Friday, December 05, 2025

What digital sovereignty? How a Canadian Court is forcing a French company to break French law

Just recently, I heard about a very significant new decision from the Ontario Court of Justice, where a judge in Ottawa ordered OVHcloud in France and its Canadian subsidiary to hand over user data stored in France, the UK, and Australia. While Canada is focusing a lot of attention on “data sovereignty”, this decision should get a lot more attention, particularly because the Canadian court is ordering the French company to violate a French law that is designed to protect France’s data sovereignty.

I regularly deal with situations like this in my law practice, where I assist companies in responding to police demands for user data. But rarely does it get to this point, and I’m afraid this sets a very negative precedent.

This case touches on jurisdiction, cross-border data, foreign blocking statutes, and the limits of Canadian investigative powers. It also relies heavily on the controversial Brecknell decision from British Columbia — and I have some things to say about that.

Let’s walk through the case, and then I’ll explain why I think the analysis in the decision goes off the rails.

This case arises out of a national security investigation. The RCMP obtained a Production Order under the Criminal Code s. 487.014, requiring two companies to produce customer information linked to four IP addresses. The two companies are OVH Group SA (a French company that provides cloud computing services globally) and OVH’s Canadian subsidiary, Hebergement OVH Inc.

All of the IP addresses were hosted outside Canada — in France, the UK, and Australia. The data sought included subscriber information and metadata, but not the content of any communications.

OVH Canada argued that it did not have the data. It was held by the French parent company. OVH Canada is the operating company in Canada that apparently runs servers here for the global business. It doesn’t manage global accounts or have access to the records that the police were looking for. OVH Canada did not oppose the order as it applied to OVH Canada on any jurisdictional basis. It is a company with offices, employees and facilities that operates within Canada.

The real issue was the attempt to compel the French parent company — a company with no physical presence in Canada — to produce data stored entirely abroad, and that is subject to foreign laws.

The parent company said:

      “We don’t operate in Canada.

      We don’t store this data in Canada.

      OVH Canada doesn’t control this data.

      French law — specifically the French blocking statute — prohibits us from producing it.” (More about that blocking statute later.)

OVH also pointed out that the proper, internationally-recognized channel for this type of request is through Mutual Legal Assistance — the MLAT process — which France said it would expedite. Yes, Canada and France have a treaty under which both countries have agreed to manage situations like this. It’s slower because it contains checks and balances. First Canada has to determine if the request is appropriate, and then France reviews the request before getting a French order to provide the data.

The Crown responded that:

        OVH Parent has a “virtual presence” in Canada, and based on the Brecknell case from BC, and cases following that, a “virtual presence” is enough.

        The company “presents itself” as a unified global enterprise on its website

        OVH Canada has previously responded to production orders about foreign IP addresses

        The French blocking law is rarely enforced

With those facts on the table, the Court had to decide: Does a Canadian criminal court have jurisdiction over OVH’s French parent? And even if it does, should the order be revoked because of conflicting French law or because MLAT is the proper mechanism?

The Court framed five issues:

  1. Did OVH Canada have “possession or control” of the data?
  2. Did the Court have jurisdiction over OVH Parent?
  3. Would French law prohibit disclosure, triggering s. 487.0193(4)(b) - which justifies varying or revoking a production order where the data is “otherwise protected from disclosure by law”?
  4. Should MLAT be required in these circumstances?
  5. If French law applies, should the Court exercise its discretion to revoke or vary the order?

The first question is whether OVH Canada has “possession or control” of the data

With respect to possession or control, the Court found that OVH Canada had enough of a connection to the information — including prior instances where it assisted police, and the ability to preserve data — to justify the authorizing judge’s conclusion that it had “possession or control.”

