Remember your privacy? It’s back! in Annual Report form.

mmm deliscious privacy“The Commissioner shall, within three months after the end of each financial year, submit to Parliament a report…” doesn’t sound like the basis for an exciting post on privacy in the modern technological age, yet here we are!

So every year the Privacy Commissioner must, by law, write a report to Parliament. About privacy! What I quoted above is from PIPEDA, the law about privacy and personal information in the public sector. What you may not know is that there is also something called the Privacy Act, which deals with privacy in the public sector (i.e. the federal government and its institutions), and this also has an annual reporting requirement from the very same Privacy Commissioner. It used to be they were separate reports because the timing of the “financial year” was different under PIPEDA and the Privacy Act. But then last year they got Superman to spin the Earth backwards for a bit, which fixed that timing problem. So now we get one giant privacy report to Parliament every year.

And it came out this week! And it’s like 100 pages! And so I got drunk and read it for you. Don’t thank me, it was fun. Because of the drinking.

Here is the title of The Report:

2015-2016 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act

Oh no wait, that’s the boring title, and you knew that part already. Here’s the fun title:

Time to Modernize 20th Century Tools

Yes! Given that the 20th century ended 15-ish years ago, now would be a good time! The Commissioner, Daniel Therrien, who I will undoubtedly refer to as “The Commish” in this blog post, does have a pretty decent, if obvious, point in his introduction:

A key theme of this report is the constant and accelerating pace of technological change and its profound impact on privacy protection. In both the public and private sectors, it’s clear that we need to update the tools available to protect Canadians’ personal information. Not doing so, in my view, risks eroding the trust and confidence citizens have in federal institutions and in the digital economy.

I am not sure that Canadians have that much trust in things already, but whatever. What else does he say in the introduction?

the Internet did not even exist when the Privacy Act was proclaimed in 1983

Well that’s just wrong. Any geek will tell you the internet started as the ARPANET in the 1960s. Hell, even Wikipedia will tell you that. Bad start Commish!

OK enough introducing, what’s in The Report? Well it’s divided into a number of sections and chapters:

Privacy by the numbers
Chapter 1: Privacy Act reform
Chapter 2: C-51 and surveillance
Chapter 3: Consent and the economics of personal information
Chapter 4: Reputation and privacy
Chapter 5: The body as information
Chapter 6: The Year in Review

Am I going to attempt to give you a summary of each of those parts in turn? Apparently.

Privacy by the numbers

There are numbers. Lots of numbers! Well really not that many, because this is just sort of  a snapshot before a crapload of numbers comes later. It’s just a table that summarizes the amounts of complaints and other things that the Office of the Privacy Commissioner (OPC) deals with, like the numbers of laws the Office looked at, how active the Office was on social media (okaaaay, they have 10k+ Twitter followers! hooray!) and other OPC activities. What jumped out at me was that the OPC accepted 1389 complaints under the Privacy Act, but only 381 under PIPEDA. Considering the relative size of the entire public sector in Canada vs. just the Federal government and its institutions, I can only draw one conclusion. People are way more scared of retaliation from companies for complaining than they are from the government. Long live capitalism and democracy!

Chapter 1: Privacy Act reform

Federal institutions are changing and adopting technology at an amazing pace. The Privacy Act has barely changed since it was adopted in 1983. That’s a problem!

But the Commish is on it. There is already some Parliamentary Committee looking to reform the Privacy Act, and the OPC made a giant submission to that Committee. This chapter basically just rehashes that submission. There are 16 specific recommendations under 3 themes – responding to technological change; legislative modernization; and the need for transparency. Yawn. When will this Report get interesting? Actually, here is a nice little tidbit maybe you didn’t know, after describing how in 2012 one measly hard drive was lost:

the Privacy Act does not impose a specific legal obligation on departments to safeguard the personal information they hold

The hard drive had “the personal information of close to 600,000 people who’d participated in the Canada Student Loan program—names, dates of birth, social insurance numbers, addresses, phone numbers and financial information”. OK then! So the Commish recommends the Privacy Act be amended to have the specific legal requirement to safeguard personal information. Good idea. The government is always screwing up. Do you like weed? Uh oh:

In 2013, Health Canada sent letters to more than 41,000 people across the country in windowed envelopes that showed not only the recipient’s name and address, but the fact the letter was from the department’s medical marijuana program.

Ok at least weed is interesting. But this Report better pick it up soon.

Chapter 2: C-51 and surveillance

Hello, sexy interesting topic! National security and privacy – mutually exclusive? Good question!

C-51 created the Security of Canada Information Sharing Act (SCISA), which the Commish has some issues with. The Report then says that the new Liberal government is taking a look at some of the nastier stuff of C-51, so that’s cool. There is a subsection of this Chapter, a review of the first 6 months of SCISA. The conclusion there is that some agencies are sharing information about individuals, but only those who were “suspected of undermining the security of Canada.” Nice and vague. Anyway, the big problem with SCISA was a lack of coherent guidelines about how it should be used, and the documentation that was provided by Public Safety Canada was pretty crappy.

