The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, February 18, 2009
I've just discovered that Brian Bowman of Pitblado LLP has a blog.
Brian's not only a great guy, but a heck of a privacy lawyer. Watch his blog: Brian Bowman - On the Cutting Edge.
Labels: privacy
I blogged earlier this week about a decision from the Ontario Superior Court of Justice that held that Bell Sympatico customers do not have a reasonable expectation of privacy when the police come knocking for the name and address behind an IP address. (See: Canadian Privacy Law Blog: Police get warrantless access to Sympatico customer's data.) I managed to get a copy of the decision in R. v. Wilson (6MB PDF file).
While I disagree with the judge's determination that there is no "reasonable expecation of privacy" in this information, what must be remembered is that Bell voluntarily handed the information over.Labels: bell, law enforcement, lawful access, lawful authority, privacy, surveillance
I blogged a while ago about a lawsuit brought against Google by the Boring family, alleging that Google's Street View was an invasion of their privacy by showing images of the Borings' house. (Google moves to have lawsuit thrown out, arguing complete privacy does not exist , Boring lawsuit over Google's "Street View" ).
According to CNET, the case has been thrown out by the Federal Court (here's the decision).
Via: Google wins Street View privacy suit Digital Media - CNET News.
For more on this topic generally, see postings tagged with "google street view".Labels: google, google street view, privacy
Tuesday, February 17, 2009
If you're serious about data destruction, Lifehacker has some interesting how-to videos: Video: Hard Drive Disposal with Extreme Prejudice.
Labels: privacy
Saturday, February 14, 2009
Here we go again .... the government is preparing a new "lawful access" law. The media coverage seems to suggest that it covers both eavesdropping of internet based communications (with a warrant) and obtaining subscriber data (without a warrant).
globeandmail.com: New law to give police access to online exchangesBILL CURRY
From Thursday's Globe and Mail
February 12, 2009 at 3:39 AM EST
OTTAWA — The Conservative government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians.
The goal of the move, which would require police to obtain court approval, is to close what has been described as digital "safe havens" for criminals, pedophiles and terrorists because current eavesdropping laws were written in a time before text messages, Facebook and voice-over-Internet phone lines.
The change is certain to please the RCMP and other police forces, who have sought it for some time. But it is expected to face resistance from industry players concerned about the cost and civil libertarians who warn the powers will effectively place Canadians under constant surveillance.
Public Safety Minister Peter Van Loan confirmed the plan yesterday during an appearance before a House of Commons committee and offered further explanation afterward.
Public Safety Minister Peter Van Loan confirmed the plan. (Sean Kilpatrick/The Canadian Press)
"We have legislation covering wiretap and surveillance that was designed for the era of the rotary phone," Mr. Van Loan said.
"If somebody's engaging in illegal activities on the Internet, whether it be exploitation of children, distributing illegal child pornography, conducting some kind of fraud, simple things like getting username and address should be fairly standard, simple practice. We need to provide police with tools to be able to get that information so that they can carry out these investigations."
Mr. Van Loan said there have been situations where the police want to act quickly to stop a crime, but can't because of the current laws.
"In some of these cases, time is of the essence," he said. "If you find a situation where a child is being exploited live online at that time - and that situation has arisen before - police services have had good co-operation with a lot of Internet service providers, but there are some that aren't so co-operative."
Although police agencies have been calling for such a law since at least the mid-1990s, this would be the first legislative effort in this direction by the Conservatives.
The reaction can be predicted, however, because Paul Martin's Liberal government faced stiff resistance when his public safety minister, Anne McLellan, introduced a "lawful-access" bill in November, 2005, shortly before that government was defeated.
The Conservative justice critic at the time, Peter MacKay, who is now in the Conservative cabinet, expressed concern with the bill, and Privacy Commissioner Jennifer Stoddart went further, saying there was no justification for such a law.
The concern of critics is that unlike a traditional wiretap that cannot commence without judicial approval, lawful-access legislation in other countries has forced Internet providers to routinely gather and store the electronic traffic of their clients. Those stored data can then be obtained by police via search warrant.
"That means we're under surveillance, in some sense, all the time," said Richard Rosenberg, president of the B.C. Freedom of Information and Privacy Association. "I think that changes the whole nature of how we view innocence in a democratic society."
RCMP Commissioner William Elliott said yesterday the lack of such legislation is causing problems for police.
