Canadian Bills Propose Security Breach Notification Requirements and Anti-Spam Regulations

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA.  The centerpiece of the bill is a new disclosure provision for security breaches related to personal information.  Key elements in the security breach notification proposal include:

  • Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
  • A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
  • Notification would have to be made “as soon as feasible” to individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
  • A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

In addition, the bill proposes other amendments to PIPEDA, including changes related to protecting the privacy of minors and other vulnerable individuals online.

Bill C-28, the anti-spam legislation, is a re-titled and re-introduced version of Bill C-27, which was unanimously passed by the House of Commons in November 2009, but died when Prime Minister Stephen Harper prorogued Parliament.  FISA is largely aimed at deterring spam email from being sent or received in Canada, and at driving spammers out of the country.  The bill also proposes “a private right of action” modeled on U.S. legislation that “would allow consumers and businesses to take civil action against anyone who violates the FISA” according to Industry Canada.  FISA establishes a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce, and features a technology-neutral approach that would treat all forms of commercial electronic messages, including text messages, equally.

Both bills must go through a number of specific stages in the House of Commons and the Senate before they can be approved and become law.

International Data Protection Authorities Scold Google Over Privacy Concerns

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter was highly critical of Google’s launch of its social networking service, Google Buzz, in February of this year.  As launched, Buzz automatically set users up to follow the people they emailed most often through Gmail, Google’s web-based email service, and made that list of contacts public by default.  Critics argued that Google had exposed personal information to the public without seeking users’ permission.  Google responded to the outcry by revising Buzz to let users control who can see their contact lists.

The regulators further questioned whether Google adequately examines privacy issues prior to launching products.  The letter stated that “it is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise.  Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

The letter calls on Google to set an example for others to follow, requesting that Google incorporate fundamental privacy principles directly into the design of new online services.  This would include policies such as:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected; and
  • giving people simple procedures for deleting their accounts and honoring their requests in a timely way.

In closing, the authorities stated that they would like a response from Google, “indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products.”

In addition to publishing the letter, the signatories held a press conference on April 20, 2010, to discuss the issue further.  Below are some highlights from the press conference.

  • The data protection authorities noted that Buzz was not an isolated case, and that Google is not the only company to have engaged in this kind of practice.  They said they are looking to Google to be a leader going forward by incorporating the above-listed principles from the beginning rather than waiting to respond to complaints.
  • They recommended that “privacy by design” processes be incorporated throughout the life cycle of a product or service, from the design and development stages through marketing and sales.
  • They emphasized the fact that, while the Internet is global, privacy enforcement is local, and signaled that they plan to act jointly in the future to further fundamental international privacy values.

The full text of the letter can be found on the Canadian Privacy Commissioner’s website.

Alberta Privacy Commissioner Concerned about Court of Appeal Decision

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.  In the case, the Court held that the Commissioner has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) once the statutory time limit has expired.  Further, if the Commissioner extends the time for an inquiry before the limit expires, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”

In the news release, Commissioner Work expressed concern that, as a result of the Court of Appeal decision, many Albertans “will lose the privacy remedies they thought they received in response to their complaints.”  In addition, the decision “simply creates another avenue of judicial review” and “[f]or the poor applicant or complainant, all you are making them do is start all over again.”  The news release indicates that Commissioner Work will seek leave to appeal the decision to the Supreme Court of Canada.  The Commissioner also will request that the Legislative Assembly of Alberta amend PIPA to address the issues raised by the decision.

UK Airports Implement Compulsory Use of Full Body Scanners

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening follows the attempted Christmas Day 2009 terrorist attack on a flight landing in Detroit in the United States, after which the British government announced that it would introduce mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

The British Department for Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners.  The Code calls for detailed security standards and for an effective privacy policy to be put in place by airport operators.  The privacy policy should include as a minimum:

  • rules regarding the location of the equipment;
  • a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
  • a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
  • a prohibition on copying or transferring the images in any way;
  • instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
  • a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago.  The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children.  Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study.  This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission.  Neither a report nor any specific legislative proposals has yet been published.
 
