Michael Girard: e-Lawg - Privacy

Tue, 05 Apr 2005 01:04:28 GMT

Identity theft and corporate liability. Be sure your client is prepared to deal with the nation's fast-growing crime. Source: Law.com [ABA Section of Litigation - Online Resources for Litigators]

Employee Right to Privacy

Tue, 05 Apr 2005 00:31:03 GMT

Yes Virginia, there is a free-standing non-statutory right to employee privacy in Ontario. Maybe. This month.

In December of '04, I blogged about a case in which an arbitrator ruled that employees in the provincially regulated private sector in Ontario have no right to privacy. (See PIPEDA and Canadian Privacy Law: Employees in Ontario (and perhaps other Canadian provinces) have no right to privacy.) Since this area is consistently inconsistent, here is a rececent decision of an Ontario arbitrator who

- David T.S. Fraser [PIPEDA and Canadian Privacy Law]

RSS and Privacy Risks

Wed, 23 Mar 2005 00:19:59 GMT

David T.S. Fraser [PIPEDA and Canadian Privacy Law] picked up an interesting post on the impact of RSS on privacy issues. Because you can subscribe to an RSS feed without giving any personal information, it is superior, from a privacy perspective, to opt in mailing lists where some information usually has to be disclosed:

The Information Security News - Blog Archive - Editorial: How RSS can reduce privacy risks:
"Offering web site content updates via an RSS feed rather than by opt-in email can reduce the risk of privacy exposures. Because subscribing to an RSS feed is a 'pull' technology, it avoids the collection of personal information (email address, name, etc.) that would normally get collected in order to maintain a subscription to a site update alert, newsletter or digest..."

Managing Security in a Law Office

Mon, 21 Mar 2005 00:19:25 GMT

Dan Pinnington of LawPro has written a helpful booklet on Managing Security and Privacy of Electronic Data in a Law Office.

Wed, 02 Feb 2005 01:46:47 GMT

Electronic Data Security and Privacy: Words of Wisdom from Dan Pinnington. It was a lot easier keeping confidential material safe and secret when it only resided in your head and on paper. Now we have Internet connectivity, e-mail, databases, and electronic copies of at least every document that your office prepared.... [Jim Calloway's Law Practice Tips Blog]

CIRA Proposes a New WHOIS Policy

Tue, 23 Nov 2004 03:40:41 GMT

The Canadian Internet Registration Authority has proposed a new WHOIS policy (the publicly available information on the holder of domain names). The changes are designed to improve the privacy protection of individuals who hold domain names.

Michael Geist's comments on the proposal in the Toronto Star.

Is Canadian Privacy at Risk Under the U.S. Patriot Act?

Fri, 05 Nov 2004 02:37:45 GMT

The Privacy Commissioner's Annual Report to Parliament was released today. The report raises some concerns over the erosion of privacy interests in response to security concerns, the sharing of information between states and the potential impact of the Patriot Act in the U.S. on private information about Canadians held by Canadian subsidiaries of American companies.

The Commissioner noted that the British Columbia Privacy Commissioner had launched a public consultation process to look into the ramifications of the Patriot Act on Canadian Privacy.

What happens if a U.S. agency uses the Patriot Act to demand a company provide access to private information which it has in a Canadian subsidiary. Canadian privacy rights and legislation could be violated. Daniel Girard has an article on the issue.

The British Columbia Privacy Commissioner has called for a toughening of laws "to address risks posed by transfers of personal information" from Canada to the U.S.

Employee Video Surveillance

Thu, 06 May 2004 03:17:57 GMT

The Federal Court has heard a case on whether an employer can implement video surveillance of its employees. The case involves CPR's surveillance of employees at one of its rail yard.

Globe & Mail discussion of the case and privacy issues

Incorporating Privacy into Marketing and Customer Relationship Management

Thu, 06 May 2004 02:33:22 GMT

The Canadian Marketing Association (CMA) issued a white paper this week "Incorporating Privacy in Marketing and Customer Relationship Management"

The paper provides guidance on conducting privacy-conscious CRM. The paper is in response to PIPEDA which took effect in January.

