PrivaTalk - July 2003
Volume 3
Issue 7
B.C. Supreme Court Throws Out Kelowna Video Surveillance Case
The B.C. Supreme Court recently tossed out a lawsuit brought by the federal privacy commissioner over an RCMP surveillance camera in Kelowna, B.C.
Commissioner George Radwanski argued the camera trained on a downtown park in the Okanagan city violated people’s right to privacy. In rejecting the suit, Justice Robert Metzger ruled that Radwanski had no legal jurisdiction to file such an action. The judge agreed with a federal lawyer who had argued Radwanski’s authority as commissioner allows him to investigate issues and report to Parliament, but not to take a case before the courts.
The Kelowna RCMP said it will accordingly continue to use video surveillance in the city. Radwanski’s legal challenge has had no effect on the RCMP’s plans. The camera has been operating for a couple of years but RCMP agreed not to record anything on videotape unless there was suspicious activity. Kelowna’s mayor has supported use of the camera, saying it helps discourage crime. He earlier accused Radwanski of blowing the issue out of proportion.
B.C. Privacy Commissioner David Loukidelis, who filed the original complaint, says he’s disappointed with the court decision, stating that police forces should not be using video surveillance unless it’s a last resort where other law enforcement means have been shown not to work.
It’s a decision that the Vancouver Police Department has been waiting for. It will now resume use of its surveillance cameras set up on streets in the city’s troubled Downtown Eastside.
This case suggests that the Privacy Commissioner’s powers are extremely limited with respect to public sector complaints. Without the ability to take matters to court, the only way to force change is if the Attorney General commences a prosecution – this is likely to be a rare occurrence. When it comes to the private sector, it is clear that under the Personal Information Protection and Electronic Documents Act, the Commissioner does indeed have the power to take matters to the Federal Court. The strength of that power will become clearer as we see more privacy court decisions over the next few years.
Change of Federal Privacy Commissioner could mean Starting from Scratch
A committee of MPs recently delivered a sweeping and unprecedented indictment of former privacy commissioner George Radwanski, accusing him of financial abuses, creating a “culture of intimidation” for his employees, and not meeting the required standard of honesty.
Although Mr. Radwanski resigned in advance of the committee’s scheduled release of its report, the committee still took pains to note that it would have recommended Parliament fire him, and opened its report which focused primarily on allegations that the former commissioner altered documents and provided false explanations for the changes, and misrepresented his expense claims, all of which Radwanski denies.
In one sense, the committee’s investigation is not over: It will look into whether Mr. Radwanski or any of his officials should be cited for contempt of Parliament, alleging they misled the committee.
In addition, the committee said it would study how parliamentary officers like the privacy commissioner are appointed, remarking that the government apparently did not note that Mr. Radwanski had just settled a $557,436 tax debt for $62,726 when he was appointed.
The apparent lack of due diligence concerning Mr. Radwanski’s relationship with the Canada Customs and Revenue Agency, suggested by recent reports in the media, may point to deeper issues.
Prime Minister Jean Chrétien has appointed Robert Marleau, a former clerk of the House of Commons, to replace Mr. Radwanski on a temporary basis.
So what does all this mean for the privacy rights of Canadians and the privacy obligations on businesses? It is clear that Radwanski took a very hard-nosed approach with respect to his interpretations of the private sector privacy legislation. His viewpoints on the limited use that can be made of implied and opt-out consent have left many organizations bewildered and unclear as to how they can implement privacy protections adequately, in the Commissioner’s view, without running their businesses into the ground. Bruce Phillips, Radwanski’s predecessor, took a much more business-friendly and pragmatic approach.
It is unclear what direction Marleau will take. He clearly has a steep privacy learning curve. Once oriented to his new position, he may indeed adopt a completely new approach that will, to a large extent, make Radwanski’s previous decisions meaningless. As we watch for Marleau’s decisions, it will be interesting to see what precedential value Radwanski’s decisions will have, and whether businesses can rely on his interpretations as we move closer to 2004.
New Brunswick Court Ruling against ISPs Weakens Privacy of E-mail
A recent New Brunswick Court of Queen’s Bench decision could forever change the way we regard e-mail, particularly the degree to which companies have the right to track correspondence concerning their operation. The case involved Loblaws, which discovered that someone obtained confidential payroll information for a number of senior managers and then sent an e-mail to employees with the details. The company traced the source of the e-mails to an account with Aliant Telecom, which provides telephone and Internet service across Atlantic Canada. After a brief hearing, the ISP was forced to give all information concerning the account to the grocery store giant.
