PrivaTalk - August 2001

Volume 1
Issue 7

Federal Privacy Commissioner Criticizes Air Canada’s Opt-out Scheme

Canada's Privacy Commissioner, George Radwanski, has criticized Air Canada for a proposed policy that would allow it to share sensitive financial information about members with its Aeroplan frequent flier program partners using an opt-out scheme.

Air Canada sent a brochure entitled “All About your Privacy” to 30,000 of the airline’s 5 million Aeroplan members. The brochure outlines a new policy in an attempt by Air Canada to be open about its practices and hence comply with the federal Personal Information Protection and Electronic Documents Act, which came into force on January 1, 2001. Under the policy, there are five circumstances under which personal information may be collected and/or disclosed, unless the member expressly indicates to Air Canada that they don’t agree with a certain practice.

Mr. Radwanski had no problem with Air Canada sharing basic mailing information with Aeroplan partners in order to inform members of promotions. However, he did object to the suggestion in the policy that additional information would be sought about Aeroplan members from “additional sources”, most significantly, the collection of financial and credit information. Customers would have to opt out if they did not want Air Canada to collect, use or disclose such personal information from Aeroplan partners.

In his letter to Air Canada, which was made public on the Commissioner’s web site on July 18th, 2001, Mr. Radwanski focused on what a member would routinely expect to happen. He stated, “I would doubt very much that members would expect Air Canada to collect and disclose some of the information suggested in the brochure as part of its routine business practice”.

The Commissioner cited principle 4.3.6, which states that “an organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive”. He also cited principle 4.3.7, where opt-out consent is discussed in the context of a checkbox used to request that information not be shared with other organizations – “Individuals who do not check the box are assumed to consent to the transfer of this information to third parties”.

The financial information that Air Canada proposes to collect would be sensitive information and thus the Commissioner stated, “this type of information would appear to require positive opt-in consent”.

From this reasoning, it is clear that the Commissioner considers opt-out consent to be a form of implied consent, although the legislation does not actually say this. Opt-out consent would only be express consent if every individual consenting is fully aware of the implications of not checking off the box, which is highly unlikely. Thus, the assumption is valid – opt-out consent puts the onus on the consumer to thoroughly read every piece of unsolicited mail delivered to them, and it is clear that this doesn’t happen. Not only may the policy remain unread, but it may not be understood by all Aeroplan members. Being given the option thus becomes meaningless for some – a privacy problem common to all opt-out schemes.

The Commissioner also stated that any privacy advocate would question whether the collection, use and disclosure of this type of information would pass the reasonable person test. That is, the collection, use and disclosure of personal information must be for purposes that a reasonable person would consider appropriate in the circumstances. Here Mr. Radwanski sends a clear message – the reasonable person is the privacy advocate, the person who actively seeks to build a privacy consciousness, indeed, someone like the Commissioner himself. Thus, the reasonable person is not the middle-ground privacy pragmatist who is careful to weigh privacy against other rights and interests. How far towards the privacy fundamentalist end of the spectrum the reasonable person test lies is difficult to tell in this case given that Air Canada’s proposed practices are undoubtedly questionable. What is clear is that the Commissioner is setting the bar for the reasonable person test quite high.

Mr. Radwanski was also troubled by the possibility of a four-month time lag from the time an Aeroplan member refuses to give consent before Air Canada can implement the request to opt-out. This timeframe is completely inappropriate given the sensitivity of the information.

So why would Air Canada want to collect financial information about Aeroplan members anyway? Air Canada’s plans included identifying Aeroplan members with a specific demographic profile, and providing these names to a third party credit reporting agency, such as Equifax Canada Inc. The credit reporting agency could then determine members’ eligibility for specific financial products offered by financial companies that are also Aeroplan partners. According to the plan, Air Canada would then be privy to the credit information and do a mailing on behalf of the financial company.

Air Canada has stopped distribution of the brochures and has agreed not to proceed with the plan to process sensitive financial information pending the outcome of the investigation. The involvement of the Privacy Commissioner in this case should make other companies more aware of the fact that disclosing current and anticipated practices is not a formality that in and of itself ensures the company is compliant with the law. Practices will be scrutinized to ensure that privacy is truly being protected.



