emerging privacy issues and regulatory challenges chantal bernier 2015

Emerging Privacy Issues: The Impact on the Regulatory Framework Ottawa Haifa Law Course 30 April 2015 1

Upload: dentons

Post on 15-Jul-2015


Category:

Law



TRANSCRIPT

Page 1: Emerging privacy issues and regulatory challenges    chantal bernier 2015

Emerging Privacy Issues: The Impact on the Regulatory Framework

Ottawa – Haifa Law Course

30 April 2015


Overview

Five case studies:

1. Body Worn Cameras (BWCs): Where is the line between transparency and privacy?

2. Cybersecurity: In the face of incessant, sophisticated attacks, what are organisations’ safeguard obligations?

3. Cybercrime: how do we effectively fight crime in cyberspace without breaching privacy in cyberspace?

4. Online Behavioural Advertising: does Internet access entail reduced privacy expectations?

5. Data analytics and the Ebola crisis: when does public interest justify intrusion upon privacy?

05 May 2015 2


Method

• Consideration of the facts to determine existence, extent and legitimacy of privacy intrusion

• Identification of privacy issues to assess legitimacy of intrusion

• Necessity and/or consent

• Proportionality/reasonableness

• Effectiveness

• Absence of a less intrusive alternative

• Even where intrusion is legitimate, it requires safeguards

• Appropriate according to sensitivity of the information

• Subject to internal compliance mechanisms

• Under external oversight and/or effective remedies

• Regulation Strategies


The case of BWCs


The facts

• BWCs have become the go-to “solution”, for example:

• London 2011 police shooting and riots: London police piloting BWCs

• Toronto 2013 shooting on a streetcar: calls for BWCs

• North Charleston 2015 police shooting captured on video: Mayor orders all police officers to wear BWCs

• Assessments, anecdotal or statistical, are consistent on pros and cons:

• Reduction in police complaints (Rialto City: 88%)

• Improvement of police and citizen behaviour (OPC Guidelines on BWCs)

• Reduction in police use of force (Rialto City: 60%)

• Thorny but surmountable privacy issues (American Civil Liberties Union: March 2015)


Privacy Issues

• Legitimacy:

• Are BWCs necessary in every context?

• Is there cogent data to show they are effective?

• To remain strictly proportionate to the effects sought, how should their use be governed?

• Safeguards

• According to what criteria is footage retained and for how long?

• How is it kept secure physically, electronically and administratively?

• Who gets to see the footage?

• Internal compliance

• By whom and how is compliance verified?

• What is the oversight role of police boards and the remedy of citizens?


Regulation strategies

• Former Supreme Court of Canada Justice Frank Iacobucci on BWCs in Toronto: yes, if

• Use is transparent and evident to all

• De-activation is possible to avoid unnecessary intrusion

• Footage is destroyed as soon as no longer relevant

• Storage is secure

• Use and disclosure are strictly limited

• This entails

• Public and individual notification

• Clear destruction schedule

• Immediate destruction of non-incident footage

• High physical, technological and administrative safeguards in view of sensitivity


The case of cybersecurity


The Facts

• 97% of American companies experienced a breach in 2014

FireEye Breach Investigations Reports

• Hackers spend an average 229 days on a company’s system

International Cyber-Security Protection Alliance, December 2014

• The Carbanak example:

• Intrusion since 2013

• 100 major banking entities in Russia, US, Germany, China and the UK

• Through spear-phishing emails, decrypting codes and executing a back-door named Carbanak

Kaspersky Report, Carbanak APT, The Great Bank Robbery, February 2015


Privacy issues

• What is the scope of the duty to safeguard?

• According to the sensitivity of the organisation

• Through measures of protection

• Physical

• Organisational

• Technological

• E.g.: 2014 Sony Entertainment hacking

• Do cyber-security vulnerabilities impact reasonable expectations of privacy?

• E.g.: 2014 celebrity photos hacking

• Do they impact organisational accountability?

• E.g.: Target settlement for data breach


Regulatory strategies

• Focus on accountability rather than occurrence:

• Did the organisation implement all available physical, technological and administrative safeguards in relation to the sensitivity of the information?

