Cyber Security Institute

Wednesday, May 26, 2010

C-29: The Anti-Privacy Privacy Bill

Canadian Industry Minister Tony Clement introduced two bills yesterday - the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians’ Personal Information Act (C-29).  The author has spoken positively about C-28, which is long overdue and should receive swift passage.  By contrast, C-29 is a huge disappointment.  The bill is also long overdue, as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.  Just over three years later, the government has introduced a bill that does little for Canadians’ privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes).  The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere.

In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.

The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses.  This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address.  The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools.

The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions.  The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.

The bill creates a new work product exception for the collection, use, and disclosure of information produced by an individual in the course of their employment.

The bill purports to clarify “lawful authority” (i.e. disclosure to a lawful authority without a court order), but as David Fraser notes it really doesn’t clarify much of anything.

Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority.  The organization makes its own determination of whether there is a real risk having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.

By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.

In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices.

Posted on 05/26