"We're speaking generally about the development of technology that is difficult or impossible to wiretap," Mr. Elliott said after appearing alongside Mr. Van Loan at the House of Commons Public Safety and National Security Committee.
"In the old days, for a wiretap it was pretty simple. You sort of clicked onto the physical wires. So we have some instances where the court authorizes us and other police forces, for example, to intercept communications, but we don't have the technical ability to do that. So certainly the RCMP is supportive of changes of legislation that would allow those kind of intercepts."
Labels: facebook, law enforcement, lawful access, lawful authority, privacy, social networking, surveillance
Friday, February 13, 2009
Another case from Ontario about police getting warrantless access to personal information from an internet service provider, in this case Bell Sympatico. For previous cases, see this link.
The justification is based on a particular reading of Section 7 of PIPEDA, and Bell Canada deciding it should hand over the information. I don't agree with this interpretation of s. 7 and I also don't think the Bell should have handed customer information over without a warrant, even if it legally could do so.
Police may have access to your online historyTORONTO - An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant.
Justice Lynne Leitch found there is "no reasonable expectation of privacy" in subscriber information kept by Internet Service Providers, in a decision issued earlier this week.
The decision is binding on lower courts in Ontario and it is the first time a Superior Court level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the charter. The ruling is a significant victory for police investigating crimes such as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding users of the Internet.
"There is no confidentiality left on the Internet if this ruling stands," said James Stribopoulos, a professor at Osgoode Hall Law School in Toronto.
Canada's privacy commissioner also warned Thursday the Conservative government's plans to revive legislation that would force Internet Service Providers to allow police to intercept Internet-based conversations "is a serious step forward toward mass surveillance" that violates the privacy rights of Canadians.
"My concerns are a huge increase in surveillance powers," Jennifer Stoddart told a news conference Thursday. "I understand there are technological challenges for the forces of law and order . . . but is this the only way this can be done?"
Police and the Canadian Security Intelligence Service already have the power to wiretap private communications, but the laws were written before the era of the Internet and wireless technologies such as mobile phones.
A "modernization" bill was first introduced by the former Liberal government and the Conservatives have promised for years to revive the legislation, which privacy advocates oppose because they say it could broaden the power of authorities because they could reach back for months of communications.
Public Safety Minister Peter Van Loan, who assumed the portfolio in November, told a House of Commons committee this week that he will move forward with a bill, which his predecessor, Stockwell Day, relegated to a back burner.
The court ruling by Leitch was made in a possession of child pornography case in southwestern Ontario.
A police officer in St. Thomas, Ont. faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard it was a "standard letter" that had been previously drafted by Bell and the officer "filled in the blanks" with a request that stated it was part of a child sexual exploitation investigation.
Bell provided the information without asking for a search warrant. The name of the subscriber was the wife of the man who was eventually charged with "possession of child pornography" and "making available child pornography."
Most ISPs in the country require search warrants to turn over subscriber information unless it is a child pornography investigation.
Ron Ellis, the lawyer for the defendant, stressed to the judge there was no allegation of attempted luring or of a child in immediate danger. The "making available" charge stems from peer-to-peer websites that permit the downloading of images from other users.
Ellis argued police should have been required to seek a search warrant to obtain the subscriber information.
Leitch accepted the arguments of Crown attorney Elizabeth Maguire the information is similar to what is in a phone book.
"One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state," said Leitch.
The reasoning of the judge misses the context of what police are seeking, suggested Stribopoulos.
"It is not just your name. It is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went," he said.
This information should require a search warrant by police if there is suspected criminal activity, said Stribopoulos. Judges are accepting the argument that this is "just your name" because "everyone wants to get at the child abusers," he said.
The federal Personal Information Protection Electronics Documents Act permits ISPs to provide this information to someone with "lawful authority," which Leitch interpreted as meaning a police officer and not requiring a court ordered warrant.
There is an irony that exemptions in federal privacy legislation have been used to increase police powers and potentially reduce privacy rights, said Stribopoulos.
The trial of the defendant in St. Thomas will resume this spring.
With a file from Janice Tibbetts, Canwest News Service
Labels: bell, law enforcement, lawful access, lawful authority, privacy
Tuesday, February 10, 2009
A little over a year ago, I blogged about a Halifax bar that had its suspended liquor license back by promising to provide the cops and liquor inspectors with off-site access to expanded surveillance in the bar. (See: Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system.) While I understand that the bar volunteered this, I speculated it wouldn't be too long before such access is demanded as a condition of licensing.
