CASL is not yet in force. When it comes into force (no date set yet as of the date of this post), CASL will provide exemptions for a commercial electronic message (CEM) sent to a recipient with whom the sender has a “family relationship”. CASL typically requires express opt-in consent to CEMs and requires CEMs to contain prescribed information, including an unsubscribe mechanism. Those requirements won’t apply to CEMs to “family relationship” recipients.

What constitutes a “family relationship” for the purposes of CASL has been left to Industry Canada. The draft regulations did not disappoint for complexity, adopting, in part, definitions from Canada’s Income Tax Act. Does the complexity deprive the exemption of utility? Possibly. Take the question of whether your sister’s boyfriend will be able to send you his monthly business newsletter (without first getting your consent). If he wants to use the family relationship exemption, its availability seems to depend on where your sister and her boyfriend live in Canada, whether they are in a conjugal relationship, and how long they have lived together in that conjugal relationship! Or, in some cases, it might be relevant whether they have a child.

The draft Industry Canada regulations released in December 2012 contained the following definition:

“family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or is of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual, or

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual;

So, an electronic newsletter from your sister’s boyfriend could be exempt if you and your sister’s boyfriend are in a “family relationship”. You will be in a “family relationship” with your sister’s boyfriend, according to the draft regulations, if your sister and her boyfriend are in a common law partnership, since (taking the ordinary meaning of “sister”) you would be connected by a blood relationship to your sister.

The draft regulation assumes that there is something easily identifiable as a “common law partnership” in Canada. That’s an assumption worth examining.

Typically, whether an intimate or interdependent relationship is recognized as having marriage-like qualities depends on provincial legislation. When Canada’s Parliament wishes to impose a uniform definition, it does so through a defined term. For example, subsection 248(1) of the Income Tax Act defines a “common-law partner” as two people who are cohabiting in a conjugal relationship for a continuous period of at least one year. (To make matters complicated, there is another definition involving persons who have a child.)

Provinces also define types of de facto marriage relationships for specific purposes, typically family law support obligations. However, the term “common law partnership” is not a term of legal art.

In Ontario, for example, section 29 of the Family Law Act recognizes individuals as spouses of one another for certain family support obligations if they have lived in a conjugal continuously with one another for a period of not less than three years or are the natural or adoptive parents of a child and are living in a relationship of “some permanence”.

By contrast the period of conjugal relationship in subsection 3(1) of the British Columbia Family Law Act is two years.

By further contrast, the Alberta Interdependent Relationships Act recognizes interdependent relationships of three years or more but there is no necessity for the relationship to have a conjugal element.

In yet another variation, individuals may simply register their relationship as common law under the Manitoba Vital Statistics Act.

So what definition of common law partnership will be read into CASL? Family law where the couple lives? The commonly used federal legislative definition? Something else developed by the regulators or the courts?

The sky won’t fall, of course. There is also a “personal relationship” exemption. The proposed definition for this exemption is very broad. However, it does require direct, voluntary, two-way communications and enough factors to suggest that the relationship is personal. Relevant factors include whether there are shared interests, experiences, opinions and information “evidenced in the communications, the frequency of the communication, the length of time since the parties communicated and if the parties have met in person”. So, the exemptions may not quite overlap.…

The first sweep takes begins today and continues for a week during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.…

A critical step in the decision tree is, therefore, to determine what constitutes a “commercial electronic message”. Here’s the definition of a “commercial electronic message” in subsection 1(2) of CASL:

(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

When designing a compliance policy, care must be taken not to consider the items listed in (a) to (d) as being exhaustive. Instead, the critical part of the definition is the portion that is bolded –that is, “it would be reasonable to conclude [that the message] has as its purpose, or one of its purposes, to encourage participation in a commercial activity”.

“Commercial activity” is broadly, albeit ambiguously defined in subsection 1(1). A commercial activity does not require profit-making or even a profit-making motive. It involves any transaction, act or conduct or regular course of conduct that is of a “commercial character”.

The difficulty for organizations, particularly non-profit organizations, is that determining what is of a “commercial character” is not straightforward. Indeed, this seems to be acknowledged by the need to expressly exclude such activities as law enforcement, public safety, the protection of Canada and the conduct of international affairs or the defence of Canada.

