The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, July 15, 2008
I received the following question the other day:
In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada ? or is it allowed to traverse the US border at any time during its journey across the continent ? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces have enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement with much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but talk about the storage and access to that information. For example, from Nova Scotia's PIIDPA:Under PIPEDA, is patient or personal data limited to just traverse within Canada ?
5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but there users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:
Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]
Trace complete.
This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.
So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
Update: Added reference to Quebec statute. Thanks, commenter.
Labels: AskThePrivacyLawyer, health information, patriot act, piidpa, privacy
Wednesday, June 18, 2008
I've been overwhelmed by the number of questions I've received in response to "Ask the privacy lawyer". Some of them are too specific and would cross over the line between legal advice and educational. But I got this question, which is relatively generic and probably is something that many people have to deal with:
HI - In September 2007 I subscribed to a well known Canadian magazine. I did not check a box on the form saying I wanted to receive 'mail' from them. However in December 2007 I and my neighbour (whose subscription to the same magazine had just ended) started receiving unsolicited requests for magazine subscripts at a rate of about 1 a week. I knew where the subscription was coming from since they mispelled my name on all the subscriptions in the same way.I've emailed the magazine and the company responsible for these bulk mailings and have been told they 'occasionally send mailings we think our customs will enjoy' although that's only if you check the box requesting that 'service'.
They tell me the mailings will stop soon - but they haven't and now the mailing have my correctly spelled name.
I know there is a lot of work being done with SPAM laws and no phone anti-telemarketer laws - but is there any way I can legally stop this magazine for falsely advertising that they would to share my name and information with anyone else?
They don't seem to be taking my angry emails very seriously.
This situation sounds like a classic SNAFU, which might only take some more gentle persuasion to fix. But if one wants to take the legal route ....
The first question one has to ask is what privacy law applies. The questioner wasn't specific, so one should consider the options. This is a private sector matter, since we are not dealing with a government institution. Magazines are engaged in commercial activity, so one of the Canadian private sector laws would apply. The default would be PIPEDA, which applies to the collection, use and disclosure of personal information in the course of commercial activities except where there exists an applicable provincial law that has been declared to be "substantially similar" to PIPEDA. The substantially similar laws are the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The PIPAs of Alberta and BC are very similar to PIPEDA and are built on the same foundation.
For the purposes of considering this question, I'll assume that PIPEDA applies. PIPEDA requires the knowledge and consent of all individuals for all collection, use and disclosure of personal information. Importantly, an organization cannot require an individual to consent to uses that are not necessary.
Privacy lawyers often refer to marketing as "secondary purposes" as they are secondary to the original purpose for the collection, use and disclosure of personal information (which, in this case, would be sending a subscriber the magazine and for billing purposes). There is some debate as to whether "opt in" or "opt out" is sufficient for these secondary purposes. In any event, consent ,if previously granted, may be withdrawn: Even if an individual had previously consented to the use of personal information for marketing purposes, this consent can be withdrawn "subject to legal or contractual restrictions and reasonable notice". Assuming there is no such impediment, a subscriber should be able to tell a magazine publisher that he or she no longer wishes to receive marketing materials or to have personal information disclosed to other publishers. This is consistent with the Commissioner's finding in Summary #308: "The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1." So what recourse does an indvidual have? He or she can complain to the Office of the Privacy Commissioner, who will investigate and hopefully persuade the publisher to change their practices. If they do not comply, the individual or the Commissioner can take the matter to the Federal Court. Labels: AskThePrivacyLawyer, privacy, telemarketing4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.8 - An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
Commissioner's Findings - PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements - April 7, 2005
Saturday, June 07, 2008
Despite the disclaimer on the side of this blog, I often get e-mails from people asking questions about privacy laws and how they affect their own particular circumstances. They are usually from people who are not in a position to pay for legal advice. Often, I get the same basic question (with slight variations) a number of times.
I'm very sympathetic to their circumstances but can't always take the time to provide a full answer. Since there is obviously a need out there, I thought I'd try something new: Ask The Privacy Lawyer. Readers can send me their questions and, assuming it is a question that lends itself to being answered in a public forum, I will post my thoughts on the topic on the blog.
Questions should be sent to ask@privacylawyer.ca or can be left as an anonymous comment to this post. Please try to keep your questions as general as possible and DO NOT NAME ANY PEOPLE, COMPANIES OR ORGANIZATIONS in your query. I will not identify the submitter or anyone else in the response and may edit your e-mail to to make it applicable to a wider audience. Any response will be written to be educational but should not be contrived to be legal advice.
If you are looking to retain a lawyer to assist you with your matter, please e-mail me directly at david.fraser@mcinnescooper.com.
Labels: AskThePrivacyLawyer, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.