Article 29 Working Party to Quebec: “Sorry, darlings, you’re inadequate…”

This is a tough message to get from the EU; the Article 29 Working Party has identified some areas for improvement in order to find adequacy for Quebec’s Privacy Act (opinion linked here). Particularly harsh, I imagine, getting this by way of a voice mail message since Quebec was celebrating Saint-Jean-Baptiste Day on Tuesday; if they got any forewarning of the result, it was left via voice mail. Harsh.

I have hope that this will prompt changes that the Quebec Commission d’accès à l’information (CAI) has been asking for to their legislation; perhaps thoughts like servers leaving Montreal in a caravan down the 401 to Toronto, or even that the ROC (rest of Canada) is considered by the EU – the EU! – as adequate while Quebec is not, may prompt some speedy action…

Seriously, this is a shot across the bow for the provinces, for Canada, and for the world. I had done a presentation last year at the IAPP Canadian Symposium, on the topic of whether our adequacy finding was at stake. The EU had been pressing forward with its draft Regulation, and I speculated over whether we would need to update PIPEDA to maintain our status, and whether in fact provincial ‘substantially similar’ findings would not save the provinces from being reviewed for adequacy, since the draft Regulation contemplated reviews of adequacy of national subdivisions. This issue over Quebec, however, goes back as far as the WADA controversy in which the Working Party issued an opinion over the adequacy of Quebec’s law in relation to drug testing of athletes.

Well, the Working Party didn’t wait for the draft Regulation; they’ve started, and while it is an advisory opinion, it sets out a list of four areas for improvement that can only be interpreted as setting a standard for adequacy:

  • clarifying the territorial application of the Quebec Privacy Act;
  • strengthening transparency by requiring identification of the data controller;
  • clarifying sensitive information; and most significantly,
  • putting in place data agreements for onward transfers.

The last one has relevance for all of Canada – this is an issue raised with the Federal Commissioner’s Office, over the fact that transfers can take place from the EU to Canada freely, but there are no controls over onward transfers – say to the US. I think that this decision sets out not only expectations for Quebec, but for all of Canada, and is possibly also a message to the ‘league of the adequate’ nations as to what they will have to start doing to keep pace with changes in the EU.

Not Always Private – the other side

Last week I wrote about the customer being wrong about privacy. There is the other side of course; for Not Always Right, there is the sister site Not Always Working.

There are fewer stories I can draw from there – perhaps because I haven’t written in with mine. I will write them in the style of Not Always Working:

Bad to Worse to Worst

I received a call (at dinner) from an otherwise reputable TV and Internet provider, which shall remain unnamed. I don’t normally welcome telemarketing calls, but this time I did because they happened to be offering a particularly good deal that was going to save me money. And I happily provided my information to the nice lady on the phone, who informed me that someone would be calling to arrange to send me my set-top box. All was well with the world, until I later received a call from a third party fulfillment firm with a Montreal area code (I’m in Toronto).

Fulfillment guy: Can you confirm your address?

Me: (I do)

Fulfillment guy: To ensure we’re sending this to the right person, could you give us your driver’s license?

Me: Um… no, I won’t give that information, it’s not necessary.

Fulfillment guy: Can you provide your social insurance number?

Me: Definitely not. Things are going from bad to worse, I think.

Fulfillment guy: We can’t deliver this without some identification for the driver to get from you. How about your health card number?

Me: You have got to be kidding.

I tell him I will pick it up from the local store of the company; this is of course even worse when you realize that he planned to write it on the packing slip for the courier to verify with me when it arrived. Yikes. Of course, the right thing to do would have been for the lady who first called me, to have created an order number, and to have used this made-up number as the authentication.

Going Postal at the Supermarket

This was at Christmas, and the local supermarket was very busy. I had stopped to get a few things so it was tedious getting through the line, and the line was still long behind me. I had cash, and I thought when it was my turn I would at least get done quickly, until…

Clerk: “Can I have your postal code?”

Me: “No, sorry”.

Clerk: “But … I can’t ring you through without your postal code.”

Me: “That’s ridiculous. I am paying with cash.”

Clerk: “But I need your postal code.”

Me: “No, you don’t.”

Then, as of course everyone behind me is waiting wearily, the clerk attempts to figure out from someone else what she is to do with this recalcitrant customer. Finally a more senior clerk comes over and says:

“Just hit enter, you don’t need the postal code to ring him up!”

Of course, this is due to lack of adequate training – she had been told to get postal codes, and not that she could proceed with a sale without it, regardless of how payment was made. This also shows the danger of leaving fields in databases – someone always thinks they need to be filled in.

Not always Private

One of my favourite web sites is Not Always Right. This is a user-contributed site with stories – many funny, some disturbing – about the trials and tribulations of working with customers – the premise being that despite the often-quoted saying, the customer is not always right. My father was a cobbler, and I often spent time behind the till in his shop; when I was in high school, and in university, I had summer jobs in retail. I have a few stories of my own.