Now Boing Boing links to a letter in the Guardian reciting a similar situation in the UK. In this case, the pub was required by the police to install CCTV and provide images to police as a condition of the police approving the license application:
Letters: Keep an eye on our growing surveillance culture UK news The GuardianI have recently agreed to take on a pub in a residential part of Islington. Under normal circumstances this would have simply involved the existing licence holder signing over the premises' licence to me. Unfortunately they had gone insolvent and disappeared so I applied for a new licence, which requires the approval of a number of organisations, including the police. I was stunned to find the police were prepared to approve, ie not fight, our licence on condition that we installed CCTV capturing the head and shoulders of everyone coming into the pub, to be made available to them upon request. There was no way that they could have imposed this on the previous licence holder.
As it happens the Islington Labour party headquarters is on the same street as the pub and, being a member, I contacted the MP Emily Thornberry to see if she really thinks she needs her photo taken when she pops in for a pint - needless to say I have not heard from her. I also spoke with a friend who is the licensing officer for another borough. Not only did he tell me that there was nothing I could do to overturn this, he also strongly advised me not to blot my copybook with the police by even questioning the request; I would not want them against me in the future, he said.
I have been spitting teeth in a silent rage since I first heard of this request, but at every turn I am alternately advised to keep my head down or laughed at for my naivety for thinking that the world was ever not thus. When was it that the constant small erosion of our liberties became irreversible?
Nick Gibson
London
Labels: privacy
Sunday, February 08, 2009
The European Court of Human Rights has ruled that taking a person's photograph (even if not for publication or commercial use) violates that person's human rights. The case stems from a photograph taken of a newborn baby in a Greek hospital by a company that was hired by the hospital to take such photos.
Here's the press relase from the Court:
EUROPEAN COURT OF HUMAN RIGHTS26
15.1.2009
Press release issued by the Registrar
CHAMBER JUDGMENT
REKLOS AND DAVOURLIS v. GREECE
The European Court of Human Rights has today notified in writing its Chamber judgment[1] in the case of Reklos and Davourlis v. Greece (application no. 1234/05).
The Court held unanimously that there had been:
a violation of Article 6 § 1 (right to a fair hearing) of the European Convention on Human Rights on account of the Greek courts’ dismissal of the applicants’ complaint about photographs having been taken of their new-born baby without their consent; and, a violation of Article 8 (right to respect for private and family life) of the Convention in respect of the applicants’ son.
Under Article 41 (just satisfaction) of the Convention, the Court awarded the applicants 8,000 euros (EUR) in respect of non-pecuniary damage. (The judgment is available only in French.)
1. Principal facts
The applicants, Dimitrios Reklos and Vassiliki Davourli, are Greek nationals who were born in 1964 and 1967 respectively and live in Athens. They are the parents of Anastasios Reklos, who was born on 31 March 1997 in a private clinic. Immediately after birth, the baby was placed in a sterile unit to which only medical staff had access.
As part of the photography service offered to clients, two photographs of the new-born baby, viewed face on, were taken by a professional photographer. The parents objected to this intrusion into the sterile environment without their prior consent.
On 25 August 1997, following the clinic’s refusal to hand over the negatives of the photographs to them, the applicants brought an action for damages before the Athens Court of First Instance. The court dismissed the action as unfounded.
In September 1998 the child’s parents appealed unsuccessfully against that decision. In August 2002 they lodged an appeal on points of law, submitting that the court rulings had infringed the right “to dignity” and “to protection of private life”, and stressing the potential dangers for disabled children.
On 8 July 2004 the Court of Cassation dismissed the appeal on points of law on the ground that it was too vague.
2. Procedure and composition of the Court
The application was lodged with the European Court of Human Rights on 28 December 2004.
Judgment was given by a Chamber of seven judges, composed as follows:
Nina Vajić (Croatia), President,Christos Rozakis (Greece),Anatoly Kovler (Russia),Elisabeth Steiner (Austria),Dean Spielmann (Luxembourg),Sverre Erik Jebens (Norway),George Nicolaou (Cyprus), judges,and also Søren Nielsen, Section Registrar.
