New Pacific rim privacy commissioners

In the last week or so, new Privacy Commissioners have been named for both Australia and Hong Kong:

Allan Chiang named Privacy Commissioner (Hong Kong)

The Chief Executive has appointed former Postmaster General Allan Chiang as the new Privacy Commissioner for Personal Data for five years from August 4.

Secretary for Constitutional & Mainland Affairs Stephen Lam said today Mr Chiang has rich experience in public administration, served in senior public positions and possesses proven leadership, management and communication skills.

"With his commitment, experience and knowledge he is well placed to perform the roles of the Privacy Commissioner. We are confident under his leadership the office will strive to promote the protection of personal data privacy in the community," Mr Lam said.

Mr Chiang, 59, has served in the Government for 33 years and was Postmaster General from 2003 to 2006. He has since been Chief Executive Officer of the Hong Kong Design Centre.

Mr Chiang said he will work with the incumbent Roderick Woo, whose term of office will expire July 31, to ensure a smooth transition.

Mr Lam said Mr Woo has taken steps to strengthen the enforcement of the Personal Data (Privacy) Ordinance and initiated inspections and investigations of major personal data systems of public concern to facilitate their compliance with the ordinance.

Mr Woo also conducted a comprehensive review of the ordinance having regard to developments in the last decade.

Government appoints new Privacy Commissioner (Australia)

Commissioner touts technology for privacy.

Special Minister of State Joe Ludwig has appointed Timothy Pilgrim as Australia's Privacy Commissioner, replacing Karen Curtis whose term ended on July 12.

Pilgrim was appointed as Deputy Privacy Commissioner in February 1998. He has now been appointed Privacy Commissioner for a five year term.

Senator Ludwig's office said Pilgrim was selected following an "open merit based" selection process, in accordance with the Guidelines introduced by the Government in 2008 after previous Privacy Commissioner, Curtis' term expired on July 12.

"I am confident that Mr Pilgrim's experience and operational knowledge of the office will be of great assistance when the office transitions to form part of the new Office of the Australian Information Commissioner, which will open its doors on 1 November 2010," Senator Ludwig said in a statement.

Pilgrim said he will focus his attention on informing the public about how technology can be used to protect privacy. He will also work with agencies and organisations to design new and developing technologies in a privacy-enhancing way.

"I note that advances in information, communication and surveillance technologies have created and intensified a range of privacy issues.

"While Australians value their privacy, they also appreciate that other interests intersect such as freedom of speech and law enforcement.

"People also want the significant benefits of new technologies, such as communicating with friends and family around the world, and shopping and banking online," he said.

Lawful access to ISP subscriber information reintroduced

The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' idenfitying information without a warrant. Stay tuned for more details.

---

Update: Here's the media release from the government:

Government Of Canada Introduces Legislation To Fight Crime In The 21st Century

OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.

“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.

“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”

The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and theTechnical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An online version of the legislation will be available at http://www.parl.gc.ca/.

See also:

Technical Assistance for Law Enforcement in the 21st Century Act

Investigative Powers for the 21st Century (IP21C) Act -->

Information:

Darren Eke Press Secretary
Office of the Minister of Justice
613-992-4621

Media Relations
Department of Justice
613-957-4207

Media Relations
Public Safety Canada
613-991-0657

Here is the government's summary of the warrantless access to customer information provisions:

Technical Assistance for Law Enforcement in the 21st Century Act

Subscriber Information Component

Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.

Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.

A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including consisting of a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.

This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.

Google execs testify about Street View and privacy

Yesterday, executives from Google Canada testified to the Parliamentary Standing Committee on Ethics, Privacy and Access to Information about their Street View product and how Google is addressing privacy concerns.

Here's some of the media coverage from the Ottawa Citizen, which I'll supplement with the actual testimony when it's posted on the Committee's site:

Google ‘Street View’ amended to allay privacy concerns, executive tells MPs

OTTAWA — Google’s controversial “Street View” feature won’t infringe on Canadians’ privacy rights, the company’s head of Canadian operations said Wednesday in advance of an appearance before a House of Commons committee.

Jonathan Lister, head of Google Canada, was to stand before a federal government committee Wednesday afternoon to defend Google’s Street View service.

Lister came to Ottawa equipped with testimonials from Street View users all over the world — including Boris Johnson, mayor of London. He also offered data that suggest Canadians might be eager to see their home country represented on the new service, as more than 100 million Street View images from other countries have been pulled up by Canadians.

“It has been extremely well received and as people use it, they find more uses for it,” said Lister. “We’re getting indications that it’s going to be popular in Canada. We’ve got testimonials and accolades from tourism officials, the mayor of London, and Australian tourism officials that support the fact that it’s been widely well received.”

