On June 18th, the federal Commissioner, along with numerous other privacy commissioners, published a joint letter to Google Inc., urging the company to respond to questions and concerns related to Google Glass, the company’s new Internet-connected glasses.
“Google Glass raises significant privacy issues and it is disappointing that Google has not engaged more meaningfully with data protection authorities about this technology. We are urging Google to take part in a real dialogue with us about Google Glass,” stated Commissioner Stoddart.
In addition, the federal Privacy Commissioner recently issued a position paper, which recommends that she have increased authority; for example, to issue fines (or administrative monetary penalties) or to issue binding orders under PIPEDA.
The Commissioner has also proposed that PIPEDA be amended to empower a Court to order statutory damages for certain contraventions. Pursuant to this model, damages would be awarded for contraventions of certain PIPEDA provisions, without the requirement for a claimant to prove actual loss stemming from the contravention. A range of damage awards could be prescribed, setting out minimum and maximum amounts for contraventions of specific provisions. Within that range, courts would be able to assess damages based on a number of explicit factors to be taken into consideration.
Meanwhile, Private Member’s Bill C-475, which, among other things, would amend PIPEDA to require organizations to notify the Commissioner of information security breaches involving a possible risk of harm to an individual, still has not passed Second Reading in the House of Commons. The previous government Bill C-12, which (among other things) also would amend PIPEDA to require notification of information security breaches in some circumstances, remains in limbo.
The federal Privacy Commissioner also issued her Annual Report to Parliament 2012 this month. Highlights from the Annual Report include:
- 220 complaints were accepted by the OPC for formal investigation in 2012. 138 complaints were accepted for early resolution in 2012. Only 23 of the complaints accepted for early resolution were unresolved through that process and were referred for investigation.
- Of the 220 complaints accepted for investigation by the OPC in 2012, only 5 were deemed “well-founded and unresolved”.
- The OPC received 33 voluntary notifications of an information security breach in 2012. 58% of these notifications came from the financial industry (next highest was telecommunications, at 9%). The Commissioner commended the privacy officers of federal financial institutions for providing this voluntary notification to the OPC.
- The Commissioner provided some examples of interesting complaint matters, such as a complaint against Facebook for refusing to notify individuals “friended” by an imposter account relating to a teen-aged girl. Facebook had been quick to remove the imposter account when notified of it by the girl’s mother, but did not consider it appropriate for Facebook itself to notify those “friended” by the imposter account. Ultimately, Facebook agreed, going forward, to facilitate a process whereby non-users could themselves notify people “friended” by the imposter, in order to restore their own online reputation.
- The Commissioner described an investigation the OPC had undertaken regarding a Canadian franchisee of a U.S. company who had used a spyware application called “Detective Mode” to covertly trace laptop computers that had been leased to customers. The Commissioner found the use of the spyware overly intrusive of customer privacy, and the OPC was ultimately able to reach a consensual resolution of the issue with the franchisee.
- The Commissioner commended LinkedIn for its swift due diligence and accountability in responding to the June 2012 cyber-attack on its system.