privacy commissioner Archives - IPOsgoode /osgoode/iposgoode/tag/privacy-commissioner/ An Authoritive Leader in IP Mon, 06 Jun 2022 16:00:38 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 The Privacy Commissioner Of Canada Releases Interpretation Bulletin On Sensitive Personal Information /osgoode/iposgoode/2022/06/06/the-privacy-commissioner-of-canada-releases-interpretation-bulletin-on-sensitive-personal-information/ Mon, 06 Jun 2022 16:00:38 +0000 https://www.iposgoode.ca/?p=39689 The post The Privacy Commissioner Of Canada Releases Interpretation Bulletin On Sensitive Personal Information appeared first on IPOsgoode.

]]>

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted onĚý on June 1, 2022.


On May 16, 2022, the Office of the Privacy Commissioner of Canada (the OPC) released an Interpretation Ěýon sensitive information (the Bulletin), which summarizes general principles from judicial decisions and the OPC’s findings to date to guide organizations in meeting their compliance requirements under theĚýPersonal Information Protection and Electronic Documents ActĚý(PIPEDA).

An organization’s practices under PIPEDA may be heavily influenced by the sensitivity of the information that it handles. For example, PIPEDA requires the form of consent used in an organization’s collection process to account for the sensitivity of the information being collected. The sensitivity of an organization’s information is also a relevant factor when determining the adequacy of its security safeguards and fulfillment of security breach obligations.

While PIPEDA allows for any personal information to be deemed sensitive depending on the context, the Bulletin describes the following factors as relevant when examining the sensitivity of personal information:

  1. Combined Information. In combining data elements (e.g. customer names, contact details, etc.), organizations may add a degree of sensitivity to the information that is further increased in certain risk situations, such as scams and data breaches. Accordingly, organizations should implement safeguards that meet these higher risks when dealing with combinations of data.
  2. Health Information. The OPC mentions that medical and biometric information is usually considered sensitive and should be awarded a high degree of protection. However, there still exists some variation on the degree of sensitivity for certain types of personal health information. For example, an individual’s attendance for a fitness class may be on the lower end of the scale of sensitivity, but their activities in the class may be deemed more sensitive.
  3. Financial Information. In referencing past court decisions on the matter, the OPC describes financial information as sensitive and relating to an individual’s “biographical core”. The OPC further advises that relevant weight should be afforded to the context of the situation as this may affect the degree of sensitivity attributed to the information. For example, the current balance of an individual’s mortgage should be assessed against related information that is already publicly available, the purpose of making such types of information public, and the relationships of the parties involved.
  4. Reputation Information.ĚýInformation that can impact an individual’s reputation and cause embarrassment may be highly sensitive under PIPEDA. Unlike with health and financial data, reputation information is not restricted to traditional information categories and may include financial personal information, information pertaining to an individual’s relationship status, and even court or tribunal decisions.
  5. Other Information Generally Considered Sensitive.ĚýIn addition to the above categories, the OPC mentions that information concerning individuals’ drug and alcohol use, mental health, ethnicity, political affiliations, and sexual preferences are generally considered very sensitive personal information.

Although the Bulletin does not provide a binding legal interpretation on what is sensitive information, the OPC’s breakdown of relevant considerations and references to specific case law and investigations is very helpful for organizations reviewing their information handling practices.

The post The Privacy Commissioner Of Canada Releases Interpretation Bulletin On Sensitive Personal Information appeared first on IPOsgoode.

]]>
Canada’s Privacy Regulators Call For New Legal Framework To Govern Police Use Of Facial Recognition Technology /osgoode/iposgoode/2022/05/24/canadas-privacy-regulators-call-for-new-legal-framework-to-govern-police-use-of-facial-recognition-technology/ Tue, 24 May 2022 16:00:50 +0000 https://www.iposgoode.ca/?p=39617 The post Canada’s Privacy Regulators Call For New Legal Framework To Govern Police Use Of Facial Recognition Technology appeared first on IPOsgoode.

]]>

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted onĚý on May 18, 2022.


On May 2, 2022, Canada’s privacy regulatory authorities (the Regulators) issued aĚýĚýcalling for a legal framework that clearly establishes the acceptable circumstances for police to use facial recognition technology (FR).