The second question was whether there was jurisdiction over OVH Parent

Regarding jurisdiction over OVH Parent, relying heavily on the Brecknell, Love, and textPlus decisions, the Court held that:

      A company may be subject to Canadian jurisdiction without physical presence

      A “virtual presence” or “real and substantial connection” can be enough

      OVH operates data centres in Canada

      OVH’s website presents itself as a unified global business

      Therefore, the French parent was sufficiently connected to Canada

The third question was about the effect of the French Blocking Law

The Court accepted French government statements that the French blocking law applied, but it found it could be largely disregarded because (a) The law has been rarely enforced, (b) There is no “real risk” of prosecution, and (c) Courts in other countries have treated it as an “empty vessel”. Yup. It’s a law but let’s largely ignore it.

The next question was whether the police should go through the mutual legal assistance process instead of a production order. The judge held that the MLAT is not mandatory, it can be slow and it is not mutually exclusive with domestic orders. The police can choose door A or door B. Their call.

In the final step, about discretion, the judge upheld the production order against both OVH Canada and the French parent, concluding that: (a) OVH Parent has a real and substantial presence through its “virtual presence” in Canada; (b) The risk under French law is minimal, and (c) The national security interest outweighs comity concerns.

In a nutshell, that’s what the court decided. And I think it’s deeply flawed.

There are, in my humble opinion, major problems with this decision. And they don’t just affect OVH Parent. It will have a big impact on Canada’s own attempts to assert data sovereignty.

The first problem is following the BC Court of Appeal decision called Brecknell

The Court relies on Brecknell as though it stands for a broad doctrine that Canadian courts can compel any foreign service provider operating online to disclose foreign-hosted data as long as the company is “virtually present” in Canada.

Brecknell is a 2018 case from the British Columbia Court of Appeal. In that case, the police wanted some data from Craigslist. They contacted Craigslist, who said “come back with a production order and we’ll happily give you the data.” So the police went to the court to get their production order and the court said that it can’t issue a production order directed at a company outside of Canada. So the police went to another court and got the same answer. So the police appealed that, and ended up in the British Columbia Court of Appeal. The British Columbia Court of Appeal said that Canadian courts can issue production orders naming companies outside of Canada, as long as they have a “virtual presence in Canada.”

But in the Brecknell case, Craigslist — the target of the order — had already agreed it would comply with Canadian court orders. Through counsel, Craigslist said: “If we get an order, we will respond.”

This is not a small detail. This is the very foundation of jurisdiction in that case.

In other words: Craigslist voluntarily accepted Canadian jurisdiction.

With that fact, jurisdiction really should not have been an issue. Craigslist said “we have the data, just bring us a production order.”

This is not the situation with OVHcloud. OVH France explicitly said:

      We do not accept jurisdiction

      And we are prohibited by foreign law from producing it

OVH Cloud also said, we have the data and we will preserve it for you so you can get it through the established, diplomatic, country-to-country channels.

I am of the view that Brecknell was wrongly decided and this entire line of cases is problematic. We’ve gotten here, I think, because they are largely “ex parte” appeals. Craigslist was not at the hearing for the production order. They were not at any level of court. Until the court of appeal, it was just the cops and the prosecution arguing for jurisdiction. At the court of appeal, an amicus was appointed who did a commendable job.

This line of cases also reaches the conclusion that this is the sort of situation that production orders are designed to address. And they are partially right, but again they suffer from generally only hearing from prosecutors on these questions.

The idea behind a production order is that the court can order someone to hand over data or produce data. It is distinct from a search warrant, where the court clearly has to have jurisdiction over the place to be searched and the police need authority as police officers to search the place. Places are physical. There is no way under recognized international law for a judge in Ontario to give the RCMP in Ontario a warrant to search premises in France for these records. If they were to show up in Paris with their warrant, they’d likely be arrested by French police for trespassing. And we’d have an international incident. It would be the same as sending the RCMP to France to arrest someone without the cooperation of the French government. It’s just not done.

Production orders were created so that a person or entity within the court’s jurisdiction can be ordered to produce a record that is under that person’s control. And that generally operates regardless of where the record is. But this depends on the person being within the court’s jurisdiction. It’s a great alternative to a search warrant because it’s not based on the police searching for something, but telling a person to provide data that they control.

