Thursday, December 01, 2016

Did the Supreme Court of Canada formally establish a new form of consent? Is "implied consent" really "deemed, irrevocable consent"?

I just posted a comment on the new Royal Bank of Canada v. Trang decision from the Supreme Court of Canada (Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections), but there’s an aspect of it I’d like to dig into further.

On close review, it does appear that the Supreme Court of Canada has -- perhaps inadvertently -- re-written a key aspect of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the decision, the Court found that Scotiabank had Trang’s implied consent to disclose a mortgage discharge statement to the Royal Bank of Canada. I don’t think that’s very controversial, but if you dig into it, the Court’s conclusion is significant. It found that "implied consent" is really not consent, but deemed and irrevocable consent where it’s reasonable.

“Implied consent” is consent where you can imply someone’s permission or consent from the circumstances. For example, if I ask someone for their name and address to send them something and they give their name and address, you can imply their consent to use it for that purpose. In other circumstances, it can be unspoken. If I were to ask the same person for their name and address and it is clear in the circumstances that I’d be using it to send them something, their consent can be implied by their providing the information.

This is in contrast to express consent, which is where the individual has expressed his or her consent at the time. (“Yes, I give you consent to use my name and address to send me that thing.”)

All of this is clear from PIPEDA. But what is also clear from PIPEDA is that an individual can withdraw his or her consent at any time:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

In the Trang case, it was abundantly clear that Trang did not consent to any disclosure of the mortgage discharge statement. While the decision does not specifically say that Trang revoked it, it is clear that Trang was asked and did not consent. Further, Trang did not appear at an examination in aid of execution. (I’d imply no consent there.)

So what does this mean? In short, “implied consent” as used by the Supreme Court here is really not “implied consent” but “deemed deemed”. It’s a consent that is reasonable in the circumstances but really cannot be revoked or overridden. It occurs regardless of the actual wishes of the individual. And that’s a big deal.

Now, I don’t think that the Supreme Court just made this up. You might even say it is necessary given that that PIPEDA only has a limited number of circumstances where an organization can do away with consent, all of which are listed in s. 7 of the Act. We can see many examples in findings from the Office of the Privacy Commissioner of Canada, particularly those that arise in the workplace. For example, in Transit driver objects to use of technology (MDT and GPS) on company vehicle, the Commissioner found there was implied consent for a transit operation to use GPS to track his movements on the job. The driver who complained clearly objected -- definitively communicated a lack of consent, but the Commissioner found that the purpose was reasonable and that notice was given to the employees, so all was kosher.

Much of this has been fixed with the Digital Privacy Act (but only for employees), which added this new section 7.3:

Employment relationship

7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

So 7.3 fixes it and makes this discussion moot in the employment context, but the Supreme Court’s decision seems to support the proposition that there are circumstances where implied consent really equals deemed, irrevocable consent.

I hesitate to predict how this will play out in the future, but it's likely significant.

Wednesday, November 30, 2016

Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections

The Supreme Court of Canada has recently applied common sense to prevent debtors from using Canadian privacy laws to tie the hands of lenders looking to enforce their legal rights.

In a proceeding brought by the Royal Bank of Canada against a debtor, the bank required the mortgage discharge statement held by Scotiabank in order to complete a sheriff’s sale of the property. Scotiabank took the view, following Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3, that the discharge statement is “personal information” and that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) prohibits its disclosure unless there is consent or a court order. The debtor would not consent.

The Royal Bank brought a motion for such an order and was denied, citing the Citi Cards case. The Ontario Court of Appeal upheld this decision.

Ultimately, in front of the Supreme Court of Canada (Royal Bank of Canada v. Trang), the Court overruled Citi Cards and made some interesting observations that likely have broader application. The Court principally considered two questions: first, would the order sought by the Royal Bank satisfy the consent exception in PIPEDA that permits disclosure pursuant to a court order? Secondly, is there implied consent so that a mortgage discharge statement can be disclosed to a judgement creditor?

On the first question, the Court was clear that a creditor can seek and obtain such an order, and that the order would satisfy the provisions of PIPEDA:

[31] Further, it is clear that this is a case in which it was appropriate to make an order for disclosure. The majority of the Court of Appeal observed that a party seeking an order under rule 60.18(6) must demonstrate “difficulty” in enforcing its judgment, and that “courts should be reticent to require strangers to the litigation to appear on a motion” (para. 77). Hoy A.C.J.O. concluded, however, that rule 60.18(6)(a) can be applied less cautiously where a mortgagee is being examined in order to obtain a mortgage discharge statement. I agree. As Hoy A.C.J.O. noted, a mortgagee is not a stranger to the litigation in the sense that its interest in the property is at issue as well — the sheriff requires the mortgage discharge statement in part to settle the priority between mortgagees and creditors. Moreover, in practice, only the mortgagee can produce a mortgage discharge statement.

[32] I also agree with Hoy A.C.J.O. regarding the application of rule 60.18(6). I conclude that an order requiring disclosure can be made by a court in this context if either the debtor fails to respond to a written request that he or she sign a form consenting to the provision of the mortgage discharge statement to the creditor, or fails to attend a single judgment debtor examination. A creditor who has already obtained a judgment, filed a writ of seizure and sale, and completed one of the two above-mentioned steps has proven its claim and provided notice. Provided the judgment creditor serves the debtor with the motion to obtain disclosure, the creditor should be entitled to an order for disclosure. A judgment creditor in such a situation should not be required to undergo a cumbersome and costly procedure to realize its debt. The foregoing is a sufficient basis to order Scotiabank to produce the statement to RBC, and I would so order. But there is more in the present case.


On the second question, the Court effectively determined that an order – while available – is not necessary. It can be given under implied consent. PIPEDA provides that implied consent can be applicable where the information is less sensitive. Though financial information is generally considered to be sensitive, the Court noted that the information in a mortgage discharge statement is at the less sensitive end of that spectrum. PIPEDA also states that the reasonable expectations of the individual are relevant in the circumstances.

