personal information in the public domain: exploring …


VOLUME 16, NUMBER 11 Cited as (2019), 16 C.P.L.R. OCTOBER 2019

• PERSONAL INFORMATION IN THE PUBLIC DOMAIN: EXPLORING THE DEFINITION OF “PUBLICLY AVAILABLE INFORMATION” UNDER PIPEDA •

The Canadian Marketing Association Privacy and Data Committee
© Canadian Marketing Association

Most of us are familiar with Principle 4.3 of Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. It is challenging for some Canadian organizations to understand that some information available in the public domain is not necessarily “publicly available information” under PIPEDA.

Section 7 of PIPEDA states that for the purpose of clause 4.3 of Schedule 1, an organization may collect, use or disclose personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the Regulations Specifying Publicly Available Information, SOR/2001-7 (13 December, 2000) (“The Regulations”). However, that does not mean that PIPEDA does not apply to publicly available information, because all the other obligations under PIPEDA continue to apply to publicly available information including access, safeguards and reasonable purpose.

The Regulations indicate that the following information and classes of information are considered publicly available information under PIPEDA:

• personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;

• personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice that is available to the public, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the directory, listing or notice;

• personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the registry;

• personal information that appears in a record or document of a judicial or quasi-judicial body that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and

• personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

In an increasingly digitalized world, this list may be out of touch with reality, as it only references formal and – as in the case of telephone directories – somewhat outdated classes of information. As a result, organizations must determine how to treat all the other information shared openly in the public domain, such as information uploaded by individuals to social media platforms, and determine whether they can collect and use such information, for what purpose and what form of valid consent they can rely on.

According to PIPEDA, the simple fact that information is accessible to the public does not mean it is exempt from consent requirements. In its interpretations to date, the Office of the Privacy Commissioner (OPC) has been clear that no other information beyond that which is specified by the Regulations is considered publicly available information under PIPEDA. This has been supported by Court interpretations[1], which have maintained that consent should still be required for information that could be considered to be publicly available, such as online content shared by an individual with an audience – however large or small that audience might be. Similarly, the fact that an individual appears in public does not mean they do not want to retain control over the personal information that may be exposed.

CANADIAN PRIVACY LAW REVIEW

Canadian Privacy Law Review is published monthly by LexisNexis Canada Inc., 111 Gordon Baker Road, Suite 900, Toronto ON M2H 3R1 by subscription only.

All rights reserved. No part of this publication may be reproduced or stored in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright Act. © LexisNexis Canada Inc. 2019

ISBN 0-433-44417-7 (print) ISSN 1708-5446
ISBN 0-433-44650-1 (PDF) ISSN 1708-5454
ISBN 0-433-44418-5 (print & PDF)

Subscription rates: $340.00 per year (print or PDF); $520.00 per year (print & PDF)

Please address all editorial inquiries to:

General Editor
Professor Michael A. Geist
Canada Research Chair in Internet and E-Commerce Law
University of Ottawa, Faculty of Law
E-mail: [email protected]

LexisNexis Canada Inc.
Tel. (905) 479-2665
Fax (905) 479-2826
E-mail: [email protected]
Web site: www.lexisnexis.ca

ADVISORY BOARD

• Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Toronto
• David Flaherty, Privacy Consultant, Victoria
• Elizabeth Judge, University of Ottawa
• Christopher Kuner, Professor, Brussels Privacy Hub, VUB Brussel
• Suzanne Morin, Sun Life, Montreal
• Bill Munson, Toronto
• Stephanie Perrin, Service Canada, Integrity Risk Management and Operations, Gatineau
• Patricia Wilson, Osler, Hoskin & Harcourt LLP, Ottawa

Note: This review solicits manuscripts for consideration by the Editors, who reserve the right to reject any manuscript or to publish it in revised form. The articles included in the Canadian Privacy Law Review reflect the views of the individual authors and do not necessarily reflect the views of the advisory board members. This review is not intended to provide legal or other professional advice and readers should not act on the information contained in this review without seeking specific independent advice on the particular matters with which they are concerned.