3. Summary of the judgment[2]
Complaints
Relying on Article 6 § 1 (right of access to a court), the applicants complained about the dismissal by the courts of their action concerning the photographs of their new-born baby taken in the clinic without their consent. They further complained of a breach of their child’s right to respect for his private life under Article 8.
Decision of the Court
Article 6 § 1
According to the Greek Court of Cassation, the applicants had failed to fulfil one of the requirements for admissibility of their appeal on points of law, consisting in specifying the relevant facts on which the Court of Appeal had based its decision dismissing their appeal. The Court, by contrast, took the view that the Court of Cassation had been apprised of the facts as established by the Court of Appeal.
The Court considered that declaring the parents’ appeal inadmissible on the sole ground that it had been too vague had amounted to excessive formalism. This had prevented the applicants from having the well-foundedness of their allegations examined by the Court of Cassation, in breach of the right of access to a court set forth in Article 6 § 1.
Article 8
The Court reiterated that the concept of private life was a broad one which encompassed the right to identity. It stressed that a person’s image revealed his or her unique characteristics and constituted one of the chief attributes of his or her personality. The Court added that effective protection of the right to control one’s image presupposed, in the present circumstances, obtaining the consent of the person concerned when the picture was being taken and not just when it came to possible publication.
The Court observed that, since he was a minor, Anastasios’s right to protection of his image had been in the hands of his parents. Their consent had not been sought at any point, not even with regard to the keeping of the negatives, to which they objected. The Court noted that the negatives could have been used at a later date against the wishes of those concerned.
The Court concluded that the Greek courts had not taken sufficient steps to guarantee Anastasios’s right to protection of his private life, in breach of Article 8.
***
The Court’s judgments are accessible on its Internet site (http://www.echr.coe.int/).
[1] Under Article 43 of the Convention, within three months from the date of a Chamber judgment, any party to the case may, in exceptional cases, request that the case be referred to the 17‑member Grand Chamber of the Court. In that event, a panel of five judges considers whether the case raises a serious question affecting the interpretation or application of the Convention or its protocols, or a serious issue of general importance, in which case the Grand Chamber will deliver a final judgment. If no such question or issue arises, the panel will reject the request, at which point the judgment becomes final. Otherwise Chamber judgments become final on the expiry of the three-month period or earlier if the parties declare that they do not intend to make a request to refer.
[2] This summary by the Registry does not bind the Court.
Hat tip to: European court expands image privacy rights OUT-LAW.COM.
Labels: privacy
Saturday, February 07, 2009
The title says it all. If you use Facebook, you should read this: 10 Privacy Settings Every Facebook User Should Know. And act on it.
Labels: facebook, privacy, social networking
Friday, February 06, 2009
I had the pleasure of speaking this morning at the Canadian Institutes 4th Annual Payment Card Compliance In Canada. I was on a panel with Art Dunfee, Director General of Investigations and Inquiries at the Office of the Privacy Commissioner of Canada and Sandy Stephens, Senior Manager, Legal CounselCapital One Canada. Sandy covered the new Do Not Call List and Art covered PIPEDA compliance and the new breach notification guidelines. I then presented on a few additional topics: (i) the effect of US breach notification laws on Canadian companies and (ii) the effect of provincial anti-USA PATRIOT Act laws on Canadian banks.
Here's my presetation if you're interested:
And if Google Documents isn't showing you the love, here it is as a PDF: Payment%20Card%20Compliance.pdf
Labels: breach notification, patriot act, piidpa, privacy
Wednesday, February 04, 2009
Google has just launced "Latitude", which uses the GPS on your smartphone to share your location with your friends. Though it looks very customizable from a privacy perspective, you will always need to remember that Google will know where you are at all times.
Some features make it look like a location-aware version of Twitter.
See: Google Mobile Latitude for your phone.
Also, check out the following video:
Labels: privacy
Tuesday, February 03, 2009
I had the opportunity this morning to speak at the Ontario Bar Association's annual CLE extravaganza on the topic of cross border laptop searches. I was joined by David P Sanders of Williams Mullen in Washington, DC.
For those who may be interested, here is my presentation that was given at the session:
The ultimate conclusion is that Canadian border authorities have similar powers to search your laptop when you cross into Canada.
In case Google Documents isn't being helpful, here it is as a PDF: Border searches - OBA Institute - DFRASER.pdf.
Labels: border, laptop, presentations, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.