[43] Turning to the reasonable expectations of the individual, the parties disagree on the appropriate scope of the inquiry. The Privacy Commissioner submits that only the relationship between the Trangs as mortgagors and Scotiabank as mortgagee is relevant to assessing the Trangs’ reasonable expectations in the circumstances; the relationship between the Trangs and RBC has no role to play. On the other hand, RBC argues that the party receiving the disclosure is a relevant consideration when determining the Trangs’ reasonable expectations.

[44] In my view, when determining the reasonable expectations of the individual, the whole context is important. This is supported by the Office of the Privacy Commissioner’s consideration of context in various decisions: PIPEDA Report of Findings No. 2014-013; PIPEDA Case Summary No. 2009-003; PIPEDA Case Summary No. 311. Indeed, to do otherwise would unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect, bearing in mind that the overall intent of PIPEDA is “to promote both privacy and legitimate business concerns”: L. M. Austin, “Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices” (2006), 44 Can. Bus. L.J. 21, at p. 38.

[45] As the motion judge observed in the initial motion, and as I have already noted, a mortgage discharge statement “is not something that is merely a private matter between the mortgagee and mortgagor, but rather is something on which the rights of others depends, and accordingly is something they have a right to know” (2012 ONSC 3272 (CanLII), para. 29). In other words, the legitimate business interests of other creditors are a relevant part of the context which informs the reasonable expectations of the mortgagor.

Looking at the situation and assuming a “reasonable debtor”, the Court found implied consent:

[48] Here, RBC is seeking disclosure regarding the very asset it is entitled to, and intends to, realize on. A reasonable person borrowing money knows that if he defaults on a loan, his creditor will be entitled to recover the debt against his assets. It follows that a reasonable person expects that a creditor will be able to obtain the information necessary to realize on its legal rights. From the opposite perspective, it would be unreasonable for a borrower to expect that as long as he refused to comply with his obligation to provide information, his creditor would never be able to recover the debt.

Interestingly, the Court did not consider or comment on whether this implied consent that would have existed initially had been or could be overridden by the debtor’s clear refusal of consent that was communicated during the collection proceedings.

Tuesday, September 13, 2016

Lawful Access (2016): There, I fixed it for you.

In December 2013, I posted "Lawful Access: There, I fixed it for you.". I didn't think I'd need to link to it again so soon, but in light of the Government of Canada's recent Green Paper on national security, lawful access is back in the public policy spotlight. If you'd thought that the Spencer decision had put a bullet into the law enforcement and national security argument that "basic subscriber information" needs no protection and should be available wholesale the state, you're apparently wrong. The RCMP and the Canadian Association of Chiefs of Police have been working behind the scenes to try to circumvent the SCC's Spencer decision (See Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong.)

In my 2013 post, I'd suggested a fix for the apparent problem of police having difficulty in getting access to "basic subscriber information". It's now relevant again and I offer it for your consideration. I've made some small tweaks since 2013.

I'm happy to hear any input ...

Subscriber information production order
*(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.
Production to peace officer
(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given
(a) to a peace officer named in the order; or
(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.
Conditions for issuance of order
(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that
(a) there are reasonable grounds to believe that an offense designated under this Section has been, is being or is about to be committed;
(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offense;
(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and
(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.
Terms and conditions
(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.
Power to revoke, renew or vary order
(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.
Notice
(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, aAny person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph may be made by the justice or judge who made the order, or a judge of the same territorial division may be made shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.
Probative force of copies
(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.
Return of copies
(8) Copies of documents produced under this section need not be returned.
Subscriber information
(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
Use and retention of subscriber information
(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,
(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offense or offenses referred to in the information used to obtain the order; and
(b) if the person about whom the subscriber information relates has not been charged with an offense referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.
Designated offences
(11) For the purposes of this Section, a designated offense means
(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or
(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).
Tele-production Orders
(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.
National effect
(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunciations service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.
Compensation
(14) The telecommunciations service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunciations service provider’s business.
Report to Parliament
(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:
(a) the number of subscriber information production orders issued in total for the previous calendar year;
(b) the number of subscriber information production orders issued per designated offense for the previous calendar year;
(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;
(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and
(d) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Application for review of production order

(16) Section 487.0193 shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies to the production orders referred to in that Section.



Saturday, September 10, 2016

Ontario court awards damages for family member's disclosure of mental health information

The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), has recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff's stay there. No other information was disclosed.

10. The plaintiff left the crisis facility after a 6 day stay feeling much better and in control. Unfortunately this did not last. A week after returning home she was sitting on the front porch of Dean’s home when Lisa, Fabion’s former common law spouse, arrived. Upon seeing the plaintiff, Dean recalls that Lisa “blurted out ‘Were you in a crisis house?’ not even saying Hello first”. The plaintiff was visibly upset and shaken by the question and asked how she knew. Lisa said Fabion told her about the stay.

12. In the opinion of the plaintiff’s family doctor, filed as Exhibit 5, the plaintiff has “definitely” become more stressed, anxious and depressed since finding out that others were told of her stay in the crisis facility. It may also be contributing to her increased back pain.

13. Both the plaintiff and her boyfriend Dean report that she has become more fragile, anxious and reclusive than before the incident. Unlike before she rarely goes out, will not go shopping and has blackened the windows of her basement apartment. She will not seek respite care help even from other facilities because she fears treatment would likely come to the attention of the defendant through the network of caregivers.

The Court noted that two invasion of privacy torts exist in Ontario:

19. In sum, there are two recognized invasion of privacy torts in Ontario; neither requires proof of pecuniary loss or harm to an economic interest. Aggravated and punitive damages may be awarded and an award should serve as a deterrent to others.

20. These two common law torts exist in addition to the statutory right or cause of action available to a plaintiff under the privacy legislation. The Personal Health Information Protection Act, 2004 S.O. c. 3, Sch A, s. 65 (PHIPA) contemplates mental anguish damages for breaches of statutory duty up to a maximum of $10,000. In Hopkins v. Kay 2015 ONCA 112 (CanLII) (paras 44-45, 73) the Ontario Court of Appeal considered whether the complaints process available under PHIPA displaces the common law authority of the courts to award damages for breach of the statutory duty and found that the legislation is not intended to be an exhaustive or comprehensive compensatory scheme. The complaints process is more suited to systemic breaches and an individual victim retains the right to bring a civil court action for damages.