Lister was being brought before the access to information, privacy and ethics committee after the committee passed a motion demanding Google explain any impact its new Street View service may have on Canadians’ privacy rights.

The feature allows someone using Google Maps or Google Earth to click on a street or a building and see a picture of the area. The cameras used to capture the picture allow onlookers to swivel 360 degrees within the image and even allows Internet users the ability to take a virtual stroll through neighbourhoods.

Google has been preparing for the roll-out of Street View in Canada since March. The Internet search giant has also been in intense discussions with the federal privacy commissioner’s office since that time, trying to negotiate a solution that would allow Google to offer Street View images from Canada to the rest of the world without contravening Canadian privacy law.

“We think the product is compliant, but we are certainly not going to launch it until we have satisfied our concerns,” said Lister. “We continue to work with the commissioner’s office. As we get closer to rolling the product out we plan on working with local law enforcement officials and stakeholder groups.”

Lister said Google has recently revamped its internal policies to cut the amount of time the company will archive Street View pictures. The move addresses one of the privacy commissioner’s biggest concerns.

“Recently we’ve revised our retention policy such that we have made a decision to only retain these images for an adequate but not-excessive period of time, after which they will be deleted,” said Lister.

Street View also automatically blurs the faces and identifying features of people or licence plates caught by Street View’s cameras and anyone who sees their picture, or a picture of their home or vehicle can ask Google to remove the image.

Lister would not define how long an “adequate” period of time will be. He also refused to commit to a date for the official launch of Street View in Canada. Vehicles having been cruising Canadian streets and suburbs in 32 cities taking pictures for the new service over the past two months.

The access to information, privacy and ethics committee is reviewing Canada’s privacy laws to determine whether they need to be updated. The committee will roll Lister’s comments into a final report on the state of Canadian privacy legislation, which is due later this year.

Pedophile fears as student profiles, pictures go in Queensland education database

Just because you can doesn't mean you should.

Parents' groups are up in arms in Australia after it was revealed that an intranet database of all students in Queensland State is being implemented that will be available to all employees of the education system. The database will include a vast range of information:

The intranet database, dubbed OneSchool, will profile each of the state's 480,000 public school students enrolled from Prep to Year 12.

Photographs, personal details, career aspirations, off-campus activities and student performance records are being collected from all 1251 state schools.

Parents fear that it will become a catalog for pedophiles while the Eduation Minister for the State says inclusion will be mandatory.

However Civil Liberties Council vice-president Terry O'Gorman yesterday said parents should be concerned, warning the OneSchool system could put students' privacy at risk.

Mr O'Gorman called for the system to be restricted so principals and teachers could access data only on their own students, with non-teaching staff excluded and no access for home computers or laptops.

"Why should anyone other than the teacher of a particular student and the principal of that school have a right to know what a child's academic performance is, behavioural status is or what their life aims are?" he said.

"It just puzzles me as to how it can have any possible benefit to centralise that information, whereas it has a clear privacy downside."

See: Pedophile fears as student profiles, pictures go on net The Courier-Mail. Via Australian educational authority forcing kids into invasive database - Boing Boing.

Asia Pacific Privacy Authorities commit to collaboration

We are seeing the growth of formal and informal structures being put in place by privacy commissioners and their counterparts worldwide to foster interjurisdictional collaboration. We've recently seen the establishment of the Global Privacy Enforcement Network and now the Asia Pacific Privacy Authorities form has concluded in Auckland with a further commitment to cross-border collaboration:

Privacy Commissioners Commit To Continue International Collaboration | Voxy.co.nz

The importance of privacy to the public on both sides of the Pacific Ocean has been demonstrated in a meeting of privacy and data protection commissioners from three continents in the Asia Pacific region.

Hosted by the Office of the New Zealand Privacy Commissioner, the Asia Pacific Privacy Authorities (APPA) forum concluded in Auckland yesterday, with members affirming their commitment to continue to collaborate on international data protection issues.

The New Zealand Privacy Commissioner, Marie Shroff was delighted with the success of the meeting.

"This APPA meeting was one of the largest that we have held and it was pleasing to welcome three new members: Mexico, United States and Queensland. The last two days have reinforced our commitment to continue international collaboration amongst members. This will strengthen our ability to get the best possible outcome for the public's privacy rights."

The APPA members discussed a variety of contemporary privacy issues that face members right across the Asia Pacific region including ways to tackle privacy concerns about social networking, direct marketing and credit reporting.

"I think it is no surprise that issues such as online privacy are a common concern for all jurisdictions but there are practical steps that we can all take to educate the public and the business community on their privacy rights and responsibilities," Australian Privacy Commissioner Timothy Pilgrim said.