Despite PIPEDA’s limited and non-technology-neutral definition of publicly available information, one can still deduce that an organization could, in fact, use other kinds of public information beyond those listed in the Regulations if it was collected by a third party that can prove it adhered to PIPEDA guidelines, including relying on a form of valid consent.

Let’s bring this to life through an example. Suppose social media company X allows all its users’ data to be publicly viewable on its site, except for those users who specifically requested that their information be private. In company X’s terms of service, it is clear that users’ publicly available data will be used by other parties. These terms ensure company X’s compliance with PIPEDA, including identifying purposes, obtaining consent, and more. In this circumstance, company X complies with PIPEDA and can, therefore, sell that publicly available social media data to company Y.

Now, for its part, company Y might be able to collect and use that data from company X if it also complies with PIPEDA, such as in one of the following manners:

• company X has been clear about what types of companies may use its content;

• company Y has identified the purpose for collection, for example in its customer privacy notice;

• company Y has explained it may collect customer information indirectly from other sources, perhaps listing those sources; or

• company Y gives the customer the opportunity to opt out of such indirect collection.

The only thing company Y can’t do is collect the data from company X without relying on any form of consent. You can see from the above example how important it is for companies on both sides of the arrangement to ensure they are compliant with PIPEDA, and to ensure they evaluate the collection and use of public information on a case-by-case basis.

While PIPEDA was written to be technology-neutral, and in many ways has proved its ability to live up to that vision, this Regulation in reality was not drafted in technology-neutral language. In addition, even the best-worded regulation may age a little after almost two decades of technological change. The use of publicly available information by businesses for legitimate business practices is one such age spot. This is why the Ministry of Innovation, Science and Economic Development Canada (ISED) committed to revisiting the definition of publicly available information in its May 2019 Proposals to modernize the Personal Information Protection and Electronic Documents Act, noting that the Regulations “reflect to some degree, the technology and uses of its time.”

ISED is consulting with organizations over the summer to bring the definition of publicly available information into the 21st century, with the aim of providing more certainty and clarity for businesses while acknowledging concerns about the privacy interests and online reputation of individuals. It is an important conversation that the Canadian Marketing Association and other key stakeholders are actively participating in.

In the meantime, it is important to remember the protection currently offered through adherence to PIPEDA’s 10 principles. All organizations are responsible for being transparent about their uses of personal information, while ensuring adequate protections and adherence to fair information practices, whether it is publicly available or not. The CMA Guide on Transparency for Consumers is a helpful tool for organizations wanting to improve their transparency practices.

[The Canadian Marketing Association Privacy and Data Committee consists of the following members: Amanda Maltby, General Manager, Compliance and Chief Privacy Officer, Canada Post; Sabrina Anzini, VP, Legal, Goeasy Ltd.; Ruby Barber, Assistant General Counsel, Legal & Regulatory, Bell Canada; David Elder, Digital Privacy Counsel to CMA, Stikeman Elliott LLP; Deborah Evans, Director, Consumer Policy & Associate Chief Privacy Officer, Rogers; Lisa McKay, Privacy Team Lead, Advisory Services and Head Privacy Canada, BMO; Suzanne Morin, VP and Associate General Counsel, Quebec and Enterprise Chief Privacy Officer, Sunlife Financial; Stephanie Rich, Principal Privacy Officer, Air Canada; Kimberly Eberwine, Senior Legal Counsel, Procter & Gamble; James Smith, Chief Privacy Officer, Environics Analytics; Pam Snively, VP, Chief Data & Trust Officer, Telus; Colin McKay, Head, Public Policy and Government Relations, Google; Kevin Chan, Head of Public Policy, Canada, Facebook.]

