Change data breach bill to notify more consumers, New PIAC report

The Public Interest Advocacy Centre (PIAC) today released a report entitled “Data Breaches: Worth Noticing?”. The report examines data breach notification in Canada in the private sector in general and in particular whether the proposed federal data breach notification law (Bill C-12) is adequate to protect Canadian consumers.
“Data breaches affect consumer confidence in the new economy,” said John Lawford, PIAC legal counsel and co-author of the report. “Government must require business to report all data breaches to the Privacy Commissioner of Canada or their provincial privacy commissioner.”
The report recommends that Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act, be significantly toughened to require all data breaches be reported promptly to the Federal Privacy Commissioner, who in turn should have the power to order companies to notify individual consumers when there is a real risk of significant harm to them. The report also recommends Bill C-12 be amended to give the Privacy Commissioner of Canada order-making power to enforce the requirements and a fining power for non-compliance.
PIAC’s study is based in part on focus groups of Canadian consumers regarding their attitudes to data breaches.
“Consumers clearly think that they should always be notified when a company has lost their personal information unless the Privacy Commissioner says there’s no real risk of harm to them,” said Lawford. “Bill C-12 is too weak to assure them that will happen,” he noted.
PIAC called for other amendments to Bill C-12, including increased audit powers for and a special data breach division at the Office of the Privacy Commissioner of Canada.
The Public Interest Advocacy Centre received funding from Industry Canada’s Contributions Program for Non-profit Consumer and Voluntary Organizations. The views expressed in this report are not necessarily those of Industry Canada or of the Government of Canada.

“Data Breaches: Worth Noticing?”
Download File: data_breaches_worth_noticing_publication_version_final_final.pdf [size: 0.92 mb]


Executive Summary
Download File: executive_summary_data_breaches.pdf  [size: 0.11 mb]


French summary: This report examines data breach notification in Canada in the private sector in general and, in particular, whether the proposed federal data breach notification law (Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act) adequately protects Canadian consumers.
Download File: sommaire_data_breaches.pdf [size: 0.14 mb]

Appendix 1: Focus groups
Download File: databreachesappendix_1_focus_groups_1.zip [size: 0.17 mb]


Data breaches: Appendix 2: Environics Report
Download File: appendix_2_environics_report_2.pdf [size: 0.32 mb]

 

Consumers need more comprehensive protection for returns of online purchases

The Public Interest Advocacy Centre (PIAC) today released a report entitled “Point of No Return: Consumer Experiences Returning Online Purchases”. The report studies the importance of the return policy for consumers purchasing goods online in light of the demonstrated growing popularity of online shopping. The 108-page report examines consumers’ experiences with returns for online purchases and their ability to return the product.
“Canadian consumers need better protections for shopping online and a clear, unequivocal right to return products purchased online,” said Janet Lo, PIAC legal counsel and author of the report. “Business policies and practices for return policies for online purchases vary greatly and Canadian consumers do not always have the ability to return products purchased online.”
The report notes that the European Union recently passed a new Consumer Rights Directive that gives consumers the right to return online purchases and requires retailers to reimburse shipping costs incurred by the consumer. The EU Directive also requires retailers to provide clear information to consumers about their right to return the product and costs associated with the return.
PIAC’s study surveyed Canadian consumers regarding online purchases and returns, with 89% of respondents stating that the right to return was an important consideration when deciding whether or not to purchase a product online. PIAC also purchased and returned products from 15 North American retailers to test the online return process. Retailers had varying return periods and used inconsistent ways to calculate the period for return. As well, consumers are expected to bear the cost of returning a product purchased online by paying for shipping to return the product and having original shipping and handling fees deducted from their refund.
“Consumers purchasing items online do not have the benefit of inspecting the products in person, so the right of return is an important consideration,” said Lo. “The cost to return products purchased online often represents a high percentage of the total purchase price, which likely dissuades consumers from purchasing more items online.”
PIAC called for more comprehensive legal protection for the right to return products purchased online. PIAC’s report recommends several consumer-friendly business practices that should be implemented by online businesses for online returns. PIAC also provides a tips sheet for consumers who are returning online purchases.

