Commissioner Miner

 April 25, 2018  Posted by  Breaches, Non-U.S.

From the better-late-than-never dept.

For readers who are interested and may have missed what's occurring with the Facebook breach, Cambridge Analytica, SCL, SCL Canada, and AggregateIQ (AIQ) in Canada, there have been some remarkable meetings and testimony occurring that are worth watching. The latest was testimony by Zackary Massingham, Chief Executive Officer, AIQ, and Jeff Silvester, Chief Operating Officer, AIQ.

As the AIQ CEOs were giving their testimony and stating that they had replied to all of the questions the UK ICO asked of them, someone, apparently from the UK ICO, texted the committee in real time to say that what they were stating wasn't true, and why it wasn't true. It was a ball dropper as the committee read the text out loud in real time to the CEOs.

You can watch the 2-hour video from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) and their investigation into the “Breach of Personal Information Involving Cambridge Analytica and Facebook” here (meeting 101):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-101/notice

Click on the green icon labeled "Watch on ParlVu" for the video.

On the 26th of April, the investigation continues, starring Professors Colin J. Bennett, Thierry Giasson and Mozilla. You will be able to watch it from this link (meeting 102):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-102/notice

All previous meetings from this investigation, including the testimony from Chris Vickery, can be streamed by going to the following web page and by expanding the meeting dates (meetings 99 to 101 as of writing):
https://www.ourcommons.ca/Committees/en/ETHI/StudyActivity?studyActivityId=10044891

 April 23, 2018  Posted by  Business, Laws, Non-U.S., U.S.

An interesting thing is playing out in Canada with Rogers Communications (a major Canadian ISP) and Verizon-owned Yahoo-Oath services (email service and chat apps).

Rogers-Yahoo-Oath recently sent out a notice to Rogers subscribers (provided below) which has raised many questions. The situation with Rogers, and only Rogers to my understanding, is currently before the Office of the Privacy Commissioner of Canada. Some of the situation is reported by Christine Dobby of The Globe & Mail, here:

https://www.theglobeandmail.com/business/article-rogers-terms-of-service-asks-e-mail-users-to-share-friends-personal/

Of note is that Rogers-Yahoo-Oath will be scooping up every possible bit of information from their subscribers' email. This includes attachments, email content, address book contacts, email contacts, metadata, IPs, device identifiers, and more.

Part of the issue is that Rogers-Yahoo-Oath put the onus on the email user to collect consent from the people they communicate with for the Rogers-Yahoo-Oath data collection, data sharing, and ad/marketing business.

To be clear, an email user of Rogers or Yahoo Canada is responsible for obtaining 3rd party consent for Yahoo Canada (and Verizon-Oath USA) to take, scan and use your private email content, attachments, metadata and email contacts.

As I was reading this I thought, how is the GDPR applicable in all this, and is it? Do EU citizens have any reasonable expectation of communications privacy when communicating with a Canadian via Yahoo Canada? What about Yahoo USA?

Regardless of what happens to Rogers Communications in Canada, Yahoo Canada and Yahoo US (Oath) will still be doing this. Thus, it doesn’t matter what happens in the end with Rogers, the above scenario of 3rd party consent on your behalf will still play out.

My questions are:

- Do the EU GDPR and the EU ePrivacy Regulation still apply for EU citizens when they communicate with a Canadian?

- Is assumed (implied) 3rd party consent allowed under GDPR without any recording of said consent?

- Can others, such as a 13-year-old Canadian child who is collecting no data about you, consent on behalf of Rogers-Yahoo-Oath to collect your EU private and sensitive data?

Below are the links to the terms and the original email people received from their Rogers-Yahoo email service.

Rogers

Of interesting note:

What's interesting about this email is that it conflicts with the Terms of Use. For example, arbitration clauses are not enforceable in Ontario & Quebec. The law and forum provisions state it is New York, yet the Terms of Use state it's Ontario, Canada. So what people are consenting to in that email isn't even correct and conflicts with Rogers-Yahoo's other terms.

Additionally, Rogers Communications' terms state they will not collect information on children under the age of 16. Yet Yahoo-Oath state they will not collect information on children under the age of 13.

All applicable links that people supposedly read, understood and consented to (and supposedly know the errors in) in the above email they received:

1. Oath Terms of Service:
https://policies.oath.com/ca/en/rogers/terms/otos/index.html

2. Rogers Yahoo Internet Services Privacy Policy:
https://policies.oath.com/ca/en/rogers/privacy/index.html

3. Verizon Privacy Policy:
https://www.verizon.com/about/privacy/privacy-policy-summary

4. Privacy Controls (which many complained were not functional):
https://policies.oath.com/ca/en/oath/privacy/controls/index.html

5. Oath FAQ:
https://policies.oath.com/ca/en/oath/privacy/guce/faq/index.html

6. Oath Approach to Privacy & Getting to know you:
https://www.oath.com/my-data/

Other applicable links:

7. Rogers-Yahoo Oath Terms of Service:
https://policies.oath.com/ca/en/rogers/terms/otos/index.html

8. Page 10, Section 5d of Rogers ToS (PDF):
https://www.rogers.com/cms/pdf/en/Rogers-Terms-of-Service-Acceptable-Use-Policy-and-Privacy-Policy-en.pdf

9. That section above states this website's terms are applicable to you:
https://policies.oath.com/ca/en/rogers/privacy/index.html

10. If you are interested in reading how upset people are, check the Rogers forum:
http://communityforums.rogers.com/t5/Internet/Change-to-Email-Terms-of-Sevice/m-p/420164

How many pages is all that? Is it reasonable to expect the average 13-year-old kid, who is going to get consent on your behalf, to actually understand the conflicting and error-filled information?