Sat, 10 Apr 2004 03:15:26 GMT

CBC Montreal - Montreal,Canada - Street cameras raise privacy concerns . MONTREAL - A planned project to install surveillance cameras in downt... [Privacy Digest Weblog]

You Can't Ask For Two Pieces Of ID When One Is Sufficient

Fri, 26 Mar 2004 00:58:52 GMT

The Canadian Privacy Commissioner has held that a bank employee should not have asked for two pieces of identification and further personal information after a client had presented a valid driver's licence. There was sufficient personal information on the driver's licence for the bank's purposes.

Principle 4.3.3 of Schedule 1 of the Act stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.

The request for further information was in breach of the Act.

Issuing Unrequested Credit Card Violates Privacy Policy

Fri, 26 Mar 2004 00:51:03 GMT

The Canadian Privacy Commissioner held that a bank's promotional practice of opening an account and issuing unrequested credit cards to a client were not good privacy practices. These went beyond the purpose of advertising and offering additional products, services and other solicitations that might be of interest to the customer (for which there had been consent).

Accessing Another's Blackberry is Unethical

Tue, 23 Mar 2004 04:00:31 GMT

Ernie questions whether publicizing someone's private E-mail is ethical? Or legal?

The underlying circumstances involve someone finding someone's Blackberry in restaurant. I would think that accessing the Blackberry would be as unethical as going through anything else left behind by a restaurant patron (aside from trying to find some indentification to track down the true owner.)

As to legalities, this conduct probably constitutes trespass, conversion, and breach of privacy rights, at least in this jurisdiction.

(Different considerations would apply if you were the recipient of an email rather than the finder of a device that accesses the e-mail).

Tue, 16 Mar 2004 01:13:54 GMT

New Guidance to Assist Businesses Comply With Privacy Laws [AccountingWeb]

U.S. Lawmakers Tackle Spyware

Sun, 14 Mar 2004 13:30:15 GMT

CNet news.com reports on the difficulties in legislating against Spyware.

ISPs Oppose Release of Information on IP Addresses of Alleged File Swappers

Sun, 14 Mar 2004 13:12:55 GMT

The action by CRIA (an entity owned by the big five record labels) against alleged music file swappers continued this week. They were in court attempting to compel the ISPs to disclose the identity behind the 29 IP addresses alleged to be swapping music files.

Four of the five ISPs involved are opposing the motion. They argued that the IP addresses will not necessarily identify the individuals involved. An IP address represents a unique computer on the internet. What it does not do is identify who was using the computer at any particular time. It could be analogized to a telephone number. Knowing who the telephone number belongs to will not tell you who was using it at any particular time.

It was also argued that CRIA cannot establish that any copyright infringement took place. The fact that a KaZaA user has music files on his computer in Canada does not establish copyright infringement. The Copyright Act permits copying of music for personal use. See discussion in a previous post.

The issue is whether Canadian privacy rights should be trumped by allegations of copyright infringement where the disclosure may not be conclusive and the plaintiff cannot establish the copyright infringement occurred.

Justice Konrad von Finckenstein of the Federal Court heard arguments this week. No decision has been released yet.

For a discussion of IP addresses see p2pnet.

CanadianPress Globe & Mail CBC News CTV P2Pnet

Wed, 03 Mar 2004 02:57:15 GMT

The biggest techno-legal issue in Canada now is the Canadian Recording Industry Association (CRIA) action against 29 alleged music file swappers. All the alleged swappers used KaZaa. The Statement of Claim is here. While this action would seem similar to the RIAA actions in the United States, there are some different hurdles to be overcome due to Canadian legislation.