[1] Office of the Privacy Commissioner, 2015: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_06_pai/

• AI & PRIVACY THE STRUGGLE IS REAL MEANINGFUL CONSENT AND RETAINING DATA •

Amanda Branch, Associate, Bereskin & Parr LLP
© Bereskin & Parr LLP

A key concept of AI is that it is an intelligent system that is able to change its behaviour or adapt based on information or experience. AI is a powerful tool, and for AI to work meaningfully, it requires data - lots of data. Since data often contains personal information, there are real concerns about the privacy implications of AI, like what is required for personal information to be used and what privacy and security measures are required to protect that data. Data is essential to AI, and it is important to have complete data sets to try to manage concerns surrounding, for example, bias. Further, the output of AI is often unpredictable and how AI learns may not always be obvious or transparent. This creates tension with privacy laws. This article, the first in a series looking at AI and privacy issues, will discuss retention of data and the challenge of obtaining appropriate consent from users. Our next articles will discuss some of the approaches that companies are taking to manage these issues and the ethical frameworks that are beginning to emerge.

PIPEDA – A BRIEF OVERVIEW

Privacy law in Canada is governed by a regulatory framework and the common law. This article will focus on the Personal Information Protection and Electronic Documents Act, (“PIPEDA”) which establishes the basic rules governing how private-sector organizations must collect, use or disclose

ELECTRONIC VERSION AVAILABLE

A PDF version of your print subscription is available for an additional charge.

A PDF file of each issue will be e-mailed directly to you 12 times per year, for internal distribution only.

120

October 2019 Volume 16, No. 11 Canadian Privacy Law Review

Advisory Services and Head Privacy Canada, BMO, Suzanne Morin, VP and Associate General Counsel, Quebec and Enterprise Chief Privacy Officer, Sunlife Financial, Stephanie Rich, Principal Privacy Officer, Air Canada, Kimberly Eberwine, Senior Legal Counsel, Proctor & Gamble, James Smith, Chief Privacy Officer, Environics Analytics, Pam Snively, VP, Chief Data & Trust Officer, Telus, Colin McKay, Head, Public Policy and Government Relations,

Google, Kevin Chan, Head of Public Policy, Canada, Facebook.]

1 Office of the Privacy Commissioner, 2015: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_06_pai/

• AI & PRIVACY THE STRUGGLE IS REAL MEANINGFUL CONSENT AND RETAINING DATA •

Amanda Branch, Associate, Bereskin & Parr LLP© Bereskin & Parr LLP

Amanda Branch

A key concept of AI is that it is an intelligent system that is able to change its behaviour or adapt based on information or experience. AI is a powerful tool, and for AI to work meaningfully, it requires data - lots of data. Since data often contains personal information, there are real concerns about the privacy implications of AI, like what is required for personal information to be used and what privacy and security measures are required to protect that data. Data is essential to AI, and it is important to have complete data sets to try to manage concerns surrounding, for example, bias. Further, the output of AI is often unpredictable and how AI learns may not always be obvious or transparent. This creates tension with privacy laws. This article, the first in a series looking at AI and privacy issues, will discuss retention of data and the challenge of obtaining appropriate consent from users. Our next articles will discuss some of the approaches that companies are taking to manage these issues and the ethical frameworks that are beginning to emerge.

PIPEDA – A BRIEF OVERVIEW

Privacy law in Canada is governed by a regulatory framework and the common law. This article will focus on the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which establishes the basic rules governing how private-sector organizations must collect, use or disclose personal information in the course of their commercial activities in Canada.

As a quick refresher:

• Personal information is defined as “information about an identifiable individual” and is given a broad and expansive definition.

• It can include things like name, contact information, health information, financial information, biometrics and tracking information. Information does not need to directly identify an individual to be “about” an individual; it only needs to permit or lead to the possible identification of the individual.

• Organizations may collect, use and disclose personal information only to the extent it is required to fulfill an explicitly specified reasonable purpose. Reasonableness is an overarching standard in PIPEDA that applies even if the individual has consented to the collection, use or disclosure of their personal information.