First Ruling under the New Canadian Privacy Law – Security Cameras in Yellowknife

The first decision under Canada's new private sector privacy legislation, formerly known as Bill C-6, was made publicly available last month. Centurion Security Systems placed four cameras on the roof of a building and pointed them at the main intersection in Yellowknife. The plan was to eventually get the RCMP to buy in to the idea as an effective method of cracking down on crime. When Centurion claimed that the cameras were capable of picking up voices, angry residents prompted the Information and Privacy Commissioner of the Northwest Territories to file a complaint with the Federal Privacy Commissioner.

Bill C-6 sets out rules for the collection, use and disclosure of personal information by the private sector. When collecting information about an individual, an organization must provide reasons for the collection and get consent. The purposes for the collection must be appropriate as seen from the eyes of a reasonable person. An organization is also obliged to collect no more than is necessary to fulfill its purposes.

The Commissioner found Centurion’s installation of street surveillance cameras unlawful. He stated that both live video pictures as well as recorded video pictures of individuals qualify as "personal information", and as such, cannot be collected or used in the context of a commercial activity without the knowledge and consent of those taped. The surveillance was found to be commercial in nature because it was being done strictly to promote the business of selling security services. The live feed being monitored by Centurion staff was not video or audio taped so the following question arose: Was personal information even being collected? The Commissioner found it was since a camera by its very nature is an instrument that is designed to record. In essence, the Commissioner found that recording the monitoring on film was not necessary – the mere act of monitoring is enough. In fact, the Commissioner argued that this would be the case even if the camera were without film or defective. This reasoning seems problematic – it is not the intention to violate privacy but the actual violation that the privacy legislation is aimed at preventing.

The Commissioner noted, “people have a right to go about their business without feeling that their actions are being systematically observed and monitored”. However, he did note that there may be instances where it is appropriate for public places to be monitored for public safety reasons, but only if there is a demonstrated need.

After the decision was released, an article appeared in The Ottawa Citizen suggesting that a bank robber could walk into a bank and ask that the video camera be turned off because it violates the robber’s privacy rights. Concern was expressed that the Commissioner’s ruling compromises investigations and crime prevention. Mr. Radwanski responded that Bill C-6 is a very thoughtful piece of legislation that draws a careful balance between personal privacy rights and the legitimate information needs of society. Monitoring the private premises of private businesses is quite a different story from the monitoring of public places as in the Centurion case. The Commissioner argued that a customer or criminal who enters premises where signs clearly indicate that information is being collected by security cameras for security purposes (which is reasonable given that banks face a serious threat of robbery) is implicitly consenting to being filmed.

The difficulty with the argument of implied consent is that there is a requirement in s. 4.3.8 of Schedule 1 of the legislation that individuals must be given the opportunity to withdraw consent. Thus, although I may have given implied consent to the surveillance when walking into a bank, that doesn’t mean I have to keep continually consenting. Why can’t I withdraw my consent to being monitored by asking that the cameras be turned off as opposed to leaving the premises?

Video surveillance is often engaged in for the purpose of crime prevention and investigation. Videotapes produced by surveillance cameras in banks and convenience stores provide evidence when a problem arises and is being investigated. What we really need is an exemption to the consent requirement in such circumstances. There is an exemption in Bill C-6 for the use or disclosure of information for the purpose of an “investigation of a contravention of the law that has or is about to be committed”. This exemption may not capture the use of video content from a camera that is turned on 24 hours every day regardless of whether or not a crime is imminent. However, at least an exemption for investigations exists, and it could be interpreted to apply to the bank surveillance situation. However, the exemption is only available for the use and disclosure of personal information. There is no such exemption for the collection of personal information. This discrepancy makes little sense and may have been an oversight in the legislation, one that private investigators are justifiably concerned about.

As video surveillance becomes more and more commonplace, it will be interesting to see what decisions come out of the Commissioner’s office, particularly in the context of surveillance truly engaged in by the private sector for security concerns, and not just for the marketing of security services – will this be considered a “commercial activity”?


Provincial Courts of Appeal Setting Precedents for Privacy Cases

Cases involving privacy complaints are beginning to appear in provincial courts of appeal more frequently as the invasion of privacy becomes a growing concern across the country.