Clearly, e-mail accounts are not nearly as private as many people believe. The case is one of the first of its kind in Canada. In the past, a request for e-mail account information has come in the criminal context. But as lawyers get more and more comfortable with the idea of dealing with electronic evidence, I think we’re going to see it come up more and more in the civil context.
New York-based Verizon Communications Inc., the largest phone company in the United States, was recently forced to give a record industry trade group the names of on-line subscribers accused of illegally copying music over the Internet.
Verizon has been locked in a prolonged legal battle with the Recording Industry Association of America over access to millions of Internet account holders who download music. The industry group argues it requires only a subpoena from a U.S. federal court clerk to gain access to the accounts. Verizon argues that is too easy and is open to abuse. But so far, the courts have sided with the recording industry.
The Loblaws and Verizon cases demonstrate a new trend in access to on-line accounts.
If other companies follow Loblaws’ lead, the ISPs may be required to undergo significant infrastructure upgrades to store the necessary traffic over an extended period of time. It’s a notion already under debate within Industry Canada, which is mulling legislation nicknamed “Lawful Access” to help out law enforcement organizations. Spokespeople for that industry have already pointed out the possible misuse of data which can be seen by any of an ISP’s employees, and the costs associated with managing those records.
A consultation period for Lawful Access only recently ended, and there will no doubt be further wrangling before we learn how much of a role ISPs will take in the surveillance of criminal activities. Until that’s clear, there is no good reason for ISPs to give corporations the privilege of obtaining private e-mail account information for civil or criminal matters in Canada without getting them to first obtain a court order.
U.K. Data Protection Act Seen Insufficient to Deal with Privacy
The U.K. Human Rights Act, which came into force in October 2000, laid the foundation for a privacy law by incorporating the European convention on human rights into English law. Even before the act, the judges, accepting that ministers had no appetite to legislate for a right of privacy, had begun developing a new privacy right by building, through case law, on the existing law of breach of confidence.
The Law Lords called on the government to reconsider its position and bring forward legislative proposals to clarify the protection that individuals can expect from unwarranted intrusion by anyone - not the press alone - into their private lives. The obligations under the European convention on human rights are satisfied if UK judges can ensure that individuals are guaranteed respect for “private and family life” and a remedy if the right is ignored. Germany has developed a strong privacy law through the courts, as had France until 1970, when a law was enacted which provided simply that “each person has the right to have his privacy respected”.
A series of celebrity cases have established that the courts will prevent publication of any private information obtained in circumstances where a reasonable person would think the information should be treated as private.
A Select Committee of the House of Commons has recommended a general privacy law which will work alongside the privacy provisions of the Data Protection Act 1998 and which will cover intrusions of privacy by the media. When challenged as to why the Committee had not taken account of the Data Protection Act, with its general principles of information privacy, an inexpensive complaints procedure and a regulator (the Information Commissioner), the Chair of the Committee, Gerald Kaufman, responded that the Act was not the proper vehicle and has many limitations.
He cited the case of a constituent who had his telephone stolen. When it was retrieved, and when he asked for the numbers which had been used by the thief while the thief had possession of his telephone, he was told he could not be given that information because of the Data Protection Act. Mr Kaufman added that this was evidence “of how stupid the Act is”. (Cite: Out-Law.com (UK), June 16, 2003).
The influential Commons culture committee has also urged ministers to bring in legislation to curb intrusion into people’s private lives but within minutes of its report being published, the government dismissed the idea, arguing better self-regulation was the answer.
Although legislation based on public consultation and debate would be better than case-by-case development of the right to privacy, without a statute, the Courts will indeed develop that right to privacy that the Data Protection Act can’t seem to adequately address in a balanced fashion.
Study of Corporate Privacy Practices Reveals Shortfalls in Privacy Compliance
While a vast majority of U.S. and Canadian corporations have privacy policies to document how they collect, use, share and protect personal information about customers, consumers and employees, more than half report that these privacy policies may be too difficult for the average person to understand. Further, many privacy professionals believe they don’t have the resources to achieve their organization’s privacy compliance objectives.
These are some of the findings of the 2003 Benchmark Study of Corporate Privacy Practices Report recently released by the International Association of Privacy Professionals (IAPP), based in Philadelphia. Unisys Corporation sponsored the survey.
Based on the survey’s findings, it appears that most companies are putting their resources into privacy policy development, employee communications and regulatory compliance monitoring. Areas that are getting the least attention include having a formal process for responding to a privacy complaint and having programs to measure and monitor the effectiveness of an organization’s privacy and data protection activities. Ignoring these important aspects of a privacy program can, however, make organizations vulnerable to a privacy breach.