Police agencies greatly benefit from FR, because it is a useful resource for solving crimes, locating missing persons, and supporting national security objectives. However, the Regulators noted that FR involves the collection and processing of highly sensitive biometric information, which raises a series of privacy and human rights concerns when it is applied on a large scale. Widespread adoption of the technology would enable police agencies to covertly identify and surveil individuals and this may impair Canadians’ privacy right to participate in the world without being regularly identified, tracked, and monitored.

The Regulators called for Canadian legislators to implement a legal framework that outlines the boundaries associated with FR. Although Canada’s current principle-based privacy laws are adaptable to evolving technologies, the Regulators took the position that they are too high-level to address the specific risks associated with police use of FR. They argued that the current legal framework leaves much discretion to police agencies, which creates the possibility for serious harms to an individual’s privacy and other fundamental rights.Ěý

In the joint statement, the Regulators suggested that a new legal framework should be implemented by legislators that includes the following:

  • Defined Purpose and Prohibited Uses:ĚýA clearly defined purpose for police agencies to use FR and a list of prohibited uses, i.e. “no-go zones”.
  • Necessity and Proportionality:ĚýOverarching requirements for the use of FR to be necessary and proportionate for a given objective.
  • Independent Oversight:ĚýEmpowering an independent, external public body to oversee police use of FR, including requirements for police agencies to obtain authorization to launch an initiative.
  • Mitigate Privacy Risks:ĚýPrivacy control measures that mitigate individuals’ risks, including controls to ensure the accuracy of information and appropriately limit data retention for police databanks.

Together with their joint statement, the Regulators released the final version of their joint privacy Ěýon FR use by police agencies that clarifies the agencies’ obligations under current laws. The guidance and joint statement are the product of a public consultation launched in June 2021, in which a large majority of stakeholders agreed that new legislation is required to govern police use of FR going forward.

The post Canada’s Privacy Regulators Call For New Legal Framework To Govern Police Use Of Facial Recognition Technology appeared first on IPOsgoode.

]]>
Privacy Commissioner Of Canada Releases Statement On RCMP’s Use Of Clearview AI And Draft Guidance On Use Of Facial Recognition Technology /osgoode/iposgoode/2021/07/02/privacy-commissioner-of-canada-releases-statement-on-rcmps-use-of-clearview-ai-and-draft-guidance-on-use-of-facial-recognition-technology/ Fri, 02 Jul 2021 13:00:00 +0000 https://www.iposgoode.ca/?p=37725 The post Privacy Commissioner Of Canada Releases Statement On RCMP’s Use Of Clearview AI And Draft Guidance On Use Of Facial Recognition Technology appeared first on IPOsgoode.

]]>
M. Imtiaz Karamat is an IP Osgoode Alumnus and Licensed Lawyer in Ontario.

This article was previously posted on Ěý

On June 10, 2021, the Office of the Privacy Commissioner of Canada (OPC) issued aĚýĚýfollowing its investigation into the RCMP’s use of Clearview AI’s facial recognition technology (FRT), reporting that the RCMP contravened theĚýPrivacy ActĚý(the Act) when it collected information from Clearview AI.

Clearview AI scraped more than three billion images from internet websites without users’ consent to create a databank for clients, such as the RCMP, to use for the purpose of identifying individuals by matching photographs to images in the databank. In February 2021, the OPC along with multiple provincial counterparts, found that Clearview AI’s methods constituted mass surveillance and were illegal under federal and provincial private sector privacy laws, as previously reported by the E-TIPS® NewsletterĚý. Following this finding, the OPC began its investigation into whether the RCMP contravened the Act when it used Clearview AI’s services.

In aĚýĚýto Parliament, the OPC shared its findings, where it stated that a government institution cannot collect personal information from a third party if the third party’s collection was unlawful. Given that Clearview AI’s personal information collection practices were found to be illegal, the RCMP’s subsequent collection of that information falls outside its legitimate operating programs and activities and contravenes Section 4 of the Act. The OPC further concluded that the RCMP had an onus to ensure that the databank was compiled according to legitimate privacy practices. Although the RCMP argued that it did not contravene the Act and the onus is unreasonable, it ultimately agreed to follow the OPC’s recommendations and implement changes to its policies, systems, and training. This includes conducting complete privacy assessments of third-party data collection policies to confirm compliance with privacy legislation and ensuring new technologies are on-boarded in a manner that respects privacy rights.

