CRTC partners with global agencies to enforce spam and telemarketing rules

David Elder - 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced that it has signed a memorandum of understanding with 10 domestic and global enforcement agencies to aid in the enforcement of spam and telemarketing laws.  However, while the announcement is certainly a step in the right direction, many of the countries that produce the most spam were not at the table.

The agreement is intended to promote cooperation between the various enforcement agencies, and includes commitments by each signatory to share information and intelligence regarding unsolicited communications, where permitted by the laws of its jurisdiction.  

For its part, in Canada, s. 60 of Canada’s Anti-Spam Legislation permits the government, the CRTC, the Office of the Privacy Commissioner of Canada (OPC) and the Commissioner of Competition to share information with foreign governments and agencies with respect to investigations and enforcement activities relating to foreign laws that address conduct that is substantially similar to conduct prohibited under Canadian laws regulating unsolicited telecommunications and commercial electronic messages.

In addition to the involvement of the CRTC and the OPC, the memorandum was signed by 9 international agencies, from the U.S., Australia, the Netherlands, the UK, Korea, New Zealand and South Africa.

Each of the signatories to the new MOU is a member of the “London Action Plan” (LAP), a global organization created to promote international spam enforcement cooperation and address spam-related problems, such as online fraud and deception, phishing, and dissemination of viruses.

Interestingly, while all signatories are members of the LAP, not all LAP members have signed on to this latest memorandum -- in fact, only about one third of LAP members have signed on.  More significantly, absent from the list of signatories are regulatory agencies from 8 of the Top 10 Worst Spam Countries, as compiled by the Spamhaus Project, an international organization that tracks spammers and spam-related activity.

The CRTC has previously entered into similar agreements with the Commissioner of Competition and the OPC, and most recently, announced the signing of an agreement with the U.S. Federal Trade Commission and Federal Communications Commission respecting mutual assistance in the enforcement of laws on commercial email and telemarketing.

Enforcement agencies, including the CRTC, face many challenges in investigating and enforcing unsolicited communications laws where the alleged perpetrators operate from outside of Canada, necessarily requiring the cooperation of local regulatory and enforcement authorities.  Some feel that as a result, CRTC enforcement activity disproportionately focuses on known and legitimate domestic companies, many of whom are trying to comply with the rules, rather than on rogue international operators, whose campaigns often have fraudulent objectives.

Hopefully, these new information and intelligence sharing arrangements will assist somewhat with the CRTC’s international enforcement challenge, although the effectiveness of the initiative will be frustrated by the absence of a majority of the biggest spam-producing countries.

No dice: Supreme Court declares Alberta privacy law unconstitutional in Palace Casino case

David Elder -

In a landmark ruling, the Supreme Court of Canada has declared Alberta’s Personal Information Protection Act (PIPA) to be invalid in its entirety, finding that it infringes the freedom of expression guaranteed by the Canadian Charter of Rights and Freedoms by limiting the ability of labour unions to videotape and photograph individuals crossing a picket line.

The declaration of invalidity is suspended for a period of 12 months to give the legislature time to decide how best to make the law constitutional. In light of the “comprehensive and integrated structure” of the law, the Court decided to strike PIPA down in its entirety, rather than declare as invalid particular provisions.

The Court’s ruling was made in the case of Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, which is commonly referenced as the “Palace Casino” case, as the case arose in the context of a labour dispute between the management and employees of an Edmonton casino of that name.

As we noted in a previous post, the case considered complaints made by individuals who were videotaped by the union as they crossed the picket line in front of the casino.  Like other Canadian private sector privacy laws, Alberta’s PIPA generally requires the consent of individuals for the collection, use and disclosure of their personal information, including videotaped images of identifiable individuals.  The union, which did not obtain such consent, videotaped and photographed the picket lines in order to publicize the images of individuals crossing the lines.  An Adjudicator for the Information and Privacy Commissioner of Alberta found that the union had contravened the Act, and ordered the union to stop such collection and destroy any personal information obtained in breach of the Act.