Canada does not have the equivalent of the DMCA. To obtain the names of the alleged file swappers, CRIA will have to obtain an order from a court. They have brought a motion seeking to compel the ISPs to disclose the names of their subscribers who are alleged to have been involved. Some of ISPs have advised they will oppose the motion.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) and Electronic Freedom Canada(EFC) were both granted leave to intervene on March 1, 2004. It appears that there will be a thorough review of the competing public policy issues in this action. The motion will raise issues under Canada's privacy legislation PIPEDA.

Even if CRIA is successful in obtaining the names of the alleged file swappers, they will still have to confront section 80 of the Copyright Act which provides for personal copying for private use:

"80. (1) Subject to subsection (2), the act of reproducing all or any substantial part of

(a) a musical work embodied in a sound recording,

(b) a performer's performance of a musical work embodied in a sound recording, or

(c) a sound recording in which a musical work, or a performer's performance of a musical work, is embodied

onto an audio recording medium for the private use of the person who makes the copy does not constitute an infringement of the copyright in the musical work, the performer's performance or the sound recording."

While the Act would seem to cover downloading of music files, it may not cover making files available for uploading by others.

The action is in its infancy. It will certainly have an impact on the development of internet and privacy law in Canada.

Video Surveillance - Should Big Brother Watch?

Tue, 25 Nov 2003 02:47:39 GMT

Ernie raised the issue of video surveillance of public spaces in a post. He thought it was a good idea. I have concerns that it is a further step along the path to Big Brother.

There seems to be a continuous erosion of privacy in the digital age. As the means of recording and storing vast amounts of data becomes easier and the costs less onerous, huge amounts of personal information can be captured, maintained and searched. The trauma of terrorism has caused citizens to be much more amenable to impositions on their freedom and their privacy in favor of greater protection. Law enforcement agencies have used this opportunity to increase their capabilities at the expense of individual privacy.

It is hard for the average citizen to become exorcised over creeping loss of privacy. We have become so inured to seeing video cameras and offices, banks, public buildings, that their existence on a public street or in a public park does not raise much anxiety. People may even feel safer walking through a public space which they know is under surveillance. There is also the mantra that "if you're not doing anything wrong, why should you worry that you are under surveillance". These attitudes prevent the issue from gaining the political momentum necessary to institute appropriate controls and balancing of interests.

In Canada, violent crime has been declining. The need for greater infringement of personal freedoms in favor of crime prevention is difficult to demonstrate.

Canada's former Privacy Commissioner had taken a strong position against such surveillance. Different cities had set up video surveillance of public spaces at the behest of security or police forces in hopes that the surveillance would reduce crime. The Privacy Commissioner considered this issue as a result of a complaint.

The complaint arose out of the RCMP's proposed installation of surveillance cameras in the downtown core of the City of Kelowna, British Columbia. The video was recorded 24/7 and was retained for six months. The Commissioner held that the surveillance was a breach of federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the ruling, the Commissioner stated:

"Section 4 of the Privacy Act states that 'No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution'. It is a tenet of the Act that an institution can collect only the minimum amount of personal information necessary for the intended purpose. There must be it demonstrable need for each piece of personal information collected in order to carry out the program or activity."

"This type of wholesale monitoring or recording certainly runs afoul of the requirement to collect only the minimum amount of personal information required for the intended purpose. Moreover, the broad mandate to prevent or deter crime clearly does not give police authorities unlimited power to violate the rights of Canadians. They cannot, for instance, compile detailed dossiers on citizens ' just in case.' They cannot force people at random to identify themselves on the street. They cannot enter in search homes that will, without proper authorization."

"It is equally clear, in my view, that police forces cannot invoke crime prevention or deterrence to justify monitoring and recording on film the activities of large numbers of the general public."

The commissioner relied on previous reasoning by the Québec privacy commissioner arising out of similar surveillance activity in the City of Sherbrooke in 1992. He also relied on the reasoning of the Supreme Court of Canada in R. v. Wong, where the Court stated:

"...to permit unrestricted video surveillance by agents of the state would severely diminish the degree of privacy we can reasonably expect to enjoy in a free society...we must always be alert to the fact that modern methods of electronic surveillance have potential, if uncontrolled, to annihilate privacy."