With the rise in police use of FRT, the OPC saw this matter as an opportunity to address serious privacy concerns in the space. Accordingly, the OPC and its provincial and territorial counterparts have launched a consultation on draftĚýĚýto clarify the privacy obligations for police agencies’ use of FRT. The draft guidance highlights the need for law enforcement officials to have lawful authority for the proposed use of the technology and the importance of implementing privacy standards that are proportionate to the potential harms involved. Comments on the draft guidance may be submitted until October 15, 2021 and further information on how to contribute can be foundĚý.

The post Privacy Commissioner Of Canada Releases Statement On RCMP’s Use Of Clearview AI And Draft Guidance On Use Of Facial Recognition Technology appeared first on IPOsgoode.

]]>
Privacy Commissioner Of Canada Closes File On Privacy Complaint Against Federal Political Parties /osgoode/iposgoode/2021/06/01/privacy-commissioner-of-canada-closes-file-on-privacy-complaint-against-federal-political-parties/ Tue, 01 Jun 2021 13:00:00 +0000 https://www.iposgoode.ca/?p=37476 The post Privacy Commissioner Of Canada Closes File On Privacy Complaint Against Federal Political Parties appeared first on IPOsgoode.

]]>
This article was previously posted onĚýĚý

Imtiaz Karamat isĚýanĚýOsgoodeĚýAlumnus and a Student-at-Law at Deeth Williams Wall.Ěý

On May 13, 2021, the Office of the Privacy Commissioner of Canada (the OPC)ĚýĚýthat it has closed its file on a complaint against the Liberal, Conservative, and New Democratic Parties (the Parties), noting that the activities in the complaint are not subject to the privacy obligations under theĚýPersonal Information Protection and Electronic Documents ActĚý(PIPEDA).

The complainant argued that the Parties are subject to PIPEDA because they engage in commercial activities to sell or promote their brand to voters and to sell or promote goods, services, and business interests. To support its claim, the complainant cited examples of political advertisements that feature the Parties convincing Canadians to purchase party-branded memorabilia, make donations, elect party candidates to political office, and support selected policies. The complainant claimed that the Parties, under PIPEDA, are obligated to inform Canadians of how they collect, use, or disclose their personal information to conduct political advertising, including “micro-targeted” advertisements that are based on detailed profiles of individuals. The complainant alleged that the Parties are in violation of this obligation and requested that the OPC investigate and issue appropriate recommendations.

Although the OPC agreed that PIPEDA could apply to the Parties to the extent that they engage in commercial activities, it was not convinced that the Parties’ general activities were commercial in nature. The OPC stated that the primary purpose of the Parties’ political advertising is to solicit donations, encourage votes for select candidates, or garner support for certain political platforms. The OPC determined that there is no element of exchange in these activities as nothing is sold, bartered or leased, and contributors do not reasonably expect anything in return for their donations. Furthermore, the OPC said that despite the specific examples cited by the complainant having an element of exchange, they do not qualify as commercial in nature because they involve the raising of funds for the Parties’ political activities.Ěý

The OPC was further influenced by Parliament’s recent refusals to subject the Parties to PIPEDA. In 2018, during the examination of Bill C-76,ĚýElections Modernization Act, Parliament refused to act on the OPC’s submission to extend PIPEDA to federal parties. In closing the file, the Commissioner stated that: “Although I strongly believe that privacy laws should govern political parties to better protect both privacy and democratic rights, I must apply the law as it is today.”

The post Privacy Commissioner Of Canada Closes File On Privacy Complaint Against Federal Political Parties appeared first on IPOsgoode.

]]>
Diagnosing Ontario's Electronic Medical Records Bill: Healthier, but Not Out of the Woods Yet /osgoode/iposgoode/2013/10/23/diagnosing-ontarios-electronic-medical-records-bill-healthier-but-not-out-of-the-woods-yet/ Wed, 23 Oct 2013 13:40:02 +0000 http://www.iposgoode.ca/?p=22843 The Ontario Government's new electronic health records bill has passed its second reading. The Electronic Personal Health Information Protection Act (Bill 78, EPHIPA or EHR Act), is a responsive and important - yet still wanting - update to Ontario's 2004 electronic health records legislation. The main update is the addition of Part V.1, a framework […]

The post Diagnosing Ontario's Electronic Medical Records Bill: Healthier, but Not Out of the Woods Yet appeared first on IPOsgoode.

