Are your Facebook posts and Tweets private? Can government officials read them? Gather them? What can companies do with your private information, and should they tell you if they lose your data?
Ottawa is in the latest round of its long-simmering debate over privacy rights, one pitting advocates against government and major corporations that collect and monitor data around the clock.
This a critical juncture for the future of Canadian privacy: a handful of bills are being pushed through Parliament with many implications and Ottawa has just appointed a new privacy watchdog.
Here's a primer about what's set to change, what the critics are saying and how it will affect you.
- What's new?
- Telecom data
- Social media monitoring
- The watchdog
- The bills
- C-13, cyberbullying
- C-31, the budget
- S-4, privacy
- Who's watching?
- When will the bills pass?
Major telecommunications companies hand over more data than you may think. Many don’t publicize it, but a document released by the privacy commissioner – a parliamentary watchdog – offers a glimpse. It’s an aggregate list from a law firm acting on behalf of the telecom industry. It shows government agencies asked nine major telecoms for subscriber information 1,193,630 times in 2011, the most recent year available, affecting 784,756 individual accounts.
The 1.2-million cases include a broad range of data requests, including subscriber information, wiretap requests, metadata, emergency location and other information.
Bill C-13 explicitly gives immunity from lawsuits or even criminal code charges to companies who would volunteer information to the government, while Bill S-4 would give companies the power to voluntarily share information with each other. Meanwhile, other companies have begun to disclose their own totals.
Social media monitoring
Government agencies are monitoring your tweets and Facebook posts. Again, it was the privacy commissioner who revealed this, raising concerns in a letter to Treasury Board President Tony Clement, who defended the practice but said he’d investigate it. Government has, however, done this for a while – a First Nations activist complained after her Facebook posts were monitored by a pair of government agencies, a complaint the Privacy Commissioner found was well-founded. The Privacy Commissioner’s Office has said that the public posting of information on social media does not “render personal information non-personal.” Government has disagreed.
After waging battles on these subjects, interim privacy commissioner Chantal Bernier was not extended in her job, and her last day was June 2. Instead, government nominated Daniel Therrien (pictured above) – a career government lawyer familiar with privacy issues, though with no experience in a commissioner’s office – to be the new watchdog. He was confirmed on June 5 and will serve for seven years. His candidacy has raised objections from privacy experts, who fear he’ll be too government-friendly after a career helping develop government monitoring programs, such as the Beyond Borders data-sharing initiative, including those deemed too invasive. A group of experts wrote a letter complaining about the nomination. However, Mr. Therrien has wasted no time in critiquing government.
NDP Leader Thomas Mulcair opposed the nomination, saying Mr. Therrien has an obvious conflict of interest. Conservatives, Liberal Leader Justin Trudeau, Senate Liberal Leader James Cowan and Green Party Leader Elizabeth May backed Mr. Therrien’s candidacy.
C-13, the cyberbullying bill
The “Protecting Canadians from Online Crime Act,” or Bill C-13, creates a new crime – the non-consensual distribution of intimate images – in the aftermath of high-profile cyberbullying cases. But the bill also includes broad new powers for police.
Critics have suggested changes to both aspects of the bill, though the police powers have proven far more controversial. Many groups, including Canada’s new privacy commissioner, have called for the bill to be split in two, so the cyberbullying crime and the police powers can be examined separately. Government has said the powers are necessary to enforce cyberbullying. “It makes no sense to split the bill,” Justice Minister Peter MacKay said in the House on June 4.
On criminalizing the distribution of intimate images, critics have said the threshold is too vague and could be applied too broadly. For instance, one can be charged without any malicious intent to spread photos. But this provision of the bill is nonetheless widely supported.
The remaining parts of the bill have less of an apparent connection to cyberbullying and create a host of new police surveillance powers. Broadly, they extend police surveillance powers into an online era, by generally giving police increased access to transmission data, or metadata, in the same way they can monitor a phone line.
Many experts, however, have told a committee considering the bill that you can glean far more information through transmission data and online than through a phone.
Most of the new powers require warrants, though critics say the requirement to get one – an investigator must only have reasonable grounds to “suspect” a relation to a crime, not “believe” – is too low.
Most controversially, the bill also puts in stone a broad immunity for anyone that hands over data voluntarily, such as a telecom company. Government says this is a formality that already exists in practice; if so, critics ask why it needs to be put in the bill. This provision is widely opposed by privacy critics.
The bill also allows government to monitor people (with a warrant) by using a tracking device or a software program, raising the prospect, for instance, of police tracking or monitoring someone by hacking into their mobile phone. Several other warrants are created in the bill.
C-31, the budget bill
This budget implementation bill also includes a little nugget with privacy implications: the Canada Revenue Agency can hand over tax information to investigators if they have “reasonable grounds to believe that the information will afford evidence” of a crime.
S-4, the privacy bill.
The Digital Privacy Act in the Senate also carries privacy implications, carrying over some suggestions of previously failed bills, C-12 and C-29.
This time around, S-4 opens the door to sharing personal information, without notice or consent, in some cases. For instance, any organization can share private data, without a person’s consent, with another organization to help investigate a broken agreement or law. Critics have warned this will open the door to voluntary widespread data-sharing between companies – on top of the provision in C-13 that gives companies immunity for handing over data to investigators.
The provision would allow companies to, for instance, investigate copyright violations with the help of other companies, should both sides be willing to co-operate. It could also allow, for instance, a company to share information for an investigation by an association, such as a law society, or for insurance companies to share information to investigate a fraud case.
Government argues the provisions are already in place in two provinces and hasn’t led to excessive data-sharing by companies, and that the data sharing is voluntary. “S-4 tightens the rules and places stricter limits on information sharing by private organizations,” says Jake Enwright, a spokesman for Industry Minister James Moore.
But critics have still said the part of the bill should be changed.
Some of the committee discussion on Bill S-4 has focused on what should be disclosed to the Privacy Commissioner – who, under Bill S-4, can request information on breaches – and whether mandatory disclosures would be a good idea. In other words, asking whether all privacy breaches should be flagged for the watchdog.
Among those not in favour of that plan is the watchdog’s own office.
“’On request’ probably does strike the right balance, otherwise we would anticipate to be flooded by breach reports,” Patricia Kosseim, senior general counsel and director general of the Office of the Privacy Commissioner, told a Senate committee on June 4. A recent change in the federal public sector has made mandatory reporting a requirement. “Within this month, we’ve seen an increase of 239 per cent in the number of notifications, when we compared with same period in last year,” Ms. Kosseim explained. “…So of course we can expect a greater workload [with more mandatory reporting].”