Emerging Privacy Issues:
The Impact on the
Regulatory Framework
Ottawa – Haifa Law Course
30 April 2015
1
Overview
Five case studies:
1. Body Worn Cameras (BWCs): Where is the line between transparency
and privacy?
2. Cybersecurity: In the face of incessant, sophisticated attacks, what are
organisations’ safeguard obligations?
3. Cybercrime: how do we effectively fight crime in cyberspace without
breaching privacy in cyberspace?
4. Online Behavioural Advertising: does Internet access entail reduced
privacy expectations?
5. Data analytics and the Ebola crisis: when does public interest justify
intrusion upon privacy?
05 May 2015 2
Method
• Consideration of the facts to determine existence, extent and legitimacy
of privacy intrusion
• Identification of privacy issues to assess legitimacy of intrusion
• Necessity and/or consent
• Proportionality/reasonableness
• Effectiveness
• Absence of a less intrusive alternative
• Even where intrusion is legitimate, it requires safeguards
• Appropriate according to sensitivity of the information
• Subject to internal compliance mechanisms
• Under external oversight and/or effective remedies
• Regulation Strategies
05 May 2015 3
The case of BWCs
05 May 2015 4
The facts
• BWCs have become the go-to “solution”: for example:
• London 2011 police shooting and riots: London police piloting BWCs
• Toronto 2013 shooting on a streetcar: calls for BWCs
• North Charleston 2015 police shooting captured on video: Mayor orders all
police officers to wear BWCs
• Assessments, anecdotal or statistical, are consistent on pros and cons:
• Reduction in police complaints (Rialto City: 88%)
• Improvement of police and citizen behaviour (OPC Guidelines on BWCs)
• Reduction in police use of force: (Rialto City: 60%)
• Thorny but surmountable privacy issues (American Civil Liberties Union:
March 2015)
05 May 2015 5
Privacy Issues
• Legitimacy:
• Are BWCs necessary in every context?
• Is there cogent data to show they are effective?
• To remain strictly proportionate to the effects sought, how should their use be
governed?
• Safeguards
• According to what criteria is footage retained and for how long?
• How is it kept secure physically, electronically and administratively?
• Who gets to see the footage?
• Internal compliance
• By whom and how is compliance verified?
• What is the oversight role of police boards and the remedy of citizens?
05 May 2015 6
Regulation strategies
• Former Supreme Court of Canada Justice Frank Iacobucci on BWCs in
Toronto: yes, if
• Use is transparent and evident to all
• De-activation is possible to avoid unnecessary intrusion
• Footage is destroyed as soon as no longer relevant
• Storage is secure
• Use and disclosure are strictly limited
• This entails
• Public and individual notification
• Clear destruction schedule
• Immediate destruction of non-incident footage
• High physical, technological and administrative safeguards in view of
sensitivity
05 May 2015 7
The case of cybersecurity
05 May 2015 8
The Facts
• 97% of American companies experienced a breach in 2014
FireEye Breach Investigations Reports
• Hackers spend an average 229 days on a company’s system
International Cyber-Security Protection Alliance, December 2014
• The Carbanak example:
• Intrusion since 2013
• 100 major banking entities in Russia, US, Germany, China and the UK
• Through spear-fishing emails, decrypting codes and executing a back-door
named Carbanak
Kaspersky Report, Carbanak APT, The Great Bank Robbery, February 2015
05 May 2015 9
Privacy issues
• What is the scope of the duty to safeguard?
• According to the sensitivity of the organisation
• Through measures of protection
• Physical
• Organisational
• Technological
• For e.g.: 2014 Sony Entertainment hacking
• Do cyber-security vulnerabilities impact reasonable expectations of
privacy?
• For e.g.: 2014 Celebrities photos hacking .
• Do they impact organisational accountability?
• For e.g.: Target settlement for data breach
05 May 2015 10
Regulatory strategies
• Focus on accountability rather than occurrence:
• Did the organisation implement all available physical, technological and
administrative safeguards in relation to the sensitivity of the information?
• Apply a calibrated approach from softer to harder compliance action:
• Breach shows no safeguards lapse and harm is negligible: no action
• Breach shows minor safeguard lapse and some but reparable harm: discussion
with the organisation, early-resolution
• Breach shows significant safeguard lapse and/or harm: investigation
• Breach shows severe safeguard lapse and/or harm: public investigation report
• Harm includes moral harm and erosion of democracy
• Safeguards include both preventative measures and breach response
05 May 2015 11
The case of cybercrime
05 May 2015 12
The Facts
• One of the most rapidly expanding crimes while decline in conventional
crime due to:
• Lucrative nature
• Easy access
• Low risk from anonymity and virtual space
• International Centre for the Prevention of Crime, 2014
• Taking advantage of expanding territory: currently 2.3B use the Internet;
5B projected in 2017
• International Communications Union, 2012
• Internet use has blurred the boundaries of national security
• OPC Special Report to Parliament of January 2014
05 May 2015 13
Privacy Issues
• Is personal information on a public platform still protected as private?
