Tag: Privacy

OPC consultation on artificial intelligence: my submission to the consultationOPC consultation on artificial intelligence: my submission to the consultation



Here is my submission to the OPC consultation.

______________________________________________

Thank you for the opportunity to provide input into the OPC’s consultation on artificial intelligence (AI) as it relates specifically to the Personal Information Protection and Electronic Documents Act (PIPEDA).

By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. As part of my privacy practice, I regularly advise clients on privacy issues. I also teach privacy at Osgoode Hall Law School as part of an intellectual property law course.

OPC position on online reputation: search engines must de-index privacy violating personal informationOPC position on online reputation: search engines must de-index privacy violating personal information



Are search engines subject to PIPEDA? Should they be required to de-index web pages such as when information about an individual is inaccurate, incomplete or outdated, ;or when the linked to information is illegal? Should search engines be subject to a notice and de-indexing or demotion regime? And, should search engines be required to geo-fence to ensure that search results containing personal information about Canadians that violates PIPEDA  is not made accessible in Canada regardless of which domain a Canadian searches on?

PIPEDA privacy law given business friendly interpretation by Supreme Court: RBC v TrangPIPEDA privacy law given business friendly interpretation by Supreme Court: RBC v Trang



Canada’s federal privacy law, PIPEDA, was enacted to be one of our framework laws that would underpin our digital economy. It’s goal was to recognize the privacy rights of individuals and at the same time to recognize the legitimate needs of organizations to collect, use, and disclose personal information. That balance between privacy and  uses of personal information for appropriate purposes was underscored by the Supreme Court in a decision released yesterday in Royal Bank of Canada v. Trang 2016 SCC 50.  

Long arm of EU privacy law: CJEU judgment in Weltimmo v HatóságLong arm of EU privacy law: CJEU judgment in Weltimmo v Hatóság



The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State.

Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)



On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided.

Schrems brings down EU-US safe harbourSchrems brings down EU-US safe harbour



EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.

Cell phone searches legal say SCOC: R v FearonCell phone searches legal say SCOC: R v Fearon



A divided Supreme Court ruled that individuals cannot be secure that their most personal information will be protected from warrantless searches when arrested. In a 4 to 3 ruling, in R v Fearon, the Court held that if a person is lawfully arrested, a search is conducted that is incidental to the arrest, the search is tailored to its purpose, and the police take detailed notes, police may search the person’s cell phone.

The three dissenting judges wrote a powerful defence of privacy rights that recognized the invasions of privacy that could result from warrantless searches of cell phones,.

Digital Privacy Act: Important work still to be done by the INDU CommitteeDigital Privacy Act: Important work still to be done by the INDU Committee



The Digital Privacy Act (Bill S-4) will make significant changes to Canadian privacy law when it is enacted. The amendments to PIPEDA have been in the making since 2007 following the statutory review of PIPEDA by the Standing Committee on Access to Information, Privacy and Ethics. The Bill has passed the Senate and was referred to the Standing Committee on Industry, Science and Technology. The INDU Committee will begin considering the Bill on November 25, 2014.

The Government of Canada Backgrounder says that “Canada’s Digital Privacy Act provides important improvements to Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA)” and that it “will ensure that Canadians are safer and more secure when they surf the web or shop online”.

Internet users’ privacy and anonymity protected by Supreme Court: R v SpencerInternet users’ privacy and anonymity protected by Supreme Court: R v Spencer



Earlier today, the Supreme Court released a landmark decision dealing with privacy on the Internet. The main issue in R v Spencer 2014 SCC 43 was whether a user of the Internet has a reasonable expectation of privacy in his or her basic subscriber information held by the user’s ISP that prevents the police from obtaining this information from the ISP without a warrant or court order. Prior to the decision some courts had ruled that ISPs could turn over subscriber contact details associated with the person’s IP address to police without  a warrant or court order.

Google must comply with EU data protection laws including the right to be forgotten: Google v AEPDGoogle must comply with EU data protection laws including the right to be forgotten: Google v AEPD



In a bombshell opinion released earlier today, the CJEU ruled that Google Inc. is subject to EU data protection laws even where its servers are located outside of the EU. The Court ruled that when Google spiders the web and indexes the globe’s data, it is a processor with respect to personal information and a controller of such information. In the case before the Court, this meant that Google was required to de-index links to personal information, even though the information was accurate and without any showing that making the information available was prejudical to the data subject.