is uncertain how this approach could be applied to targeted advertising. In that case, the OPC held that a full date of birth is not necessary for demographics research and recommended that the company collect only the month and year. The OPC reasoned that marginal gains in accuracy afforded by using the full date did not justify the impact on privacy. It is difficult to predict whether the OPC will attempt to draw a line between financial rewards and privacy, but its investigation should clarify how the concept of ‘necessity’ should be applied.

In today’s world, businesses like Bell possess a natural data advantage through the services they provide. Since the OPC lacks strong enforcement powers, damage to brand reputation can pose the greatest risk for data gatherers. However, companies with little competition in the marketplace may be little deterred. Given Bell’s position in the Canadian telecommunications industry, we may therefore expect the OPC investigation to be conducted with an increased level of scrutiny.


Anatoly Zhitnik is a JD Candidate at Osgoode Hall Law School and is enrolled in Osgoode’s Intellectual Property Law Intensive Program. As part of the program requirements, students were asked to write a blog on a topic of their choice.

The Office of the Privacy Commissioner Calls for Changes to PIPEDA /osgoode/iposgoode/2013/06/11/the-office-of-the-privacy-commissioner-calls-for-changes-to-pipeda/ Tue, 11 Jun 2013 14:07:23 +0000 http://www.iposgoode.ca/?p=21294 On May 23rd, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) released a report entitled “ The Case for Reforming the Personal Information Protection and Electronic Documents Act” (the “Report”). The Report proposes a number of changes to the Act by identifying four main “pressure points”. The Commissioner’s thesis is that the Personal […]

On May 23rd, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) released a report entitled “The Case for Reforming the Personal Information Protection and Electronic Documents Act” (the “Report”). The Report proposes a number of changes to the Act by identifying four main “pressure points”.

The Commissioner’s thesis is that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is currently outdated and ineffective due to the rapid changes in technology. Information technology currently allows organizations to collect, store, and use Canadians’ personal information in order to create new products and services. This poses several challenges with respect to the security of data, but also with respect to the way this data is handled by those organizations. Risks of theft and hacking are increasing and putting Canadians in danger.

The Report calls for the following four key changes to PIPEDA:

1. Enhancing the enforcement powers of the Commissioner

Under the current version of the Act, the Commissioner’s powers are limited to those of an administrative investigator. The Commissioner has the power to initiate investigations of breaches of PIPEDA and to name and shame organizations that contravene the Act. No direct enforcement powers exist to enable the Commissioner to incentivize protection of personal data. The Report makes it clear that, under the existing powers accorded to the Commissioner, its position becomes more and more deficient in protecting Canadians’ personal information in the digital era. The Commissioner makes three suggestions in that respect:

  • Introduce statutory damages which will be administered by the Federal Court when certain PIPEDA provisions are being breached.
  • Give the Commissioner order-making powers. The Commissioner would be able to order organizations that contravened certain PIPEDA provisions to comply with the Act. In the event of an organization’s failure to obey the order, the Commissioner could have it enforced by the Federal Court as its own order under the court's contempt powers.
  • Give the Commissioner the power to impose Administrative Monetary Penalties (“AMPs”). The purpose of the AMPs would be to encourage compliance with PIPEDA and would not have a punitive character.

2. Obligation to report breaches and notify affected individuals

The Commissioner argues that under PIPEDA, organizations are not obliged to report any breaches, further endangering potentially affected individuals. Further, the Commissioner reports that the current law permits inequality among organizations: some organizations report breaches voluntarily and as a result incur damage to their reputation, while others may purposely fail to report in an effort to avoid such consequences. The Report calls for a mandatory reporting and notification system that would require organizations to report any breaches to the Commissioner and notify the affected individuals.

3. Obligation to report unlawful disclosure to authorities

Section 7(3) (c.1) of PIPEDA currently allows organizations to disclose personal information to governmental authorities and institutions for the purpose of enforcing any law of Canada. The Commissioner argues that the present system lacks transparency since there is no available data regarding how often this provision is used to access information and what kind of personal information is being provided to governmental authorities. Therefore, the Commissioner recommends that a more transparent regime be established. It suggests that organizations be required to publicly report, on a quarterly basis, the frequency of disclosures being made to government institutions without the knowledge or consent of the individuals affected and without judicial warrants.

4. Demonstrating accountability; Incorporation of “enforceable agreements”; and Broadening the scope of Federal Court review

The Report argues there is a lack of resources with respect to monitoring the compliance of organizations. The Commissioner recommends the modification of the accountability principle so that a requirement to demonstrate accountability be put in place. Organizations should be able to show that they have a modern and functioning privacy program. Further, the Report argues for the introduction of the concept of “enforceable agreements”. Under this system, an organization that has been put under investigation would have to agree, at the end of the investigation, to comply with the Commissioner’s recommendations and to demonstrate such compliance within a specific period of time. An organization’s failure to do so would result in action taken by the OPC. Lastly, the Commissioner calls for the expansion of the scope of the provisions under section 14 that the Federal Court can review.

Comments and Analysis

The world is becoming all the more interconnected through the use of social media, and as a result, we are developing into a virtual society in which the sharing of personal information is the norm and not the exception. At the same time, people demand more transparency and accountability with respect to the handling of their personal data by private and public organizations. The way this data is used has so far been, intentionally or not, vague with respect to privacy, and the majority of public and private organizations’ attempts to rectify the problem have been superficial.

