LAWYERS
Is There Such a Thing as “Internet Privacy”?
April 13, 2015
What is “Internet Privacy”?
Why does it matter?
What laws govern Internet Privacy?
What do individuals need to know about Internet Privacy?
What are the risks?
How do the laws protect you?
What can you do to protect yourself?
What do organizations need to know about Internet
Privacy?
What are an organization’s privacy law obligations?
Agenda
What is “Internet Privacy”?
“Internet Privacy” is the privacy and security level of
personal information published or available via the internet.
It is a broad term referring to the various concerns, technologies, and strategies for protecting information, communications, and choices that are meant to be private.
In general, using the internet often means giving up some
measure of privacy.
Taking certain precautions can reduce the privacy risks.
Canadians log an average of 43.5 hours of online
browsing per month, and nearly half of Canadians are on Facebook.
The Internet is part of almost every aspect of our lives –
both personal and work-related.
Online data:
is permanent
is never entirely private and leaves data trails
over time, reveals a lot about who you are, what you do, and what you like and dislike
is very valuable – for businesses and for criminals
Why does it matter?
Federal:
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Privacy Act
Canadian Anti-Spam Laws (“CASL”)
Saskatchewan:
The Freedom of Information and Protection of Privacy Act (“FOIP”)
The Local Authority Freedom of Information and Protection of Privacy Act (“LAFOIP”)
The Privacy Act
Laws relating to specific organizations or activities (e.g. the
Bank Act, cyber crimes or terrorism laws)
Common law
What Canadian laws govern Internet
Privacy in Saskatchewan?
R. v. Spencer: Supreme Court of Canada decision from June 2014
Police requested Internet Protocol address used to access and store child pornography
Ruling: internet users have a “reasonable expectation of privacy” in their “subscriber information”
Can you expect your online activities to
be private?
Individuals & Internet Privacy -
What are the risks?
There are many threats to Internet Privacy, but some key threats are:
Threats to Personal Information
Risks relating to Social Networking Sites
Online “Spam”
Collection, use, and disclosure of personal information about you – e.g. “Cookies”, information that you voluntarily provide, information from other organizations
Online fraud – others using your credit card, stealing
money from your bank account, etc.
Identity Theft – others pretending to be you to open credit
card and bank accounts or take out loans, redirect mail, set up cellphone service, rent or buy vehicles, equipment, or accommodation, secure employment, commit crimes, etc.
“Social engineering” attacks
“Social engineering” attacks: using influence and
persuasion to deceive people into divulging personal information.
“phishing”
“spear phishing”
“pharming”
“vishing”
Use of social media to build social engineering attacks or
to commit identity theft or fraud
Loss of employment or academic opportunities or
employment or professional discipline
Embarrassment
Threats Relating to Social Networking
Sites
More than just unsolicited emails
Potential for serious damage to your computer or risk to your personal information
Threats commonly associated with spam:
Address harvesting
Botnet
Denial-of-service (DoS) attacks
Dictionary attack
Malware
Phishing
Require organizations to obtain your consent to collect,
use, or disclose your personal information.
Limit how organizations can collect, use, or disclose your
personal information.
Give you a right to see what information an organization
has about you, and to correct errors in such information.
Privacy Commissioners can investigate complaints about
possible violations of applicable laws.
Anti-spam laws are intended to prevent unsolicited
commercial electronic messages (e-mails, text messages, etc.)
Individuals & Internet Privacy –
How do privacy laws protect you?
Protecting Canadians from Online Crime Act
New criminal offence for distribution, advertising of “intimate images” without consent
Cyber Bullying - expansion of existing Criminal Code offences to include electronic communications
Lawful access provisions
Individuals & Internet Privacy –
How do privacy laws protect you?
Require organizations to collect, use, or disclose your
information in certain circumstances.
Individuals & Internet Privacy –
Cannot eliminate the risk, but you can reduce the risk:
Protect your computer
Update your browser
Be suspicious of e-mails
Don’t click on links or call numbers in e-mails
Ensure that you are using an authentic, secure website
Watch out for suspicious or unfamiliar clickable items
Read website privacy policies
Limit the information you provide
Use and update appropriate security settings and passwords
Report as soon as possible if you suspect your personal
What personal information is the organization collecting?
How is the organization collecting your personal information?
What is the organization using your personal information for?
Will the organization be sharing your personal information with third parties?
Where will your personal information be stored?
Does the organization have appropriate safeguards in place?
Does the organization have a contact responsible for privacy and access/amendment to my personal information?
What to Look for in Website Privacy
Policies
Organizations – Obligations Under
Privacy Legislation
Privacy legislation contains requirements regarding
collection, use and disclosure of personal information:
Limits on the collection, use and disclosure of PI
Subject individual’s consent is required to collect PI
Exceptions to the general consent rule (these vary from statute to statute)
Collection of PI must be reasonable for the purpose for which it is collected
Reasonable steps must be taken to ensure that PI collected is accurate, complete and up-to-date
Organizations – Privacy Compliance
Program
Organizational Commitment
Buy-in from the Top
Privacy Officer
Program Controls
Personal Information Inventory
Policies
Risk Assessment Tools
Training and Education Requirements
Privacy Breach Protocols
Service Provider Management
External Communication
Organizations – Protecting Customers:
10 Tips for a Better Privacy Policy
Make your privacy policy about your business
Be specific and provide meaningful information
It’s about more than cookies – how do you collect, use and disclose personal information?
Privacy choices (i.e. opt-outs)
Access/amendment processes
Update your privacy policy regularly
Make it easy to contact you
Make privacy information easy to find
Use plain language
Is personal information processed outside of Canada?
Not prohibited, but PIPEDA sets out guidelines.
If information is used for the purpose for which it was originally collected, additional consent is not required.
Outsourcing the processing of personal information does not outsource accountability.
Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing.
Organizations – What Happens If There is a Privacy Breach?
Digital Privacy Act (proposed) – mandatory notification
Saskatchewan OIPC recommendations:
Step 1 – Contain the Breach
Step 2 – Investigate the Breach
Step 3 – Assess and Analyze the Breach
Step 4 – Notification: Who, When and How to Notify
Step 5 – Prevention
Role of the OIPC
Investigation/Review by Privacy Commissioners
The Privacy Commissioners and complainants may
seek remedies for non-compliance in the court system
Digital Privacy Act: Compliance Agreements (proposed)
Organizations – What Happens If You Don’t Comply
Many useful websites:
Privacy Commissioner of Canada
Information and Privacy Commissioner of Saskatchewan
MLT Privacy and Technology Blogs
Thanks for attending!
Please note that the information contained in this presentation is general in nature and does not constitute legal advice, nor is it exhaustive on the
subjects noted.