Roundup of Canadian Privacy System

How much privacy does a Canadian citizen enjoy? Is Canada better than the US when it comes to sneaky surveillance activities? Understand your privacy rights and how you can protect them.

Sumangal Vinjamuri
Surveillance State

--

Privacy — how many of us attached serious importance to this word until the onset of the digital age? How many of us were concerned that someone might get inadvertent access to our information before the advent of sites like Google and Facebook? As it turns out, every coin has its flip side. Just as technology has raised our standards of living, it has also posed serious threats to the privacy of our information. As the renowned music artist Moby puts it, “Anything that is digitized, isn’t private. And that, is terrifying.”

Where do you draw the line in Privacy?

There are two facets of privacy issues in our generation. One is the privacy of people’s personal information from third parties, such as individuals and companies. The other is privacy from the government. Both have their own negative and positive repercussions. Companies might argue that they can offer personalised services if we allow them to collect data about our browsing, email communication, etc. Amazon has a pilot project in place which predicts the product a shopper is going to buy, based on browsing history, and ships it to the consumer even before he/she actually orders it, thus making sure the customer is satisfied and at the same time upping the company’s sales. Similarly, governments might argue that collecting information from phone call logs, text messages, e-mails, location tracking, etc. might be essential for national security purposes. It is true that such information does prove to be crucial in the event of extremist attacks, but shouldn’t innocent people have a right to privacy?

In his magnum opus Nineteen Eighty-Four, George Orwell describes a totalitarian society run by a government called Big Brother which keeps an obsessive watch over its citizens and demands strict discipline. This is commonly used as a comparison to show the ill effects of government surveillance of citizens. Governments do have the right to collect and store essential information like name, date of birth, marital status, address, phone number, etc. But conducting a program like that of the US Government’s NSA would amount to a gross breach of personal privacy. The NSA collected data on every American’s phone calls, across service providers, and stored it together. It then used massive computer networks to search these call logs for associations and connections, without a warrant. The lack of laws or constitutional rights to prevent governments from doing this to their citizens only aggravates the situation.

What’s Happening in Canada?

Does the Canadian government indulge in such mass surveillance? Documents obtained by the Globe and Mail and The Canadian Press suggest that Canada is, indeed, engaged in mass warrantless surveillance. According to the Globe, Defence Minister Peter MacKay signed a ministerial directive in November, 2011, authorizing the re-start of “a secret electronic eavesdropping program that scours global telephone records and Internet data trails — including those of Canadians — for patterns of suspicious activity.”

The program evidently had been launched in 2005 by then-Defence Minister Bill Graham, in the Liberal government of Paul Martin. But the Communications and Security Establishment Canada (CSEC) — the Canadian equivalent of the NSA — suspended the surveillance program in 2008 over concerns from the agency’s watchdog that it could lead to warrantless surveillance of Canadians, the Globe reported. The program was restarted under new rules by MacKay, but it’s not clear what those rules are. The surveillance program evidently scours the web for “meta-data” — not the actual content of communications such as emails, but rather information about an email or telephone call, such as the participants, their locations and time of contact. According to a document obtained by The Canadian Press, in December 2011, the CSEC advised its watchdog, Robert Decary, that MacKay had approved seven new directives to the spy service, including one on the use of metadata gleaned through foreign intelligence gathering. The document says the CSEC’s use of metadata “will be subject to strict conditions to protect the privacy of Canadians, consistent with these standards governing CSEC’s other programs.” It lists five steps the CSEC must take to protect Canadian privacy, though the steps themselves were deleted from the version released under the access law.

The other half of privacy concerns is that companies and organizations across the world collect information from consumers while transactions are made, with or without consent. There is one oft-quoted line: “If you want privacy, you cannot have Google — but you cannot have both.” This is an example of how deeply embedded in our lives some companies have become. The amount of data these companies possess about us, ranging from contact details and location to credit card details, personal photos and media, search histories, video views, etc., is absolutely staggering. It is difficult to imagine what would happen if data of such a sensitive nature fell into the wrong hands.

In a world where social networks are larger than most countries, government regulation of information privacy is a herculean task, but unquestionably essential. Ann Cavoukian, the privacy commissioner for Ontario, feels that privacy, including online privacy, is foundational to a free society. Canada first started responding to privacy issues when computers and networking started becoming important tools in government and big businesses.

It passed the Privacy Act in 1983, establishing the office of the Privacy Commissioner of Canada. This act regulates how federal government institutions collect, use and disclose personal information. It also provides individuals with a right of access to information held about them by the federal government, and a right to request correction of any erroneous information. Under the Act, the Privacy Commissioner has powers to audit federal government institutions to ensure their compliance with the act, and is obliged to investigate complaints by individuals about breaches of the act. The Act and its equivalent legislation in most provinces are the expression of internationally accepted principles known as “fair information practices.” As a last resort, the Privacy Commissioner of Canada does have the “power of embarrassment”, which can be used in the hopes that the party being embarrassed will rectify the problem under public scrutiny.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the hallmark of Canada’s modern data privacy policy. This act limits companies from collecting, using or disclosing personal information of an individual without his/her express consent. Exceptions are made in cases of national security, law enforcement, international affairs, etc. An individual also may not be given access to his/her personal information if doing so may reveal information about a third party or information that cannot be disclosed due to legal, security, or commercial property reasons or solicitor-client privilege.

One interesting facet of the act is that an organization is required to provide a service or product to an individual even if the individual refuses to give consent to collect information, unless the information is essential for the transaction. The individual also has a right to know who in the organization is responsible for protecting the sensitive data. The organization is also expected to make sure that the information thus held is accurate and up to date. If a violation occurs, it needs to be reported via an ombudsman system to the Privacy Commissioner, who then conducts an investigation. The complainant can then take the report of the investigation to the Federal Court. This ensures that the job of the court becomes easier and the interests of the individual are protected. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages. An improvement to PIPEDA, entitled Bill C-475, was proposed in February 2013, but is yet to be passed.

In 2013, Canada also passed a Cyberbullying Bill, which lays down mandates for distribution of media with consent, in order to bring down incidents of people misusing intimate pictures of others. It prohibits non-consensual distribution of intimate images, empowering a court to order removal of such images and forfeiture of the device used in the offence. The act focuses on protecting children from online bullying and exploitation, establishing websites and helplines where such cases can be reported.

The Fighting Internet and Wireless Spam Act (FISA), passed in 2010, requires that all communication sent to consumers by Canadian companies through Canadian servers, including SMSes or e-mails delivering any form of media such as text, images, voice or sounds, be authorised by explicit or implicit acceptance. The company should also provide an option to opt out of all such communication. The e-mail address or mobile number should also be obtained only after consent. Since the final regulations are still pending, the act is currently not in force. Marketing lobby groups are applying continuous pressure against it, leading to speculation that it might be abandoned even before it takes effect.

Conclusion

Legal jargon aside, Canada has a pretty strong system in place to protect the privacy of individuals’ data, with institutions like the Privacy Commissioner and a battery of laws. Laws always have loopholes, but the current ones have undergone refinement over the years. It can be argued that gaping holes still exist, especially in the FISA, since around 70% of spam communication is routed through botnets operating in other countries. The government also needs to come clean on its electronic and cyber surveillance and make sure that people know what information it is collecting and how the information is stored and processed. Though human rights organizations around the globe have argued against such data collection, no government seems to be leaning towards giving it up. In such a scenario, explaining these practices to citizens is the best way to help them feel more comfortable, secure and private.

This article originally appeared on the PerfectCloud blog. Visit it to read more on cloud security and privacy.
