We value: Our readers.
Our independence. Our region.
The power of real journalism.
We're reader supported.
Get our newsletter free.
Help pay for our reporting.

New Law Will Keep Personal Data Sharing out of Court

A law meant to stop online piracy may give companies the power to share subscriber information in secret, without a warrant.

By Michael Geist 15 Apr 2014 | TheTyee.ca

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

image atom
The Digital Privacy Act raises the possibility of warrantless disclosure to anyone, not just law enforcement. Phone record photo via Shutterstock.

After years of false starts, Industry Minister James Moore last week unveiled the Digital Privacy Act, the long-awaited reform package of Canada's private sector privacy law.

The government promised that the bill "will provide new protections for Canadians when they surf the web and shop online." But buried within Bill S-4 is a provision that threatens to massively expand warrantless disclosure of personal information.

The centrepiece reforms within the bill are much-needed security breach disclosure requirements that would force organizations to disclose breaches that put Canadians at risk for identity theft.

Security breach disclosure rules are well-established in other countries and long overdue. The Canadian rules include notification to the federal privacy commissioner, the prospect of wider notices to affected individuals, and tough penalties for organizations that fail to comply with these obligations.

While security breach disclosure requirements are a welcome addition to the Canadian privacy framework (as is the introduction of compliance orders that may help hold organizations to account where violations occur), the expansion of warrantless personal information disclosure raises enormous concerns.

Incentive to disclose

The law currently entrusts telecom companies and Internet providers with a gatekeeper role in law enforcement cases. It permits these companies to either voluntarily disclose personal information as part of a lawful investigation or to demand that law enforcement first obtain a court order.

Bill C-13, the cyber-bullying bill, creates an incentive for companies to voluntarily disclose to law enforcement by granting them full immunity from any civil or criminal liability for doing so. In light of recent revelations that they already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision has raised significant fears in the privacy community that the practice will become even more commonplace.

Yet the voluntary disclosure to law enforcement rules pale in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).

When might this be used?

Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy, a leading Internet provider, to disclose the names and addresses of thousands of subscribers. The federal court responded by establishing numerous safeguards to protect privacy and to discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers.

If the Digital Privacy Act were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy to voluntarily disclose the subscriber information (including details that go far beyond just name and address) without any court order and without informing the affected customers.

Sharing between companies

The potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (including telecom companies, social media sites, and local businesses) might resist disclosing information without a court order, the law would not require them to do so. 

The end result makes a mockery of the notion that Canadian privacy laws are premised on consent and court oversight.

Organizations would be permitted to voluntarily disclose personal information to law enforcement as part of a lawful investigation (with legal immunity) and to voluntarily disclose to private organizations if they are investigating a contract breach or alleged legal violation. Moreover, the disclosures would be kept secret from the affected individuals and the disclosing organizations would be under no obligation to publicly report on their practices.

The government may be promising new protections, but the troubling reality is that legislation currently before Parliament will expose all Canadians to the prospect of widespread warrantless disclosure of their personal information.  [Tyee]

Read more: Politics, Science + Tech

Share this article

The Tyee is supported by readers like you

Join us and grow independent media in Canada

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free.


The Barometer

Tyee Poll: Who Do You Think Should Get the Job as New Governor General?

Take this week's poll