
[IP] Two on Canadian privacy and copyright




------ Forwarded Message
From: Michael Geist <mgeist@xxxxxxxxx>
Date: Mon, 14 Feb 2005 07:09:09 -0500
To: <dave@xxxxxxxxxx>
Subject: Two on Canadian privacy and copyright

Dave,

Two items of potential interest for IP --

1.      I gave a talk last week tracing the history of Canadian copyright law reform and highlighting the dangers in the current set of government proposals.  I think it does a fairly good job of providing background and showing the harms of anti-circumvention legislation, notice and takedown, and other proposals.  It also uses some of the A2K discussion as potential opportunities to do some good.  Webcast is at
<http://epresence.tv/archives/2005_feb10/?media=real&archiveID=113>

2.      My weekly Toronto Star column calls on Canadian lawmakers to follow the California lead by adopting a law that requires organizations to publicly disclose privacy breaches to their customers. It argues that privacy breaches, including instances of misused personal information or inadequately safeguarded information, frequently do not come to light and that a mandatory self-reporting system on privacy and security breaches would be a step in the right direction.  Full version of the column below.  It is online at
<http://geistprivacybreach.notlong.com>

Best,

MG

Revise privacy law to protect public, not offenders
Michael Geist
Toronto Star

In the coming months, Industry Minister David Emerson will lead the federal government on a review of Canada's national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Critics are likely to call for tougher enforcement measures, better reporting of decisions, and an end to the Federal Privacy Commissioner's policy that shields organizations that are the target of successful complaints.

 The law now on the books has supporters. They will say it has achieved its goals by providing Canadians with a mechanism to resolve privacy disputes while encouraging businesses to adopt privacy-friendly practices. The current law's backers will point to the relatively small number of cases - there have been fewer than 300 findings from the Privacy Commissioner over the past four years - as evidence that the law is working.

While citing caseload numbers may seem logical, the reality is that the number of complaints provides little insight into whether Canadians' privacy is indeed better protected. More often than not, privacy breaches, including instances of misused personal information or inadequately safeguarded information, do not come to light. As last year's CIBC privacy breach illustrates, serious breaches so rarely become public that when they do, the stories tend to generate front-page headlines and national interest.

Recognizing that companies have an incentive to keep privacy and security breaches private, the State of California has adopted a law that requires organizations to publicly disclose privacy breaches to their customers. Although opposed by business, the law, known as SB1386, has proven wildly successful since its enactment just over 18 months ago.

 The law requires companies and agencies that do business in the state, or possess personal information of state residents, to report breaches in the security of personal information in their possession. Companies must act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.

The law's impact on business practice has been dramatic. The State's Office of Privacy Protection recently surveyed California companies and found that 76 percent of surveyed companies changed their communications policies as a result of the new law; about one third of the surveyed companies changed security procedures; and almost half changed the way they used social security numbers (the U.S. equivalent of Canadian social insurance numbers).

In fact, a provision in the law that excludes encrypted data has reportedly persuaded many organizations to adopt new encryption techniques to better protect their customers' personal information.

The changes have no doubt been motivated by the fact that several organizations have been forced to disclose security breaches to their customers. As many as 145,00 blood donors in the Los Angeles area were notified that their personal information may have been compromised when a laptop was stolen, while numerous banks and credit unions have also reported privacy breaches.

Universities have been particularly affected by the law. The University of California at Berkeley reported that information on 600,000 people was compromised by a hacker, while the University of California San Diego was forced to notify 380,000 students, alumni, employees, and applicants for admission about a similar incident.

These cases prove what many analysts have long suspected - that many privacy breaches never become public as companies prefer to quietly resolve the issue without raising concern among their customers.

Just last week the Alberta Privacy Commissioner issued scathing findings against three companies for failing to adequately protect their customers' personal information.

 The issue only came to light after Edmonton police discovered a motel room filled with personal information including bank account information, social insurance numbers, credit card data, and customer signatures.

The time has come to lift the veil of secrecy surrounding privacy and security breaches in Canada. For every case that comes to light, there is little doubt that there are many more that remain hidden from public view.

From a privacy compliance perspective, experience illustrates that mandatory reporting requirements provide an effective motivation for organizations to take their privacy and security obligations seriously. With identity theft at an all-time high, they also ensure that the public is kept informed about the security of their personal information and better positioned to monitor their credit reports and credit card activity for suspicious activity.

Former IBM CEO Louis Gerstner once noted that "people don't do what you expect, they do what you inspect." For Canada's privacy legislation to meet expectations, we need more inspection and better disclosure practices. A mandatory self-reporting system on privacy and security breaches would be a step in the right direction.

--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca


------ End of Forwarded Message


Archives at: http://www.interesting-people.org/archives/interesting-people/