The Quebec Court of Appeal recently heard the case of Srivastava v. Hindu Mission of Canada. The mission’s executive committee had tapped the phone lines due to concerns about thefts at the mission, and a conversation between Srivastava, a volunteer at the mission, and Sharma, the mission’s priest, disclosed what committee members described as a romantic affair. Sharma resigned his post, and then Srivastava and Sharma sued the mission for defamation and for violating their privacy rights under the Quebec charter. The trial judge held that the mission did not violate any privacy rights and rejected the plaintiffs’ defamation claim. However, the Court of Appeal has overturned that decision, and their reasoning seems to mark a new recognition of privacy rights in Quebec employment law that could have repercussions across the country, at least with respect to the monitoring of employees in the workplace.

While the Court of Appeal held that the unreasonable search provision of s. 8 of the Canadian Charter of Rights and Freedoms cannot apply to a private dispute, it found that s. 8 reasoning can apply. The court found that like s. 5 of the Quebec Charter, s. 8 protects the private life of citizens against interference by others – the only difference is that the Canadian Charter only applies to government conduct. Thus, the popular test used under s. 8 of the Canadian Charter (whether the person involved had a reasonable expectation of privacy) could be used in this case. Justice Michel Robert, speaking on behalf of the appeal court, found that Sharma and Srivastava were confidants, and they had a reasonable expectation of privacy in their telephone conversations, given that the conversation was not related to professional matters. The same would be true of any communication that an employer might intercept during workplace monitoring procedures – whether in the form of a note, a memo or an e-mail message. Professional or business communications were specifically distinguished in order to reconcile the 1992 decision of the Quebec Court of Appeal (Roy v. Saulnier) that tapes of an employee’s phone conversations at work were admissible to show that the employee was luring customers away to a new company she had helped set up. The problem with this distinction is that one would not know whether a conversation was professional or personal until privacy has been violated by listening to or recording the conversation in question.

Against the Hindu mission, the court awarded the plaintiffs $10,000 each for violation of their privacy rights. By applying Charter jurisprudence and the test of whether an employee has a “reasonable expectation of privacy”, the Court of Appeal has presented a significant hurdle for employers to get over in order to engage in workplace monitoring. The court did not comment as to whether the burden of proof lies with the employer to show that the employee does not have a reasonable expectation of privacy.

Meanwhile, the Alberta Court of Appeal has released its long-awaited decision in R. v. Weir, upholding the trial judge’s decision. An Internet company was found to be acting legally when it peeked into a client’s e-mail, found child pornography and immediately called the police. The Court of Appeal unanimously rejected the defence argument that the Internet provider had essentially conducted a warrantless search as an agent of the police, and said police actions resulting from the tip were legal. Thus, the 1998 conviction was upheld against Dale Thomas Weir, an Edmonton resident, for possession of child pornography.

The case began in 1996 when Weir complained to his Internet provider that his e-mail service was not functioning properly. In fixing such problems, the provider would sometimes search for e-mails including attachments that are too large to fit in the user's e-mail box. They came across the attachment that appeared to be child pornography, and upon being notified, police officers obtained a search warrant for Weir's home, seized his computer and computer disks, and found the e-mail.

This ruling shakes the high ground that many have argued for Internet privacy, and puts pressure on Internet service providers to report criminal activity. The decision does not seem to open the door to ISPs poking into people’s electronic mail without any cause. The provider stumbled upon the pornography while fixing an e-mail problem. Based on these facts, the reasoning in the decision cannot be extended to apply to random snooping.

It is not clear whether the decision opens the door to ISP liability for not reporting suspicious activity. Many Internet users feel that an ISP should not have the freedom to report suspicious criminal activities. However, each privacy case involves a balancing act with other rights and social interests at stake that is extremely difficult to engage in objectively.

In neither the Quebec nor the Alberta case was prior notification given that telephone or e-mail communications may be examined, and that illegal activity or unacceptable behaviour may be disclosed. Such notification would have definitely put the Mission in a better position. In both cases, a Charter-type question seems to prevail – was the invasion of privacy justified in the circumstances? The competing interest of putting a stop to a perpetrator of child pornography outweighed the privacy interests in the case of R. v. Weir. However, the court did not see the interest of ensuring appropriate conduct among the Mission’s representatives as outweighing privacy rights.

Whether through common law remedies, statutory torts (some provinces have legislation making the invasion of privacy actionable without proof of damages), or through private sector privacy legislation (Quebec is currently the only province with such legislation in place), we will see more and more activity in the provincial courts on the privacy front.


