Experts are disappointed with the federal government’s proposed changes to the privacy law, with one saying they don’t offer enough protection for personal information held by organizations. However, they are relieved the government has re-introduced its anti-spam legislation largely unchanged.
The proposed Fighting Internet and Wireless Spam Act (FISA, Bill C-28) and amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA, introduced as Bill C-29) were announced by Minister of Industry Tony Clement and Minister of State Denis Lebel on May 25.
Privacy law changes are worrisome
Michael Geist, law professor and Canada Research Chair of Internet and E-commerce Law at the University of Ottawa, refers to the PIPEDA amendment bill as the “anti-privacy privacy” bill. “It’s taken us a long time to get to this point and I think the bill is very discouraging from a privacy perspective,” he said.
The proposed amendments include a number of new exceptions for business and law enforcement, which isn’t surprising, but “the attempt to put a gag order on businesses who disclose information to law enforcement” is highly problematic, he said.
“It’s USA Patriot Act-like in approach,” said Geist. He also finds “the continual push towards encouraging business to disclose personal information without court oversight” concerning.
Geist is also disappointed with the security breach notification provisions. “I think the threshold is very high and I think there are no penalties. The absence of penalties, I think, makes it less likely that we will see full compliance and the high threshold means that even if someone does want to comply, they won’t have to send a notification anyway,” he said.
Toronto-based lawyer and privacy consultant Michael Power finds the PIPEDA amendments “somewhat retrograde” from a privacy perspective and “not good” for three reasons.
One is how they treat lawful authority, especially the ability for organizations to disclose personal information without consent and without a requirement to ask that the police indicate their lawful authority, he said.
“They’ve basically said that if the police ask for it, and they are doing so in the course of policing services, then a disclosure is permitted,” said Power.
Second is the gag order, which is similar to the Patriot Act in that businesses are required to disclose the information to law enforcement when it is requested and are not allowed to tell the individual involved about it, he said.
“If there is a disclosure without consent, you would expect an organization to be able to tell the person concerned that this had happened … that appears not to be the case under this proposed legislation,” he said.
Third is the “relatively weak” breach notification provisions, said Power. “It leaves the degree of discretion in the hands of the organization that suffered the breach, but I suspect that over time, the Privacy Commissioner’s office will issue guidance,” he said.
“My gut reaction is that you may see more notifications to the individual when breaches occur, except in the most trivial of cases,” he said. But the breach notification requirements are “very watered down” when compared to breach notification laws in the U.S. or Europe, he added.
But the amendments “do the insurance industry a favour” by saying that personal information can be collected, used and disclosed in the context of insurance claims and witness statements without consent, he said.
Bill C-29 is pro-law enforcement and pro-business, according to Power. The changes are good for organizations wanting to co-operate with the police, he said. “The police don’t have as many hoops to jump through and an organization can disclose information more easily,” he said.
The amendments also resolve several employee privacy consent issues and make it easier for organizations to disclose and use personal information in connection with business transactions, he said.
The breach notification provisions give businesses a degree of flexibility in terms of when they need to notify individuals, and the most expensive part of a breach management program tends to be the notification aspects, he pointed out.
The amendments also remove business contact information from the definition of personal information, he said, which means that information found on business cards can be used “more readily than one might normally think.”
Tamir Israel, staff lawyer at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC), complained that the proposed changes to the federal privacy act weaken rather than strengthen the protection of the private data organizations hold.
“Given the [recent] technological advances, there’s greater and greater capacity for privacy invasion,” he said in an interview. “We were hoping they’d match that with greater privacy protection, but instead of that they’re lowering the bar.”
In particular, the clinic worries about the expanded ability of police to ask businesses for personal information, without an individual’s consent and without a warrant, for “any type of policing activity”. There’s no obligation for businesses to confirm that the police have valid lawful authority to obtain the information, Israel added.
“It seems potentially limitless,” he complained.
“Private companies have more and more information on people these days. And when they’re allowed to give it away to police just upon request, [that] is really problematic. This type of thing [the new amendments] just legitimizes more.”