The judgement focuses in particular on the breadth of PIPA, which the Court found limits the non-consensual collection, use and disclosure of personal information without regard for the nature of the information, or the purpose or context for its collection, use or disclosure. It is this approach, which the court found “deems virtually all personal information to be protected regardless of context,” which resulted in a finding of a Charter violation, since PIPA excludes any mechanisms by which a union’s constitutional right to freedom of expression may be balanced with the privacy interests protected by the Act.

Moreover, the Court noted that picketing represents a particularly crucial form of expression, and that the restrictions imposed by the statute impaired the ability of the union to communicate with and persuade the public, one of its most effective bargaining strategies in the course of a lawful strike. As a result, the Court found that the infringement of the freedom of expression was not justified under s. 1 of the Charter.

The ruling will have significant implications for other private sector privacy laws in Canada, and particularly for the existing provincial privacy laws in British Columbia, Québec and Manitoba (although the latter is not yet in force). Implications for the federal law, the Personal Information Protection and Electronic Documents Act, which applies in the remaining provinces, are less clear, since the federal law applies to the collection of personal information from the public only in the course of commercial activities, which would not appear to include the activities of a union during a labour dispute.

Manitobans get new privacy law, but no one to complain to

David Elder and Bessie Qu -

Nearly a decade after British Columbia and Alberta enacted their own private sector privacy laws, Manitoba’s Legislative Assembly recently passed the Personal Information Protection and Identity Theft Prevention Act (PIPITPA or the Act), a privacy statute governing the private sector in that province.

The Act, which has yet to be proclaimed in force, will apply to the collection, use and disclosure of personal information by organizations carrying on commercial activities in Manitoba, and will govern the handling of both consumer and employee information. While much of the Act is modeled after Alberta’s Personal Information Protection Act (PIPA), several differences are worth noting:

Oversight – strangely, unlike the other federal and provincial private sector privacy laws, which are administered and enforced by their respective privacy commissioners, the new Manitoba law does not establish a privacy commissioner’s office to oversee the bill. Moreover, it lacks any sort of complaint mechanism by which individuals might file complaints relating to non-compliance with the Act (although the Act gives limited procedural powers to the province's Ombudsman, an existing office that otherwise investigates and reports on general complaints with respect to the operation of government). This odd structure is apparently due to the fact that the law originated as a private member’s bill, which, under legislative rules, could not contain provisions that would have placed additional financial obligations on the government.

Private right of action - the Act provides individuals a statutory right of action to claim damages arising out of failure to safeguard personal information or to provide notification of a privacy breach. Unlike the private sector privacy statutes in Alberta and British Columbia, the Manitoba law does not make its private right of action conditional on a finding by the regulator of a violation of the statute; rather, aggrieved individuals can directly bring an action, without any oversight or involvement whatsoever by the Ombudsman. The statute does not explicitly indicate whether the damages available through such an action would include moral damages or damages for non-pecuniary losses, although this has certainly been the case in other jurisdictions. Given the lack of a complaint mechanism or the requirement that the Ombudsman make a finding of non-compliance before an action for damages may be initiated, the enforcement of the Act may largely be driven by private litigation, and could serve to encourage the filing of class action suits for privacy breaches in Manitoba.  Although the Act does provide that non-compliance with the key requirements of the Act constitutes an offence carrying fines of up to $100,000 for businesses, it seems unlikely that scarce Crown resources would be directed at the investigation and prosecution of any but the most egregious of privacy violations.

Breach notification - one of the other distinguishing features of the Act is the breach notification provision, which requires organizations to notify affected individuals directly, instead of notifying a regulator, if their personal information has been stolen, lost or accessed in an unauthorized manner. Notice is not required where a law enforcement agency investigating the breach instructs the organization to not disclose the breach or where the organization itself is satisfied that it is not reasonably possible for the information to be used unlawfully. Unlike Alberta’s PIPA, the Act does not contain a harm threshold for triggering the notification requirement, which suggests that all breaches can potentially trigger notification.