The RCMP responded by suggesting that they would cease recording the video. They would run the cameras but not make a record.

The commissioner rejected this alternative. He commented:

"If we cannot walk or drive down the street without being systematically monitored by the cameras of the state, our lives and our society will be irretrievably altered. The psychological impact of having to live with the sense of constantly being observed must surely be enormous, indeed incalculable. We will have to adapt, and adapt we undoubtedly will. But something profoundly precious -- our right to feel anonymous and private as the go about our day-to-day lives -- will have been lost forever."

The Commissioner did not feel there was persuasive evidence that video surveillance was an effective deterrence to crime. Even if it were effective, the need to make so great a sacrifice of privacy in favor of such deterrence had not been demonstrated.

The Commissioner went so far as to institute a subsequent court challenge against the RCMP, alleging that the video surveillance violated the Charter of Rights and Freedoms.

After the Commissioner resigned, the new Commissioner withdrew the court challenge on July 4, 2003.

Think about it...

"The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live - did live, from habit that became instinct - in the assumption that every sound you made was overheard, and except in darkness, every movement scrutinised." George Orwell, 1984

Tue, 25 Nov 2003 01:37:10 GMT

Radio tags spark privacy worries. The use of radio tags on consumer products should be put on hold, say privacy campaigners. [BBC News | Technology | UK Edition]

Thu, 20 Nov 2003 03:01:43 GMT

CDT wants your worst Spyware stories. The Center for Democracy and Technology has just released a report addressing the growing problem of so-called spyware or malware programs, which include targeted advertising programs, key stroke loggers and screen capture utilities that can be used to steal passwords and aid identity theft.

The report requests that rather "than drafting narrowly targeted legislation to outlaw specific snooping tactics, Congress should establish broad online privacy rights to protect against secret online surveillance." [Snoopy software would be tricky to outlaw]

CDT is also calling on internet users to send in their experiences with specific "spyware" products, so that CDT can collect the most egregious cases and file a complaint with the Federal Trade Commission.

CDT Report: "Ghosts in Our Machines: Background and Policy Proposals on the "Spyware" Problem" [pdf]

Join CDT's Campaign Against "Spyware"

Category: Spam | More: Internet Pop-Up Ad Firm Wins 2nd Courtroom Victory [Tech Law Advisor]

Thu, 20 Nov 2003 02:50:40 GMT

CDT Report on Spyware. The Center for Democracy and Technology has issued a sensible and accessible paper about the spyware problem and associated policy issues. Spyware is software, installed on your computer without your consent, that gathers information about what you do on your... [Freedom to Tinker]

Thu, 13 Nov 2003 02:27:24 GMT

Workplace Computer Off-Limits?. "A Connecticut lawyer wants the state's high court to recognize that employees have some expectation of privacy regarding workplace computers -- even if the material they view or download is child pornography. The lawyer is appealing the denial of a motion to suppress by a Superior Court judge, who ruled that her client, a former Yale professor, did not have a reasonable expectation of privacy because he did not make his computer files inaccessible to other authorized users." [Connecticut Law Tribune]

Category: Workplace Privacy [Tech Law Advisor]

Thu, 30 Oct 2003 12:44:41 GMT

Personal Data Must Be Redacted from Paper and Electronic Filings Before Year's End. From today's Daily Business Review: "To prevent identity theft and other criminal uses of data as more court documents go... [beSpacific]

Thu, 16 Oct 2003 16:19:57 GMT

Privacy and Court Records. Chris Jay Hoofnagle, EPIC Deputy Counsel, will present the following paper, Public Records and Privacy (pdf), to the National Conference... [beSpacific]

Tue, 14 Oct 2003 12:58:47 GMT

Survey: 90% of Managers Check Employees' E-Mail/Web Usage [AccountingWeb]