The Federal and Ontario privacy commissioners both recently released their annual reports. Their reports contained some common themes, even though the privacy laws they enforce and their application are quite different.
Both expressed concern about the proposed federal "lawful access" legislation, Bill C-30. It's designed to provide police with much greater ability to access and track information about individuals through communication technologies such as the Internet and smartphones, without a warrant or any judicial authorization.
The law includes the ability to obtain a wide range of information, and will require Internet service providers to invest in systems to retain more information in case it's later required for an investigation.
Both commissioners are concerned that the bill is too invasive and privacy unfriendly.
The commissioners also are concerned about the use of biometrics. Biometrics consists of personal information obtained through the scanning of physical features such as your face or your fingerprints.
The federal privacy commissioner has released a guidance document called Data at Your Fingertips: Biometrics and the Challenges to Privacy about the benefits and drawbacks of biometrics.
Ontario's privacy commissioner stated "fortunately, privacy solutions exist, but they must be embedded early into the biometric matching system to be effective. When deployed properly, Biometric Encryption (BE) defeats many of the major privacy concerns surrounding the collection and (mis)use of biometrics: there is no retention of a biometric image or template, which significantly enhances security and diminishes the risk of data-matching against other databases. BE can be deployed with no meaningful loss of system functionality."
In other words, don't store the biometric image itself, and make sure that biometric identifiers cannot be reversed into the biometric image. After all, if a credit card number is compromised, you can get a new one. But if your fingerprint or iris scan is compromised, you can't get a new one.
It's crucial for any use of biometrics as an identifier to be designed with privacy and security issues in mind.
But designing privacy into new products and services is not just for biometrics. Both commissioners also talked about the importance of implementing privacy considerations directly into the design of any program or service where personal data is being collected or used. The federal privacy commissioner has on different occasions been critical of some social media providers, for example, for not considering privacy issues before launching new services.
The Ontario privacy commissioner has labeled this approach privacy by design that is a "pre-emptive approach that requires the integration of privacy considerations into new programs and databases from the outset, and not as an afterthought."
The Ontario commissioner has written several papers on privacy by design that are a worthwhile read for anyone creating a new product or service that uses personal information.
David Canton is a business lawyer and trademark agent with a technology focus at Harrison Pensa LLP. This article, written with the assistance of Thomas Davis, contains general comments only, not legal advice. Contact David at 519-661-6776, visit www.harrisonpensa.com/lawyers/david-canton