17 April 2018

Big Data and Canadian Privacy

The Use of Big Data Analytics by the IRS: What Tax Practitioners Need to Know' by Kimberly Houser and Debra Sanders in (2018) 128(2) Journal of Taxation comments
With the budget reductions and losses in staff over the past several years, the IRS has been forced to do more with less. In turn, the IRS has turned to big data analytics make up for its loss of personal and the impact of the budget reductions. In 2011, the IRS created the Office of Compliance Analytics in order to create analytics programs that could identify potential refund fraud, detect taxpayer identity theft, and become more efficient in handling noncompliance issues. The IRS uses a wide range of analytic methods to mine public and commercial data including social media sites such as Twitter, Facebook, and Instagram. The data collected from this mining is combined with IRS’s own proprietary information and analyzed using pattern recognition algorithms, which help to identify potential noncompliant taxpayers. The current ability to continuous monitor financial and personal behavior facilitates the building of exhaustive histories of individuals. Knowing that the IRS is utilizing public internet data from websites such as Facebook, taxpayers should consider that their posts could impact their probability of audit.
‘Data Science, Data Crime and the Law’ by Maria Grazia Porcedda and David S. Wall in Research Handbook on Data Science and Law (Edward Elgar, 2018) comments
This chapter explores the relationship between data science, data crimes and the law. It illustrates how big data is responsible for big data crimes, but that data science and law could mutually help each other by identifying the ethical and legal devices necessary to enable big data analytic techniques to identify the key stages at which data crimes take place and also prevent them. The first part looks at the strengths and weaknesses of data science (big data analytics). The second part explores the data crimes created by Big Data to understand their risks, threats, and harms. The third part discusses the opportunities and limitations of the use of data science in surveillance and criminal prosecution to consider whether the predictive (anticipatory) qualities of Big Data analytics could be applied to identify Big Data Crime.
In Canada the House of Commons Standing Committee on Access to Information, Privacy and Ethics report Towards Privacy By Design: Review of the Personal Information Protection and Electronic Documents Act is now available.

The report states that on 1 November 2016, the Committee 
adopted a motion to undertake the review of the Personal Information Protection and Electronic Documents Act (PIPEDA).  The Committee began its review on 14 February 2017, and held 16 public meetings. It heard from a total of 68 witnesses and received 12 written submissions. In addition, the Committee considered the study on consent carried out by the Office of the Privacy Commissioner of Canada (OPC). The OPC’s findings and recommendations are found in its 2016–17 annual report.  The Committee also considered a draft OPC position on online reputation released on 26 January 2018.  The Privacy Commissioner of  Canada, Daniel Therrien, appeared at the beginning of the study, on 16 February 2017, as well as at the very end, on 1 February 2018. 
In a brief submitted to the Committee on 2 December 2016, Commissioner Therrien proposed the following four areas of focus for the Committee’s study of PIPEDA:4
1) meaningful consent; 
2) reputation and respect for privacy; 
3) the Commissioner’s enforcement powers; 
4) the adequacy of PIPEDA vis-à-vis the European Union’s (EU) General Data Protection Regulation (GDPR), which will come into effect in May 2018.
This report provides an overview of PIPEDA, addresses each area of focus proposed by the Commissioner and makes recommendations to the Government of Canada. It also includes a report on the Committee’s mission to Washington, D.C., from 2 to 4 October 2017.
The 108 page report features the following recommendations
1  the principle of consent: 
That consent remain the core element of the privacy regime, but that it be enhanced and clarified by additional means, when possible or necessary. 
2  opt-in consent by default: 
That the Government of Canada propose amendments to the Personal Information Protection and Electronic Documents Act to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose. 
3  algorithmic transparency: 
That the Government of Canada consider implementing measures to improve algorithmic transparency. 
4  the revocation of consent: 
That the Government of Canada study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications. 
5  the Regulations Specifying Publicly Available Information: 
That the Government of Canada modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral. 
6  legitimate business interests: 
That the Government of Canada consider amending the Personal Information Protection and Electronic Documents Act in order to clarify the terms under which personal information can be used to satisfy legitimate business interests. 
7  depersonalized data: 
That the Government of Canada examine the best ways of protecting depersonalized data... 
8  financial crimes: 
a) That paragraph 7(3)(d.2) of the Personal Information Protection and Electronic Documents Act be amended to replace the term “fraud” with “financial crime.” 
b) That the definition of “financial crime” in the Act include:
  • fraud; 
  • criminal activity and any predicate offence related to money laundering and terrorist financing; 
  • all criminal offences committed against financial service providers, their customers or their employees; 
  • the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing.
9  specific rules of consent for minors: 
That the Government of Canada consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information.. 
10  data portability: 
That the Government of Canada amend the Personal Information Protection and Electronic Documents Act to provide for a right to data portability. 
11  the right to erasure: 
That the Government of Canada consider including in the Personal Information Protection and Electronic Documents Act a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down.
12  the right to de-indexing: 
That the Government of Canada consider including a framework for the right to de-indexing in the Personal Information Protection and Electronic Documents Act and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors. 
13  the destruction of personal information: 
That the Government of Canada consider amending the Personal Information Protection and Electronic Documents Act to strengthen and clarify organizations’ obligations with respect to the destruction of personal information.. 
14  privacy by design: 
That the Personal Information Protection and Electronic Documents Act be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible. 
15  the Privacy Commissioner’s enforcement powers: 
That the Personal Information Protection and Electronic Documents Act be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance. 
16  the Privacy Commissioner’s audit powers: 
That the Personal Information Protection and Electronic Documents Act be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate.  
17  the criteria to determine the adequacy status of the Personal Information Protection and Electronic Documents Act under the General Data Protection Regulation: 
That the Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for the Personal Information Protection and Electronic Documents Act in the context of the new General Data Protection Regulation. 
18  legislative amendments required to maintain the adequacy status: 
a) That the Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation; and 
b) That, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union. 
19  the collaboration with provinces and territories: 
That the Government of Canada work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the European Union. xxx