A key principle of international law as applied in Canada is that Canadian law does not operate extraterritorially unless Parliament explicitly provides for it. The B.C. Court of Appeal in Brecknell did note this at paragraph 23, but failed to identify any parliamentary signal indicating that production orders were intended to have effect on persons wholly, physically outside of Canada. 

[23]        The need to interpret the section in light of restrictions placed on extraterritorial effects is uncontroversial. The fundamental principles were canvassed in R. v. Hape, 2007 SCC 26. There, Justice LeBel identified a number of settled but important principles. First, customary international law, which has been adopted domestically, limits the actions a state may legitimately take outside its borders. Customary international law is based on respect for the sovereignty and equality of foreign states. Sovereign equality commands non‑intervention and respect for the territorial sovereignty of foreign states. Nonetheless, Parliament may legislate “extraterritorially” in violation of those principles provided it does so expressly: see paras. 35‑46.

...

[30]        The section is silent on issues to do with extraterritoriality, and it is silent on any question dealing with the location of the documents. Section 487.019(2) may offer some assistance by stipulating that, unlike search warrants, the order has effect throughout Canada without requiring endorsement if executed in another jurisdiction. The section reads:

487.019(2) The order has effect throughout Canada and, for greater certainty, no endorsement is needed for the order to be effective in a territorial division that is not the one in which the order is made.

It appears to me that this section is addressing a difference between search warrants and production orders. It does not directly deal with extraterritorial issues.

The only mention of territoriality in the Criminal Code production order provisions is confined to saying that they operate throughout Canada. That seems to me to be a signal in the other direction. That’s Parliament saying this is confined to Canada.

The notion of a "virtual presence" was an invention of the Court of Appeal and is contrary to existing principles of international law. Even under the more flexible civil rules, the Supreme Court of Canada has cautioned that "carrying on business" requires some form of actual, not only virtual, presence in the jurisdiction. And public international law - such as criminal jurisdiction - is different from private international law such as determining where a plaintiff can bring a lawsuit.

The Brecknell court wrongly disregarded the inability to enforce the order against a company like Craigslist. The issuance of a production order extending outside Canada is an exercise of enforcement jurisdiction, which violates international law and Canadian domestic law absent clear authority from Parliament. The difference between an “order” and a “request” is the ability to put someone in the defendant’s dock for not following it. A Canadian production order directed at a non-Canadian company has a real potential to offend comity and the other country’s sovereignty.

So what about Mutual Legal Assistance Treaties (called MLATs)? These are the existing, agreed-upon mechanism for Canadian police to obtain data from non-Canadian companies. In circumstances where an order might offend comity and sovereignty, MLATs are how countries decide to deal with the issue.

The effects of privacy laws or blocking laws were not at issue and were not considered – but probably should have been – by the Brecknell court.

In the OVH case, the court refers to the case of The Queen and Love from the Alberta Court of Appeal (R v Love, 2022 ABCA 269), which was a case dealing with the admissibility of data that had been produced by Facebook from the US pursuant to a production order. It was not an application to vary or revoke an active production order. The Love court followed Brecknell. Again, what’s missing is the fact that Facebook provided the data pursuant to that order. Their policy – like most big US tech companies – is that they will follow Canadian legal processes voluntarily where they can do so consistent with their obligations under US law. By and large, Facebook’s voluntary cooperation should have made jurisdiction a non-issue in that case.

The OVH judge also refers to a case involving TD Bank from Quebec (Banque Toronto Dominion c. Cour du Québec, 2025 QCCS 2094). In that case, a big issue was whether TD Bank in Canada could be ordered to produce records held by one of its foreign subsidiaries. The Court concluded it had sufficient control over the subsidiary to require the production of the records. That’s the inverse of the relationship between OVH Canada and OVH Parent. A subsidiary does not control the parent company.

So to use Brecknell as if it resolved this question is — frankly — a misreading of the case.