The Court made a number of conclusions that are worth noting:

27. I disagree for at least four reasons. First, personal health information includes information about the providing of health care (s. 4(1)(b) PHIPA), not just the details of diagnosis or treatment. The defendant’s disclosure told others that the crisis facility was providing health care to the plaintiff. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. I agree with the opinion of the crisis facility director; the staff and facility are under a statutory and contractual duty to keep the provision of care private.

28. Second, the names associated with the facility – Crisis Respite and Homes for Mental Health – provide some information about the mental health status or condition of the individuals who seek treatment there. Therefore the disclosure went beyond just the providing of care but gave some indication of the nature of the condition being treated. This health information was also required to be kept private.

29. Third, the plaintiff considered this a “private matter” – she did not tell anyone in her family and signed consents limiting the access to information to only two people. The defendant saw the file, and Dean’s name on the paperwork. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. The defendant knew or should have known that this was a private matter and it was a secret to be kept from other family members. In her evidence and counsel submissions, the defendant acknowledges the private nature of the stay when she submits that she did everything she could to protect the plaintiff’s privacy during her shift. She claims to have sought advice, stopped reading the file, remained out of sight and gave away her other shifts, all out of respect for the plaintiff’s privacy. These actions show that prior to disclosure she knew the stay was a private matter to be held in confidence.

30. Finally, the confidentiality agreement signed by the defendant included a broad undertaking to keep confidential “any information regarding any consumer” – this promise extends beyond just personal health information. It clearly prohibits the health care worker from discussing resident’s information at all. The privacy policy requires a staff member to obtain the consumer’s express consent before giving personal health information or personal information to a “family member who is not a substitute decision maker.” The word “Express” is in bold font. In sum, I find that the information disclosed was personal health information, was a private matter concerning the private life of the plaintiff, and was information that the defendant was required to keep confidential under her confidentiality agreement and the privacy policy. Disclosure fell below the privacy standard established by the legislation and the crisis facility and forms the basis for tort liability.

The Court took judicial notice that mental health issues are particularly stigmatized and concluded that the disclosure of this information is highly offensive to a reasonable person: "I have no trouble finding that a reasonable person would find disclosure of their need for crisis mental health treatment to be highly offensive."

The Court also found malice:

39. I have already found that the disclosures were made intentionally and not for advice, support or concern. The defendant denies that they were done with malice but on the facts I am prepared to infer that the disclosures were done with malice, particularly that to the brother. They were intended to diminish the plaintiff in the eyes of her family and cause her embarrassment. I emphasize the brother because I suspect the defendant’s daughter and husband had already had their opinion of the plaintiff shaped by the defendant. However, the brother appeared to be trying to walk a middle ground between the two feuding sisters. The defendant seemed engaged in some kind of competition for her brother’s attention as evidenced when she races to be the first to invite him to Christmas dinner, calling the plaintiff “crazy” as she did so. This subsequent conduct along with her failure to apologize, confirms malice.

On the topic of damages, the Defendant argued that it was a case for nominal damages of around $300. The Court strongly disagreed:

42. I disagree. Actual emotional harm was suffered by the plaintiff. The doctor’s opinion confirms the worsening of her mental health condition following the public disclosure. In submissions during closing, the defendant asks me to disregard the general practitioner’s opinion but did not summons or cross examine the doctor’s opinion nor supply contrary medical expert evidence. Therefore, I accept the opinion of the plaintiff’s doctor as to the plaintiff’s worsened anxiety and depression. It is the only medical expert evidence submitted at trial and was not contradicted.

43. As to the claim that the plaintiff’s reaction is extreme and unusual, again I disagree. It is completely reasonable and foreseeable that the mental health of a patient already suffering from anxiety will deteriorate when someone releases mental health information about them. Unlike Mustapha the withdrawal of the plaintiff is not an extreme, unpredictable or unusual reaction – it is completely reasonable and foreseeable. This is an obvious situation of “take your victim as you find them” – mental fragility was not an unknown or hidden condition which the defendant could not have foreseen. The defendant knew the mental health status of the plaintiff before she committed the wrongful act and therefore she must take her victim as she found her and (I would add) as she knew her to be.

44. Finally, the defendant argues that the failure to subsequently seek treatment at other facilities is a failure to mitigate which goes to reduce her damage award. The failure to seek in-patient treatment is completely predictable in the circumstances and is a by-product of the defendant’s humiliation and embarrassment of the plaintiff. The defendant’s actions have made it more difficult for the plaintiff to seek treatment as she no longer trusts institutional care. She is still privately seeing her family doctor for out-patient care as the doctor’s opinion verifies. Failure to seek in-patient treatment is a symptom evidencing the worsening of the plaintiff’s condition. Prior to the disclosure the plaintiff was willing to seek in-patient treatment, after she was not. In sum the severity of her anxiety and depression is worsened, she rarely leaves her darkened apartment and her quality of life is severely reduced.

45. This is not a case for nominal damages. It properly falls within the range set for non-pecuniary damages in Jones. The summary of past damage awards contained in Appendix A & B of Jones offers a context for setting damages in this case. The documented psychological harm suffered takes the damages well beyond nominal amounts for embarrassment and humiliation while the limited number of people told and the temporary manner of communication (telephone rather than internet) go to contain the award. I award $7,500 for general damages.

The Court then awarded an additional $1500 in punitive damages.

Thursday, April 28, 2016

You'd better forget the right to be forgotten in Canada

Summary: This discussion paper is intended to address the following question put forward in the OPC’s consultation paper on online reputation: “Can the right to be forgotten find application in the Canadian context and, if so, how?” The author is of the view that the right to be forgotten cannot be shoehorned into existing privacy law because search engines do not come within the scope of PIPEDA and the activity of indexing newsworthy content online is subject to the journalism exception in PIPEDA. Furthermore, any attempt to compel a search engine to not include particular results -- particularly pointing to lawful content -- would fall afoul of the freedom of expression right under the Canadian Charter of Rights and Freedoms. The paper concludes with some additional thoughts that will need to be factored into the discussion of the right to be forgotten in Canada.
The next battle over privacy and freedom of expression in Canada will -- not surprisingly -- be carried out over the internet. Or at least it will be about the internet. Following the important decision by the European Court of Justice in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014), which found a “right to be forgotten” in the European Data Protection Directive, it is natural to ask if there is an equivalent or similar right to be forgotten in Canada.