Upcoming Data Protection Laws in Thailand

A law aiming at protecting the personal data of individuals has now been drafted in Thailand and is expected to be finalized this summer. Thailand's Data Protection Law is part of a series of six e-commerce laws that will be considered by the Senate, including a Computer Crime Law, Electronic Data Interchange Law, Digital Signature Law, Electronic Funds Transfer Law and Universal Access Law. The six laws are intended to serve as an infrastructure for doing electronic commerce and enhancing confidence among consumers engaging in electronic transactions.

The Thai law is based on data protection laws used in the European Union, New Zealand and Hong Kong, and outlines eight privacy principles:
- Personal data may only be collected when the owner of the data consents to the collection.
- The data must be accurate and up-to-date.
- The collector must state the purpose of collection prior to collecting the data.
- Data can only be used for the purposes for which it was collected.
- Data must be kept secure.
- Individuals have a right to check and correct the data.
- Individuals have the right to deny permission to keep the data (withdrawal of consent).
- Punishment is provided if data is misused.

Rules for the disclosure of personal data to third parties seem to be missing from the list of privacy principles, although disclosure could be interpreted as a use of the data. Also, there does not seem to be a general principle that requires organizations to be open about their data-handling practices. Openness is more of a procedural privacy issue though, as opposed to a substantive issue about privacy protection. It makes good business sense for an organization to let their customers know that they are taking steps to protect personal data and comply with the law, but being open, regardless of whether it is a required privacy principle or not, is a step apart from the actual protection of personal data.

A number of issues are still being worked through. For example, the drafting team has not yet reached agreement on whether data should be separated into less sensitive and more sensitive types. Also, the team has not yet finalized a suitable format for the data protection committee, which must be set up according to the draft law. One idea is to have a government regulatory body while another is to have some form of self-regulation, where the private sector operates without government intervention. A court also needs to be selected to hear legal cases that may arise as a result of a violation of the law.

The Thai government sees the Data Protection Law as providing protection for the general public by preventing the misuse of information while still giving rights to data owners. The initiative puts Thailand at the forefront of privacy protection in South East Asia.


Monitoring E-mail and Internet Use in the Workplace

A new study by the Privacy Foundation found that nearly one-third of the 40 million employees in the United States using e-mail or the Internet on the job are being regularly monitored. The study also found that roughly 100 million employees worldwide, or about 27 percent, are monitored.

The study was based on financial reports from companies that sell software designed to help employers monitor on-line activities. It doesn't account for any monitoring using customized software or procedures. Researchers adjusted the number of users reported by the software companies to account for purchasers who did not report a number. This methodology found that 15 percent of U.S. employees with Internet access are subject to systematic, technology-assisted monitoring of their e-mail, and 19 percent of their Internet use. These two figures could be put together to conclude that about 30 percent of employees with Internet access are systematically monitored. The Privacy Foundation acknowledges that this is a rough estimate, because there is no way of knowing to what degree the two groups overlap.

Researchers then matched the number of employees monitored with publicly available company revenues to come up with a cost-per-user figure. The Privacy Foundation estimates worldwide sales of employee surveillance software at $140 million per year – roughly $5.25 a year per monitored employee. The Foundation found that the dropping cost of surveillance software is the primary reason for its increasingly widespread use.

Employers have often cited concerns such as employee productivity or liability for sexual harassment as the reasons for monitoring their employees. There are other considerations as well. For example, in order for trade secrets to be considered secret, companies must try to keep them from being disclosed. Attempts to protect intellectual property alone account for a great deal of e-mail monitoring.

The problem with the study is that it does not take into account that some employers buy surveillance software products not to monitor individual employees but to determine trends in Internet usage. Popular software packages, like Websense and Surfcontrol, can be used for blocking adult and gambling sites without logging surfing habits. Although some engage in actively monitoring specific individuals based on suspicions that have come to the employer’s attention, some large companies do not want to spend a great deal of time looking at reports about patterns of use for individual employees. However, there is the desire to minimize improper use among employees generally.