Problem 2 — The Court Treats Ordinary Corporate Structure as a Legal Fiction

In addition, the decision disregards the fundamentals of second year law school “Business Associations” to treat OVH as effectively one entity, leaning heavily on:

      OVH’s branding

      The fact “it” has data centres in Canada

      The “collaborative language” on its website

      Shared legal services

      The appearance of a global enterprise

But this misunderstands how multinational cloud companies operate and how corporate law applies.

I sometimes think that some practitioners who spend all their time focused on criminal law forget the fundamentals of corporate law.

Corporations are separate legal persons. Subsidiaries are not automatically global agents of the parent company. And cloud marketing — “our global infrastructure,” “our data centers around the world” — is not a legal admission of control. It’s marketing.

Corporations are separate legal persons and this corporate separateness is generally only disregarded where there is actual fraud going on.

If courts treat branding copy as determinative of “control,” then:

      Any cloud provider operating in Canada

      With foreign infrastructure

      Could be compelled to produce foreign data

      Regardless of its actual legal authority to do so

This collapses corporate separateness in a way that is deeply inconsistent with both Canadian corporate law and international norms. Which leads directly to the next problem.

The Court points to a previous investigation where OVH Canada provided subscriber information for a German-hosted IP address to suggest that OVH Canada effectively has access to and control over such data.

But OVH explained — and this is common across the industry — that:

      The Canadian subsidiary assisted because doing so was legally safe

      There was no blocking law that stood in the way

      The foreign affiliate voluntarily cooperated

This demonstrates cooperation, not control.

Access that is permitted by a foreign affiliate is not evidence of legal authority to compel access.

If you need a particular tool for a project, and I don’t have one but my parents do, I may facilitate YOUR borrowing it from MY parents. That doesn’t mean I have control over that tool.

OVH Canada receives a production order for data that is under the control of its parent company. Rather than say “go to France”, OVH Canada facilitates the parent company producing the data in circumstances where it is lawfully able to do so. It’s called being helpful, and should not lead to the conclusion that the subsidiary has any possession or control of data that’s entirely in the possession and control of the parent company.

By treating occasional past cooperation as proof of control, the Court dramatically expands what “possession or control” means. After this, it would be prudent for the Canadian subsidiary of a foreign corporation to tell Canadian police to just go pound sand, rather than facilitate matters through internal channels.

This is perhaps the most troubling aspect of the decision: The Court Minimizes Foreign Law Because It’s “Not Enforced”

The Court acknowledges that the French blocking law applies. The French government — through the “Service de l’information stratégique et de la sécurité économiques” (SISSE), which administers and enforces this French law — explicitly said so.

But the judge concluded it doesn’t really matter because the French law is apparently rarely enforced, the Canadian prosecutors said there’s no “real risk” of prosecution and other courts have treated it as an “empty vessel”.

I think this approach is dangerous.

The rule of law depends on courts respecting what the law is, not how often a prosecutor decides to enforce it. A foreign state’s policy choices about enforcement:

      Do not change the meaning of the statute

      Do not change OVH’s legal obligations under French law

      Do not give Canadian courts authority to override foreign legislation

A law is a law. I know dozens of Canadian laws that are rarely enforced, but they still need to be followed. Remember, this is a Canadian court shrugging off a law duly enacted by an allied country, France.

If Canada wants foreign law to bend, the proper channel is MLAT — a mechanism built through mutual consent — not unilateral judicial action.

International comity is built on reciprocity. If Canada orders French companies to violate French law, then:

      Other countries may order Canadian companies to violate Canadian law

      Canada will have no principled basis to object

      Global cloud providers will face impossible conflicts

      And privacy for Canadians abroad will be weakened

Remember, this is happening at the exact time that the Canadian government is focused on Canadian “Digital Sovereignty”. We would find it incredibly offensive if a French or Chinese court were to order a Canadian company, in Toronto, to violate Canadian law.

MLAT exists precisely for situations where:

      The data is located abroad

      A foreign statute prohibits disclosure

      And the foreign state must authorize or supervise the production

France explicitly told Canada it would expedite the MLAT request. Refusing to use MLAT because it might be slow is not a justification for disregarding foreign law. In this case, there is no doubt that the data exists, that France will provide it via the MLAT and will do so speedily. Ordering OVH in France to break French law is unnecessary, unreasonable and – in my view – gratuitous.