• Apply a calibrated approach from softer to harder compliance action:

• Breach shows no safeguard lapse and harm is negligible: no action

• Breach shows minor safeguard lapse and some but reparable harm: discussion with the organisation, early resolution

• Breach shows significant safeguard lapse and/or harm: investigation

• Breach shows severe safeguard lapse and/or harm: public investigation report

• Harm includes moral harm and erosion of democracy

• Safeguards include both preventative measures and breach response


The case of cybercrime


The Facts

• One of the most rapidly expanding crimes, while conventional crime declines, due to:

• Lucrative nature

• Easy access

• Low risk from anonymity and virtual space

• International Centre for the Prevention of Crime, 2014

• Taking advantage of expanding territory: currently 2.3B use the Internet; 5B projected in 2017

• International Communications Union, 2012

• Internet use has blurred the boundaries of national security

• OPC Special Report to Parliament of January 2014


Privacy Issues

• Is personal information on a public platform still protected as private?

• What is the expectation of privacy?

• Is the information public or private?

• Is an IP address, or the Basic Subscriber Information behind it, personal, or just the equivalent of a phone book, albeit in the absence of an Internet address book?

• Can we violate the privacy of the perpetrator to protect the privacy of the victim?

• How far can public authorities use, for their own purposes, personal information provided to private organisations for other purposes?


Regulatory strategies

• OPC on Government monitoring of Facebook accounts, 2013:

• Definition of personal information does not change

• Even on social media consent to disclosure is to specific addressees

• Recommended guidance in Special Report to Parliament of January 2014

• R v. Spencer S.C.C. 2014 on privacy on the Internet

• The test for protection is not just what information but what it reveals

• IP and BSI are highly revealing

• Therefore it is personal and even sensitive – accessible only through lawful authority

• Protecting Canadians Online Act, S.C. 2014

• Intruding upon the privacy and civil liberties of the perpetrator to protect the victim

• Applying the legitimacy test


The case of Online Behavioural Advertising

• Screen shot of online ads


The Facts

• Over 90% of Google revenues come from ads

• Millions of advertisers bid on auctions, in nanoseconds, to send billions of ads

• 3 types of ads:

• Random: just popping up by chance

• Contextual: attached to a website

• Behavioural: attached to the online activity of the user

• Behavioural advertising is nearly 3 times more lucrative than non-targeted ads

• Behavioural advertising uses personal information

• Personal information has become a commodity and advertising a business model?


Privacy Issues

• Does service based on use of personal information reduce privacy expectations?

• If advertising is a business model, is it a primary or secondary purpose of collection of personal information?

• What level of consent is necessary for behavioural advertising?

• What types of measures are needed to ensure meaningful consent?

• Are all types of personal information fair game for behavioural advertising?

• What types of safeguards are necessary?


Regulatory strategies

• A business model exclusively based on advertising means that users should expect advertising in return for access

• OPC Report of Findings, Facebook 2009

• OPC Report of Findings, Bell Canada, 2015

• Advertising, even as a business model, is a secondary purpose thus subject to conditions on

• Type of Consent - OPC, Bell Canada, 2015

• Meaningful consent - OPC, Google OBA, 2014

• Types of information - OPC, Report of Findings, Nexopia, 2012; OPC, Google OBA, 2014

• Proper safeguards - OPC Research on Web leakage, 2013; OPC, Google OBA, 2014


The case of data analytics in the public interest


The Facts

• Public health surveillance can serve crucial public interests

• E.g.: Cell data collection to counter H1N1 spread in Mexico 2011

• Public health surveillance is the continuous systematic collection, analysis and interpretation of health care related data for public health practice

• Data can be aggregate or individual

• If individual, it can be

• Anonymous

• Pseudonymous

• Eponymous

• Data can include personal health records, contact tracking and contact information


Privacy Issues

• Do patients have a duty to disclose?

• How can consent be meaningful in the circumstances?

• What information-sharing is allowed

• Across borders?

• Between organizations?

• What safeguards apply?

• When does information become anonymous?

Chantal Bernier, Liane Fong and Tim Banks, Pandemics in a Connected World: Integrating Privacy with Public Health Surveillance, New Brunswick Law Journal, 2015


Regulatory Strategies

• On disclosure

• In Canada, no general rule, but criminal cases on non-disclosure in the context of sexually transmitted diseases, and the Quarantine Act requires disclosure at the border

• In Liberia, it is a crime to wilfully infect another person

• On consent

• Unnecessary where necessity is scientifically demonstrated but necessary for re-purposing subject to consent

• On cross-border and cross-organization sharing

• Based on necessity and limited by proportionality

• Safeguards

• Appropriate access controls and technological protections

• Effective anonymization (UK, ICO Guidelines on Anonymisation)


And much more…

• What do you see as the great privacy dilemmas for regulators?