Historically, Canadian courts have interpreted “commerce” as any activity involving the exchange for money, or by barter, of products. The debate has been whether a one-off transaction would be considered commerce. CASL seems to suggest that even a one-off transaction could be commerce, given the reference to a “particular” transaction, act or conduct. In the context of CASL, any electronic message that “encourages participation” in a commercial activity will be a CEM.

If a broad scope is given to the meaning of “commercial character”, the definition may sweep in many types of messages that would not be commonly understood as such. For many organizations, branding is critical. Emails will frequently include at least some form of information to invite the reader to visit a website for a hyper-link or announce or promote a product or service. Once CASL comes into force, it will be important for organizations to have strict controls over the content of electronic messages and approvals for content. Choices may need to be made between promotional “add-ons” and ensuring consent is obtained or the organization has a viable exception to consent.…

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

• Retention. The user is told that personal information ”will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

• Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying. We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128 bit encryption.

Thoughts?…

In Order F2013-12, the issue for the Office of the Information and Privacy Commissioner of Alberta was whether the entirety of an accident report created from information collected from the driver of one vehicle should be automatically and routinely disclosed by the police to the other driver involved in the accident.

The form established by the Registrar for the accident report collects the driver’s name, address, date of birth, gender, home phone number, work phone number, and operator’s license.

The case for disclosure looked strong:

• The Alberta Traffic Safety Act requires drivers who are involved in an accident to complete an accident report with the policy.

• The form of accident report is prescribed by the Registrar of Motor Vehicles.

• The police are required to collect the accident report.

• If requested, a driver is required to disclose to the police or anyone sustaining loss or injury, the driver’s name, address, operator’s licence, name and address of the registered owner of the vehicle, licence plate of the vehicle, and the financial responsibility card issued in respect of the vehicle.

• The police are permitted to provide the Registrar with a copy of the accident report.

• The police are permitted to release information in the accident report to a person if the person may be liable to pay damages.

The Freedom of Information and Protection of Privacy Act permitted disclosure of personal information for a purpose in accordance with a law that authorizes or requires disclosure, but only to the extent necessary to carry out the purpose in a reasonable manner.

The Adjudicator agreed that in theory disclosure of an accident report was authorized by law. However, the disclosure provision was permissive – that is, the police had discretion to exercise.

So, why did the police exercise the discretion to disclose the entirety of the report? The Adjudicator didn’t receive a good answer. It seems it was the practice of the police to do so. But the drivers in this case had not asked for each other’s information. Even had they done so, the Traffic Safety Act did not require disclosure of the drivers’ birth dates or telephone numbers. Moreover, no party requested a copy of the accident report.

The disclosure was gratuitous in order that the drivers need not ask for copies of the report and in order to ensure that the drivers meet their obligations to one another. In the result, the Adjudicator ordered the police to cease disclosing more information than was necessary for that more limited purpose – such as name, address and operator’s licence.…

When CASL eventually comes into force, there will be two separate transition periods. The first is for consent to commercial electronic messages (CEMs) and the other is for the installation of computer programs. This Spam Smart Tip examines the transition period for CEMs and existing business relationships.

Section 66 provides for implied consent to CEMs for the shorter of:

• three years after the coming into force of the legislation; or

• the recipient’s “unsubscribe” or indication that they no longer.

An organization may relied on the transitional implied consent to CEMs if:

• the person has an “existing business relationship”; and

• that relationship includes CEMs

What’s an “existing business relationship”? For the purposes of the transition period, the existing business relationships that will be applicable to most enterprises are ones that arises out of:

• the purchase or lease of a product, goods, a service, land or an interest or right in land by the person to whom the message is sent from the person who sent the message or caused the message to be sent (the “purchaser / lease exception”);

• the acceptance by the person to whom the message is sent of a business, investment or gaming opportunity offered by the person who sent the message or caused the message to be sent (the “investment / gaming opportunity exception”);

• a written contract entered into between the person to whom the message is sent and the person who sent the message or caused the message to be sent (and that is not already covered by the purchaser / lease exception or the investment / opportunity exception);

• an inquiry or application made by the person to whom the message is sent to the person who sent the message or caused the message to be sent regarding the purchaser / lease exception or the investment / gaming opportunity exception.