This decision is important, but in my view, it’s also misguided.

By stretching Brecknell beyond its facts, by treating global branding as evidence of legal control by a local subsidiary, by using past cooperation as proof of present authority, and by dismissing binding French law because it’s “not vigorously enforced,” the Court has weakened the principles of comity, corporate separateness, and legal certainty.

While Canada is getting excited about “digital sovereignty”, the RCMP, these prosecutors and the court are disregarding France’s explicit law about its own “digital sovereignty.” This is a dangerous precedent to set. After this, why would France give a toss about Canadian laws designed to protect Canadian data?

There is a lawful path — MLAT, letters rogatory, diplomatic channels — and international cooperation depends on states using those channels rather than overriding each other’s laws.

And one important thing to remember: OVH is not suspected of committing any crime. It simply has records about someone that may be relevant for a Canadian investigation. It is not hiding behind a veil of French law to shield itself from liability. It is an entirely innocent third party that is getting dragged into a Canadian investigation, and is now being ordered to violate the law in the country where they are based. And that order is entirely unnecessary, since France and Canada have already negotiated a clear path to get access to this data without violating anyone’s laws.

I understand the case is being appealed – and rightly so. I’ll be keeping an eye on it.

 


Saturday, November 22, 2025

Is Lawful Access Back? With comments on the govt's disinformation-filled attempt to revive it


On November 19, senior government MPs on the “crime file” held an unexpected press conference that suggests the government is looking to pull lawful access back from the grave. This press conference was full of misinformation and half-truths about the current state of the law and the government’s proposals. 

You may recall that the government introduced Bill C-2, the Strong Borders Act as its very first substantive bill in Parliament following the recent election. It seemingly came out of the blue and its proposed changes to the law related to law enforcement and national security access to information were roundly condemned. As a result, the bill has languished and has not been referred to committee. 


In another strange move, the government tabled a new bill (Bill C-12) that essentially was the Strong Borders Act but without the lawful access parts, apparently so they can fast track the other parts of Bill C-2. The new Bill C-12 is currently being considered by the House of Commons Standing Committee on Public Safety and National Security.


Most of us assumed that was the end of lawful access. Apparently not. 


Earlier this week, Public Safety Minister Gary Anandasangaree, Transport Minister Steve MacKinnon, and Secretary of State for Combatting Crime MP Ruby Sahota held a press conference defending “lawful access” and calling for the Conservatives to get onboard. If it hadn’t been for Michael Geist’s eagle-eyed attention to this topic, it might have been completely missed. The full press conference is on YouTube and I’ll link to it below.


The press conference was filled with misinformation about their own proposals and about the current state of the law.  There are some things that are defensible, but they just can’t get out of their own way. Having watched it a couple of times, it was like they really don’t know much about their own bill or how law enforcement currently operates.  


Everything said in the press conference seemed to relate to the provisions in Part 14 of Bill C-2, which are principally new demands and orders for customer information. I did not hear anything said that was a clear reference to Part 15 of Bill C-2, which would create a whole new law called the “Supporting Authorized Access to Information Act”.  And what’s also weird about that is the politicians there are associated with the Department of Public Safety, which we are told is the author of Part 15. Part 14 of Bill C-2 was written by and is the responsibility of the Department of Justice, which was absent from the press conference. 


The press conference was full of confused political puffery. And some statements were entirely incorrect and would leave any viewer misled. They accused others of engaging in dispensing misinformation, which is just rich.


They repeatedly said that the new tools for law enforcement have judicial oversight. Here is Secretary of State for Combatting Crime MP Ruby Sahota:


“They have also made it extremely clear that these tools are not warrantless surveillance. They are used with judicial authorization and clear legal thresholds, including modernized production and (...) preservation orders, clarified duties for surveillance providers, and access to basic subscriber information only on judicial order with strong safeguards.”


