
Canadian Privacy Compliance: Time for your Online Checkup

In a previous post on online behavioural advertising (OBA), we wrote about the Office of the Privacy Commissioner’s “call to action” to stakeholders in the advertising industry on OBA, and we discussed the industry’s response to that call: self-regulation.

2012 – Call to Action: the Privacy Commissioner’s Expectations 

In its 2012 Policy Position on Online Behavioural Advertising, the Office of the Privacy Commissioner (OPC) stated that it “may” be acceptable to rely on implied or opt-out consent when tracking and targeting individuals for OBA purposes, “provided that”:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

2013 – Industry Response: Self-Regulation

In response, the industry developed and launched the Canadian Self-Regulatory Program for Online Behavioural Advertising (the “Ad Choices program”), an initiative tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The initiative is led by the Digital Advertising Alliance of Canada (DAAC), and is monitored and administered by the non-profit industry body Advertising Standards Canada (ASC). A growing number of brands and media companies have registered for the program.

We noted in our previous post that the OPC would no doubt be watching to see whether and how industry self-regulation meets its expectations under PIPEDA and its OBA guidelines.  We also noted, however, that the self-regulatory solution was not designed to cover all OBA activities.  For example, certain types of activities are expressly excluded from the Ad Choices program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

Ongoing OPC Guidelines, Investigations and “Sweeps”

The OPC is not staying on the sidelines – it continues to take a keen interest in OBA and online consent more broadly.  For example, in January 2014, the OPC found that Google ads triggered by web surfing on health sites violated privacy rights.  As a result, Google committed to several measures, including closer monitoring of potential violations by advertisers.  In May 2014, the federal, British Columbia and Alberta Privacy Commissioners issued new guidelines for online consent, calling for transparent and dynamic privacy notices, and greater protections for personal information belonging to children and youth.

In 2015, the OPC is investigating websites visited by Canadians for compliance with OBA requirements.

The OPC has in past years conducted investigation and enforcement “sweeps”.  In 2013, the OPC led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.  The sweep targeted privacy policies, and the OPC published the initial results of its investigations under the headings “The Good, the Bad, and the Ugly”. In 2014, the OPC again participated in the GPEN Sweep, investigating the transparency of privacy practices for 151 mobile apps that were made in Canada or frequently downloaded by Canadians.  The Results of the 2014 Global Privacy Enforcement Network Sweep are an overall, anonymous mobile app “report card”, ranking transparency to users, ease of access/reading on the small screen, and whether privacy information is available before download.

An OPC “report card” on OBA is expected to be released sometime in the Spring.

 

In the news:  see the recent Globe & Mail article “Watchdog to study ‘privacy compliance’ among Canadian advertisers” 

 


Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):


Canada’s Anti-Spam Law – not just for Canadians

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1. It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada”.

Are you outside Canada? It’s important to know that this law reaches beyond Canada’s borders. CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada.

As we described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada. That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions. The MOU among the Canadian CASL enforcement agencies (see also our earlier post) similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies.

In a speech yesterday, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders”. The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list. The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well.

Companies that are working on their CASL compliance programs should take note of the CRTC’s recently published Anti-Spam Compliance and Enforcement Guidelines. A very helpful summary by Tim Banks, with a link to the Guidelines, is available here.


Copyright v. Privacy: Voltage Pictures LLC v. John Doe and Jane Doe

The recent Federal Court of Canada decision in Voltage Pictures LLC v. John Doe and Jane Doe (2014 FC 161) has already received considerable attention for its approach to deterring so-called “copyright trolls”: plaintiffs with “improper motives” who file multitudes of infringement lawsuits to extort quick settlements.  While less headline-worthy, the decision is also important for its practical approach to weighing copyright against privacy rights.  The central question was: are individuals who are suspected of engaging in illegal P2P downloading entitled to expect that their ISP will shield their identity from the copyright owner?

In the result, the Court ordered Ontario-based ISP TekSavvy to disclose the names and addresses of some 2,000 subscribers suspected of unauthorized copying and sharing of Voltage’s movies, including The Hurt Locker.  To arrive at this result, the Court had to balance two competing rights that are sometimes considered to be “proprietary” by those who assert them:  copyright and privacy.

The Court’s legal balancing act engaged provisions of the Copyright Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).  On the copyright side, the provisions at issue were sections 35 and 38, which the Court characterized as “a complete code for the recovery of damages for copyright infringement”.  Under the 2012 amendments to the Copyright Act, statutory damages for infringement range from $100 to $5000.  On the privacy side, the Court considered subsection 7(3) of PIPEDA, which (among other things) permits an organization to disclose personal information without knowledge or consent where the disclosure is required to comply with a court order or otherwise required by law.

The Court addressed the issues in two parts.  First, it determined that the plaintiff Voltage had established a bona fide claim, and that enforcement of its rights as a copyright holder outweighed the privacy interests of the subscribers.  Second, the Court considered how to ensure that privacy rights would be “invaded” as little as possible in the circumstances.  To do this, the Court considered case law in the United Kingdom and the United States.  One of the Court’s observations was that

[w]ith respect to privacy concerns, the cases in both jurisdictions suggest that such issues are of secondary importance as the law generally does not shield wrongdoing for reasons of privacy.

The Court concluded that it should give consideration to principles gleaned from Canadian cases, notably, the P2P file-sharing case BMG Canada Inc. v. Doe (2005 FCA 193), as well as cases from the U.S. and UK:

to weigh and balance the privacy rights of potentially innocent users of the internet versus the right of copyright holders to enforce their rights.  The Court ought to balance these rights in assessing the remedy to be granted.

Having determined that an order would be made to obtain subscriber contact information, the Court “built in” important qualifications “to protect or minimize the invasion of the privacy interests of internet users”.  Therefore, the order provides that:

  • disclosure is limited to the names and addresses associated with IP numbers (and not telephone numbers or email addresses);
  • the released information will remain confidential and may be used only in connection with the claims in the present action; and
  • the plaintiff may not disclose any of the information obtained to the general public by making or issuing a media statement.

For an interesting counterpoint on the balance between disclosure and privacy for ISP subscribers, see also our earlier post, The Fake Facebook Profile and the Veiled Victim.


How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:

CRTC: spamming, traffic rerouting (altering transmission data without authorization);  malware (installation of “computer programs” without consent)

Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)

Office of the Privacy Commissioner: harvesting (using a computer system to collect addresses without consent); invasion of privacy (unauthorized access to a computer system to collect personal information without consent).

On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC regarding the implementation of their mandates under CASL.  The MOU is dated October 22, 2013.

Nature of the MOU

The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states.  The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task.  For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas.  The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.

While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities.  Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.

Notification

Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that “may potentially affect” the others’ interests under CASL.

Enforcement Cooperation, Coordination and Information Sharing

The agencies will consult with each other, and may share information related to their enforcement activities.  Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another.  The agencies will also coordinate involvement in information requests and arrangements with foreign agencies.  Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.

Criminal Law Enforcement by the Commissioner of Competition

The Commissioner of Competition has authority under CASL to pursue enforcement activities under CASL’s criminal provisions.  Under the MOU, the Commissioner is to notify the other agencies where a decision has been made on that front.  That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.

Competing interests and Confidentiality

The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act.  This extends to sharing information.  Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”.  The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.

Conclusion

The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.