The benchmark survey, sent to more than 1,000 IAPP member organizations, was taken from 55 of 107 completed responses. The 55 selected responses were chosen from responses from organizations with more than 5,000 employees. The survey had a response rate of more than 10 percent and a sampling rate of more than 5 percent.
The survey's goal was to answer four basic questions:
- What are companies doing to ensure compliance with new privacy regulations?
- Are there common strategies among leading companies to ensure reasonable protection of personal information?
- What vulnerabilities exist with regard to personal data and privacy protection?
- Do privacy protection practices vary across industry sectors?
The study’s report includes a number of interesting findings related to corporate privacy policy and implementation, including:
- While 98 percent of companies report having privacy policies in place, 52 percent feel their policies may be too difficult for most people to understand;
- 92 percent of companies have a process to inform their employees of their corporate privacy policy, but only 53 percent have mandatory training;
- 52 percent of companies report inadequate resources for privacy management;
- Only 36 percent believe privacy is important to corporate brand or image; and,
- Only 19 percent of respondents report using privacy-enabling technologies.
This survey illustrates the gulf that exists between planning and implementation, and the need within organizations for privacy professionals who can manage the new and complex realm of privacy compliance. Companies understand the importance of being compliant with privacy laws, but reveal that they are unsure of how to actually put their policies into effect.
The 2003 Benchmark Study of Corporate Privacy Practices Report drew most heavily from the financial services (17 percent), health and pharmaceuticals (16 percent), manufacturing (16 percent), and consumer products (13 percent) industries. Other industries represented include retail, telecommunications, automotive and transportation, and technology.
ICANN Discusses Whois Data Privacy
At the Internet Corporation for Assigned Names and Numbers' (ICANN) meeting that recently took place in Montreal, a task force was formed to review the privacy issues surrounding the management of the Whois database, and the technical solutions for improving privacy protection. This is the first time the Internet Corporation for Assigned Names and Numbers met in Canada. About 525 people from industry, government and academia attended the five-day event.
Essentially, the Whois is a database of contact information about domain name registrants. It is accessed through the websites of registrars or registries, as well as through technical means by the registrars and registries, themselves. The current structure of Whois allows for variations among different registries (the operators that maintain the list of available domain names within their extension), and registrars (the organisations, such as Register.com, that maintain contact with the registrant, such as invoicing and client service, and act as the technical interface to the registry on the registrant’s behalf).
Over the last couple of years there has been a debate within ICANN and among other interested parties over the accessibility of Whois information, with intellectual property owners on one side arguing for all registrars to provide full Whois details all of the time, and those who want to restrict such information in the name of privacy on the other side. Full and accessible Whois details are important to IP owners for monitoring trademark infringements and to determine whether a particular registrant has developed a pattern of cybersquatting activities. Consumers have become more concerned about privacy from a number of different aspects, ranging from the annoyance of spam to the misleading and sometimes fraudulent emails sent out by those who mine the Whois contacts, as well as the occasional case of the stalker accessing victims’ phones and addresses through the Whois.
Whilst national and international authorities such as the European Commission and Nominet (the registry operator for .uk) have become increasingly vigilant about online privacy, the Whois requirements for gTLDs still lag behind. In response, there has been an increase in identity proxy solutions offered by registrars, whereby a registrant’s details within the Whois may be disguised. Large corporations also use this technique, for example when registering new websites for forthcoming product launches or re-branding exercises.
These solutions are no doubt useful, but they are not the ultimate answer. Long-term solutions that do not impinge on privacy, but also increase accuracy, are required. Among those proposed, a good interim solution might be to provide ‘tiered access’, whereby different sets of requestors are allowed access into different sets of data. For example, most requestors may be allowed to see very limited Whois data, whereas authorized users, such as vetted IP interests, are allowed to see it all. Additionally, registrants might be provided with a report of who asked for their data, when, and for what purpose. This would additionally allow registrants to protect themselves from unwarranted infringement.
The broad interest in Whois, particularly privacy protection, has prompted a policy development process, the first step of which was for ICANN’s counsel to write a report regarding the issues and processes surrounding Whois and privacy. The Generic Names Supporting Organization (GNSO) Council reviewed the report and voted to launch a task force. The goal of the process is to flesh out the experiences and interests of the relevant stakeholders – providers, users, and consumers – and arrive at a technical and policy solution that balances these interests and concerns.
