Appearances before Parliamentary Committees

ARCHIVED - Letter with respect to possible amendments to the Copyright Act

January 18, 2008


The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Honourable Jim Prentice, Minister of Industry and the Honourable Josée Verner, Minister of Canadian Heritage, regarding possible amendments to the Copyright Act.

The Honourable Jim Prentice
Minister of Industry
235 Queen Street, 5th floor
Ottawa, Ontario
K1A 0H5

The Honourable Josée Verner
Minister of Canadian Heritage
25 Eddy Street
Gatineau, Quebec
K1A 0M5

Dear Ministers:

I am writing to you with respect to possible amendments to the Copyright Act. While I am not concerned with copyright law in itself, and I certainly understand the need to update the Copyright Act, I am concerned about possible changes to the Act authorizing the use of technical mechanisms to prevent copyright infringement that could have a negative impact on the privacy rights of Canadians.

As you know, the Office of the Privacy Commissioner of Canada is responsible for overseeing two statutes, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). Specifically, my concerns arise from my mandate under PIPEDA which stipulates that entities engaged in commercial activities may collect, use or disclose personal information “only for purposes that a reasonable person would consider are appropriate in the circumstances” and only the personal information necessary for that purpose. Except in specified situations, personal information may not be collected, used or disclosed without the knowledge and consent of the individual to whom the personal information relates.

Privacy protections for Canadians would be weakened if changes to the Copyright Act authorized the use of technical mechanisms to protect copyrighted material that resulted in the collection, use and disclosure of personal information without consent.

Increasingly, Canadians are making use of new information and communication technologies to obtain access to information, films, music and other content. While new technologies have generally widened individual access to copyrighted content, they also allow copyright holders the means to control use or reproduction and to manage authorized uses.

Technological protective measures can be embedded in various media to control copying and prevent copyright infringement, or they can be built into electronic devices to prevent the reading of unauthorized content. Digital rights management (DRM) is the general term for the varied technologies used to enforce pre-defined limitations on the use of digital content. These include any means by which publishers or manufacturers control use of data or hardware. My office has prepared an information sheet on DRM technology, a copy of which is enclosed for your information.

If DRM technologies only controlled copying and use of content, our Office would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.

Technologies that report back to a company about the use of a product reveal a great deal about an individual’s tastes and preferences. Indeed, such information can be extremely personal. Technologies that automatically collect personal information about individuals without their knowledge or consent violate the fair information principles that are central to PIPEDA and most other privacy legislation. That this occurs when individuals are engaged in a private activity in their homes or other places where they have a high expectation of privacy exacerbates the intrusiveness of the collection.

To cite only one high profile example, in 2005, there was extensive controversy concerning Sony-BMG’s Extended Copy Protection (XCP), a DRM tool intended to prevent unauthorized copying. Sony-BMG products contained a particular type of copy protection for music in digital format, namely a program that secretly installed itself in the root system of the user’s computer. If one of these copy-protected CDs was played on a computer connected to the Internet, it was capable of reporting back to Sony BMG information such as when the CD was played, the IP address it was being played at, and whether and how often attempts were made to copy it. Class-action lawsuits were filed in Canada and the United States, alleging violations of privacy law, breach of contract and tort claims. Earlier this month, Sony-BMG announced it would abandon DRM measures completely, joining all other major labels in rejecting the approach. We hope any new legislation currently under consideration will take these recent developments and cases into account.

I would also like to comment on previous proposals to add what is referred to as a “Notice and Notice” scheme to Canadian copyright law. These provisions would have allowed copyright holders to send written notice to Internet Service Providers (ISPs), informing them of alleged copyright violators on their network. The network operators would then be required to forward the notice to the alleged copyright violator and to retain records on network use for periods of up to a year while investigation of violations or court action took place. Failure to retain these records would have enabled rights holders to seek damages against the ISP of up to $10,000.

Allowing a private sector organization to require an ISP to retain personal information is a precedent-setting provision that would seriously weaken privacy protections. When this provision was proposed in a previous proposal to amend the legislation it did not include any threshold that had to be met before the notice could be issued, nor did it provide any means for the ISP to contest the demand to retain the data. The extended retention periods create additional privacy concerns. PIPEDA requires that organizations retain personal information for only as long as necessary to fulfill the purposes for which the information was originally collected. Limiting the extent of data collection and period of retention is a key strategy to minimize the risk of data breaches of personal information.

To summarize, we hope whatever new copyright provisions are under consideration will respect the privacy rights of Canadians and I hope that these comments will be useful to you as you proceed. If my Office can be of any assistance, please do not hesitate to contact me.

Sincerely,

Original signed by

Jennifer Stoddart
Privacy Commissioner of Canada

Encl.