The handling of personal information by private sector organizations in Manitoba is currently governed by the federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information in the course of commercial activity, but does not apply to the handling of employee data by most employers in the province, as PIPEDA applies only to employee personal information that is handled by federally regulated organizations. The new Manitoba law would introduce a privacy framework for the handling of employee personal information.

PIPEDA will continue to apply - even after PIPITPA is proclaimed in force - until the Governor in Council is satisfied that the Manitoba law is substantially similar to Part 1 of PIPEDA. However, without a complaint mechanism, it remains to be seen whether PIPITPA, in its current form, would be considered “substantially similar” to the federal law, raising the possibility that Manitoba organizations might be faced with complying with two overlapping privacy laws. To avoid this possibility, the Government of Manitoba could introduce a bill amending PIPITPA so as to introduce a complaint mechanism and clarify an oversight role.

New privacy bill would require breach notification, allow Commissioner to make orders

David Elder -

In an apparent attempt to apply pressure to the government to amend the federal private sector privacy law, New Democrat Digital Issues Critic Charmaine Borg recently introduced a private member’s bill that would introduce mandatory data breach reporting and provide the Privacy Commissioner of Canada with direct enforcement powers.

The government’s own bill to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in September of 2011, but Bill C-12, as the bill is known, has not moved forward since that time. 

The New Democrat bill, known as C-475, differs from C-12 in several important ways.

First, C-475 would require that organizations report data breaches to the Privacy Commissioner, who would then determine whether the organization would be required to notify affected individuals (although organizations would not be precluded from providing such notice).   By contrast, Bill C-12 includes a provision that would require organizations to report data breaches to the Privacy Commissioner, as well as to notify affected individuals in certain circumstances.

Bill C-475 also contemplates what appear to be lower standards for the types of breaches that require reporting, or with respect to which the Privacy Commissioner may require notification of affected individuals, likely resulting in more reports and notifications than under the government bill. 

In this regard, Bill C-12 requires organizations to report material breaches of security safeguards involving personal information; Bill C-475 requires organizations to notify the Privacy Commissioner where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the breach. With respect to notification of affected individuals, Bill C-12 would require organizations to notify an individual where it is reasonable to conclude that the breach creates a real risk of significant harm to the individual; Bill C-475 would provide that the Privacy Commissioner may require an organization to notify affected individuals to whom there is “an appreciable risk of harm” as a result of the breach.

Bill C-475 would also provide the Privacy Commissioner with new enforcement powers respecting compliance with PIPEDA as a whole, including the ability to issue orders requiring organizations to take corrective action to come into compliance with the law and to publish notices of any such action taken or proposed to be taken. The Bill would also provide the Privacy Commissioner with the ability to seek from the Federal Court penalties of up to $500,000 against organizations that do not comply with orders issued by the Commissioner. 

The Bill would also create a private right of action whereby individuals affected by any violation of PIPEDA that was made the subject of a Privacy Commissioner order may seek damages for losses suffered as a result of the non-compliance.

At the same time, the New Democrat bill omits several important business-friendly reforms contained in the government bill, including a clearer and more expansive carve out for business contact information and a prospective business transaction exception that would allow businesses to disclose personal information without consent in the context of certain transactions, including mergers, acquisitions and financing.

A number says a thousand words: Data Privacy Day 2012

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently issued a press release warning consumers that new technology has the potential to build individually detailed profiles based on IP addresses, social insurance numbers and even license plates. Her comments highlight a growing trend: the anonymity of personal information is becoming increasingly scarce, especially for online consumers.

The Commissioner’s comments are timely considering that Data Privacy Day is January 28, 2012, a day when awareness of online privacy and data protection is brought to the forefront. Recognized in Canada, the United States and most of Europe, Data Privacy Day is organized by the National Cyber Security Alliance, which seeks to educate the general public about data privacy and to encourage dialogue about data protection among consumers, businesses and governments.