I assume instead of “surveillance providers”, she meant to say “service providers”. 


“Bill C2 gives police the tools they need with oversight Canadians expect.(...) Judicial authorization,(...) clear legal thresholds, strict limits on what can be accessed and when, and no warrantless surveillance full stop.(...)”


The WARRANTLESS information demand is just that. No warrant. No judicial authorization required. 


They said that we’re just talking about getting customer names and addresses, so no big deal. 


“We're trying to connect phone numbers to names and addresses, and then judicial authorization would have to get involved even further in order if that person was a suspect and we needed further information. So it's not about encrypted, you know, data or information. It is about connecting a name or an IP address to a phone-- to an-- I mean, an IP address or a number to a name and an address. That's all this is about.”


This also is incorrect and significantly misleading. Customer names and addresses from telcos are certainly “in scope”, but these provisions are not at all limited to telcos. This applies to anyone who “provides services to the public.” You know who also provides services to the public? Your doctor. It can be used with telcos, and it can be used with your doctor’s office. 



And it’s not limited to “customer names and addresses”. The provisions create a mandatory disclosure of “subscriber information” that is defined so broadly that it includes ALL “information that the subscriber or client provided to the person in order to receive the services”. Yes, that’s the medical history form you filled out when you first visited the clinic. It includes the types of services the clinic provided to you and information about any specialists you were referred to. The scope of this is breathtaking. It does require judicial authorization, but with the lowest burden of proof our legal system has. Something just more than a hunch. And the judge can’t say “hey, all you need is a name and address” so we’ll limit the order to that. Nope, the order is for all SUBSCRIBER INFORMATION.


And there was also some horrific misinformation about the tools the police currently have to do their jobs.


“The regime we have today is unacceptable. So I'd like to share some examples so that I can bring the issue to light. I find that there's not been a lot of coverage on extortion, but you've definitely been hearing about it in the House. That's because many of our communities are suffering from these cases. And what's unacceptable right now is it taking six months for the police to be able to get judicial authorization, to be able to connect a phone number to someone who's extorting an individual in my riding, who has been out of their home because their home has been shot up and it's dangerous for their kids to live there. They can't go to school in a regular routine. They can't operate their business. And that's unacceptable. And I believe in Canada, our law enforcement should have the capabilities of being able to track down violent criminals such as these.”


I am sorry. If it is taking the police six months to get a warrant after a house has been shot up … the police simply are not doing their jobs and are not using the tools they currently have. A police officer in a squad car can pick up the phone and get a production order, if circumstances exist for dispensing with the formalities of a personal appearance before a justice of the peace. 


The Honourable Ruby Sahota is the MP for Brampton North Caledon in Ontario. The local police service in her jurisdiction is the Peel Regional Police. I’ve seen many production orders obtained by officers in the Peel Regional Police. I really, really doubt that it takes six months of effort to get a production order. Most of them are issued within a very short period of time from the alleged offence. Just for illustration purposes, to find something on the public record, I did a really quick search in a public legal database and found a case from Brampton that will illustrate the current process. The case is called R v Owen, 2017 ONCJ 729.



The investigation began on March 23, 2015 of an unknown individual suspected of downloading images of child abuse. They had an IP address connected with the suspected crime, but didn’t know who it was connected to. They could determine the internet service provider. After some investigating, the Peel Police sent a preservation demand to the internet service provider, requiring the ISP to preserve the account information while they got a production order. On April 7, they applied for a production order to get the customer name and address from the internet service provider. The order was issued the next day. Less than a week later, on April 17, the internet service provider provided the information. Three days after that, on April 20, the police had a warrant to search the home. (I should note that the reason why the Owen decision goes into so much detail was that the production order and the search warrant were thrown out because the police misled the court in getting them.)


But setting that aside, that’s nowhere near six months. The laws in effect in 2015 are essentially the same laws we have now, that the government wants the police to be able to side-step. Suggesting it takes six months to get a production order is an outrageous statement from the “Secretary of State for Combatting Crime.” It’s so outrageous that I assume it’s an outright lie. 