However, the reason for mentioning this here is that occasionally, people demonstrate how terribly wrong they are about privacy.

The stories you can find will make you laugh, or shake your head. One is an overzealousness in providing information that becomes the retailer’s fault; another demonstrates the willingness to give up on principles for the sake of coupons.  People go to some lengths refusing to provide information that would seem innocuous, like a ZIP code, only to offer something up even worse like banking information – and even worse, their social security number.  Clearly some people are very unclear on the concept of privacy – offering up ZIP, SSN willingly, but then, refusing to provide a proof of age when it is actually required to buy alcohol. Or  going all out paranoid on a poor clerk trying to process a credit card transaction, merely for doing her job.

Why are people so horrible at protecting themselves? (One might also ask why they’re so horrible, generally, after reading a few of these stories – my advice is to read them in measured doses, so you don’t want to give up on humanity altogether). The stories illustrate that people think privacy is important – but that they’re clueless about what to do about it.

A very good book I would recommend is The Drunkard’s Walk: How Randomness Rules our Lives. I have often used this in my talks because in reading this fascinating exploration of the connection between statistics, gambling, history, baseball scores and wine tasting, the author concludes that people are really bad at understanding risk in a mathematical way – we’re just not wired that way. For proof we don’t understand risk, you only need to go to a casino.

Because of this, we understand risk only from our personal experience; the conclusions we draw are different, for example from when we just think about identity theft as a topic, and experience it ourselves or close-hand through a friend or relative. This is why people on the streets of London and New York could be persuaded to give up their e-mail passwords for chocolate. (There are too many stories on this for me to link to; just Google “passwords for chocolate”).

What’s the moral? I think it’s a somewhat paternalistic one; privacy professionals have to be the ones to be the risk managers for the public, whether or not the risks are understood, and do our very best to educate them about what risks they really do run. At the same time, as you can see from the stories I’ve linked to, we need to also avoid being too alarmist as this seems to lead to unreasoning paranoia…and to rudeness to people in the service industry.

Nymity interview on Canadian response to the EU Draft Privacy Reg

Thanks to Nymity (again) for publishing an interview on the topic I covered at the IAPP Privacy Symposium in Toronto two weeks ago – the discussion from the audience during the session was great (and we were fortunate to have the Privacy Commissioner, Jennifer Stoddart, attend the session). I certainly got a lot out of that myself, and I think it’s helped develop my thoughts on the topic.

Nymity Interview: http://www.nymity.com/~/media/Nymity/Files/Interviews/2013/2013-06-karbaliotis.aspx

OPC Discussion Paper a starting point for change to Canada’s #privacy framework

The Privacy Commissioner of Canada released her office’s Discussion Paper last week, announcing it at the IAPP Canadian Privacy Symposium. The timing could not have been better for me personally, as I was due to deliver a talk the next day at the IAPP entitled “Canada’s Response to the EU Privacy Regulation.” The Discussion Paper was of course (and properly) focused on the needs of Canadians, but offered this about the EU:

“It is an open question as to what effect the proposed Regulation, if passed in its present form, might have on Canada’s adequacy status, given the current state of PIPEDA.”

This of course led nicely into my presentation. Nymity has kindly done an interview of me on this and I will link to that when it is available; what I want to talk about is the substance of the proposed changes to PIPEDA.

There are four main areas identified in the Discussion Paper for update:

  • Mandatory breach notification;
  • Increased and effective enforcement powers in the Office of the Privacy Commissioner of Canada;
  • Tightening controls on lawful access; and,
  • Increasing organizational accountability for privacy

Needless to say, I agree with all these changes. How we do so is important:

  1. Coordination with the Provinces: We do not want or need the kind of patchwork that the US has to endure. It is not helpful to organizations to have different standards for breach, time limits and procedures varying from province to province or with the Federal government. In fact, the need for coordination goes beyond breach: we need to ensure we continue to have our laws founded on the same principles, and using the same ideas and tools. The collaborative nature of our commissioners has facilitated this (more on this below), but perhaps we need a ‘model law’ with an appropriate allocation of responsibilities between federal and provincial commissioners, and harmonization of breach requirements, accountability and risk management concepts. I pointed out in my talk how much of our reputation internationally is due to the good luck we have had with privacy commissioners, both federal and provincial. Another aspect of that good luck is the degree to which they work together. PIPEDA (and each of the provincial laws) should encompass shared investigations and responsibilities; we cannot leave to luck the willingness to collaborate between levels, as this is essential for a federal system of shared responsibility for an effective privacy framework. In fact, I think the ideal way to address the challenge of the EU Draft Regulation would be a joint federal-provincial review and update of our legislation – obviously not something the Federal Commissioner can propose in the Discussion Paper on updating PIPEDA, but something we in the privacy community should discuss.
  2. Breach Thresholds: While the Discussion Paper does not go into detail on this, I believe the prevailing view of privacy professionals is that Bill C-12’s provisions do not go far enough, when it was introduced (in 2011) and certainly not now. I think it is helpful to look at recent developments south of the border: HIPAA in the US was recently updated with the Omnibus Rule to establish a lower threshold for notification of HIPAA breaches – in large part due to the recognition that ‘substantial risk of harm’ was leading to a conclusion by many organizations that notification was not required, perhaps in more circumstances than warranted.
    The Alberta model of ‘real risk of significant harm’ and C-12’s “material breach” of security, are subject to the same criticisms. The Omnibus’ new test relies on the assumption that a disclosure is a breach unless a four-point risk assessment determines that there is a low probability that protected health information has been compromised. While I like the Alberta model otherwise, I believe it would make sense to utilize the HIPAA Omnibus threshold, as well as the risk assessment piece; Alberta already has this concept embedded in its Mandatory Breach Reporting Tool.
  3. Notification: I also do like the notion that not all ‘breaches’ are reported to individuals. While it may make sense to require mandatory reporting to a commissioner’s office to ensure that there is oversight, there are many ‘events’ which simply do not amount to a situation requiring that individuals be notified and be made concerned. The typical event is where personal information is sent by e-mail to an incorrect party with which the sender has a relationship; the usual course is to have the e-mail deleted, both from the recipient’s mailbox and the company systems, and to obtain a confirmation that the data has not been disclosed or retained. This is not a situation requiring notifications; the recipient is often in a position of responsibility in the recipient company, and has notified the sender of the mis-sent e-mail, so it would be difficult to see how there could be a risk of mis-use. I highlight this scenario because it is very common and yet can easily, under some state laws, require notification to individuals. With oversight, I believe it is possible to resolve most of these issues without unduly alarming people. I don’t buy into breach exhaustion; I do believe in lack of understanding as a major reason why only 15-20% of credit monitoring offers are usually taken up by the individuals receiving them after a breach notification – even though it’s free. This is why to some extent, we in the privacy community must act as risk managers for the public.
  4. Increased Enforcement Powers: I agree that these should be enhanced; the main concern that most in the privacy community have is over whether this would ‘chill’ the otherwise informal, open, ombudsman-like role the Commissioner’s office plays in resolving privacy issues between organizations and individuals. I once observed at an IAPP event in the US, where FTC Commissioners were having a town hall, a lawyer refused to identify himself when asked by an FTC Commissioner during a question – I think we never want to reach that level of mistrust. I think that this could be addressed by ‘codifying’ some of the alternative-dispute resolution mechanisms that the Office can employ – conciliation, mediation and arbitration – at the same time that enforcement powers are enhanced. This role could be further protected by ensuring that the ‘conciliation’ and ‘enforcement’ arms of the OPC have an ‘ethical’ wall to ensure that organizations feel comfortable in sharing information with the OPC.
  5. Accountability for Cross-Border Data Transfers: The Commissioner remarked during her speech at the general session at the IAPP Privacy Symposium that it was difficult to assert that we had effective control over flows of data out of Canada to the EU, given the limits of her enforcement powers. It is ultimately not only a matter of having fine-making powers; cross border issues will also have to be addressed under the accountability provisions, that organizations taking personal information out of Canada, can ensure that there are adequate controls to carry Canadian privacy principles along with the data. “Adequacy” is met by use of the Model Clauses in the EU; but frankly, the use of agreements has become a very bureaucratic system requiring registrations, fees and much headache due primarily to logistical challenges of multi-nationals having to meet the formalities of the agreements. We can do better; we can require through governance or through contract, accountability for the management of data in accordance with the commitments to Canadians, and that this accountability ‘travel’ with the data. We leave it to the organization to determine how best to do so, knowing that they may be called upon to defend it.
  6. Lawful Access: I won’t pretend to the knowledge that others, particularly Michael Geist, have on this topic, but the Discussion Paper’s emphasis on disclosures of access requests was interesting to me for what is missing: accounting not from the recipients of such requests, but from the makers. Professor Geist has quite a detailed set of ideas he put forward to deal with the last version of ‘lawful access’ under Bill C-30, but the most important one is that suggested by Ontario Privacy Commissioner Dr. Cavoukian, which is an independent body to review lawful access requests. I don’t know that a new body is needed – perhaps the accounting can go simply to the Federal Commissioner’s office – but oversight again will help to facilitate legitimate law enforcement needs while retaining accountability.

I am sure that there will be many thoughts expressed from many quarters; I think the Discussion Paper is an invitation to do just that, discuss, but more importantly, I think we need to create some urgency for change with the legislators, to move forward at last on updating the Canadian privacy framework.