]]>
The Ontario Government's new electronic health records bill has . The (Bill 78, EPHIPA or EHR Act), is a responsive and important - yet still wanting - update to Ontario's 2004 electronic health records legislation.

The main update is the addition of Part V.1, a framework for the administration of an electronic health record (EHA). and have provided strong shorthand summaries of the legislative changes. The Ontario Hospital Association (OHA) has also created a breaking Part V.1 down into its composite parts and providing descriptions for what the legislation actually means. The update mandates:

  • Privacy and security requirements that "prescribed organizations" managing EHRs must comply with, particularly in regards to collecting and sharing EHR data;
  • The process for consent directives –Ěýknown in some cases as the "lockbox" request or opt-out, where patients may refuse to share their their personal health information (PHI)Ěý–Ěýand the limits of consent directives (i.e. where third parties may be at risk of bodily harm);
  • An advisory committee be set up by the Minister of Health to provide EHR recommendations and guidance;
  • A requirement whereby the Minister of Health must take all direction intended for prescribed organizations to the advisory committee and Information and Privacy Commissioner before directing any prescribed organization; and
  • Increased breach of privacy fines of up to $100,000 for a convicted individual and $500,000 for a convicted organization.

Analysis

This is well-intentioned legislation. It is clearly aimed to provide much-needed privacy protections for citizens amidst the inevitable transition toward electronic medical data collection. My technical concerns centre on a few key issues, namely the ambiguity of a "prescribed organization", the opt-out limitations, the strength of the advisory committee, and the rigour of prescribed organization's accountability to the public. Not all of these need to be thoroughly addressed within the legislation. Certainly a technocratic bill can become impractical and quickly outdated, but it is my opinion that some of the issues could have been better fleshed out within the bill text.

Ambiguity of Prescribed Organization

Part V.1 is clearly a framework for EHRs, not regulatory guidelines for what bodies will be considered "prescribed organizations." It's conceptually difficult to agree on what powers prescribed organizations will (and will not) have without a conceptual understanding of which will fall under this term. eHealth Ontario is one group that will clearly receive "prescribed organization" status, but who else? In my opinion, the clear question that arises is to what extent private companies will be considered "prescribed organizations".

If there is no intent to allow private companies the designation, then why not draft the legislation more accurately and explicitly? The ambiguity of the term "prescribed organization" makes me uncomfortable.

The Opt-Out Limitations

Refusing patients to opt-out of PHI sharing is tricky. There are huge privacy and civil liberty concerns to allowing a health data collection group the right to override a patient's request for privacy. But, on the other hand, there are public safety implications that do merit some exceptions to the opt-out. In my opinion, the test for overriding the requested opt-out needs to be exceptionally high; to develop health care industry norms otherwise would be disastrous.

The OHA has also raised a valid point that the current wording of the legislation seems to imply that the opt-outs can only be made to the prescribed organizations (for example, eHealth Ontario). They rightly point out that health information custodians (HICs), such as doctors or long-term care facility staff, should also be allowed to take consent directives for patients wanting to opt out. This certainly seems to make sense from a patient care perspective; there is ease and intuitiveness associated with making your privacy requests directly to your health care practitioner.

Advisory Committee Strength

I believe in parliamentary committees, especially when they have teeth. Serious, legitimate, proactive, and credible committees staffed with a diverse mix of courageous and smart stakeholders are exactly what this province and country needs. Unfortunately, they are often susceptible to "committee-itus", passive rubber-stamping, or highly intellectual report-making. This advisory committee has a huge role to play in one of the most important public policy issues of the day. This committee needs to be implemented with immense focus and commitment by the Ministry. Also, the Privacy Commissioner should be involved in the committee structure and creation as a far more independent, less politicized body than the Government's health ministry.

Prescribed Organizations' Public Accountability

This legislation has a number of good public reporting requirements. It dictates that prescribed organizations must publicly account for their EHR safety and security measures, as well as other processes. One thing I noticed was missing - as did the OHA in their bulletin - was the risk management protocols for privacy breach disclosure process. What if a system is violated and information is shared? What onus is there on the prescribed organization to report the violation to the public? To the individuals whose information was breached? To the Ministry of Health? To the police? If they do need to report the breach, in how timely a manner does it need to be reported? Suffice it to say, there are a number of outstanding questions to be answered.