• What is the expectation of privacy?
• Is the information public or private?
• Is an IP address or Basic Subscriber Information behind it, personal or
just the equivalent of phone book, albeit for the absence of an Internet
address book?
• Can we violate the privacy of the perpetrator to protect the privacy of the
victim?
• How far can the public authorities use for their own purposes personal
information provided to private organisations provided for other
purposes?
05 May 2015 14
Regulatory strategies
• OPC on Government monitoring of Facebook accounts, 2013:
• Definition of personal information does not change
• Even on social media consent to disclosure is to specific addressees
• Recommended guidance in Special Report to Parliament of January 2014
• R v. Spencer S.C.C. 2014 on privacy on the Internet
• The test for protection is not just what information but what it reveals
• IP and BSI are highly revealing
• Therefore it is personal and even sensitive – accessible only through lawful
authority
• Protecting Canadians Online Act, S.C. 2014
• Intruding upon the privacy and civil liberties of the perpetrator to protect the
victim
• Applying the legitimacy test
05 May 2015 15
The case of Online Behavioural Advertising
• Screen shot of online ads
05 May 2015 16
The Facts
• Over 90% of Google revenues come from ads
• Millions of advertisers bid on auctions, in nanoseconds, to send billions
of ads
• 3 types of ads:
• Random: just popping up by chance
• Contextual: attached to a website
• Behavioural: attached to the online activity of the user
• Behavioural advertising is nearly 3 times more lucrative than non-
targeted ads
• Behavioural advertising uses personal information
• Personal information has become a commodity and advertising a
business model?
05 May 2015 17
Privacy Issues
• Does service based on use of personal information reduce privacy
expectations?
• If advertising is a business model, is it a primary or secondary purpose of
collection of personal information?
• What level of consent is necessary for behavioural advertising?
• What types of measures are needed to ensure meaningful consent?
• Are all types of personal information fair game for behavioural
advertising?
• What type of safeguards are necessary?
05 May 2015 18
Regulatory strategies
• A business model exclusively based on advertising means that users
should expect advertising in return for access
• OPC Report of Findings, Facebook 2009
• OPC Report of Findings , Bell Canada, 2015
• Advertising, even as a business model, is a secondary purpose thus
subject to conditions on
• Type of Consent - OPC, Bell Canada, 2015
• Meaningful consent - OPC, Google OBA, 2014
• Types of information - OPC, Report of Findings, Nexopia, 2012
- OPC, Google OBA, 2014
• Proper safeguards - OPC Research on Web leakage, 2013
- OPC, Google OBA, 2014
05 May 2015 19
The case of data analytics in the public interest
05 May 2015 20
The Facts
• Public health surveillance can serve crucial public interests
• For e.g.: Cell data collection to counter H1N1 spread in Mexico 2011
• Public health surveillance is the continuous systematic collection,
analysis and interpretation of health care related data for public health
practice
• Data can be aggregate or individual
• If individual, it can be
• Anonymous
• Pseudonymous
• Eponymous
• Data can include personal health records, contact tracking and contact
information
05 May 2015 21
Privacy Issues
• Do patients have a duty to disclose?
• How can consent be meaningful in the circumstances?
• What information-sharing is allowed
• Across borders?
• Between organizations?
• What safeguards apply?
• When does information become anonymous?
Chantal Bernier, Liane Fong and Tim Banks,
Pandemics in a Connected World: Integrating Privacy with Public Health
Surveillance ,
New Brunswick Law Journal, 2015
05 May 2015 22
Regulatory Strategies
• On disclosure
• In Canada, no general rule but criminal cases on non-disclosure in the context
of sexually transmitted diseases and Quarantine Act requires disclosure at the
border
• In Liberia, crime to wilfully infect another person
• On consent
• Unnecessary where necessity is scientifically demonstrated but necessary for
re-purposing subject to consent
• On cross-border and cross-organization sharing
• Based on necessity and limited by proportionality
• Safeguards
• Appropriate access controls and technological protections
• Effective anonymization (UK, ICO Guidelines on Anonymisation)
05 May 2015 23
And much more…
• What do you see as the great privacy dilemmas for regulators?
05 May 2015 24