Usually, there is a sunset provision for an existing business relationship under CASL. For example, an existing business relationship in respect of an inquiry or application ends 6 months after the inquiry or application for the purposes of implied consent for any new relationships after CASL comes into force. But that isn’t the case for those existing at the time of CASL coming into force. The sender may rely on implied consent for three years.

This is a significant transition period. Three years is a long time to refresh consents for existing business relationships and existing non-business relationships. Organizations may wish to consider this in planning priorities in their compliance strategy.

However, the story isn’t uniformly a good news one. Organizations should also carefully review the scope of the relationships captured by the transition period. The definition of an existing business relationship certainly does not cover the field of relationships that enterprises may have with individuals to whom they send CEMs. Notably, the transition period may not be of assistance to professions or enterprises with very long lead times to make sales.…

Recently, in R. v. B. (C.), 2013 CarswellOnt 3851 (SCJ), P. Smith J. considered the constitutionality of a warrantless search and seizure of a camera that was alleged to have been used to surreptitiously film a child in the accused’s residence as well as the seizure (but not search) of the accused’s computer.

According to the allegations, the complainant (a minor) found a video camera in her bedroom containing naked pictures of herself. The police were called to a relative’s house and were showed the pictures on the video camera. While the police were at the relative’s house, the accused showed up and identified the camera. The police took the camera.

Following taking the accused into custody, the police were given access to the accused’s home by other family members and a computer accessed by family members was seized but not searched.

The police then obtained two warrants to search the camera and the computer.

When the accused challenged the search and seizure of the camera, the court ruled that a video camera is different from a mobile phone. The court concluded that a video camera does not have the capability of storing private voice, text, e-mail communications, detailed personal contact lists, agendas and diaries, that are typically stored on a mobile phone. Accordingly, the accused did not have a heightened expectation of privacy.

But, more importantly, when the contents of the camera were first viewed by the police, the ownership of the camera was not yet known. Moreover, any privacy interest that the accused had was, in the court’s view, “relinquished” when the accused “decided to hide it in the bedroom” of the complainant.

Turning to the computer, the court noted that the fact that the entrance to the house was provided by the co-owner and the computer was commonly used by the family, including the accused, made the seizure of the computer “incident to arrest” reasonable in order to preserve potential evidence. The court noted that the computer was only searched after a warrant was obtained.

Some of the reports of this case stress the judge’s conclusion that a video camera is not like a cell phone. That certainly is part of the decision. Content matters. However, context matters as well. The video camera here was presented by the accused. The police were provided with the camera by the complainant and looked at it not knowing who the owner was in order to make a determination of whether to proceed. This is far different from searching and seizing a camera that was under the custody or control of the accused.…

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

• Guidelines for social media and data management companies regarding accountability and openness

• Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent

• Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.…

Increasingly objects are becoming “smart”. No human intervention is required to record and communicate data, permitting otherwise unconnected objects to interact with one another.

Objects are being embedded with a variety of sensors. These objects collect information about their environment, their operation, and their interaction with other objects. These devices can communicate with each other and with databases through wireless networks. All the of data that these objects collect and produce becomes fodder for analysis in Big Data projects for understanding complex systems.

Even though human intervention is not required; individuals are often interacting with those objects in some way, such that the information is, at least in part, about those individuals.

As the Federal Trade Commission (FTC) puts it:

“Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.”

For that reason, the FTC is holding a workshop on November 21, 2013 to study the Internet of Things.

FTC will accept submissions on the implications of these developments through June 1, 2013.…

You won’t have been alone if you didn’t tackle that in the first quarter of 2013.

However, the Information and Privacy Commissioner of Ontario has filmed and posted a “Commissioner’s Corner” that might get this item onto your agenda. Following the latest loss of data in Ontario, Dr. Cavoukian spoke out on the transfer and storage of personal information on unencrypted storage devices.

Some salient quotes from Dr. Ann Cavoukian:

“It wasn’t encrypted; that’s what makes me crazy”

“You cannot allow data, sensitive data especially, to be transferred onto a mobile device, be it a laptop, a USB key, whatever, without encrypting the data”

“It’s not enough to have a policy that says you are supposed to encrypt the data, you have to have that reflected in concrete actions that take that from the policy stage to the front line staff who are doing these things and you have to train the staff […] and you have to give them the means by which they know how to encrypt the data […]”

“Don’t let there be one more data breach like this”

 Message received, Commissioner.…