Experts are disappointed with the federal government’s proposed changes to the privacy law, with one saying they don’t offer enough protection for personal information held by organizations. However, they are relieved the government has re-introduced its anti-spam legislation largely unchanged.
The proposed Fighting Internet and Wireless Spam Act (FISA, or Bill C-28) and changes to the Personal Information Protection and Electronic Documents Act (PIPEDA, or Bill C-29) were announced by Minister of Industry Tony Clement and Minister of State Denis Lebel on May 25.
Privacy law changes are worrisome
Michael Geist, law professor and Canada Research Chair of Internet and E-commerce Law at the University of Ottawa, refers to PIPEDA as the “anti-privacy privacy” bill. “It’s taken us a long time to get to this point and I think the bill is very discouraging from a privacy perspective,” he said.
The proposed amendments include a number of new exceptions for business and law enforcement, which isn’t surprising, but “the attempt to put a gag order on businesses who disclose information to law enforcement” is highly problematic, he said.
“It’s USA Patriot Act-like in approach,” said Geist. He also finds “the continual push towards encouraging business to disclose personal information without court oversight” concerning.
Geist is also disappointed with the security breach notification provisions. “I think the threshold is very high and I think there are no penalties. The absence of penalties, I think, makes it less likely that we will see full compliance and the high threshold means that even if someone does want to comply, they won’t have to send a notification anyway,” he said.
Toronto-based lawyer and privacy consultant Michael Power finds the PIPEDA amendments “somewhat retrograde” from a privacy perspective and “not good” for three reasons.
One is how they treat lawful authority, especially the ability for organizations to disclose personal information without consent and without a requirement to request that the police indicate their lawful authority, he said.
“They’ve basically said that if the police ask for it, and they are doing so in the course of policing services, then a disclosure is permitted,” said Power.
Second is the gag order, which is similar to the Patriot Act in that businesses are required to disclose the information to law enforcement when it is requested and not allowed to tell the individual involved about it, he said.
“If there is a disclosure without consent, you would expect an organization to be able to tell the person concerned that this had happened … that appears not to be the case under this proposed legislation,” he said.
Third is the “relatively weak” breach notifications, said Power. “It leaves the degree of discretion in the hands of the organization that suffered the breach, but I suspect that over time, the Privacy Commissioner’s office will issue guidance,” he said.
“My gut reaction is that you may see more notifications to the individual when breaches occur, except in the most trivial of cases,” he said. But the breach notification requirements are “very watered down” when compared to breach notification laws in the U.S. or Europe, he added.
But the amendments “do the insurance industry a favour” by saying that personal information can be collected, used and disclosed in the context of insurance claims and witness statements without consent, he said.
Bill C-29 is pro-law enforcement and pro-business, according to Power. The changes are good for organizations wanting to co-operate with the police, he said. “The police don’t have as many hoops to jump through and an organization can disclose information easier,” he said.
The amendments also resolve several employee privacy consent issues and make it easier for organizations to disclose and use personal information in connection with business transactions, he said.
The breach notification provisions give businesses a degree of flexibility in terms of when they need to notify individuals – and the most expensive part of a breach management program tends to be the notification aspects, he pointed out.
The amendments also remove business contact information from the definition of personal information, he said, which means that information found on business cards can be used “more readily than one might normally think.”
Tamir Israel, staff lawyer for the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC), complained that the proposed changes to the federal privacy act weaken rather than strengthen the protection of the private data organizations hold.
“Given the [recent] technological advances, there’s greater and greater capacity for privacy invasion,” he said in an interview. “We were hoping they’d match that with greater privacy protection, but instead of that they’re lowering the bar.”
In particular, the clinic worries about the expanded ability of police to ask businesses for personal information without an individual’s consent for “any type of policing activity” and without a warrant. There’s no obligation for businesses to confirm that the police have valid lawful authority to obtain the information, Israel added.
“It seems potentially limitless,” he complained.
“Private companies have more and more information on people these days. And when they’re allowed to give it away to police just upon request is really problematic. This type of thing [the new amendments] just legitimizes more.”
