Information & Ethics Committee on Oct. 22nd, 2009

Reasonably.

The easiest way, for example, to explain cloud computing is that the term “cloud” is really a metaphor for the Internet. Instead of information being stored on your own computer and you having to purchase the software to manage that information, you store information on a server and you don't even know where it is. The software is purchased or rented, in a sense, from the service provider. It's very popular, for example, with businesses. They don't have to invest in the software and they don't have to worry about securing the information. That raises privacy concerns, because the organization, the business in this case, no longer controls the information at its business site; it may be managed by a third party.

With respect to the reference to deep packet inspection, in the current communications environment, information is sent in what we call “packets”. It doesn't matter whether it's a telephone conversation or music, it's sent in individual packets and your conversation gets mixed up in various packets and then reassembled at the end.

For example, an ISP, or for that matter a law enforcement agency, has the ability to look at those packets as they go through a certain point. There are many uses for that, which are perfectly legitimate, to ensure that no one is trying to hack into that information as it's flowing past that point. However, the concern is that potentially people can inspect this information. They can look at it to hunt for key words, for example, which they may then want to use for marketing purposes. That's where the privacy concerns come in.

The reason it's called deep packet inspection is because it goes down to that level where you get a sense of what people are communicating about, the key words they're using.

I hope that helps explain, at least to a degree, those two concepts.

That's correct. There are substantially similar private sector laws in British Columbia, Alberta, and Quebec. Intraprovincially, our law, PIPEDA, doesn't apply. It applies in the rest of Canada, and it applies to data flows across provincial borders.

I want to add one more thing to your question about the application of the laws. PIPEDA applies in the other seven provinces, but it all applies to federally regulated industries, such as banks and telecommunications and railways, no matter where they operate. I just want to clarify that.

I will ask my colleague to address the second part of your question.

The act imposes obligations on organizations to ensure, to the extent that the information is exchanged or sent to a country such as the United States, that individuals are informed of the fact that their information may be subject to the laws of another country.

We're talking about exchanges of information between private organizations. The act covers the exchange and use of information in the context of private sector organizations. We're not talking about exchanges involving the Canadian government. An organization that would like to enter a client's information in a server located in the United States would have an obligation to inform that client of the fact, under PIPEDA and a confidentiality policy, and to inform that person that his or her information could be subject to the laws of that country.

I believe that agreements have to be established first. However, in the case of exchanges of information between governments, it's the Privacy Act that applies. That's a completely different act. The act we're discussing today applies to private organizations.

Yes, precisely.

Our refer-back process is discretionary. Obviously if we felt that somebody were going to have a difficult time going back on their own, we would definitely help them. If it were an employee who has had a difficult relationship with their manager and wanted to file a complaint, we might not force them to go back to the organization in that circumstance. So we do have discretion in our refer-back policy. It's a very good point.

I absolutely agree with you. If the capture of the image is for a journalistic or artistic purpose, and no other purpose, then consent is not needed and the publishing of that photo can go ahead.

We haven't had that argument put before us by a company to look at whether or not cartography is an artistic purpose. On the surface, I would say it doesn't look that way to me, but we'll see what happens. If we get a complaint, we will look at that thoroughly.

I would like it to be put to me directly, and we would consider it, but the act says it's for journalistic and artistic purposes and no other purpose.