For example, he said, a U.S. wireless telecommunications carrier has allowed a government agency to automatically request the location of subscribers, which can be obtained through the GPS capability of a handset. The carrier receives 8 million such requests a year, Israel said.
On the other hand, the clinic welcomes the proposed new requirement for organizations to notify consumers and the federal privacy commissioner if there has been a breach of private data that could create significant harm.
However, he added, there are no penalties for not alerting customers or the privacy commissioner.
Catherine Swift, president of the Canadian Federation of Independent Business, is cautious about the government’s promises that the proposed changes streamline processes for small and medium businesses.
One provision allows businesses to disclose personal information without consent for private-sector investigations and fraud prevention, which gets rid of a regulatory process. Swift agreed that’s a gain.
“We’ll see how the authorities implement these measures,” she said of the proposed changes. The proposed changes to PIPEDA are outlined on Industry Canada’s Web site.
But the anti-spam bill brings relief
FISA is a re-titled and re-introduced version of Bill C-27, which was unanimously passed by the House of Commons in November 2009 but died when Prime Minister Stephen Harper prorogued Parliament.
Overseen by Industry Canada, the new Bill C-28 would be enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner.
The proposed bill addresses unsolicited text messages and e-mails. Under the act, the CRTC and Competition Bureau would be able to impose penalties of $750,000 to $1 million per violation for individuals and $10 million to $15 million for businesses.
FISA is largely aimed at deterring spam from taking place in Canada and driving spammers out of the country. The bill also proposes “a private right of action” modeled on U.S. legislation that “would allow consumers and businesses to take civil action against anyone who violates the FISA,” states Industry Canada.
According to Symantec Corp.’s May 2010 MessageLabs Intelligence Report, Canada’s average spam rate is 89.4 per cent of e-mail. This is slightly less than the 90.2 per cent global average, said Matt Sergeant, senior anti-spam technologist at Symantec Hosted Services.
But these figures reflect the amount of spam Canadians are receiving, not the percentage of spam originating from Canada, which is what Bill C-28 is trying to tackle, he pointed out.
The bill is basically designed to make malicious activities, such as harvesting e-mail addresses or sending unsolicited e-mails, illegal for spammers located in Canada, said Sergeant. “As well, it makes sure that legitimate businesses within Canada are following what are already considered best practices,” he said.
Sergeant said FISA will not necessarily affect the amount of spam that Canadians are receiving at their mail systems, but may affect what actually gets through to their inboxes. “Most people have a spam filter in place already and they don’t really see the massive amounts of spam that is being blocked by the services that they have in place protecting them,” he said.
E-mails that get past spam filters tend to come from the smaller-scale spammers who aren’t necessarily sending significant volumes of spam but have the time and resources to vary their spam messages significantly, he said.
These spammers are probably not breaking many laws at the moment and are skirting “on the edge of the law,” said Sergeant. “They may be violating PIPEDA, but that’s pretty hard to prosecute against … I think by introducing FISA, those spammers will say, okay, we have to go legitimate or do something with better practices here,” he said.
Geist is very supportive of FISA and finds the bill long overdue. “It has been five years in the making. So I think, frankly, those that have been looking for anti-spam legislation in Canada are just glad to have something there that is credible,” he said.
“Since it roughly mirrors the bill that died with prorogation and that had already been well-vetted and the subject of a considerable amount of reform and compromise, I think it is a bill that should be placed on the fast-track and passed quickly,” he said.
But Geist wouldn’t call FISA perfect. “I think in some ways, some of the very strong provisions have been watered down somewhat from what was first proposed, but I think it was a pretty strong piece of legislation. It is certainly stronger than what we have now,” he said.
Swift said it’s important for the government to get on with it after the bill died when Parliament was prorogued in December. But she’s leery that the proposed new spam reporting centre will have to work with the privacy commissioner, the CRTC (which oversees Internet carriers) and the federal Competition Bureau.
“You can have a piece of legislation that [is] perfectly fine in principle, but if some regulator goes berserk it can suddenly be a problem, particularly for small businesses that don’t have the resources to deal with it,” she said.
“You’ve got to keep an eye on it to make sure they don’t go overboard,” said Swift.