For example, he said, a U.S. wireless telecommunications carrier has allowed a government agency to automatically request the location of subscribers, which can be achieved through the GPS capability of a handset. The carrier receives 8 million requests a year, Israel said.
On the other hand, the clinic welcomes the proposed new requirement for private and public organizations to notify consumers and the federal privacy commissioner if there has been a breach of private data that could create significant harm.
However, he added, there are no penalties for not alerting customers or the privacy commissioner.
Catherine Swift, president of the Canadian Federation of Independent Business, is cautious about the government’s promises that the proposed changes streamline processes for small and medium businesses.
One provision allows businesses to disclose personal information without consent for private sector investigations and fraud prevention, which gets rid of a regulatory process. Swift agreed that’s a gain.
“We’ll see how the authorities implement these measures,” she said of the proposed changes. The proposed changes to PIPEDA are outlined on Industry Canada’s Web site.
But the anti-spam bill brings relief
FISA is a re-titled and re-introduced version of Bill C-27, which was unanimously passed by the House of Commons in November 2009 but died when Canadian Prime Minister Stephen Harper prorogued Parliament.
Overseen by Industry Canada, the new Bill C-28 would be enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), Competition Bureau Canada and the Office of the Privacy Commissioner.
The proposed bill addresses unsolicited text messages and e-mails. Under the act, the CRTC and Competition Bureau would be able to impose penalties from $750,000 to $1 million per violation for individuals and $10 million to $15 million for businesses.
FISA is largely aimed at deterring spam from taking place in Canada and driving spammers out of the country. The bill also proposes “a private right of action” modeled on U.S. legislation that “would allow consumers and businesses to take civil action against anyone who violates the FISA,” states Industry Canada.
According to Symantec Corp.’s May 2010 MessageLabs Intelligence Report, Canada’s average spam rate is 89.4 per cent of e-mail. This is slightly less than the 90.2 per cent global average, said Matt Sergeant, senior anti-spam technologist at Symantec Hosted Services.
But these figures reflect the amount of spam Canadians are receiving, not the percentage of spam originating from Canada, which is what Bill C-28 is trying to tackle, he pointed out.
The bill is basically designed to make malicious activities, such as harvesting e-mail addresses or sending unsolicited e-mails, illegal for spammers located in Canada, said Sergeant. “As well, it makes sure that legitimate businesses within Canada are following what are already considered best practices,” he said.
Sergeant said FISA will not necessarily impact the amount of spam that Canadians are receiving to their mail systems, but possibly impact what actually gets through to their inboxes. “Most people have a spam filter in place already and they don’t really see the massive amounts of spam that is being blocked by the services that they have in place protecting them,” he said.
E-mails that get past spam filters tend to come from the smaller-scale spammers who aren’t necessarily sending significant volumes of spam but have the time and resources to vary their spam messages significantly, he said.
These spammers are probably not breaking many laws at the moment and are skirting “on the edge of the law,” said Sergeant. “They may be violating PIPEDA, but that’s pretty hard to prosecute against … I think by introducing FISA, those spammers will say, okay, we have to go legitimate or do something with better practices here,” he said.
Geist is very supportive of FISA and finds the bill long overdue. “It has been five years in the making. So I think, frankly, those that have been looking for anti-spam legislation in Canada are just glad to have something there that is credible,” he said.
“Since it roughly mirrors the bill that died with prorogation and that had already been well-vetted and the subject of a considerable amount of reform and compromise, I think it is a bill that should be placed on the fast-track and passed quickly,” he said.
But Geist wouldn’t call FISA perfect. “I think in some ways, some of the very strong provisions have been watered down somewhat from what was first proposed, but I think it was a pretty strong piece of legislation. It is certainly stronger than what we have now,” he said.
Swift said it’s important for the government to get on with it after the bill died when parliament was prorogued in December. But she’s leery that the proposed new spam reporting centre will have to work with the privacy commissioner, CRTC (which oversees Internet carriers) and the federal competition bureau.
“You can have a piece of legislation that’s perfectly fine in principle, but if some regulator goes berserk it can suddenly be a problem, particularly for small businesses that don’t have the resources to deal with it,” she said.
“You’ve got to keep an eye on it to make sure they don’t go overboard,” said Swift.