• The collection of personal information must be limited to that which is needed for the purposes identified by the organization.

TO RETAIN OR NOT TO RETAIN, THAT IS THE QUESTION.

AI may depend on large volumes of data to learn; however, this can be at odds with privacy legislation.

Under PIPEDA, the collection of personal information must be limited to that which is needed for the purposes identified by the organization. Personal information may be retained only so long as necessary to fulfill the reasonably stated purpose for which it was initially collected. There is no hard rule on how long an appropriate retention period is; however, the OPC has stated that indefinite retention is generally not appropriate.

The limitation principle can lead to tension with the necessity for AI to use all of the available information to learn. By limiting certain datasets, AI may have bias introduced because it is only being trained on subsets of the dataset, instead of all the available data.

Retaining data for long periods of time may also result in having a larger data pool. In these circumstances, there may be a risk that data that has been de-identified in isolation may be capable of re-identification when arranged and analyzed as part of a larger data set. It is also possible that AI can recreate identities or, at a minimum, can recreate portions of identities that were originally removed to protect against discrimination. There are examples where gender and/or name were removed from resumes in order to help protect against discrimination; however, the AI tool was able to pick up subtle nuances in language use that allowed it to recreate and determine the candidate’s gender.

HOW DO YOU REQUEST CONSENT FOR SOMETHING YOU CAN’T EXPLAIN?

Consent is an important element of privacy law. Organizations must be open and transparent about their privacy practices. Consent should be obtained at the time of collection, as well as for new uses of personal information.

Consent is considered valid only if it is “meaningful” - that is, if it is reasonable to expect that individuals to whom a business’ activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

One of the major challenges organizations face is how to communicate their privacy practices to users. Studies have demonstrated that many people simply do not read privacy policies. This has fueled the open question of whether privacy policies are truly collecting meaningful consent. The Office of the Privacy Commissioner of Canada released new guidance that has been applied since January 1, 2019. The Guidelines for obtaining meaningful consent are intended to provide practical and actionable guidance for organizations to obtain meaningful consent under PIPEDA, and set out the seven guiding principles. Read more on the Guidelines here.

AI presents particular challenges from a consent perspective. For example, a goal of machine learning can be to create a system that can teach itself, but how can you obtain consent for something that a machine created with limited human intervention? It may be important to ensure there is sufficient human oversight at each step of the process in order to be able to provide meaningful information about the logic involved and the characteristics considered in reaching a particular decision. Transparency and accountability for personal information are essential privacy principles. On the other hand, it may be that human oversight creates other privacy issues since the anonymity and aggregation that occurs by AI may be risked with human intervention. In any event, organizations should incorporate and consider privacy principles at each step in the design and implementation process (known as Privacy By Design). Notification to consumers should be done in a user-friendly way, such as using clear language, layered policies and just-in-time notices at the point where particularly sensitive data is being collected.

[Amanda Branch is an associate at Bereskin & Parr LLP with extensive experience in privacy law, including cybersecurity and data breach. Her practice focuses on copyright and digital media, as well as regulatory, advertising and marketing law.]

• CYBERSECURITY RISKS IN MEDICAL DEVICES – HEALTH CANADA ADOPTS GUIDANCE DOCUMENT •

David Krebs, Associate Counsel, Miller Thomson LLP © Miller Thomson LLP 2019

Cybersecurity and data breaches are topics of high concern for Canadians. As discussed in previous blog articles, data breaches in Canada, North America and Europe have illustrated how financially motivated hackers and human error can put personal data at risk, thereby causing potential reputational and financial harms such as identity theft, fraud and humiliation. Immediate physical harms resulting from cybersecurity risks have been less frequently highlighted as acute areas of concern, but as this entry will discuss, they are certainly not going unnoticed as they relate to medical devices.