Employers have the right to monitor use of their equipment and resources, but some companies go too far. A company needs to think through why it monitors, and needs to make serious efforts to warn employees ahead of time. The Federal Privacy Commissioner has made it clear that he expects monitoring to occur for some valid reason or suspicion, but would not find spontaneous, unfounded surveillance acceptable. Too often, the warnings are buried in an employee handbook – this is not adequate notice. Ideally, a user would be reminded that the employer is monitoring their on-line activities with a notification screen every time they log in.

Schulman, who heads up the Privacy Foundation's Workplace Surveillance Project, contends that his survey presents a more reliable representation of the state of workplace monitoring than have previous studies on the same topic. Reviewing the public records of the companies that sell monitoring software provides more conservative figures than those produced by poll-driven studies, some of which, such as those conducted by the American Management Association (AMA), indicated that as many as three-fourths of all U.S. employers engage in some form of electronic monitoring.

The AMA drew its conclusions based on surveys it sent to the human resources departments of its members, which are mostly Fortune 500 companies. Any company that did any monitoring of e-mail, voice mail or computer files – including spot checks conducted randomly or in response to specific complaints – was marked down as a "monitoring" company. The Privacy Foundation has attempted to assess systematic monitoring to give employees a more accurate sense of the likelihood they're being watched at work. It is important to note, though, that random checks have gotten employees fired before.

Although employee monitoring in the workplace has become commonplace, surveillance in any form that is not accompanied by detailed and clear policies, giving employees reasonable notice, is less and less likely to be tolerated.


High-tech Cameras put Privacy at Stake

High-tech surveillance cameras and face recognition technology are beginning to appear in a variety of contexts. They are accompanied by privacy concerns that have been gradually intensifying in the public and the media. Security cameras in banks and department stores have been the norm for some time – but there are other new and less obvious uses of surveillance technology that are beginning to surface.

In the United States, Food Service Solutions Inc. has tapped into face and voice recognition technology by offering to install web cameras in school cafeterias. Students will be able to position themselves in front of the camera (attached to a computer monitor), say their name or any chosen word, have the computer immediately identify the student and have the meals deducted from their accounts. To enroll, the student looks at the camera and says his or her name three times for verification. Food Service Solutions plans to expand the use of its technology to the library and for taking attendance.

Voice recognition technology in this context keeps pass cards from being forgotten, stolen or lost and also remedies the problem of students giving out their PINs. The software measures speed, direction and flow as an individual speaks, and takes a number of points around the face to measure how they move.

An interesting use of regular surveillance cameras in Britain will soon make it possible to predict crime on the streets. Researchers at Sussex University studied 10,000 excerpts from CCTV footage and found a number of signals in criminal behaviour, which indicated when offenders were about to commit a crime. For example, car thieves tended to walk erratically and look in directions irrelevant to their path of travel, and an aggressive walk involving static arms at the sides and long purposeful strides usually preceded violence. The team is now seeking funding to develop software to continue their work. Privacy concerns about intelligent cameras are about the only thing standing in their way.

A new crime-fighting camera system has been installed in the nightlife district of Tampa, Florida that scans faces to patrol crowds. A computer program linked to 36 surveillance cameras compares the characteristics of people’s faces against a database of mug shots of people wanted by the police. A similar system was set up during the Super Bowl in January and received much criticism from privacy advocates. Tampa is the first U.S. city to install such a system along public streets.

Surely face-recognition technology is a powerful tool that can assist in maximizing public safety. But be it public safety, a replacement for access cards, or any other use, the interests served by the installation of face or voice recognition technology, or simple surveillance cameras, must outweigh the right to privacy in order for the surveillance to be justified. Thus, random surveillance without any basis or reason for concern must be avoided.

Cameras at intersections are used in various cities around the world to catch drivers as they speed through red lights. In San Diego, California, red-light cameras have been challenged as being an unconstitutional use of police power because the program is designed to bring in revenue, not enhance safety. Malfunctioning sensors (that are embedded in the asphalt and trigger the photograph) and the fact that tickets are almost impossible for the average person to fight have made the system difficult to defend in San Diego.

Surveillance by public authorities, including police forces, is not covered under the new private sector privacy law in Canada. However, the Federal Privacy Commissioner is investigating a complaint about the use of surveillance cameras in a public place by the RCMP under the Privacy Act, which covers public sector bodies. As the expanding surveillance world and privacy world collide, a balance will become increasingly tricky to achieve.