In my submission, there is not. It cannot be shoehorned into our existing federal privacy law, the Personal Information Protection and Electronic Documents Act, and any attempt to do so would ultimately be unconstitutional on at least two grounds.

But there is also the more general, philosophical discussion worth having about whether one can import “RTBF” into Canada, a country that values freedom of expression and purports to embrace the internet. How can it make any sense at all to have a law that says a person or a news outlet can lawfully post material on the internet, but it is illegal for a search engine to tell you that it even exists?    

While I am sympathetic to many who may want to leave unpleasant or embarrassing facts behind them as they progress through their lives, it is wrong in principle to allow information to remain on the internet but to only prohibit a completely uninvolved party from indexing and including it in search results.

If the problem is with the embarrassing or out-of-date information, then any efforts should be directed at the person responsible for the information. However, the legal reality is that it would be constitutionally untenable to pass a law that would prohibit a news outlet or other content producer from expressing him or herself

Are search engines and the results they produce subject to PIPEDA?

The first question to be asked is whether one can locate a right to be forgotten within the existing framework of PIPEDA. I suggest you cannot, for a range of reasons.

Are search engines engaged in “commercial activities”?

To begin with, search engines are likely not engaged in commercial activities, at least for the purposes of section 4(1)(a) of PIPEDA. In order for PIPEDA to apply to any activity, the collection, use and disclosure of personal information must be in the course of “commercial activities.” One cannot simply say that a search engine is a private commercial undertaking because the definition is not as broad as it seems. As found by the Federal Court in  State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736, the actual activity at issue is what needs to be characterised for the purposes of s. 4(1)(a):
[106]      I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties... [emphasis added]
While most search engines are commercial enterprises and supported by advertising revenue, it does not charge users for search results and it does not charge content providers to be indexed in the search engine for inclusion in search results. The indexing, retrieval and serving of search results are not part of any commercial transaction. Ultimately, the search engine is about facilitating timely and easy access to information on the world wide web, which is not an inherently commercial activity. It can most readily be likened to compiling a card-catalogue for a library, but it is electronic and the library is the global internet.

Are search engines handling personal information for “journalistic, artistic or literary purposes”?

Instead of being included in PIPEDA by s. 4(1)(a), I would suggest that most search engines are excluded due to the operation of s. 4(2)(c) of PIPEDA:
Limit
(2)         This Part does not apply to ...
(c)         any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
Search engines are fundamentally journalistic or literary operations, particularly when providing a user with access to news media content. At the same time, they are also providing news media producers with access to readers.

The Torstar case was abundantly  clear that writing on matters of public interest is not reserved to the mass media. On this particular question, the Chief Justice’s judgement in Grant v. Torstar Corp., 2009 SCC 61 (“Torstar”), at paragraphs 96 and 97, is interesting:

However, the traditional media are rapidly being complemented by new ways of communicating on matters of public interest, many of them online, which do not involve journalists.  These new disseminators of news and information should, absent good reasons for exclusion, be subject to the same laws as established media outlets.  I agree with Lord Hoffmann that the new defence is “available to anyone who publishes material of public interest in any medium”: Jameel, at para. 54. …
[97]        A review of recent defamation case law suggests that many actions now concern blog postings and other online media which are potentially both more ephemeral and more ubiquitous than traditional print media. While established journalistic standards provide a useful guide by which to evaluate the conduct of journalists and non-journalists alike, the applicable standards will necessarily evolve to keep pace with the norms of new communications media. [emphasis added]
While Torstar was a defamation case, it is instructive of how traditional categories of “journalism” are being expanded in the modern age, particularly by our courts. This expansion was specifically in reference to the operation of the Canadian Charter of Rights and Freedoms, which is discussed in greater detail below.

The journalism exception to privacy laws has been applied by the Office of the Information and Privacy Commissioner of Alberta in Order P2005-004, which focused on the actions of the Calgary Herald Newspaper. In that case, the Adjudicator appointed under the Personal Information Protection Act (Alberta) (“PIPA”) determined that any interpretation of that Act must follow the Charter and the Alberta Bill of Rights. The complainant alleged that the Calgary Herald had violated PIPA in its publication of a news story. The Calgary Herald argued that sections 4(3)(c) and 4(3)(k) of PIPA meant that PIPA would not apply to these activities. The adjudicator stated:

[para 19] Webster’s New College Dictionary defines “journalistic” as “Of, relating to, or typical of journalists.” “Journalism” is defined as:

1.Collection, writing, editing and dissemination of news through the  media 2. Material written for publication in the media 3. A style of  writing used in newspapers and magazines, characterized by the direct  presentation of facts or occurrences with little attempt at analysis or  interpretation.

[para 20] The personal information disclosed was in the form of a newspaper article which was published by the Organization. This in itself meets the definition of “material written for publication in the media”. Having reviewed the newspaper article itself, the personal information within it is a direct presentation of the facts and is clearly collected and disclosed for journalistic purposes. There is no evidence before me or any evidence from the newspaper article itself that would lead me to conclude that the collection, use and disclosure of the personal information was for any other purpose other than for journalistic purposes.

Having found that s. 4(3)(c) of PIPA applied, the adjudicator determined that that the OIPC had no jurisdiction to consider the matter further:

[para 22] However, my authority under the Act is to determine whether the collection, use or disclosure of personal information was for journalistic purposes only. Once I have established that the use of personal information was for journalistic purposes only, the Act does not apply and my authority to decide any other issue ceases. Any inquiry into what is a reasonable collection, use and disclosure of personal information, can only come into play if I have jurisdiction to proceed under the Act. In this case, I have determined that the Act does not apply to the matter in question and I can go no further.
At their core, search engines perform a journalistic function: it primarily relates to the dissemination of news and information, and is comprised of material written for publication in the media. On that basis, s. 4(2)(c) of excludes the operation of PIPEDA. The fact that this particular paragraph in PIPEDA refers to “journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose” remains vulnerable to Charter challenge, as was the case in the UFCW case discussed below.