The report, “Point of No Return: Consumer Experiences Returning Online Purchases”, is available here:

Download File: online_returns_final_website.pdf [size: 0.75 mb]

Point of No Return: Consumer Experiences Returning Online Purchases. Report prepared by the Public Interest Advocacy Centre. The Public Interest Advocacy Centre received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in this report are not necessarily those of Industry Canada or the Government of Canada.
A summary is available here:

Download File: online_returns_french_exec_summary.pdf [size: 0.05 mb]

PIAC’s tip sheet for consumers who are returning online purchases is available here:

Download File: consumer_tips_sheet_for_online_returns.pdf [size: 0.06 mb]

PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
For more information, please contact the Public Interest Advocacy Centre.
(613) 562-4002
 
 

Consumers Anonymous? The Privacy Risks of De-Identified and Aggregated Consumer Data

Private sector companies may aggregate personal information about their customers for internal purposes and analysis and some companies may sell their aggregated data for profit. Other companies’ business models are founded on combining various sets of aggregated data with sets of publicly available information to produce valuable data sets that help companies make predictions about customers and better target customers or engage in “data mining” practices. When data is aggregated, organizations often claim that they anonymize data such that it no longer fits within the definition of “personal information” under PIPEDA.
However, several researchers have recently shown that de-identified data is often not very anonymous and pieces of data can easily be re-identified or “reattached” to information about an identifiable person. This practice of re-identification is problematic because oftentimes consumers do not realize that the commercial bartering of their personal information is a burgeoning and profitable industry.
As organizations collect an increasing amount of personal information about consumers, their practices of de-identifying this personal information should be scrutinized to ensure that the data has been de-identified to a sufficient degree to protect the consumer from re-identification and potential harms that could flow from the use of de-identified data. Industry best practices regarding de-identification and anonymization would serve to bring increased transparency to garner consumer trust in personal information practices.
De-identified data and the questions around re-identification are growth industries. PIAC’s report explores these questions and privacy concerns with de-identification practices. Given the potential harms to consumers and citizens, the OPCC must monitor this question closely and provide timely guidance to industry – and comfort to consumers – to assure all parties they are aware of how identifiable individuals are or may become in the course of regular commercial data processing.
PIAC also provides a fact sheet (FAQ) to explain de-identification and aggregation practices and privacy risks to consumers. The FAQ also provides information about what consumers can do to protect their privacy.
 

PIAC Consumers Anonymous Paper
Download File: piac_consumers_anonymous_paper_final_6oct2011.pdf [size: 1.15 mb]

PIAC Consumer Fact Sheet FAQ on De-identification and Privacy Risks
Download File: fact_sheet_faq_final_6oct2011_2.pdf [size: 0.07 mb]

Consumers Need Better Safeguards for Mobile Premium Services

OTTAWA – The Public Interest Advocacy Centre (PIAC) in a report released today entitled, “Paying a Premium: Consumers and Mobile Premium Services” called for better consumer protection for mobile premium services, also known as premium text messaging services.
PIAC’s report includes focus groups with consumers who had experiences with mobile premium services and a review of industry self-regulation and practices for mobile premium services.
PIAC counsel and report co-author Janet Lo noted that consumers continue to report many problems with mobile premium services, from unauthorized subscriptions to unsuccessful unsubscription and difficulties disputing charges for these third party services with their wireless service provider and the mobile premium service company: “The self-regulatory model for mobile premium services is not working for consumers. Consumers need and expect better protection against unauthorized billing for mobile premium services, especially from their wireless service provider who is a central party profiting from this industry.”
The report notes that many other countries, including Australia, the U.K. and the United States have stronger regulatory models for mobile premium services, some of which mandate that consumers have access to a free premium text blocking service to prevent unwanted charges.
The report makes a number of recommendations to improve consumer protection for mobile premium services. PIAC recommends that the Canadian Radio-television and Telecommunications Commission (CRTC) consider regulating mobile premium services and implement analogous consumer safeguards that currently exist for third party pay call (900/976 services) for phone. PIAC also calls on wireless service providers to assume greater responsibility for protecting their consumers as both a profiting party and as the first point of contact with the consumer.
“Regulatory oversight of premium text messages and strong enforcement of the rules in the public interest is long overdue,” Lo said. “Consumers should be extremely wary of these services until the problems with them are fixed.”
The full report is available for download at the following link: Paying a Premium: Consumers and Mobile Premium Services 
PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations to prepare the report. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
For more information, please contact:
Janet Lo
Counsel
Public Interest Advocacy Centre
ONE Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
(613) 562-4002 x24 (Tel)
(613) 562-0007 (Fax)
jlo@piac.ca

