Marking 20 years
of bold journalism,
reader supported.
Mediacheck
Politics
Science + Tech

New Law Will Keep Personal Data Sharing out of Court

A law meant to stop online piracy may give companies the power to share subscriber information in secret, without a warrant.

Michael Geist 15 Apr 2014TheTyee.ca

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at [email protected] or online at www.michaelgeist.ca.

image atom
The Digital Privacy Act raises the possibility of warrantless disclosure to anyone, not just law enforcement. Phone record photo via Shutterstock.

After years of false starts, Industry Minister James Moore last week unveiled the Digital Privacy Act, the long-awaited reform package of Canada's private sector privacy law.

The government promised that the bill "will provide new protections for Canadians when they surf the web and shop online." But buried within Bill S-4 is a provision that threatens to massively expand warrantless disclosure of personal information.

The centrepiece reforms within the bill are much-needed security breach disclosure requirements that would force organizations to disclose breaches that put Canadians at risk for identity theft.

Security breach disclosure rules are well-established in other countries and long overdue. The Canadian rules include notification to the federal privacy commissioner, the prospect of wider notices to affected individuals, and tough penalties for organizations that fail to comply with these obligations.

While security breach disclosure requirements are a welcome addition to the Canadian privacy framework (as is the introduction of compliance orders that may help hold organizations to account where violations occur), the expansion of warrantless personal information disclosure raises enormous concerns.

Incentive to disclose

The law currently entrusts telecom companies and Internet providers with a gatekeeper role in law enforcement cases. It permits these companies to either voluntarily disclose personal information as part of a lawful investigation or to demand that law enforcement first obtain a court order.

Bill C-13, the cyber-bullying bill, creates an incentive for companies to voluntarily disclose to law enforcement by granting them full immunity from any civil or criminal liability for doing so. In light of recent revelations that they already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision has raised significant fears in the privacy community that the practice will become even more commonplace.

Yet the voluntary disclosure to law enforcement rules pale in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).

When might this be used?

Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy, a leading Internet provider, to disclose the names and addresses of thousands of subscribers. The federal court responded by establishing numerous safeguards to protect privacy and to discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers.

If the Digital Privacy Act were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy to voluntarily disclose the subscriber information (including details that go far beyond just name and address) without any court order and without informing the affected customers.

Sharing between companies

The potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (including telecom companies, social media sites, and local businesses) might resist disclosing information without a court order, the law would not require them to do so. 

The end result makes a mockery of the notion that Canadian privacy laws are premised on consent and court oversight.

Organizations would be permitted to voluntarily disclose personal information to law enforcement as part of a lawful investigation (with legal immunity) and to voluntarily disclose to private organizations if they are investigating a contract breach or alleged legal violation. Moreover, the disclosures would be kept secret from the affected individuals and the disclosing organizations would be under no obligation to publicly report on their practices.

The government may be promising new protections, but the troubling reality is that legislation currently before Parliament will expose all Canadians to the prospect of widespread warrantless disclosure of their personal information.  [Tyee]

Read more: Politics, Science + Tech

  • Share:

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free

Tyee Commenting Guidelines

Comments that violate guidelines risk being deleted, and violations may result in a temporary or permanent user ban. Maintain the spirit of good conversation to stay in the discussion.
*Please note The Tyee is not a forum for spreading misinformation about COVID-19, denying its existence or minimizing its risk to public health.

Do:

  • Be thoughtful about how your words may affect the communities you are addressing. Language matters
  • Challenge arguments, not commenters
  • Flag trolls and guideline violations
  • Treat all with respect and curiosity, learn from differences of opinion
  • Verify facts, debunk rumours, point out logical fallacies
  • Add context and background
  • Note typos and reporting blind spots
  • Stay on topic

Do not:

  • Use sexist, classist, racist, homophobic or transphobic language
  • Ridicule, misgender, bully, threaten, name call, troll or wish harm on others
  • Personally attack authors or contributors
  • Spread misinformation or perpetuate conspiracies
  • Libel, defame or publish falsehoods
  • Attempt to guess other commenters’ real-life identities
  • Post links without providing context

LATEST STORIES

The Barometer

Do You Think Naheed Nenshi Will Win the Alberta NDP Leadership Race?

Take this week's poll