The reform of Canada’s Copyright Act has been a long and contentious process. We have long held that particular aspects of the copyright debate – and digital rights management technologies (DRM) in particular – could have an impact on the privacy of Canadians.
On Friday, the Commissioner sent a letter to the Minister of Industry and the Minister of Canadian Heritage reiterating our concerns about DRM and the proposed amendments:
“…If DRM technologies only controlled copying and use of content, we would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.
Technologies that report back to a company about the use of a product reveal a great deal about an individual’s tastes and preferences. Indeed, such information can be extremely personal. Technologies that automatically collect personal information about individuals without their knowledge or consent violate the fair information principles that are central to PIPEDA and most other privacy legislation…”
As well, the proposal to implement a “notice and notice” scheme, which would require network operators to retain records on network users, could pose difficulties for companies under PIPEDA.
“…These provisions would have allowed copyright holders to send written notice to Internet Service Providers (ISPs), informing them of alleged copyright violators on their network. The network operators would then be required to forward the notice to the alleged copyright violator and to retain records on network use for periods of up to a year while investigation of violations or court action took place. Failure to retain these records would have enabled rights holders to seek damages against the ISP of up to $10,000.
Allowing a private sector organization to require an ISP to retain personal information is a precedent-setting provision that would seriously weaken privacy protections. When this provision was proposed in a previous proposal to amend the legislation it did not include any threshold that had to be met before the notice could be issued, nor did it provide any means for the ISP to contest the demand to retain the data.
The extended retention periods create additional privacy concerns. PIPEDA requires that organizations retain personal information for only as long as necessary to fulfill the purposes for which the information was originally collected. Limiting the extent of data collection and period of retention is a key strategy to minimize the risk of data breaches of personal information…”
The Copyright Act certainly needs to be amended to reflect today’s realities – but any action should continue to take the privacy rights of Canadians into account.