Paying a Premium: Consumers and Mobile Premium Services (Rev Sept 2011)
Download File: mobile_premium_services_final_report_rev_15sept2011.pdf [size: 1.99 mb]

Consumers need more comprehensive protection against late payment penalties

(OTTAWA)— The Public Interest Advocacy Centre (PIAC) today released a 53-page report entitled “A Criminal Rate of Interest: Updating Garland for Consumers” that provides legal updates to the interpretation of usury provisions of the Criminal Code since the Supreme Court of Canada ruled in Garland v. Consumers Gas Co. in 1998 that the definition of “interest” is broad and a late payment penalty could be construed as “interest” on an advancement of credit. Most recently, in De Wolf v. Bell ExpressVu the court refused to extend the definition of “interest” to a $25 administrative fee on late accounts set out in Bell ExpressVu’s standard form contract.
PIAC’s report discusses consumer class actions that challenge the lawfulness of charges and fees levied for late payments by telecommunications, utilities and payday lending companies. These class actions argued that the late payment penalties violate the criminal rate of interest.
“Class actions provide consumers with a useful mechanism to dispute charges related to late payments where they might not otherwise be able to access justice individually,” said Janet Lo, PIAC legal counsel and author of the report. “However, consumer class actions have suffered lengthy delays and are limited in being able to provide direct remedies back to affected consumers.”
Even where class actions reach a settlement, the agreements may provide poor remedies for consumers. For example, some settlements against payday lenders provide vouchers for redemption for future payday lending services, which only serve to perpetuate the spiral of consumer debt. PIAC is also concerned with the recent practice of recovering class action costs by increasing utility rates in Ontario, which has been approved for Enbridge in the Consumers Gas Co. case and is pending approval for Toronto Hydro and other municipal utilities in Ontario.
Payday lenders are now exempt from the application of usury provisions in the Criminal Code where provinces regulate payday lenders and the allowable rate of these loans. Provincial regulation has led to disappointing results for consumers. Several provinces have permitted extra fees that translate to extremely high annual interest rates for consumers.
PIAC’s survey of industry practices found that service providers continue to charge interest rates on late payments. Most service providers charge a fee for payments that bounce due to non-sufficient funds and disclose this fee and the amount charged in standard form contracts.
Combining the disappointing decision in De Wolf v. Bell ExpressVu, provincial regulation on payday lending that has led to higher interest rates than those allowed by the usury provisions in the Criminal Code, and the limitations of consumer class actions against late payment practices, it seems that consumers have even less protection from exploitative credit arrangements today.
Click here for the complete report
 

Executive summary in English
Download File: garland_execen.pdf [size: 0.02 mb]

Click here for the French translation of the Executive Summary
PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
 

