1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Europe under Review: Part 3 of 8 – Accuracy and Proportionality

As the next in our series of “back to privacy basics”, we look at the rules regarding accuracy and proportionality in the processing of personal data.

As we will do throughout this series, we take a look at the current position and what is best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Accuracy and proportionality

Data protection law requires the data controller to ensure personal data is accurate and up-to-date. In practice this means an organisation should:

  • try to ensure personal data it collects is accurate;
  • keep a record of the source of any personal data;
  • assess the risks of personal data being, or becoming, inaccurate; and
  • consider how it will ensure the information stays up-to-date.

Data protection law also requires that personal data collected is not excessive for the purpose for which it was collected. In practice this means organisations should not hold more information about the individual than it needs.

Best Practice

Organisations should consider these simple steps for keeping data up to date:

  • Before adding information to your database, ask the individual to confirm it is accurate. For example, in call centre scripts, ensure the operator reads the information back to the individual and confirms it is correct.
  • Ask the individual to confirm the data remains accurate on a periodic basis. For example, once a year when an individual logs into their account, you could present their information to them and ask them to amend it, or tick a box to confirm it is accurate.
  • If you replace IT, securely delete personal data from legacy systems. If the database is not maintained, get rid of it!

Similarly, procedures should be put in place to ensure you are not collecting excessive data:

  • Review your databases regularly and ask yourself if you need all of the information you are collecting. If not, stop collecting it!
  • Don’t hold personal data on the off-chance that it might be useful in the future – you must know the purpose for collecting it first!
  • It’s ok to hold information, even if you never  need to use it, as long as you are holding it for a legitimate purpose – for example, emergency contact details.
  • Identify information that is insufficient for its intended purpose – for example, CCTV images that are poor quality so  they are not able to achieve their purpose.

Position under draft Data Protection Regulation

The draft Data Protection Regulation raises the bar:

  • It requires that “every reasonable step” must be taken to ensure that inaccurate personal data are erased, or corrected, without delay.
  • Only “the minimum necessary” information may be collected and may only be processed if processing non-personal information could not fulfil the purposes. So regulators are likely to expect anonymisation of data where de-personalised data could achieve the same purpose.

It remains to be seen what will be considered as sufficient to comply with the new requirements of the Regulation. However, the good practice steps identified above are a good starting point. Next up in our series is the topic of data retention.

Europe under Review: Part 3 of 8 – Accuracy and Proportionality

Europe under Review : Part 2 of 8 – Data Collection

As the next in our series of “back to privacy basics”, we look the rules regarding collection and processing of personal data.

As we will do throughout this series, we take a look at the current position and what is current best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Data Collection

Data protection law requires all processing of personal data to be fair and lawful. Translating from data protection jargon this means ‘transparency’ and ‘legitimacy’.

For the processing to be “fair” or “transparent”, companies should ensure that certain, clear information is provided to individuals in advance of processing it.  Specifically, data controllers need to ensure that individuals are, so far as practicable, told:

  • who the data controller is
  • why the personal information is being processed
  • any further information which is necessary, having regard to the specific circumstances, to enable the processing in respect of the relevant individual, to be fair.

In practice this means clear and specific information being provided in privacy policies, marketing consents, employee handbooks, online policies etc.

In terms of ‘legitimacy’ (or “lawfulness”) the purpose for which the information is collected is key.  Data protection law will only permit its collection and subsequent processing if organisations can demonstrate the processing is for one of a defined list of conditions for processing.  This aims to ensure that personal data is only used for legitimate reasons.

For many organisations, the key purposes that it will be able to rely upon or are those for which it has collected the individual’s consent; where the processing is necessary in connection with contracted goods / services provided to the individual; and where required by law.

Organisations may also collect and process information where it is in the organisation’s “legitimate interests” to do so.  But this is a balancing act.  The collection and processing will not be permitted where the individual’s fundamental rights under data protection law override the interests of the organisation.

Best Practice

Organisations should ensure that sufficient notices are given to individuals whose personal information is collected.  This will involve employees, customers, business contacts, and any other correspondents.  And don’t forget about the information requirements for the use of cookies on websites.

Before undertaking any data collection, or embarking on a product development that will involve significant data collection, conduct a Privacy Readiness Assessment or Privacy Impact Assessment to identify personal data being collected and establish legitimate grounds for collection and processing.