We should remember that Costeja arose in the context of a newspaper article appearing in a search result. If a similar case were to arise in Canada, it would be clear that the search engine, in pointing to a newspaper article, is performing a journalistic function.

However, even if one were to conclude that PIPEDA may facially apply to a search engine’s indexing and serving of content to users, any interpretation of the statute along those lines is unconstitutional both on a separation of powers analysis and under s. 2(b) of the Charter.

Freedom of Expression under the Charter

Any reading of PIPEDA that has the effect of regulating the indexing of public content -- particularly newsworthy content -- and providing links to users via a search engine effectively regulates the expressive activity of the search engine operator and would be very problematic under the Charter. As I intend to argue, doing so would offend s. 2(b) of the Charter and cannot be justified under s. 1.

Given that legislation should be read in a manner that is consistent with the Charter, regulators should interpret PIPEDA in a manner that excludes search engines. As the Chief Justice wrote in R. v. Sharpe, 2001 SCC 2, at paragraph 33:

Supplementing this approach is the presumption that Parliament intended to enact legislation in conformity with the Charter. If a legislative provision can be read both in a way that is constitutional and in a way that is not, the former reading should be adopted. [citations omitted]

It is important to consider whose rights are actually engaged in the RTBF discussion. Clearly we are looking at the rights of a search engine operator to communicate meaning from its indexing of websites. But we also have to be mindful that RTBF affects the rights of the organization that created the linked-to content. They have the right to communicate their content to the public and to use search engines to reach their audiences. Finally, the rights of internet users are also engaged as section 2(b) also includes the right to receive expressive content.[1] It is clear that the freedom of expression under the Charter limits the government’s ability to regulate the content of communications, but also the mode and timing of such communication.

Here we are not only concerned with a search engine operator’s constitutionally protected right to freedom of expression, but the right of every Canadian to get access to relevant content on the internet via the use of Google’s search engine. This also limits Canadian media outlets’ constitutionally protected right to disseminate its expressive content on the internet.

Any law or the operation of any law that restricts the mode or content of expression violates s. 2(b) of the Charter and must be justified under s. 1 of the Charter. Once a search engine has shown that any legislative provision limits its rights to expression, the onus will be on the government to justify it.

In R. v. Sharpe, the Supreme Court laid out the framework of analysis that a tribunal must follow at paragraph 78:

The question we must answer is whether that limitation is reasonable and demonstrably justified in a free and democratic society.  To justify the intrusion on free expression, the government must demonstrate, through evidence supplemented by common sense and inferential reasoning, that the law meets the test set out in R. v. Oakes, [1986] 1 S.C.R. 103, and refined in Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, and Thomson Newspapers Co. v. Canada (Attorney General), [1998] 1 S.C.R. 877.  The goal must be pressing and substantial, and the law enacted to achieve that goal must be proportionate in the sense of furthering the goal, being carefully tailored to avoid excessive impairment of the right, and productive of benefits that outweigh the detriment to freedom of expression.

Thus, in order to be justifiable under the Charter, all of the following questions must be answered in the affirmative for this particular application of PIPEDA to be upheld under Section 1 of the Charter:

(a)        Is the limitation prescribed by law?
(b)        Is the legislative objective pressing and substantial?
(c)        Is there proportionality between the limitation on the right and the benefits of the law? This requires answering the following questions:
(i)        Is there a rational connection between the legislative objective and the means in the law meant to achieve that objective?
(ii)        Is the right in issue “minimally impaired”?
(iii)        Is there proportionality between the deleterious and salutary effects of the law? 
There is certainly an argument to be made that RTFB fails on all counts, but the Charter question will likely hinge on the proportionality analysis.

Assuming the limitation would be “prescribed by law”, we have to determine the objective of the legislators and then consider whether it is “pressing and substantial”.

The purpose of the statute is set out in s. 3:

3.         The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

As noted by the Federal Court in State Farm:

[104]        These purposes are reflected in the long title of PIPEDA [emphasis added]:An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

[105]        The collection of information in order to properly defend a civil tort action has little or nothing to do with these purposes.

In the State Farm case, the Court determined that “[t]he collection of information in order to properly defend a civil tort action has little or nothing to do with these purposes.”

The Supreme Court’s characterization of the Personal Information Protection Act (Alberta) in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733 (“UFCW”) is also helpful, as that law is substantially similar to PIPEDA:

[19]         There is no dispute that PIPA has a pressing and substantial objective. The purpose of PIPA is explicitly set out in s. 3, as previously noted, which states:
3          The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.

The focus is on providing an individual with some measure of control over his or her personal information: Gratton, at pp. 6 ff.   The ability of individuals to control their personal information is intimately connected to their individual autonomy, dignity and privacy.  

The purpose of PIPEDA is to protect the privacy of individuals, in a manner that is tempered against the needs of organizations to collect, use or disclose personal information for legitimate purposes, particularly focused on supporting and promoting electronic commerce.

One might even connect PIPEDA’s purposes to the protection of reputation, which has been repeatedly held by the Supreme Court of Canada to be an important value. However, one should note that civil and criminal defamation law has repeatedly been held to be consistent with the Charter because the falsity of the information is a key component. (See Hill v. Church of Scientology of Toronto, [1995] 2 SCR 1130, 1995 CanLII 59 and R. v. Lucas, [1998] 1 SCR 439, 1998 CanLII 815.) Falsity of the information is not integral to the right to be forgotten. Information that is true can still be caught within the European model of RTBF.

There likely is a rational connection between protecting the privacy of individuals and regulating the collection, use and disclosure of their personal information in the course of commercial activity, per (c)(i) above. However, this is not minimally impairing and thus fails the proportionality analysis.

From RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 SCR 199 at para. 160), it is clear that only very focused and restricted impairments of the right to free expression can survive Charter challenge:

As the second step in the proportionality analysis, the government must show that the measures at issue impair the right of free expression as little as reasonably possible in order to achieve the legislative objective.  The impairment must be “minimal”, that is, the law must be carefully tailored so that rights are impaired no more than necessary.  The tailoring process seldom admits of perfection and the courts must accord some leeway to the legislator.  If the law falls within a range of reasonable alternatives, the courts will not find it overbroad merely because they can conceive of an alternative which might better tailor objective to infringement . . . On the other hand, if the government fails to explain why a significantly less intrusive and equally effective measure was not chosen, the law may fail.
PIPEDA, if interpreted in a way that would regulate the inclusion of any particular search result, would simply not be minimally impairing. Prohibiting someone from connecting Canadians to information lawfully existing on the internet goes dramatically beyond the legitimate purposes of PIPEDA, particularly where the information is news reporting.

If PIPEDA is applied to search results, the law does not include any mechanisms by which the constitutional right to freedom of expression may be balanced with the interests protected by the legislation. One cannot save legislation by the belief that it will be applied constitutionally. And I cannot imagine a situation where a private corporation can be expected to carry out the difficult task of balancing rights that would be required for any such scheme to survive constitutional muster. This aspect is completely without precedent in Canadian law.

The Supreme Court has long recognized the fundamental importance of freedom of expression, including expression by corporations. PIPEDA, interpreted in this manner, would outlaw the collection, use, or disclosure of personal information for many legitimate, expressive purposes related to seeking information and knowledge. This infringement of the right to freedom of expression is disproportionate to the government’s objective of providing individuals with control over the personal information, particularly information that has been deemed to be newsworthy.

A proposed interpretation of PIPEDA that would include the search engine would also fail on the final proportionality branch. In this branch of the s. 1 analysis, the tribunal has to determine whether there is proportionality between the infringement of the rights of Canadians and the salutary effect of such limitation. As set out by the Supreme Court of Canada in R. v. Sharpe:

102        This brings us to the third and final branch of the proportionality inquiry: whether the benefits the law may achieve in preventing harm to children outweigh the detrimental effects of the law on the right of free expression. The final proportionality assessment takes all the elements identified and measured under the heads of Parliament’s objective, rational connection and minimal impairment, and balances them to determine whether the state has proven on a balance of probabilities that its restriction on a fundamental Charter right is demonstrably justifiable in a free and democratic society.  

One must consider whether the benefit actually achieved in the form of protecting privacy in the context of e-commerce outweighs the affront to the right to provide access to relevant information and to get access to relevant, lawful information. Preventing a search engine from providing access to this search result does little, if anything, to advance this interest.

At this portion of the analysis, one must also consider what expression is being squelched and how close it is to the “core of Charter values”. It is clear that certain kinds of expression are distant from the core of Charter values and can more readily be limited. Providing access to relevant, lawful information is at the core of Charter values:  “individual self-fulfilment, finding the truth through the open exchange of ideas, and the political discourse fundamental to democracy” (R. v. Sharpe, quoting Irwin Toy). Regulating search results would limit expression that cuts to the core of Charter values (and does little to advance the objectives of the legislation).

A court or tribunal is not only focused on the actual speech in question, but also considers what other speech can be “caught in the net” of the impugned legislation. One can readily imagine that a politician seeking election could attempt to have unflattering material removed, even if entirely truthful. If PIPEDA applies and one has to rely on knowledge and consent, the operator of the search engine may have no choice but to remove it as any consent to include it in the index has been revoked.

I also note that such a finding would legally compel a search engine operator to provide incorrect information to its users, which is a disproportionate effect on freedom of expression. When a user enters a query into a search engine, they expect to receive the most relevant results using the search engine’s usual algorithms. Omitting a highly relevant, responsive search result would mislead that user into believing that certain content does not exist, though it continues to exist and remains accessible on the media outlet’s site. This is akin to a student asking a research librarian for everything the library has about a specific individual, but legally requiring the librarian to lie to the patron. The book would remain on the shelf, but the librarian is prohibited from mentioning it.

Similar to the finding of the Supreme Court of Canada in UFCW striking down Alberta’s privacy law, limiting legitimate expression that relates to the core of Charter values of seeking lawful information is “too high a price to pay”:

[20]        PIPA’s objective is increasingly significant in the modern context, where new technologies give organizations an almost unlimited capacity to collect personal information, analyze it, use it and communicate it to others for their own purposes. There is also no serious question that PIPA is rationally connected to this important objective. As the Union acknowledges, PIPA directly addresses the objective by imposing broad restrictions on the collection, use and disclosure of personal information. However, in our view, these broad restrictions are not justified because they are disproportionate to the benefits the legislation seeks to promote.  In other words, “the Charter infringement is too high a price to pay for the benefit of the law”: Peter W. Hogg, Constitutional Law of Canada (5th ed. Supp.), vol. 2, at p. 38-43.

A failure to satisfy any of the questions in the Oakes analysis results in the legislation being found to be unconstitutional. I fully expect that the Federal Court would find applying PIPEDA to create a “right to be forgotten” in this manner to be unconstitutional. I expect this analysis would yield the same result for a standalone right to be forgotten law.

Separation of powers - Constitution Act, 1867 

Under the Canadian constitution, the provincial governments are given exclusive jurisdiction over matters of property and civil rights in each province. Privacy is a matter of civil rights, as is non-criminal law that would mandate the removal of content such as that referred to by the complainant. The federal government bases PIPEDA on the “General Trade and Commerce Power” that is located within s. 91(2) of the Constitution Act, 1867. In order to be valid federal legislation rooted in the general branch of the trade and commerce clause, the law would have to follow the indicia set out in General Motors of Canada Ltd. v. City National Leasing, [1989] 1 SCR 641, 1989 CanLII 133 (S.C.C.) (“General Motors”).  In upholding the Combines Investigation Act as valid federal law under the general branch of s. 91(2), the Chief Justice Dickson at paras. 32 and 34, enumerated five indicia or factors of the valid exercise of the general Trade and Commerce power:
  1. The impugned legislation must be part of a general regulatory scheme.
  2. The scheme must be monitored by the continuing oversight of a regulatory agency.
  3. The legislation must be concerned with trade as a whole rather than a particular industry or commodity
  4. The legislation must be of such a nature that the provinces, together or independently, would be constitutionally incapable of enacting it.
  5. The failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.
PIPEDA itself rests on a tenuous foundation, as it does not regulate the economy or trade as a whole, but one singular commodity: personal information. Nevertheless, the application of a “right to be forgotten” would rest on an even more shaky foundation as it would be regulating only one activity: the operation of internet search engines.