The use of scanners has been discussed previously in France and Germany.  In France, the proposal was dropped due to privacy concerns.  The German Data Protection Commission has indicated it believes the machines infringe on the privacy of both adults and children, but the German news outlet Spiegel Online recently suggested that the machines may yet be installed in German airports following tests by Germany’s federal police.

Meanwhile, in a Canadian report published in March 2009, the Ontario Privacy Commissioner, Dr. Ann Cavoukian, endorsed the use of the screening technology, commenting that as long as the scanners “incorporate strong privacy filters … [they] can deliver privacy-protective security.”
 
The British Department for Transport will continue to develop the Interim Code of Practice.  The Department has announced that it will launch a full public consultation on the requirements for the use of scanners set out in the Interim Code of Practice, and that it will publish a Final Code of Practice later in the year.  In the meantime, it is likely that additional airports in the UK and elsewhere in Europe will subject travelers to full body scans.

Canadian Privacy Commissioner Investigates Facebook

Following a public complaint, the Privacy Commissioner of Canada announced a new investigation into Facebook on January 27, 2010.  The investigation concerns the social networking site’s introduction, in December 2009, of a tool that required users to review their privacy settings.  The complaint alleges that Facebook’s new default settings made some users’ information more accessible than it had been before.  Elizabeth Denham, the Assistant Privacy Commissioner, said that “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices.  The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity.  The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.  

For further information, please see the Office of the Privacy Commissioner's News Release.

British Columbia Information and Privacy Commissioner Resigns

On January 19, 2010, Information and Privacy Commissioner David Loukidelis resigned to accept the post of Deputy Attorney General of British Columbia.  Mr. Paul Fraser, the Conflict of Interest Commissioner, has been named interim Commissioner.  The appointment of a permanent successor is expected in the spring when the British Columbia legislature reconvenes.  
 
Commissioner Loukidelis’ letter of resignation is available on the Commissioner’s website.

Privacy Commissioner of Canada Announces Public Consultations on Emerging Technologies

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation and written submissions by interested parties are due by March 15, 2010.  For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

Trilateral Committee Meets to Discuss Potential Privacy Law in Mexico

On February 4, 2009, the Trilateral Committee on Transborder Data Flows met in Mexico City.  The committee is comprised of representatives from the Canadian, Mexican and U.S. governments and is part of the Security and Prosperity Partnership of North America.  The Trilateral Committee invited representatives from the private sector to give testimony on current and potential impediments to the free flow of personal data in North America.

The main theme for this meeting was potential federal privacy legislation in Mexico and whether it would be consistent with the regulatory approach already in place in Canada and the United States regarding transborder data flows.  Most of the companies present testified on the proposed federal privacy legislation and how it would affect data transfers to and from Mexico.  Currently there are seven different privacy bills active in the Mexican federal legislature, two of which are considered the front-runners at this time.  The first is based on the Spanish data protection act and includes European data protection mechanisms such as requiring companies to register databases and restricting the flow of personal data from Mexico to countries with inadequate data protection.  Generally, there was great concern that this bill is inconsistent with the accountability approach taken in Canada and the United States.

The second bill is based on the OECD Privacy Guidelines and APEC Privacy Framework and requires organizations to hold themselves accountable when transferring personal data outside of Mexico.  This requirement is consistent with the regulatory approaches taken by Canada and the United States.  Consistency is a stated goal for the Trilateral Committee. 

Privacy legislation has been debated in Mexico for some time, with the European and APEC approaches in stalemate.  While it is difficult to determine precisely what the Mexican privacy law will look like or when it will appear, there are signs suggesting such a law will be passed in this session.  Given the strong ties between the Mexican, Canadian and U.S. economies and the possibility of European-style restrictions on transborder data flows, this is a topic certain to garner considerable attention as the Mexican legislative process continues.