For instance, APPA members affirmed their commitment to jointly promote Privacy Awareness Week, which will be held from 1-7 May 2011. APPA has also established a working group on technology issues.

The next APPA meeting will be in South Korea in June 2011.

US added to CDA, AUS and UK immigration information sharing program

The Secretary of Homeland Security and our Minister of Public Safety just wrapped up a bi-annual meeting and announced the addition of the United States to an existing program that uses biometric information to match immigration and refugee applicants to information in foreign databases. From the media release:

Secretary Napolitano and Minister Van Loan announce initiatives to combat common threats and expedite travel and trade

Immigration Information Sharing: Secretary Napolitano announced that the United States will join a biometric data sharing initiative involving Canada, Australia, the United Kingdom and, eventually, New Zealand – an initiative designed to strengthen the integrity of immigration systems and the security of each country while protecting privacy and civil rights. Minister Van Loan, with the Canadian Minister of Citizenship, Immigration and Multiculturalism, Jason Kenney, welcomed the United States’ participation.

“Previous trials show that biometric information sharing works. For example, when the fingerprints of some asylum claimants in Canada were checked against the U.S. database, more than a third matched and 12 percent of these individuals presented a different identity in the United States,” said Minister Kenney. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”

I'm trying to get my hands on the Privacy Impact Assessment for the program, but as with most such documents they are well hidden on the department's website.

Queensland Privacy Commissioner calls Facebook suspect because of its profit motive

A day after the Canadian Privacy Commissioner stated that Facebook had gotten its house in order, the Privacy Commissioner of Queensland, Australia, has piled on the social networking site.

I have to take issue with some of her comments. She claims that Facebook is deceptive because it bills itself as a site for users to share and connect with friends, while its motives are to make money.

Give me a break. I've had issues with Facebook and their policies, but the suggestion that somehow they are suspect simply because it's a for-profit venture does nothing to move the privacy discussion forward. This is a notion I've been hearing more and more from speakers at conferences. Feel free to criticize them for for what they do or how they do it. Even be suspicious of their motives, but never lose sight of the fact that the service is what it is only because they make money.

Facebook is free to all of its users, paid for by advertisers. The company operates multi-million dollar data centres loaded with expensive servers. Bandwidth isn't cheap, either. Would they have 500,000,000 users if they required each of them to pony up cash? Nope. Most of the internet is advertising supported and users are used to online services being free.

Part of the implicit contract that users have with almost all free services (broadcast TV included) is that it is paid for by ads. If the ads don't generate enough revenue, the users either have to pay or the service goes away. Often, if the users have to pay, they go away and the service goes away. This, in and of itself, is really a non-issue and Facebook is not at all unique in this.

Feel free to criticize Facebook for its privacy policies, its privacy practices and how it manages user information, but don't confuse the issue by pointing to the simple fact that they make their money from advertising.

Here is the full article from iTnews.com.au:

Facebook slammed for ‘deceptive’ approach - Security - Technology - News - iTnews.com.au

Queensland Privacy Commissioner Linda Matthews has criticised Facebook for deceiving potential users about its purpose.

Speaking on a panel at the World Computer Congress in Brisbane, Matthews highlighted the "enormous power" wielded by the social network with more than 500 million users.

Facebook promoted itself as a community; a place to share and connect with other human beings. But like most companies, its goal was to make money, she said.

"There's nothing wrong with making money; what's wrong is that it deceives potential users about that," Matthews said.

"There's a big difference [to users] between choosing to share your personal information to make friends, and sharing your personal information to make someone lots of money."

Corporate advisory lawyer Anna Sharpe, who was also on the panel, described her work on brand networks, which companies used to build rapport with their customers.

Rather than the vague, oft-used statement, "we will use your information for marketing", Sharpe said companies should disclose the information stored, its use and the parties that may access it.

"Given the complexity, I think the onus is on organisations to be a lot clearer on their privacy wordings," she said.

Although companies like Facebook, Google and Sun Microsystems have previously claimed that privacy was a thing of the past, panellists said the case for privacy still could be won.

"The auction is in full swing," said Goethe University professor Kai Rannenberg, addressing the session's theme: "Privacy ... going, going, gone?"

Rannenberg highlighted "privacy gateway infrastructure components" used by mobile telcos T-mobile Germany and Deutche Telekom that allowed users to determine how their information was used and with whom it was shared.

Personal information, he said, was an asset, and privacy required: the minimisation and decentralisation of data; empowering users; user-controlled identity management; privacy by design; and privacy standards.

Fellow panellist and Australian Privacy Foundation chair Roger Clarke observed that privacy would become more of a concern for those born after 1995, the i-Generation.