Regulate telecommunications by results, not promises, consumer group says

An Ottawa-based consumer organization, with a 35-year history of representing consumers in telecommunications work, today released a 218-page report on the need for reform of the regulation and performance of markets for telecom services.
The Public Interest Advocacy Centre (PIAC) concludes that ordinary consumers are still not getting the benefits promised to them by industry competition, and, in particular, have received few benefits from the reforms taken by the government in 2006 and 2007 to deregulate telecom services. PIAC’s report principally recommends that policy makers and the regulator stop trying to make decisions based on untested economic theories and make sure that markets actually work for consumers.
“In 2006 and 2007, the government stepped in to tell the CRTC to deregulate as a priority and to deregulate local telephone service faster, promising better deals for consumers. As our report notes, this did not happen despite all the hype”, said Michael Janigan, author of the report, “Waiting for the Dream, The Consumer Brief for Telecom Reform 2010”. In fact, the report concludes that Canada’s performance in telecommunications services such as broadband and wireless has been less than impressive, and the results for customers of cable and satellite services from deregulation of basic service have been the opposite of what should be expected in competitive markets.
“It is one thing to try a course of action that doesn’t work out: it is another to ignore the results and simply try more of the same,” said Janigan. “It doesn’t now make sense to have a government Policy Direction in place that hampers both competition and consumer protection”.
PIAC’s report recommends that the government rescind the Policy Direction of December 2006 and establish a licensing regime for all carriers, with codes of conduct in place for all licensees. It also recommends reforms to the CRTC operations, including the establishment of more powers and resources recommended by the Government’s Policy Review Panel Report of 2006.
Funding of the research on which this report was based was received from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
 

Download File: executive_summary_telecom_reform.pdf [size: 0.12 mb]

Click here to download the whole report

PIAC Report: Can We CAN SPAM in Canada?

(OTTAWA)— The Public Interest Advocacy Centre (PIAC) in a report released today entitled, “Can We Can Spam in Canada?” lauded Canada’s recently passed anti-spam law, Bill C-28, as providing real hope for consumers in the fight against unwanted email.
PIAC’s report includes a survey of Canadians’ attitudes to spam. While those attitudes are changing to be more accepting of “legitimate” commercial email, it is clear that Canadians overwhelmingly favour the requirement in the new law for marketers to ask consumers for express consent prior to emailing them.
PIAC counsel and report co-author John Lawford noted that although most Canadians may see slightly less spam in their inboxes than a decade ago, much more of it is now malicious and spam is moving to new platforms, like social networking sites: “The new law likely will not only reduce unwanted commercial messages but, crucially, phishing and other fraudulent emails that cost Canadians millions every year. This is reason for hope in the fight against spam.”
The report recommends that the Canadian Radio-television and Telecommunications Commission, which is primarily responsible for the fines and penalties spammers now face in Canada, undertake “intense enforcement efforts” in the early days of the law to send a message to violators of the new law and to bolster Canadians’ confidence in using online commerce.
PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations to prepare the report. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
The full report is available for download here:

PIAC Report: Can We CAN SPAM in Canada?
Download File: can_we_can_spam.pdf [size: 0.7 mb]

 
For more information, please contact:
John Lawford
Counsel
Public Interest Advocacy Centre
ONE Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
(613) 562-4002 x25 (Tel)
(613) 562-0007 (Fax)
lawford@piac.ca
 


 

