Privacy pulse: A series on data governance

As a business owner or professional, you may be experiencing challenges navigating privacy laws throughout various jurisdictions, protecting personal and confidential information, and understanding the risks associated with non-compliance. As a Certified Information Privacy Professional in Canada and the United States, I frequently receive requests on how businesses can simply keep up with this rapidly evolving area of law. That is why I am excited to announce the introduction of “The Privacy Pulse,” a regular blog post series focused on insights, decisions, and legislative changes from Canada and the United States from our Privacy, Cyber and Data Governance team.

Keeping an eye out: Airbnb’s global policy on privacy cameras and car manufacturers sharing of driving data with brokers

March 11, 2024: Airbnb announced an update to their policy on security cameras in private and public spaces. This policy, effective April 30, 2024, prohibits indoor security cameras in all Airbnb listings and includes more comprehensive rules on the use of outdoor security cameras and other devices. Previously, Airbnb allowed indoor security cameras in non-private common areas, subject to some rules.

March 20, 2024: General Motors announces that its “OnStar Smart Driver customer data [will] no longer [be] shared with LexisNexis or Verisk.” Earlier this month, the New York Times reported that GM’s OnStart services monitored things like “how fast you drive, how hard you accelerate and brake, how often you drive at night, and your fuel economy, then uses that data to generate a numerical score from 0 to 100, with a higher number indicating that you’re a safer driver.” However, the New York Times reported that, buried in OnStar’s privacy notice, GM may share such information with “usage based insurance providers.” Such sharing allegedly caused drivers’ insurance premiums to rise.

ArriveCAN privacy probe and the Supreme Court of Canada’s right to protect internet protocol (IP) addresses

March 1, 2024: The Supreme Court of Canada in R. v. Bykovets, 2024 SCC 6, held that there is a reasonable expectation of privacy in a person’s IP address, and that government requests of an person’s IP address from their internet service provider constitutes a search that requires a warrant. Consider reading the Canadian Lawyers article, Police need search warrant to get IP address, rules Supreme Court of Canada in 5-4 split decision to learn more about this decision.

March 19, 2024: The Privacy Commission of Canada announced an investigation into the ArriveCAN app related to the measures in place to protect personal information during the app development phase.

Ontario’s privacy landscape: AI, exam proctoring software and data access

March 7, 2024: The Information and Privacy Commissioner of Ontario (the “OIPC”) is currently evaluating complaints about the use of facial recognition enabled vending machines in the University of Waterloo.

February 28, 2024: the OIPC issued a decision regarding a complaint about McMaster University’s use of Respondus exam proctoring software. The OIPC found that the University of McMaster (the “University”) violated the Freedom of Information and Protection of Privacy Act (“FIPPA”) when:

• the University failed to (1) provide adequate notice to students pursuant to Section 39(2) of FIPPA that their sensitive personal information (including but not limited to biometric information) was being collected by the Respondus Monitor software; and (2) provide the title, business address, and business telephone number of its privacy officials;
• Respondus’ use of student information to improve its own services contravened FIPPA because students had no ability to consent to such use or opt out of such use, and students would “not reasonably expect that the University, having collected their personal information via Respondus to proctor exams, would permit Respondus to then use that personal information to advance the company’s own commercial purposes,” see para 84;
• the University failed to implement satisfactory contractual and oversight measures into its contract with Respondus.

March 6, 2024: In Corporation of the Town of Arnprior, Appeal MA21-00428 the OIPC held that Arnprior was able to withhold the disclosure of certain records containing confidential information relating to the town’s information technology (IT) systems. 

March 18, 2024: Doxy.me, a US video conferencing platform for healthcare professionals, has commenced a lawsuit against Ontario Health (“OH”) for OH’s requirement that Ontario health professionals can only bill OHIP if they used a virtual platform that kept patient data in Canada. See standard no. 2.3.14: “Ensure all PHI data as defined in PHIPA is held by systems located in Canada.” However, the Personal Health Information Protection Act contains no requirement that PHI be stored in Canada. 

Quebec: Guideline for landlords

The Commission d’accès à l’information du Québec has published a new guidance for landlords on the types of personal information that they may request from prospective tenants.

British Columbia: Flo class action

March 7, 2024: A Canadian class-action was certified in British Columbia accusing Flo Health of collecting women’s personal health information and representing that such information would be kept private, but then knowingly shared such sensitive information to third parties. Lam v. Flo Health Inc., 2024 BCSC 391. Stefani Cuberovic, Siskinds class action lawyer, addressed the 2021 settlement of the Federal Trade Commission (“FTC”) with Flo Health in the U.S. in a blog post titled The dangers of sharing personal health information with mobile apps.

