The bill is being championed by James Moore, Canada's Minister of Industry. Image: Heather/Flickr
Earlier this week, politicians in Canada introduced the Digital Privacy Act, a bill that looks a lot like the United States’ Cyber Information Sharing and Protection Act, which caused widespread outrage and was eventually killed in the Senate.
But Canada’s version of the bill is even more problematic, argues Michael Geist, a law professor at the University of Ottawa who studies Internet policy. With CISPA, the United States government would have incentivized companies to share user information with the government, as long as it related to a “cyber threat.”
The big problem with CISPA, however, was the legal immunity given to companies who overshared customers’ information, meaning they couldn’t be sued if they provided too much. The Digital Privacy Act, meanwhile, allows companies to share information not only with the Canadian government, but with anyone, with legal immunity:
“An organization may disclose personal information without the knowledge or consent of the individual... if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation.”
Geist says that the resulting legal framework would be “stunning from an anti-privacy perspective.” (Notably, the Digital Privacy Act comes on the heels of the revelation that the Canadian government has no legal qualms with metadata collection.)
That “breach of an agreement” bit means that the Digital Privacy Act could be used to hunt down movie pirates, anyone who unwittingly breaks a terms of service agreement, or anyone who is suspected of breaking any sort of agreement. Companies could share customers’ information without a warrant, with legal immunity, and without even notifying the user. Geist argues that the law is overly broad and could lead to a situation where information can be passed from company to company with impunity.
“The potential use of this provision extends far beyond copyright cases,” he wrote. “Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (telecom companies, social media sites, local businesses) might resist disclosing information without a court order, the law would not require them to do so.”
The government says that the bill is being introduced to parliament to “provide new protections for Canadians when they surf the web and shop online,” because it has provisions that would require companies to immediately inform customers when their personal information has been hacked or stolen.
But the government also notes that “changes will also be made to the way personal information is shared from one business to another. This includes vital information for financial institutions to detect financial abuse and attempts to defraud seniors or to communicate with the parents of an injured child.”
In doing so, it would also open the door for companies to share everything else, with impunity.