Canadian privacy and copyright

**************************************************************
Educational CyberPlayGround Community 
http://www.edu-cyberpg.com/

NetHappenings Mailing List ©1993
-- Subscribe - Unsubscribe - Set Preferences
http://www.edu-cyberpg.com/Community/NetHappenings.html

Advertise on Nethappenings the oldest K12 Mailing List 
http://www.edu-cyberpg.com/Community/Subguidelines.html

All Mailing Lists
http://www.edu-cyberpg.com/Community/
**************************************************************




------ Forwarded Message
From: Michael Geist <mgeist@xxxxxxxxx>
Date: Mon, 14 Feb 2005 07:09:09 -0500


1.      I gave a talk last week tracing the history of Canadian copyright
law reform and highlighting the dangers in the current set of government
proposals.  I think it does a fairly good job of providing background and
showing the harms of anti-circumvention legislation, notice and takedown,
and other proposals.  It also uses some of the A2K discussion as potential
opportunities to do some good.  Webcast is at
<http://epresence.tv/archives/2005_feb10/?media=real&archiveID=113>

2.      My weekly Toronto Star column calls on Canadian lawmakers to follow
the California lead by adopting a law that requires organizations to
publicly disclose privacy breaches to their customers. It argues that
privacy breaches, including instances of misused personal information or
inadequately safeguarded information, frequently do not come to light and
that a mandatory self-reporting system on privacy and security breaches
would be a step in the right direction.  Full version of the column below.
It is online at
<http://geistprivacybreach.notlong.com>

Best,

MG

Revise privacy law to protect public, not offenders
Michael Geist
Toronto Star

In the coming months, Industry Minister David Emerson will lead the federal
government on a review of Canada's national privacy law, the Personal
Information Protection and Electronic Documents Act (PIPEDA). Critics are
likely to call for tougher enforcement measures, better reporting of
decisions, and an end to the Federal Privacy Commissioner's policy that
shields organizations that are the target of successful complaints.

The law now on the books has supporters. They will say it has achieved its
goals by providing Canadians with a mechanism to resolve privacy disputes
while encouraging businesses to adopt privacy-friendly practices. The
current law's backers will point to the relatively small number of cases -
there have been fewer than 300 findings from the Privacy Commissioner over
the past four years - as evidence that the law is working.

While citing caseload numbers may seem logical, the reality is that the
number of complaints provides little insight into whether Canadians' privacy
is indeed better protected. More often than not, privacy breaches, including
instances of misused personal information or inadequately safeguarded
information, do not come to light. As last year's CIBC privacy breach
illustrates, serious breaches so rarely become public that when they do, the
stories tend to generate front-page headlines and national interest.

Recognizing that companies have an incentive to keep privacy and security
breaches private, the State of California has adopted a law that requires
organizations to publicly disclose privacy breaches to their customers.
Although opposed by business, the law, known as SB1386, has proven wildly
successful since its enactment just over 18 months ago.

The law requires companies and agencies that do business in the state, or
possess personal information of state residents, to report breaches in the
security of personal information in their possession. Companies must act
quickly, notifying customers in writing, electronically, or by prominently
posting the information on their website.

The law's impact on business practice has been dramatic. The State's Office
of Privacy Protection recently surveyed California companies and found that
76 percent of surveyed companies changed their communications policies as a
result of the new law; about one third of the surveyed companies changed
security procedures; and almost half changed the way they used social
security numbers (the U.S. equivalent of Canadian social insurance numbers).

In fact, a provision in the law that excludes encrypted data has reportedly
persuaded many organizations to adopt new encryption techniques to better
protect their customers' personal information.

The changes have no doubt been motivated by the fact that several
organizations have been forced to disclose security breaches to their
customers. As many as 145,00 blood donors in the Los Angeles area were
notified that their personal information may have been compromised when a
laptop was stolen, while numerous banks and credit unions have also reported
privacy breaches.

Universities have been particularly affected by the law. The University of
California at Berkeley reported that information on 600,000 people was
compromised by a hacker, while the University of California San Diego was
forced to notify 380,000 students, alumni, employees, and applicants for
admission about a similar incident.

These cases prove what many analysts have long suspected - that many privacy
breaches never become public as companies prefer to quietly resolve the
issue without raising concern among their customers.

Just last week the Alberta Privacy Commissioner issued scathing findings
against three companies for failing to adequately protect their customers'
personal information.

The issue only came to light after Edmonton police discovered a motel room
filled with personal information including bank account information, social
insurance numbers, credit card data, and customer signatures.

The time has come to lift the veil of secrecy surrounding privacy and
security breaches in Canada. For every case that comes to light, there is
little doubt that there are many more that remain hidden from public view.

From a privacy compliance perspective, experience illustrates that
mandatory reporting requirements provide an effective motivation for
organizations to take their privacy and security obligations seriously. With
identity theft at an all-time high, they also ensure that the public is kept
informed about the security of their personal information and better
positioned to monitor their credit reports and credit card activity for
suspicious activity.

Former IBM CEO Louis Gerstner once noted that "people don't do what you
expect, they do what you inspect." For Canada's privacy legislation to meet
expectations, we need more inspection and better disclosure practices. A
mandatory self-reporting system on privacy and security breaches would be a
step in the right direction.


**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca

<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
EDUCATIONAL CYBERPLAYGROUND 
http://www.edu-cyberpg.com

Copyright statements to be included when reproducing
annotations from Nethappenings.

The single phrase below is the copyright notice to be used when
reproducing any portion of this report, in any format.

> From NetHappenings copyright
> Educational CyberPlayGround.
http://www.edu-cyberpg.com/Community/NetHappenings.html

<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>