Increased fines are a strong incentive to prevent EHR privacy breaches but they are also a disincentive to report EHR privacy breaches. Realistically, there is a risk associated with electronic data. But the gains to efficiency and accuracy are so great, it seems as if we, as a society, are collectively agreeing to take on the increased risk. It's a logical, rational choice but we need to plan and manage that risk. In this legislation, the Government seems to say, "never allow privacy breaches." This is impractical. In my opinion, the Government instead needs to say, "do everything you can to prevent privacy breaches. If they happen, you must do the following..." Risk and crisis management protocols that make strong commitments to the public interest are a necessity.

The Bigger Picture

The more the world digitizes, the more important privacy becomes. With every piece of legislation of this nature, the Privacy Commissioner's office needs an adequate boost in funding and standing. The Ontario Privacy Commission is one of the best in the country, but it can only be so with apt resources.

We may need to think bigger. The public interest needs more than just a privacy watchdog, it needs government leadership on privacy. In the digital age, threats to our privacy civil liberties are coming from many more sides than ever before. On a daily basis, private corporations and the data they collect of us through information technology are one of the most important concerns for our privacy. They can collect and database our information about us when we write it and even when we play . If we're going to get serious about protecting our digital health information, I think we should get serious about protection.

Bill 78 is an attempt by the government to be proactive about digital privacy, but, in my opinion, it's only a drop in the bucket in the context of what we might need in the future. Is it time for ministries of public health to get more involved on privacy? Is it time to establish ministries of privacy? It's something to consider.

The concepts of ministries of privacy is a counterintuitive and controversial one, but I think something drastic needs to happen. Perhaps this is the way. The systems in place to protect citizen privacy need work. The current leadership in civil liberties and privacy offices are taking steps, but they are not keeping pace with developments in information technology. In the end, the solution isĚýmore information technology privacy legislation and only our governments can enact it.

Governments are now in an important and unique position to protect our privacy. We need a privacy commissioner to protect our privacy from intruding government action and we need a government to protect our private informationĚý– health-related and otherwise –Ěýfrom corporations that look to misuse it. Will they step up to the challenge?

DeniseĚýis an IPilogue Editor, a Western University JD/MBA Candidate, and researcher for GRAND (Graphics, Research and New Media) Centre and Commercialization Engine.

The post Diagnosing Ontario's Electronic Medical Records Bill: Healthier, but Not Out of the Woods Yet appeared first on IPOsgoode.

]]>
A Report about Facebook by the Office of the Privacy Commissioner of Canada /osgoode/iposgoode/2009/07/27/a-report-about-facebook-by-the-office-of-the-privacy-commissioner-of-canada/ Mon, 27 Jul 2009 11:58:43 +0000 http://www.iposgoode.ca/?p=5218 On July 16th, the Office of the Privacy Commissioner of Canada released a report of findings into complaints made by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. for alleged breaches of the Personal Information Protection and Electronic Documents Act (PIPEDA). Facebook, as most Canadians know by now, is a major […]

The post A Report about Facebook by the Office of the Privacy Commissioner of Canada appeared first on IPOsgoode.

]]>
On July 16th, the Office of the Privacy Commissioner of Canada released a of findings into complaints made by the Canadian Internet Policy and Public Interest Clinic () against Facebook Inc. for alleged breaches of the Personal Information Protection and Electronic Documents Act (). Facebook, as most Canadians know by now, is a major online social networking website that has grown rapidly over the last few years to approximately . Since it is estimated that over a , Facebook's policies and actions can be considered to be of significant importance to the Privacy Commissioner.

There were 12 major subject areas of complaints made, and the report by the Assistant Privacy Commissioner of Canada, Elizabeth Denham, stated that four were not well-founded and another four were well-founded but resolved by measures agreed to by Facebook. Issues within the following subjects were well-founded but not resolved: third-party applications, account deactivation and deletion, accounts of deceased users, and the personal information of non-users.