Saskatchewan: Introduction of a Privacy Protective Guidance

March 2024: The office of the Saskatchewan Information and Privacy Commissioner’s (“SK OIPC”) issued a Privacy Protective Survey Guidance (15 pages) aimed at assisting public bodies at conducting privacy protective surveys.

March 26, 2024: Ron Kruzeniski, the Information and Privacy Commissioner of Saskatchewan, recently published a blog post about how the Saskatchewan Health Information Protection Act prohibits snooping into patient’s personal health information, including when that patient is a public figure, like Princess of Wales Kate Middleton.

U.S. regulatory roundup: Developments impacting data privacy and security

February 22, 2024: The FTC settled with Avast, an anti-virus vendor, for $16.5 million. The FTC alleged that Avast claimed its products would block online tracking, yet it sold its user’s sensitive browsing information without adequate notice to and without consent of its users.

February 28, 2024: President Biden signed a new executive order (“EO”) entitled, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This EO requires the US to issue regulations that would prohibit or restrict transactions involving the transfer of bulk “sensitive personal data” or any government-related data (and certain other classes of transactions) to certain “countries of concern.”

March 4, 2024: The Federal Trade Commission’s (the “FTC”) recent cases show that browsing and location data are sensitive personal information.

March 5, 2024: The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the Intellexa Consortium for proliferation of commercial spyware.

March 14, 2024: The Federal Communications Commission adopted its proposal to launch a voluntary cybersecurity labelling program for qualifying consumer smart products that meet certain robust cybersecurity standards. Assuming such products meet the standards, they will be allowed to bear the U.S. Cyber Trust Mark logo.

March 15, 2024: Hughes v. Apple, Inc., a class action alleging that Apple’s AirTag has substantial safety issues that caused the members of the class injuries, was given court approval in part to proceed to discovery.

March 18, 2024: The Office of Civil Rights (“OCR”), who enforces the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”), updated its online tracking guidance for regulated entities. In particular, “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

March 18, 2024: The Securities and Exchange Commission has fined Delphia (USA) and Global Predictions for $400,000 in civil penalties for allegedly “AI washing”, which is an informal term that describes the practice of making “unfounded AI claims to the public.”

March 21, 2024: The US Department of Transportation launched a “privacy review of the nation’s ten largest airlines regarding their collection, handling, maintenance, and use of passengers’ personal information.”

March 21, 2024: The US Department of Justice and sixteen states filed a lawsuit against Apple for monopolization / attempted monopolization of the performance smartphone Market in the United States in Violation of Sherman Antitrust Act.

March 26, 2024: According to Politico, the FTC is investigating TikTok over its “allegedly faulty privacy and data security practices.”

March 27, 2024: The US National Telecommunications and Information Administration released its Artificial Intelligence (AI) Accountability Policy Report.

California: Data broker registry and GenAI guidelines

The California Privacy Protection Agency has publicized their 2024 Data Broker Registry. As you may know, a data broker is a business that data subjects do not directly interact with, but that buys and sells personal information about data subjects from other businesses. By law, data brokers must register with the California Attorney General.

March 2024: California released its GenAI Guidelines for Public Sector Procurement, Uses, and Training.

New Hampshire: Expectation of privacy bill

January 2024: The state of New Hampshire has enacted its comprehensive consumer privacy law, effective January 1, 2025, and at first glance appears to be based on the Virginian privacy model. It’s the 14^th state to do so (or 15^th, if you count Florida). Kentucky is likely to be coming next.

Utah: AI Act

March 2024: The Utah Legislature passed Senate Bill 149, the Artificial Intelligence Policy Act, which generally attributes the statements of generative AI to the business employing the AI, and also brings in general transparency requirements.

Virginia: Consumer Data Protection Act updates

The recent Virginian Consumer Data Protection Act was updated to add protections for children. Notable changes include increasing the age of what constitutes a minor from 13 years old to 18 years old.

Putting privacy first: Your path to compliance starts here.

Establishing a robust privacy program is vital for businesses. At Siskinds, our Privacy Concierge program offers subscription programs that are tailored to your needs. Our offerings include:

• On-demand monthly legal and consulting advice.
• Regular updates on the latest Canadian and US privacy laws.
• Assistance with employee compliance training.
• Support with data subject requests.
• Assistance with incident response.

Discover how Siskinds can assist you in meeting your privacy compliance needs. Contact us today to schedule a consultation.