, the government’s own bill to amend PIPEDA, sits stagnant in Parliament for the time being. Under this Bill, businesses can decide whether or not to inform affected individuals, and must report to the Commissioner only when a breach is considered material. Furthermore, the Commissioner only has the power to investigate complaints. Evidently, Ottawa is reluctant to move any privacy reform forward.

The Commissioner’s report is a significant start for serious reform because it openly addresses major problems in Canada’s data protection legislation. The recommendations found in the report are not novelties: they exist and have been implemented in other legislative texts in some Canadian provinces and abroad. Expanding the powers of the Commissioner and requiring businesses and organizations to report security breaches would promote the aims of PIPEDA and make it an effective legislative tool in the advancement of privacy protection in the era of “Big Data”. It remains to be seen whether Parliament will take any further action to translate the Commissioner’s recommendations into law.

Georgios Andriotis is an IPilogue Editor and a law student at Université de Montréal.

Oversharing on a Public Stage: The Privacy Commissioner of Canada's Annual Report /osgoode/iposgoode/2009/10/15/oversharing-on-a-public-stage-the-privacy-commissioner-of-canadas-annual-report/ Thu, 15 Oct 2009 10:47:00 +0000
Peter Waldkirch is a second year LL.B. student at the University of Ottawa.

The Privacy Commissioner of Canada, Jennifer Stoddard, recently released her office's Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). Several press outlets have covered the report. The Office of the Privacy Commissioner of Canada's (OPC) press release, and the Report itself, can be found . While the report itself covers a wide range of topics, including statistics on complaints received and summaries of recent litigation in which the Office has been involved, the press coverage has focused almost exclusively on one of the “Key Issues” identified in the report: youth privacy online.

This focus of the report is made clear in the Commissioner's opening message, in which she notes that, “Many young people are choosing to open their lives in ways their parents would have thought impossible and their grandparents unthinkable.” Moreover, she notes, many young people don't seem to be taking online privacy seriously; the word used in the report is “indifferent”. Underlying these observations, it seems to me, is the acknowledgment that even strong statutory protection of privacy is ultimately meaningless if the people the statute is meant to protect don't care about their own privacy. PIPEDA revolves around the concepts of notice and consent, and if someone just doesn't care about their privacy, consent will be trivially given.

As the Commissioner points out, many young people do not think of privacy in the same terms as previous generations. The OPC is concerned about serious issues such as identity theft and fraud, problems that most young people simply do not consider. The Report notes that recent research suggests that many young people care about online privacy only to the extent that it impacts their online reputation and status. One’s online life and “real life”, however, are not totally distinct. Information published online can have definite real life consequences, ranging from identity theft to the loss of a job. A good example of how carelessly posting information publicly can have serious repercussions is the from a Provincial election because of inappropriate pictures posted on Facebook.

The indifference of youth towards online privacy seems symptomatic of a profound shift in attitudes I have noticed over my years on the Internet. When I first started “surfing the Infobahn” (am I dating myself?), it was drilled into me that one should never, ever use one's real name or other identifying information online. The very value of today's social networking websites, however, depends on the publication of such information. For many people, the whole point of being on a website like Facebook is to make oneself (and one’s personal data) publicly accessible. If you don't use your real name, how will people find you?

The major role that technology plays in mediating the social interactions of young Canadians affects how identity and relationships are constructed and perceived. As the current generation of people who have been raised with these sorts of technologies matures, what sort of norms will develop? When everyone has pictures of “regrettable moments” online, how will reputation and social status be measured?

That being said, I'm no technological fatalist, and obviously neither is the Privacy Commissioner, who sees room for intervention and education. Regardless of the social consequences, identity theft and fraud remain concrete problems. To that end, the Report details some steps the OPC has taken to raise awareness of the importance of privacy amongst Canada's youth. These include a , educational modules for use in the classroom, and a Youth Privacy Video contest.

In addition to the focus on youth, the Report provides a lot of valuable information for anyone interested in the activities of the OPC. Amongst other things, the privacy complaint against Facebook, initiated by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic (CIPPIC), is discussed (as it is by Virgil Cojocaru). Details on the substance of complaints and the process with which they are handled are also provided.

I was also interested in two elements of the Report that haven't received much media attention. The first is the massive backlog of cases the OPC is facing. Despite the addition in 2008 of significant human resources (for example, ten new investigators were hired in addition to the previous four), the average resolution time for a complaint was 20 months, which the report itself called “unacceptable”. The report also reiterated the Commissioner's call for a statutory mandatory notification scheme when a data breach occurs, writing that, “Our Office feels strongly that private-sector organizations should be obliged by law to inform individuals if their personal information may have been put at risk in a data breach.” Without such a requirement, Canadians have little opportunity to manage and mitigate the risk of identity theft or fraud.

Despite these challenges, the report gives an ultimately optimistic view of the efficacy of PIPEDA to protect the privacy of Canadians. PIPEDA has only been in effect since 2004, and while outreach and education are clear priorities moving forward, the sheer volume of complaints the OPC receives (422 in 2008) illustrates that PIPEDA and the Privacy Commissioner have a vital role to play in helping Canadians protect their privacy.