Things get juicy with a metadata discussion. National Defense announced in January 2016 the Communications Security Establishment (CSE) would no longer share metadata with other countries, because before that time, the metadata was giving too much info. The OPC looked into this. They said the CSE should be more careful, and do a Privacy Impact Assessment (PIA) before sharing metadata again. Well maybe this wasn’t so juicy.

Warrantless access! Now we’re talking. The Report talks about R v. Spencer, which I already wrote about back in the day. Point: “It is only in exceptional circumstances that warrantless access is and should be permitted.” Agreed!

Anyway, back to the question – are privacy and national security mutually exclusive?

When it comes to security and privacy, rather than wanting one over the other, Canadians rightly want both. Finding the right balance is absolutely critical because the repercussions can be so serious when that equilibrium shifts too far one way or the other.

How do we find that balance? Minor tweaks to existing laws. Sigh.

Chapter 3: Consent and the economics of personal information

Personal Information is valuable. Indeed! PIPEDA’s cornerstone is consent – you must know why you are giving up your Personal Info, and consent to doing so. But there is a problem:

(PIPEDA) predates smart phones, cloud computing, Facebook, the Internet of Things and so many other information-gathering technologies that are now part of the everyday. It is no longer entirely clear who is processing our data and for what purposes.

The problem is that shit has gotten so complicated, maybe consent is no longer a good principle to base things on. The Report describes several alternatives to consent, but there are problems with all of them.

There is also a problem with the Internet of Things, because usually consumers have no fucking clue that their data is collected there so they can’t really offer their informed consent to the collection and use of such data. The Report offers no solution. OK then!

There are other areas where consent is problematic, which the Report outlines. The OPC:

hope(s) to be in a position to contribute real, concrete solutions and to identify what role individuals, organizations, regulators and legislators need to play if we are to truly help people exercise greater control over their personal information.

Yes, we hope so too!

Chapter 4: Reputation and privacy

Social media is a privacy nightmare. People’s reputations get ruined as a result. No shit. The Report looks at Europe’s awesome Right to be Forgotten, which we don’t have here. Maybe we should.

The Report looks at the Ashley Madison hack, which then led the OPC to investigate. They found that Ashley Madison security sucked, and they weren’t transparent at all about uses of Personal Info collected.

The point of all this?

Immense technological changes in a relatively short period of time have brought about new challenges to regulation, legislation, legal frameworks and individuals

Yes, we know that already.

Chapter 5: The body as information

Your body is a wonderland. And “a whole global industry has arisen that capitalizes on information about the body”. Because this data is especially sensitive, it should be given highest priority. All body information should be anonymous. Genetic testing has massive privacy risks. The OPC is really looking into these issues. Good for them?

Chapter 6: The Year in Review

Well this is almost half of the Report. Am I going to go into detail about what the OPC did all year? Fuck and No. We’re both tired. To the bullet points!

  • Public information and outreach – the OPC did lots of it. Especially to the kidz!
  • Parliamentary activities – the OPC did lots of it. Provided input on lots of bills.
  • Audits – the OPC did, uh, one. On the personal information handling practices of Employment and Social Development Canada (ESDC) for the Old Age Security program. There were “a number of gaps and weaknesses”!
  • Privacy Impact Assessments – they reviewed a few of these that were done by government agencies, like the RCMP, the CRA, and the CFIA. So many acronyms.
  • Investigations – the OPC did lots of them. Not so many under PIPEDA, but man oh man did the government agencies need investigating! My favourite was the investigation into the TV show “Border Security: Canada’s Front Line” which seems to have violated the Privacy Act. The show got canceled as a result!
  • They investigated lots of privacy breaches too, more than usual, because of the the new Digital Privacy Act, aka Bill S-4.
  • International and domestic cooperation – the OPC did lots of it.
  • Intervening in court cases – the OPC did lots of it.

And… we’re done? No wait, Appendices!

Appendices

There are appendices.

So what have we learned from all of this?

There are many many privacy issues out there, only increasing because the pace of technological progress is really increasing. But don’t worry about it, because the Privacy Commissioner and his Office are on it, dude.

Posted in: Privacy
Tagged: , , .

3 Responses to Remember your privacy? It’s back! in Annual Report form.

  1. steve says:

    Spit in the ocean. Since we all use US based email and search engines its really largely irrelevant. The right to be forgotten great. Searches without warrant, must be ticking time bomb stuff. The number one priority should be getting people off facebook:)

  2. steve says:

    If the world knew the most important fact was the big picture we would not need lawyers and as successful as you are you might have had the opportunity to do something useful :) I know you somewhat like mr zimmerman and the whole Nobel prize thing has made me a fan:)
    Regardless in the case of Bob Dlyan Vs intellectual content IMHO he is not a winner, just a nasal wineer. I jest but Woody Woody Guthrie needs more credit before he can be laid to rest.
    Allen do you not love it when I talk to you in a non selfie
    way. I am sure there are billions of intelligent conversations
    going on in the internet today. Yet we only see the stupid ones in public. Casa Bella baby

Leave a Comment

Your email address will not be published. Required fields are marked *