Updating my profile pic & snow: Lessons from the Summit #1

My profile picture is a few years out of date, but I have resisted changing it because I just don’t like any of the photos I have had recently. However, I just updated both my LinkedIn and Twitter profiles as a result of an experience last week. I was at the Global Privacy Summit in Washington DC last week. I was rushing to find where the E&Y folks were gathering the people they invited to their dinner on Wednesday night; Christine Ravago sent one of her folks looking for “a silver-haired Canadian”. He found me.

I realized that the photos are accurate, and it’s reality I’m objecting to.

Kudos to Christine and E&Y, as they managed to pull together dinner after their planned location at the National Zoo was canceled due to the anticipated snow. This of course did not happen, Washington was without a flake of snow on the ground, but it certainly made life difficult for anyone who’d planned a dinner at the Summit. I had liked the term ‘Snowquestration’ (certainly different than the usual “Snowpocalypse” or “Snowmageddon”), but it was certainly disappointing that so many people had their flights canceled for what was essentially a ‘No Shnow’. (Snow-job? I can’t come up with anything as clever as the “Snowquestration”).

Could ‘lawful access’ jeopardize Canada’s adequacy status with EU?

In the midst of the debate over Canada’s lawful access proposals – Bill C-30 or the misleadingly-named Protecting Children against Internet Predators Act – some have compared the removal of requirements for warrants and court oversight, as well as lack of transparency, to the USA Patriot Act. I think those observations are valid, but what doesn’t appear to have been recognized or discussed is the possible impact on Canada’s adequacy status, especially given the proposed new EU Data Privacy Regulation. Bill C-30 would arguably put our adequacy status on the table for revocation.

The proposed EU regulation provides for the ability in Article 38 to review adequacy, and suggests more vigorous tests for adequacy; as well it permits the EU Commission to consider sub-divisions (states or provinces) in considering the extent to which a country is considered adequate. I would regard the willingness of the EU Commission to challenge the Hungarian data protection authority on the basis of its independence, a strong signal that they will in fact regard the efficacy of privacy regulations, independence and enforcement authority in determining adequacy.

So: if the EU were to re-consider PIPEDA as it currently stands, under the new regulation, AND with ‘lawful access’ as contemplated by the Conservative government presently, would we get a finding of adequacy? I suggest not:

  • It is the lack of judicial oversight, accountability and transparency, that makes the Patriot Act in EU (and Canadian) eyes intolerable. The impact of this cannot be understated. Even if the proposed framework for consumer privacy recently unveiled by the White House is adopted, while certainly very welcome, there would still be the underlying weakness that the Patriot Act would trump privacy protections, and doubtless stand in the way of EU acceptance of a US private sector privacy law, much less recognition of its adequacy. If this is the case for the US, then moving Canada to a regime that mimics this lack of oversight and transparency, would undermine current recognition of PIPEDA.
  • Sometime over the next year to two years, the EU Privacy Regulation will be adopted, hopefully with some of the problematic areas worked out; there is no reason at this point to think that the provisions relating to adequacy however will change. It puts all countries who have achieved adequacy on notice, that they will have to ensure their laws keep pace with the development of the Privacy Regulation.
  • With an adequacy review likely and inevitable, it follows that Bill C-30’s Patriot-like features could undermine our status as adequate. This will have a negative impact on Canadian business, and put us in effectively the same position as the US in terms of the difficulties in dealing with cross-border transfers of personal data.
  • It is not only Bill C-30 that should be making us consider our adequacy status. Canada should be keeping PIPEDA up to date, and enacting Bill C-12 updating PIPEDA would help ensure we meet heightened EU expectations through stronger enforcement as well as breach notification. This bill has languished, despite the support of all parties, and as Michael Geist has pointed out, is now somewhat out of date; nevertheless, strengthening privacy protections has to be part of a serious and reasoned approach to lawful access (see Professor Geist’s comments in this regard), and now, critically, to retaining our adequacy status.

In both my professional work and in discussions with privacy professionals, I have always touted Canada as the ideal ‘data hub’ bridging the EU and Canada. Locating a data centre in Canada means (for Americans) near-shore support with a culture and language largely similar to their own and in the same time-zones; for Europeans, our privacy laws and culture have been recognized as similar to their own, and so locating EU data in Canada has been more ‘comfortable’ as a concept. I have always wondered why we have not been more aggressive in selling Canada in this fashion.

I would say that Canadian values for privacy and respect for the individual, and regard for due process supervised by our courts, would be enough of an argument against C-30 as it is drafted. Certainly we should be paying attention to the concerns of both our Federal Privacy Commissioner and that of the Ontario Privacy Commissioner. However, it may speak to the Conservative government more forcefully to consider the economic impact on Canada before introducing lawful access provisions without due regard to our adequacy status with the EU.