Position under draft Data Protection Regulation

One of the real bug-bears of privacy regulators is the practice of treating privacy notices as “small print”, burying away details of processing.  Privacy notices should be seen as a way of being upfront and assuring customers of an organisation’s good privacy practices.

Expect this trend to continue should the draft Regulation pass into law in its current state.  The draft Regulation places a greater emphasis on enhanced transparency and requires that a much more extensive privacy notice is given to individuals.  The proposal is that a standard ‘privacy graphic’ is used with organisations being required to specify details of where the processing varies from the norm.

The well known conditions for processing will, fundamentally, remain the same.  This is definitely a case of ‘no news is good news’ for many organisations who rely on ‘legitimate interests’ (or private sector organisations anyway).  However, privacy notices will likely need to specify the legitimate interests in advance so this is an extra overhead.

The bad news for public authorities is that they will no longer be able to rely on this ground.

Next up in our series is the topic of data accuracy and proportionality.

Europe under Review : Part 2 of 8 – Data Collection

European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in  a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance“.

Therefore, the ECJ concluded that, although, data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. The generality of the Directive – it covers all individuals and electronic communications without exception
  2. The lack of objective criteria for, and procedures regulating, access to and use of the data,
  3. The minimum data retention period of 6 months not taking into account the type of data or its usefulness
  4. Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances
  5. The insufficient safeguards against possible abuse,  and unlawful access or use, of data
  6. The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.

European Court of Justice declares Data Retention Directive invalid

Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

On April 8, 2014, Canada’s government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 is the federal government’s latest attempt to reform the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). It would be a mistake to say that it is largely recycled from the government’s last attempt to reform PIPEDA in 2011 through Bill C-12, which died on the order paper. Here’s what’s different, what’s been dropped, and what seems to be largely the same. Caveat: This is a first read!

What’s different?

  • Fines for Failure to Record and Report Breaches. First the big news: The government is proposing that it would be a criminal offence for an organization to knowingly fails to keep prescribed records for breaches (see below) or to knowingly fail to report breaches in compliance with PIPEDA (also below). These offences would be punishable by fines of CAD$100,000 (indictable offence) and CAD $10,000 (summary conviction). To facilitate this provision, the Commissioner may disclose breach records and reports to law enforcement or the Public Prosecution Service of Canada  for investigation and prosecution.
  • Records of Breaches. Organizations must keep and maintain records of any breaches of security safeguards and provide those records to the Commissioner on request.
  • Altered the Test for Breach Reporting. The test for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada in Bill C-12 involved an analysis of whether the breach was “material” having regard to a non-exhaustive list of factors. The government has changed its approach and adopted a test that appears to be based on the test in Alberta — that is, an organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. The listed factors for what constitutes a real risk of significant harm (sensitivity of the personal information and probability of misuse) are the same as for a “material breach” under C-12, but the factors also include the possibility of additional prescribed criteria.
  • Confidentiality of Breach Reports and Records. Unlike Alberta, the Commissioner to make a disclosure of breach reports and records for prosecution, these reports will remain confidential. In Alberta, the Commissioner must make a breach notification order. If the order requires individual notification, it is always public.
  • Compliance Agreements. The government is granting the Commissioner additional powers to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfil the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. This resolves an enforcement conundrum that the Commissioner previously because of limitation periods on seeking court orders following the conclusion of an investigation. This provision will significantly enhance the jurisdiction of the Commissioner provided that organizations determine that it is better to enter into agreements than to start to litigated. It is important to note that compliance agreement does not provide immunity to the organization from an action by an individual for compensation or from prosecution for an offence.
  • Broadening Regulatory Powers. The government has modernized and broadened the regulatory powers of the Executive Branch. This may result in more flexibility to pass clarifying regulations as issues arise under PIPEDA.

What’s Missing?

  • Gag Order Provisions. It appears that the government has dropped the provisions in Bill C-12 that restricted the ability of organizations to be transparent with individuals when they provided information to law enforcement and other government institutions (even absent a court order).
  • Lawful Authority Clarification. The government also appears to have dropped the provisions clarifying that an organization need not inquire into the lawful authority of law enforcement seeking information without a warrant or production order and has also dropped the provisions clarifying the meaning of lawful authority. No doubt the government feels the pending proposed amendments to the Criminal Code granting organizations immunity from voluntarily collecting and disclosing information is sufficient to overcome any lingering doubts of organizations regarding the parameters for responding to pre-warrant requests for information.