Whitelisting for cyber security: What it means for consumers

Nov. 15 Ottawa—The Public Interest Advocacy Centre (PIAC) today released a report entitled “Whitelisting for Cyber Security: What It Means for Consumers” that examines the technique of whitelisting and provides examples of how whitelisting is being deployed in Canada by security companies. As cyber threats continue to increase, traditional cyber security protections such as anti-virus solutions are challenged to keep up and provide diminishing returns in effectiveness.
The practice of whitelisting defines a set of parameters that designate applications, email addresses and websites as “safe” for a given system and enforces a set of accesses in order to control the computer system. This means that any application, email or website that does not match the defined safelist is automatically blocked from the computer or network.
PIAC conducted interviews with industry and government stakeholders and found that the use of whitelisting has advantages for cyber security, such as preventative protection against zero-day attacks. However, whitelisting is not a holistic cyber security solution and is particularly ineffective at dealing with grey areas such as spyware and adware. A centralized whitelist can slow efficiency and stifle innovation. Whitelisting is an important layer of a holistic cyber security solution and complements and augments existing defences.
Whitelisting currently lends itself well to deployment in the enterprise environment, particularly closed environments where network resources and assets need to be protected.
“Whitelisting does not work for consumers yet because it requires a level of technical sophistication and time to set up and manage that most consumers do not have,” said Janet Lo, Legal Counsel for PIAC. “As whitelisting continues to develop in the enterprise space, pure-play vendors and holistic security vendors will likely look to innovate for deployment in the consumer space. The successful adoption of whitelisting will depend on innovation that makes it easier for consumers to implement and administer whitelisting.” Some small whitelisting solution companies suggest that even though traditional anti-virus solutions are becoming less effective, there is no incentive for big player anti-virus companies to offer better protection using whitelisting because they continue to earn most of their revenue from consumers using blacklisting.
The report calls for greater government leadership in cyber security to protect critical infrastructure and help consumers deal with online safety challenges. The Government of Canada Cyber Security Strategy announcement is an important first step in the right direction. PIAC warns that whitelisting could be deployed in an overly broad manner by governments and ISPs that would compromise the historical values of the internet such as openness and network neutrality. This would stifle the generative qualities of the internet to the detriment of the public interest. Consumer education about cyber security will help consumers understand the benefits that whitelisting can offer and how to properly use whitelisting in conjunction with other mechanisms such as blacklisting and firewalls.
The Executive Summary is available here:

Download File: whitelistingexec.pdf [size: 0.05 mb]

 
The Public Interest Advocacy Centre has undertaken to examine a new technique, whitelisting, and to provide examples of how it is being used by security companies in Canada. A summary is available here:

Download File: leslistesblanches.pdf [size: 0.06 mb]

 
The full version of “Whitelisting for Cyber Security: What It Means for Consumers” is available here:

Download File: whitelisting_final_nov2010.pdf [size: 0.25 mb]

 
PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.
 

PIAC Submission to Ontario government re: proposed privacy legislation

Comments to the Ontario MCBS on the Consultation Draft of the Privacy of Personal Information Act, 2002

Key Points

  • The draft legislation’s opt-in approach to consent for marketing strikes the right balance between individual privacy and business needs, and reflects clearly expressed public opinion.
  • If negative option consent is permitted, it should only be so in limited, specified circumstances, and only where specific conditions have been met. Those conditions should require that the negative option be brought to the individual’s attention, be clearly worded and sufficiently detailed, and be easy to execute at minimal cost.
  • The proposed “definition” of implied consent in subs.8(5) is appropriate and should not be revised. If negative option consent is permitted, it should be subject to a different set of requirements, given important distinctions between it and normal implied consent.
  • Express consent should not be required where consent can be implied under the proposed test in subs.8(5). Nor should exceptions to the rule of consent be provided where the test for implied consent is met. Such duplication creates unnecessary confusion, suggesting as it does that consent cannot be implied where indeed it can.
  • If necessary to address stakeholder uncertainty as to when consent can reasonably be implied under subs.8(5), the legislation or regulations can be used to elaborate further on the circumstances in which consent can be implied, outside the negative option context.
  • Exceptions to consent for collection, use and disclosure of personal data in both the health and non-health contexts should be much more limited than in this draft. Particularly where Ontario is proposing broader exceptions than those in the federal PIPEDA, explanation is required as to why such new or broader exceptions are necessary and appropriate. In each case, the most privacy-protective safeguard appropriate (e.g., notice or negative option consent) should be included.
  • Regulation-making powers should be far more limited than in this draft. For example, it should not be possible for the government to fundamentally alter the legislation’s scope of application by regulation. Governments should not be able to fundamentally change the application of legislation, or the substantive rights and obligations in it, through a process that does not involve full public scrutiny. Regulation-making powers should be limited to technical matters of implementation. PIAC cannot support legislation which leaves the door open to such substantial narrowing of scope through regulations.