Are search engines subject to PIPEDA? Should they be required to de-index web pages such as when information about an individual is inaccurate, incomplete or outdated, ;or when the linked to information is illegal? Should search engines be subject to a notice and de-indexing or demotion regime? And, should search engines be required to geo-fence to ensure that search results containing personal information about Canadians that violates PIPEDA is not made accessible in Canada regardless of which domain a Canadian searches on? In a Draft OPC Position on Online Reputation released yesterday in response to a public consultation, the answer to each of those questions was YES.
Archive for the ‘Privacy’ category
OPC position on online reputation: search engines must de-index privacy violating personal informationJanuary 27th, 2018
Here are my representations sent to Jill Paterson, Senior Policy Analyst, Digital Policy Branch, Spectrum, Information Technologies and Telecommunications (SITT) Sector, Innovation, Science and Economic Development Canada, CD Howe Building, 235 Queen Street, Room 162D, Ottawa, Ontario K1A 0H5.
These are my representations on the draft Breach of Security Safeguards Regulations published in the Canada Gazette, Part I, August 14, 2017.
I am Barry Sookman, a senior Partner with the law firm McCarthy Tétrault. I am also an Adjunct professor of intellectual property law at Osgoode Hall law School where I teach, among other things, privacy law. My firm acts for clients that have important concerns about the draft Regulations. However, I make these representations solely on my own behalf.
The Federal Court of Canada released a landmark decision finding that the court has the jurisdiction to make an extra-territorial order with world-wide effects against a foreign resident requiring the foreign person to remove documents containing personal information about a Canadian citizen that violates the person’s rights under Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). In A.T. v. Globe24h.com, 2017 FC 114 the Honourable Mr Justice Mosely ordered the individual operator of the website Globe24h.com to remove all Canadian tribunal and court decisions posted on the site that contain personal information and to take all necessary steps to remove the decisions from search engines caches.
Canada’s federal privacy law, PIPEDA, was enacted to be one of our framework laws that would underpin our digital economy. It’s goal was to recognize the privacy rights of individuals and at the same time to recognize the legitimate needs of organizations to collect, use, and disclose personal information. That balance between privacy and uses of personal information for appropriate purposes was underscored by the Supreme Court in a decision released yesterday in Royal Bank of Canada v. Trang 2016 SCC 50. .
Microsoft scored a major victory for the privacy of its cloud computing users yesterday winning a closely watched case against U.S. Government. In Microsoft Corporation v USA (2nd.Cir. Jul. 14, 2016), the U.S. Second Circuit Court of Appeals held that a warrant issued under Section 2703 of the Stored Communications Act (ECA) did not have extra-territorial effect to require U.S. based Microsoft to access and provide the government with user data stored on servers operated by a subsidiary in Dublin Ireland.
I gave my annual presentation today to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covered the period from June 2015 to June 2016. The developments included cases from Canada, the U.S. the U.K., and other Commonwealth countries.
The developments were organized into the broad topics of: Technology Contracting, Online Agreements, Privacy, Online/Intermediary Liability/Responsibility, Copyright, and Trade-marks and Domain names.
The cases referred to are listed below. My slides can be viewed after the case listing. These and many other cases will be added to my 7 volume book on Computer, Internet and E-Commerce Law (1988-2015).
You’re a celebrity and had a threesome. Your partner wasn’t one of them. You want the affair to remain private. You go to a court in England where your family resides and get an interim injunction. It prevents the English press from publishing the tawdry details to protect your privacy and the privacy of your family. The affair becomes widely known in other countries including the US, Canada, and Scotland. The English public finds out about it through foreign web sites. They also find the story when using search engines, even when not looking for it. The English public is incited to access websites where details about the encounter can be found by the tabloids which thrive on selling papers filled with salacious details of sexual encounters. The tabloids create a frenzy working up the public claiming they are being censored when their foreign counterparts are not, then move to set aside the injunction.
The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State. The Court, however, construed the enforcement jurisdiction of supervisory authorities narrowly ruling they do not have the ability to impose penalties on controllers not established in the Member State. The judgment of the Court in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C‑230/14, October 1, 2015 has significant repercussions for EU and non-EU businesses that operate websites that target residents of a Member State and potentially for the territorial reach of the “right to be forgotten”.
Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)October 12th, 2015
On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided. It also invalided Commission Decision 2000/520 which had found that transfers of personal data to the US from the EU provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.