What’s largely recycled?

  • Conditions for Valid Consent. The requirement for informed consent has been reintroduced.
  • Work Product Information Exceptions. Exceptions for the collection, use and disclosure of work product information have been reintroduced.
  • Disclosure of Information in a Business Transaction. The provisions in Bill C-12 enacted to facilitate the sharing of personal information in the course of the due diligence process and the completion of business transactions for the purchase and sale of a business have been largely recycled.
  • Business Contact Information. As with Bill C-12, the government has introduced an exemption from the requirement for consent for the collection, use and disclosure of business contact information when used solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. However, the government has tweaked the definition of business contact information. Business contact information is now “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment”, including the usual data elements such as name or title, work address, work telephone number, work fax number or work email address. Previously, the definition began with this list of data elements and ended with a “basket clause”.
  • Financial Abuse Exceptions. Regrettably, the ham-fisted exception for disclosure without consent to deal with the plague of financial abuse (particularly of the elderly) have been reintroduced. The provisions permit disclosure to a government institution (which is not controversial) and also to next of kin or an authorized representative (neither of which is defined) irrespective of the competency of the individual. The government appears to have been deaf to the decades of provincial experience with substitute consent.

Now, the only question is whether the government will fare better getting this Bill passed than it has previously.


Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

Digital Privacy Act to Reform Canadian Privacy Laws

On Friday, April 4, 2014, the Hon. James Moore, Canadian Minister of Industry, announced the launch of “Digital Canada 150.”

As part of the Digital Canada 150, the Government of Canada intends to introduce a Digital Privacy Act in Parliament this coming week to reform Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Minister’s announcement was short on details. It is expected, however, that the Digital Privacy Act may include some of the following reforms that were previously attempted by the government:

  • Mandatory data breach reporting to the Office of the Privacy Commissioner of Canada and individual breach notification requirements.
  • Clarification that organizations may disclose personal information when requested by police without verifying the lawful authority of the requester to make the request. (This provision was controversial when previously introduced. A different approach has been taken in Bill C-13, which is also before Parliament. That Bill would amend the Criminal Code to provide criminal and civil immunity to organizations that preserve and disclose data to law enforcement agencies, among others.)
  • An exemption that would allow an organization to disclose (without the consent of the individual and whether or not the individual is competent) personal information to the individuals’ next of kin, an authorized representative or law enforcement if the organization had reasonable grounds to believe the individual may be the victim of financial abuse.
  • Exemption from PIPEDA for the collection, use or disclosure of an individual’s business contact information when used for the purposes of communicating with that individual about their business.
  • Clarification that consent is not required for the collection, use and disclosure of employee work product information.
  • Provisions to facilitate the transfer of personal information without the need for consent when selling or acquiring a business.
  • New investigatory provisions for the Commissioner.

It is not clear whether we might also see new order making powers and administrative monetary penalties for egregious breaches of PIPEDA. Although these tools have been previously requested by the Office of the Privacy Commissioner, the government has not acceded to those requests to date.

Privacy law reforms are only one piece of the Digital Canada 150 initiative. A central plank in the Digital Canada 150 strategy is to have high-speed Internet at 5 megabits per second available to 98% of Canadians. The government will inject CAD $300 million to bring that effort to fruition. In addition, the government has announced that it will cap domestic wireless roaming rates. The government will continue to pursue passage of laws relating to cyberbullying and the regulation of virtual currency that have already been introduced into Parliament.

For our international readers, an explanation might be required as to why the government is branding its initiative “Digital Canada 150″. This is a reference to the 150th anniversary of the founding of Canada through Confederation in 1867. The building of a transcontinental rail road is a central theme in the history of nation-building in Canada. Under Confederation in 1867, two of Canada’s Maritime provinces were promised railway links to Ontario and Quebec. When British Columbia (on the far west coast) joined in 1871, there was a condition that the railway be completed across the continent. Evidently, what the rail road was to the history of Canada, the government believes high speed broadband will be to the future.

Digital Privacy Act to Reform Canadian Privacy Laws