Third-party applications are those that have been created by outside developers but through the use of the Facebook Platform and can be added to a user's profile. These can be anything from games to personality tests to a seemingly endless variety of other products. In order to add one these to their profile, a user must give their consent to allow the third-party developer access to the information on their profile. Furthermore, the application developer can have access to the information of other users that the adding user has access to even though the other users may not have added the application themselves. The report states that "[i]n its site literature, Facebook has represented itself as taking little or no responsibility for the activities of third-party application developers". Despite this finding Facebook refused the Commissioner's recommended measures:

"(1) to limit application developers' access to user information not required to run a specific application;

(2) whereby users would in each instance be informed of the specific information that an application requires and for what purpose;

(3) whereby users' express consent to the developer's access to the specific information would be sought in each instance; and

(4) to prohibit all disclosures of personal information of users who are not themselves adding an application."

Another recommendation that Facebook refused to comply with had to do with account deactivation and deletion, which are two separate actions a user may take. An account may be deactivated from a link on the My Account page, at which point it becomes no longer accessible or searchable by other users of the website and appears essentially non-existent. However, all of the information is stored indefinitely so that if and when the user wishes to reactivate the account, it will appear as if nothing has changed since the time of deactivation. In order for a user to delete their account, along with all of the information it contains, that user must access a link from the Help section (and this information is not available when deactivating an account), though Facebook also noted that it is technically challenging to delete all information. The report states that "[PIPEDA] is clear that organizations must retain personal information only for as long as necessary to fulfil the organization's purposes". Facebook disagreed to the measures of setting time limits for retention of information on deactivated accounts and placing links for the procedures to both delete and deactivate an account on the same account settings page.

When a user dies, and has not shared their login information with anyone else, the account cannot be deactivated or deleted from within. If notified by friends or family that the account's user is no longer alive, Facebook will usually "memorialize" the profile, which used to be explained in its old Terms of Use with the following statement: "When we are notified that a user has died, we will generally, but are not obligated to, keep the user's account active under a special memorialized status for a period of time determined by us to allow other users to post and view comments." Despite this process continuing, there no longer seems to be any meaningful consent for it, but only a description in the Help section. Though at first the Assistant Commissioner believed that an opt-out procedure for the memorializing of profiles should be implemented, she then later found that based on the reasonable expectations of users, such a process would likely be welcome, in which case Facebook could rely on the continuing implied consent of its users to justify the lack of explicit agreement. Oddly enough, Facebook refused to comply with the simple recommendation to "include in its Privacy Policy, in the context of all intended uses of personal information, an explanation of the intended use of personal information for the purpose of memorializing the accounts of deceased users", stating that it does not believe that memorializing constitutes a new use of the information collected under PIPEDA.

The final subject that was deemed in the report to be well-founded, but which Facebook refused to comply with, had to do with the personal information of non-users. Users may routinely post personal information of non-users such as when writing on a friend's profile page or tagging an uploaded photo (whereby an individual's image is indicated and outlined within a photo). The Assistant Commissioner stated that "I was mindful of a clear distinction between activities conducted by Facebook users for strictly personal reasons and activities in which Facebook itself is involved", and that "[PIPEDA] would apply only where Facebook uses non-users' personal information for purposes of its own". So in such cases where a non-user is tagged in a photo and then an e-mail invitation to join the site is sent out to that non-user, the report stated that Facebook had a duty to exercise its due diligence in making sure that its users obtained consent to post the personal information of non-users, which meant "not only informing users clearly of the consent requirement in the Privacy Policy, but also notifying them of the requirement at each instance of disclosing non-users' email addresses to Facebook". The report also recommended that Facebook set a time limit for retaining the e-mail addresses that its users sent invites to; Facebook uses these addresses for the purposes of providing an invitation history to its users and documenting the success of its referral program. Facebook disagreed to follow the measures recommended by the Assistant Privacy Commissioner.

Facebook was given 30 days to comply with all outstanding requests by the Office of the Privacy Commissioner, and if they are still found to be in breach of PIPEDA at this point the report states that the Commissioner "will then consider how best to address these ...issues in accordance with our authorities". Despite these disagreements, the report commended Facebook for its privacy efforts on a number of fronts. At the same time, the Assistant Commissioner made it clear that her office takes seriously any continued breaches of privacy legislation. In a announcing the report, she stated, "[p]eople have every right to share their thoughts, their images and their personal information. But they need to understand what they're getting into, and to do it on their own terms".

The post A Report about Facebook by the Office of the Privacy Commissioner of Canada appeared first on IPOsgoode.

]]>