He observed that as Generation Y - those born between 1980 and 1995 - faced the impact of having their information stored and published online, 'iGen' would become more careful.

"Youth have always been risk-talkers," Clarke said. "The big thing that's changed is not the behaviour; it's the impact of the behaviour, how long that data exists and how many people have access to it."

"iGens are already absorbing those messages ... What will actually happen is that the young generation of right now will be more privacy conscious and more privacy demanding than their predecessors were."

Former Australian Privacy Commissioner Malcolm Crompton noted, "privacy is a cloudy term", highlighting linked elements of control, trust, risk and accountability.

He said users could exercise "people power" by deciding whether or not to use Facebook, and any other consumer services that came with privacy risks.

International data protection authorities form Global Privacy Enforcement Network

Privacy regulators from around the world have joined forces to establish the "Global Privacy Enforcement Network" to facilitate interjurisdictional cooperation on privacy matters. The network includes:

• U.S. Federal Trade Commission
  
• Office of the Privacy Commissioner of Canada
  
• Commission Nationale de l’Informatique et des Libertés (France)
  
• Office of the Privacy Commissioner, New Zealand
  
• Israeli Law, Information and Technology Authority
  
• Office of the Privacy Commissioner, Australia
  
• Office of the Data Protection Commissioner, Ireland
  
• Agencia Española de Protección de Datos (Spain)
  
• Information Commissioner’s Office (United Kingdom)
  
• Garante Per La Protezione Dei Dati Personali (Italy)
  
• Dutch Data Protection Authority (the Netherlands)
  
• Federal Commissioner for Data Protection and Freedom of Information (Germany)
  
• Office of the Victorian Privacy Commissioner, (Victoria, Australia)

Here is the announcement from the Canadian Commissioner's office: Announcement: Canada joins privacy enforcement agencies in establishing Global Privacy Enforcement Network - September 21, 2010.

Here is the joint press release:

Global Privacy Enforcement Network Launches Website

Page created on 21 September 2010 - 11:35.

September 21, 2010

Thirteen privacy enforcement agencies around the world have joined forces to launch the “Global Privacy Enforcement Network” (GPEN), a network designed to facilitate cross-border cooperation in the enforcement of privacy laws. In developing this network, the participating agencies recognized the need for greater international cooperation in this area. In the Action Plan launching the network, the founding privacy enforcement authorities stressed that “it is important that government authorities charged with enforcing domestic privacy laws strengthen their understanding of different privacy enforcement regimes as well as their capacities for cross-border cooperation.”

“Cooperation is critical in the enforcement of privacy laws. GPEN will provide us with the necessary tools to facilitate cooperation with our international counterparts,” stated Jon Leibowitz, Chairman of the US Federal Trade Commission, one of the network’s launching members.

Discussions that led to the creation of GPEN began in the fall of 2009, and on March 10, 2010, representatives from many of the founding GPEN agencies met in Paris to discuss the network’s direction and to officially launch GPEN.

“We live in a globalized world with new technologies providing infinite possibilities for sharing and re-using information globally. Privacy has thereby also become a global issue. If we want to continue to protect the privacy rights of our national citizens, it is essential that we work together internationally,” stated Jacob Kohnstamm, Chair of the Dutch Data Protection Authority, another founding GPEN member.

The need for greater cooperation in the enforcement of privacy laws has been recognized not only by privacy regulators, but also by multilateral organizations, including the Organisation for Economic Cooperation and Development (OECD) and the Asia Pacific Economic Cooperation (APEC) forum.

The agencies participating in GPEN are pleased to unveil the public GPEN website today, www.privacyenforcement.net, and thank the OECD for supporting the website. Government agencies interested in participating in GPEN are encouraged to review the guidelines and instructions available on the GPEN website.

“The challenges in obtaining redress for consumers whose privacy has been compromised in today’s digital environment can be daunting. GPEN is part of a collective effort to provide more effective cross-border enforcement and complaints resolution. This is as relevant for a small economy in the South Pacific as it is for Europe and North America and New Zealand is pleased to play its part,” said New Zealand Privacy Commissioner, Marie Shroff, another GPEN founding member.

“As host of the 32nd International Conference of Data Protection and Privacy Commissioners, which will take place next month in Jerusalem, I have decided to devote part of the regulators’ closed session to discussion of collaboration not only among data protection regulators, but also between data protection regulators and additional regulatory authorities, such as consumer protection, competition, and securities authorities. I hope the Jerusalem conference will mark the first step in establishing innovative modules for such collaboration,” said Yoram Hacohen, Head of ILITA, the Israeli Law, Information and Technology Authority, another GPEN founding member.