To address cybersecurity risks in medical devices, Health Canada has recently released a Guidance Document: “Pre-market requirements for Medical Device Cybersecurity.” Canada is not alone. The US Food and Drug Administration (“FDA”) had previously released similar guidance, and, just a few weeks ago, the French authorities, Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), released draft guidance intended to enhance the existing European framework for medical devices (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746).

WHAT ARE THE RISKS?

A recent communication by the FDA is a clear example of how grave the consequences of cyber vulnerabilities in medical devices are. A glitch or error in many other industries may cause harm to personal data or corporate intellectual property, and perhaps even indirect physical consequences (cyber infrastructure attacks causing power outages and delays in food supply, to name two), but none is so direct and immediate as the risks associated with, for example, being able to hack a medical device and remotely change dosages or otherwise manipulate the delivery of care.


In this case, the manufacturer was made aware of a vulnerability in the wireless communication between its insulin pumps and certain other devices (such as blood glucose meters and continuous glucose monitoring systems), which would make it possible for a bad actor to access the device and make changes to the dosing of insulin that a patient receives. There have been no reports of any actual harm to patients, nor knowledge of actual attempts to access the device, but the potential for serious physical harm was such that the devices have been recalled and patients urged to switch to other models, in both the US and Canada.

RESPONSIBILITY FOR CYBERSECURITY IN MEDICAL DEVICES

According to Health Canada’s “Guidance Document: Pre-market Requirements for Medical Device Cybersecurity,” the primary responsibilities fall on the manufacturer of the medical device. The document states that:

“Manufacturers should incorporate cybersecurity into the risk management process for every device that consists of or contains software. Manufacturers are also encouraged to develop and maintain a framework for managing cybersecurity risks throughout their organizations.”

One such framework is ISO 14971-07:2007 Medical devices – Application of risk management (ISO 14971). The Guidance Document describes how manufacturers are to incorporate the elements of this framework into their operations and manufacturing life-cycle. Manufacturers are also encouraged to adopt (and adapt) relevant aspects of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” as a “blueprint of best practices to guide their cybersecurity activities, including those related to risk management.” Early-stage consideration of potential threats, similar to the principles underlying “Privacy by Design,” is also highlighted as part of a ‘cybersecurity by design’ approach.

The FDA’s guidance document on this issue also highlights the responsibility of the manufacturer but makes a clear statement that it goes beyond the device itself, noting that “[t]he health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.”

REGULATORY REQUIREMENTS

The Guidance Document applies to all Classes (I, II, III, and IV), although not every requirement will be relevant to every device type. Class III and Class IV applications will need to submit evidence of adherence to these standards as part of their licence applications. The core elements are as follows:

• Secure Design

• Device-specific risk management

• Verification and Testing

• Ongoing monitoring and response to risks (including information sharing about known or potential risks).1

Secure Design principles include: a) secure communications between the device and other networks or devices; b) data integrity and confidentiality, for example, encryption of data; c) user access – different privileges for different required levels of access; d) software maintenance – to secure emerging risks; e) hardware and physical design; f) reliability and availability – designed to recover from attacks. These principles are somewhat familiar from what the expectations would be from a privacy perspective, where these devices process personal health information or other personal data.

SUMMARY

As the general threats of cybersecurity become more well-known and top-of-mind, so will the expectations of patients, hospitals, and the regulators that specific threats related to medical device security will be appropriately addressed by manufacturers. The Guidance Document only became effective June 26, 2019, and companies should be monitoring how it will be interpreted and implemented by Health Canada.

[David Krebs has a business law practice focusing on data privacy, cybersecurity, and regulatory compliance strategies. David is a key contact for Miller Thomson’s cybersecurity practice and the editor of the firm’s Cybersecurity Blog. He has significant experience in the Health, Biotech, and Technology sectors as well as in the US, Europe, and other cross-border settings. Prior to joining Miller Thomson, David spent seven years as Senior Compliance Counsel at a large multi-national medical device and life sciences business.]

1 The FDA encourages self-reporting of known issues with cybersecurity of devices.