Final issues

Who is the decision maker?

Even if one were to create a right to be forgotten in Canadian federal law, transplanting the European model of operation into Canada would be grossly problematic. In Europe, the burden is entirely on the search engines to receive applications for removal, to evaluate them and to act upon them. This places the search engine in the position of having to decide, using its own frame of reference, whether the information is out of date, inaccurate or obsolete. The search engine does not know the complainant, does not know the context, does not know if the individual is a public figure and does not know whether the individual has genuinely “moved on with his life”. There may be some scenarios that are relatively easy to deal with, such as revenge porn, but for most cases the search engine will only have the complainant’s submissions to rely upon.

Content providers’ rights

Any process needs to also appreciate that the content provider’s interests are also at stake. Content providers choose to make their materials available online and also choose whether to allow it to be indexed by search engines. Meddling with how such content appears in search engine listings interferes with the ability of content providers to reach their intended audiences. Doing so without their input is very problematic: At the very least, content providers will need to be consulted to provide input on whether the content is “newsworthy”. However, placing the search engines as the arbiters of the content provider’s rights is not fair to the content provider.

Reviving forgotten information

A final consideration would have to be how can one revive forgotten information that becomes relevant again. The last election saw a number of political candidates whose social media activity and other online content came back to haunt them. Most notably, an old video surfaced online of an individual who was working as a plumber who was recorded urinating into a customer’s coffee cup. When it surfaced, the plumber was running as a candidate for Parliament. One can readily imagine scenarios in which someone with political ambitions will seek to have content suppressed before seeking a nomination. If successful, relevant information about the candidate’s history and character many be indelibly lost.  

Conclusion

While aspects of the right to be forgotten can be compelling, particularly for privacy advocates like myself, it is a concept that cannot find a Charter-resistant foothold either within PIPEDA or some other means in Canadian law.
 
David TS Fraser is lawyer with McInnes Cooper, where his practice is exclusively devoted to internet and privacy law. David is also a part-time faculty member at Dalhousie Law School and an associate of the Institute of Law and Technology. The views expressed in this paper are solely those of the author and should not be attributed to the firm or any of its clients.


17        Freedom of expression protects not only the individual who speaks the message, but also the recipient. Members of the public —  as viewers, listeners and readers —  have a right to information on public governance, absent which they cannot cast an informed vote; see Edmonton Journal, supra, at pp. 1339-40.  Thus the Charter protects listeners as well as speakers; see Ford v. Quebec (Attorney General), 1988 CanLII 19 (SCC), [1988] 2 S.C.R. 712, at pp. 766-67.
18        This is not a Canadian idiosyncrasy.  The right to receive information is enshrined in both the Universal Declaration of Human Rights, G.A. Res. 217 A (III), U.N. Doc. A/810, at 71 (1948), and the International Covenant on Civil and Political Rights, Can. T.S. 1976 No. 47.  Canada is a signatory to both.  American listeners enjoy the same right; see Red Lion Broadcasting Co. v. Federal Communications Commission, 395 U.S. 367 (1969), at p. 390; Martin v. City of Struthers, 319 U.S. 141 (1943), at p. 143. The words of Marshall J., dissenting, in Kleindienst v. Mandel, 408 U.S. 753 (1972), at p. 775, ring as true in this country as they do in our neighbour to the south: [T]he right to speak and hear —  including the right to inform others and to be informed about public issues —  are inextricably part of [the First Amendment]. The freedom to speak and the freedom to hear are inseparable; they are two sides of the same coin. But the coin itself is the process of thought and discussion. The activity of speakers becoming listeners and listeners becoming speakers in the vital interchange of thought is the means indispensable to the discovery and spread of political truth. [Citations omitted.]

Tuesday, January 26, 2016

Ontario court explicitly adopts new privacy tort: public disclosure of private facts

For anyone who was wondering: the arc of the common law is long and it bends towards privacy. The Ontario Superior Court of Justice has this past week expressly recognized the tort of "public disclosure of private facts".

This is a huge deal, as it explicitly expands the scope of privacy protection under the common law and stands as an example of how the traditional courts (and perhaps new-ish torts) can be called upon to help victims of cyberbullying.

Arising from a horrific case of revenge porn where the defendant had uploaded to the internet an explicit sexual video of the plaintiff, the Court in Doe v D., 2016 ONSC 541 (CanLII) [Edit: try this version -- I understand that CanLII may have inadvertently published some details contrary to the publication ban], said this about the ability to sue for invasion of privacy:

C. Invasion of Privacy

[34] In Jones v. Tsige, 2012 ONCA 32 (CanLII), the Court of Appeal for Ontario recognized the existence of the tort of invasion of privacy in the context of intrusion upon seclusion. In that case, the Court found that the defendant had committed the tort of intrusion upon seclusion when she used her position as bank employee to repeatedly examine private banking records of her spouse's ex-wife. While that case dealt with a significantly different fact situation, many of the Court’s comments are germane to this case, and I will therefore refer extensively to that decision.

[35] To begin with, the Court noted (at para. 15) that “[t]he question of whether the common law should recognize a cause of action in tort for invasion of privacy has been debated for the past one hundred and twenty years. Aspects of privacy have long been protected by causes of action such as breach of confidence, defamation, breach of copyright, nuisance and various property rights. Although the individual's privacy interest is a fundamental value underlying such claims, the recognition of a distinct right of action for breach of privacy remains uncertain.”

