[IP] Online data brokers target Canadian privacy commissioner

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Online data brokers target Canadian privacy commissioner
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 28 Nov 2005 12:33:50 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <p0620076bbfb0b7d019cb@[192.168.1.102]>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Michael Geist <mgeist@xxxxxxxxx>
Date: November 28, 2005 11:18:11 AM EST
To: dave@xxxxxxxxxx
Subject: Online data brokers target Canadian privacy commissioner

Dave,

Of possible interest -- my weekly Law Bytes column focuses on arecent Canadian incident in which a reporter obtained the personalphone records of Privacy Commissioner Jennifer Stoddart. I arguethat in a year dominated by almost daily privacy and securityviolations that have placed the personal information of millions atrisk, that this privacy breach, which affected just one person, ranksas 2005's most shocking incident.

Although major Canadian telecommunications providers such as BellCanada sought to characterize themselves as "victims" of fraudulentactivity and claim that a rapid response to the incident is proofthat the Canada's privacy laws are working as intended, the realityis that Canadian law is simply ill-equipped to deal effectively withsuch incidents.

In light of the privacy breach, the public might naturally expectthat the Privacy Commissioner of Canada has the powers to address theissue. She does not.

The investigation will naturally focus on both the telecommunicationsproviders that disclosed the phone records as well as the U.S.-baseddata broker that obtained and later sold the information.

The Privacy Commissioner has little recourse against thetelecommunications providers. Although she can investigate theincident, without possessing order-making power, the Commissioner isreduced to issuing a non-binding "finding" that must be pursued infederal court in order to levy any financial penalties.

Indeed last week it was the CRTC that was better able to immediatelyaddress the issue. Within days of the report, it sent a letter tothe telecommunications providers demanding an internal investigationand imposing a strict 10-day deadline to furnish a host ofinformation, including descriptions of the safeguards that were inplace when the breaches occurred, explanations of how the companiesverify customer identity, and new measures being taken to improvesecurity.

The situation with respect to the U.S.-based data broker is evenbleaker. Last week the Privacy Commissioner declined to investigatea complaint against another U.S. data broker, arguing that Canada'sprivacy laws do not provide sufficient powers to investigate out-of-country operators.

The implications of that decision are stunning, suggesting thatCanadians enjoy no privacy protection for personal information thatis disclosed to non-Canadian entities. Although the Commissioner' sinterpretation of the limits of the law are subject to challenge -there is a good argument that the jurisdictional limitations oninvestigation should not act as a barrier to issuing a findingagainst a foreign entity - it is increasingly clear that Canadian lawis not up to the challenge of providing effective privacy protectionin a world of global data flows that do not respect national borders.

Tackling this challenge will not be easy, particularly as theCommissioner is asked to address a growing number of concernsincluding spam, spyware, and the threat of secret disclosurescompelled by U.S. law enforcement. A starting point, however, is toprovide the Commissioner with order making power, the unquestionedability to name the names of privacy violators, and the resourcesnecessary to meet her mandate.

While a statutory review of Canada's national privacy legislation isslated for 2006, there is no need to wait for the review. With animminent national election call, Canada's political leaders should berequired to answer a simple question - how are they prepared toreform Canadian law to provide meaningful privacy protection in theInternet era?


Toronto Star version at
http://geistprivacywakeupcall.notlong.com

Freely available version at

<http://www.michaelgeist.ca/index.php?option=com_content&task=view&id=1024>


Best,

MG
--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa, Faculty of Law
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca




-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] nytimes What Google Should Roll Out Next: A Privacy Upgrade E-Mail
Next by Date: [IP] TLDs
Previous by thread: [IP] nytimes What Google Should Roll Out Next: A Privacy Upgrade E-Mail
Next by thread: [IP] TLDs
Index(es):
- Date
- Thread