[36] The Court went on to recognize as authoritative a seminal American legal article on the subject by William L. Prosser, "Privacy" (1960), 48 Cal. L. Rev., noting that “Prosser argued that what had emerged from the hundreds of cases he canvassed was not one tort, but four, tied together by a common theme and name, but comprising different elements and protecting different interests. Prosser delineated a four-tort catalogue, summarized as follows, at p. 389:

1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.

2. Public disclosure of embarrassing private facts about the plaintiff.

3. Publicity which places the plaintiff in a false light in the public eye.

4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness. “

[37] The Court also noted (at para. 19) that “[t]he tort that is most relevant to this case, the tort of ‘intrusion upon seclusion’, is described by the Restatement [Restatement (Second) of Torts (2010)], at 652B as: ‘One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.’”

[38] The Court went on to note (at para. 20) that “[t]he comment section of the Restatement elaborates this proposition and explains that the tort includes physical intrusions into private places as well as listening or looking, with or without mechanical aids, into the plaintiff's private affairs. Of particular relevance to this appeal is the observation that other non-physical forms of investigation or examination into private concerns may be actionable. These include opening private and personal mail or examining a private bank account, ‘even though there is no publication or other use of any kind’ of the information obtained.’” The Court commented that if the plaintiff in Jones had a right of action, it fell into the first category of intrusion upon seclusion, described by Prosser as comprised of the following elements:

• there must be something in the nature of prying or intrusion;

• the intrusion must be something which would be offensive or objectionable to a reasonable person;

• the thing into which there is prying or intrusion must be, and be entitled to be, private; and

• the interest protected by this branch of the tort is primarily a mental one. It has been useful chiefly to fill in the gaps left by trespass, nuisance, the intentional infliction of mental distress, and whatever remedies there may be for the invasion of constitutional rights.

[39] Later in its reasons, when considering the desirability of recognizing the tort of intrusion upon seclusion, the Court made a number of comments that are relevant to the issues in this case, including the following:

39 Charter jurisprudence identifies privacy as being worthy of constitutional protection and integral to an individual's relationship with the rest of society and the state. The Supreme Court of Canada has consistently interpreted the Charter's s. 8 protection against unreasonable search and seizure as protecting the underlying right to privacy. In Hunter v. Southam Inc., 1984 CanLII 33 (SCC), [1984] 2 S.C.R. 145, [1984] S.C.R. No. 36, at pp. 158-59 S.C.R., [page254] Dickson J. adopted the purposive method of Charter interpretation and observed that the interests engaged by s. 8 are not simply an extension of the concept of trespass, but rather are grounded in an independent right to privacy held by all citizens.

43 In Hill v. Church of Scientology of Toronto 1995 CanLII 59 (SCC), [1995] 2 S.C.R. 1130, Cory J. observed, at para. 121, that the right to privacy has been accorded constitutional protection and should be considered as a Charter value in the development of the common law tort of defamation. …

45 While the Charter does not apply to common law disputes between private individuals, the Supreme Court has acted on several occasions to develop the common law in a manner consistent with Charter values: [citations omitted].

46 The explicit recognition of a right to privacy as underlying specific Charter rights and freedoms, and the principle that the common law should be developed in a manner consistent with Charter values, supports the recognition of a civil action for damages for intrusion upon the plaintiff's seclusion ….

67 For over 100 years, technological change has motivated the legal protection of the individual's right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of "the pressing need to preserve 'privacy' which is being threatened by science and technology to the point of surrender": "The Law and Privacy: the Canadian Experience", at p. 1. See, also, Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

68 It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

69 Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. …

[40] The passage quoted immediately above most certainly applies to the case before me.

[41] While the facts of this case bear some of the hallmarks of the tort of "intrusion upon seclusion", they more closely fall within Prosser’s second category: “Public disclosure of embarrassing private facts about the plaintiff.” That category is described by the [Restatement (Second) of Torts (2010) at 652D as follows: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.”

[42] The comment section of the Restatement elaborates on this proposition as follows:

Every individual has some phases of his life and his activities and some facts about himself that he does not expose to the public eye, but keeps entirely to himself or at most reveals only to his family or to close friends. Sexual relations, for example, are normally entirely private matters, as are family quarrels, many unpleasant or disgraceful or humiliating illnesses, most intimate personal letters, most details of a man's life in his home, and some of his past history that he would rather forget. When these intimate details of his life are spread before the public gaze in a manner highly offensive to the ordinary reasonable man, there is an actionable invasion of his privacy, unless the matter is one of legitimate public interest.

Although written in somewhat antiquated language, the concepts described are entirely apposite to this case. Among the illustrations offered by the Restatement is the following: “A publishes, without B's consent, a picture of B nursing her child. This is an invasion of B's privacy.”

[43] Prosser listed the features of this tort as follows:

• the disclosure of the private facts must be a public disclosure, and not a private one;

• the facts disclosed to the public must be private facts, and not public ones; and

• the matter made public must be one which would be offensive and objectionable to a reasonable man of ordinary sensibilities.

[44] Plainly, writing in 1960, Prosser was discussing events that might occur in a pre-Internet world, where the concepts of pornographic websites and cyberbullying could never have been imagined. Nevertheless, the essence of the cause of action he described is the unauthorized public disclosure of private facts relating to the plaintiff that would be considered objectionable by a reasonable person. In the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection. Personal and private communications and the private sharing of intimate details of persons’ lives remain essential activities of human existence and day to day living.

[45] To permit someone who has been confidentially entrusted with such details – and in particular intimate images - to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies. I therefore would hold that such a remedy should be available in appropriate cases.

[46] I would essentially adopt as the elements of the cause of action for public disclosure of private facts the Restatement (Second) of Torts (2010) formulation, with one minor modification: One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of the other’s privacy, if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. [modification shown by underlining]

[47] In the present case the defendant posted on the Internet a privately-shared and highly personal intimate video recording of the plaintiff. I find that in doing so he made public an aspect of the plaintiff’s private life. I further find that a reasonable person would find such activity, involving unauthorized public disclosure of such a video, to be highly offensive. It is readily apparent that there was no legitimate public concern in him doing so.

[48] I therefore conclude that this cause of action is made out.