Here’s what’s currently in the Criminal Code, which authorizes the cops to go to a judge and get an order for customer name and address – or any other information – if they have reasonable grounds to believe an offence has been committed and the addressee of the order has the data. What’s proposed in Bill C-2 is an order based solely on a hunch – reasonable grounds to suspect an offence has taken place. And the scope of the production is much broader. Fewer grounds and more information.


Look, if the government thinks their proposal has merit and should proceed through parliament, they should be prepared to actually justify the new powers. And they should do it with facts and not political puffery or straight BS. 


I will assume – at least for now – that the Minister of Public Safety is being honest when he acknowledges that the current bill is flawed and is willing to listen to feedback to make it acceptable:

“Um, it is not a perfect piece of legislation. So, we are open to to uh to feedback from uh from our partners, from uh uh from civil liberties groups, from other uh entities that may have an interest um in this area. And we will work across party lines to make sure that we have consensus on on having a lawful access regime that is acceptable to Canadians.”

I’ll link below to my previous episodes where I discuss, in some depth, Part 14 and Part 15 of Bill C-2, in case you want the straight goods on what’s in the Bill. So far, nobody has accused me of making stuff up. 


My previous video on Part 14 of Bill C-2: https://youtu.be/wOgo4TuoJec

My previous video on Part 15 of Bill C-2: https://youtu.be/E1LV2fcD9Bs



Sunday, November 16, 2025

Online reviews and privacy claims: Lessons from RateMDs v Bleuler (BCCA)

 

Can a doctor claim a privacy violation because a website creates a profile for them using public information, hosts anonymous reviews, and ranks them against their peers?

The British Columbia Court of Appeal says no in RateMDs Inc. v. Bleuler, 2025 BCCA 329. Let’s walk through what happened — and what this means for privacy in Canada.

Let’s start with the background to this case.

RateMDs.com is a website where people can look up health professionals, read and post reviews, and compare ratings. You’ve probably seen it — you search for a physician, and you get their name, their contact information, their ratings, and often a long list of anonymous comments.

Dr. Ramona Bleuler, a BC physician, discovered that RateMDs had created a profile for her. She didn’t ask for it. She didn’t consent to it. And she couldn’t remove it.

The platform listed her name, her professional contact information, a list of reviews from anonymous users and a comparative ranking of doctors in her specialty and geographic region.

RateMDs also offers paid subscriptions that allow physicians to hide a limited number of reviews. Dr. Bleuler wanted to start a class action on her own behalf and on behalf of other physicians in Canada who had listings on RateMDs. 

Class actions – at least in Canada – have specific procedures, which require that the class action be certified before it can go ahead. There are a number of things the court must look at pursuant to the Class Proceedings Act, but the most important question for our analysis here is whether the pleadings disclose a cause of action. When you read the pleadings, and assume that the facts are true and provable, is there an actual legal claim there? This is a screening function to weed out any legal claims that are bound to fail, and the court is only supposed to examine the facts alleged in the statement of claim. 

This case principally turns on whether the legal claims made by the representative plaintiff are viable. 

So the plaintiff sued RateMDs and its parent company under the provincial Privacy Act. She said that by creating a profile for her, hosting reviews, and ranking her relative to her peers, RateMDs violated her privacy.

She wasn’t claiming that specific reviews contained private information. She wasn’t arguing defamation. Her claim was broader: she said the very act of aggregating, hosting, and ranking health professionals without their consent violated privacy law. In particular, the plaintiff was relying on the statutory privacy torts created by the legislatures of British Columbia, Saskatchewan, Manitoba and Newfoundland. The proposed class would be physicians who reside in those provinces. The plaintiff also tried to rely on Quebec’s privacy statute, but that part wasn’t allowed to proceed in the lower court. 

She relied on two sections of the British Columbia Privacy Act, and their equivalents in the other provinces.

First, section 1, which creates a tort — actionable without proof of damage — where a person ‘wilfully and without claim of right’ violates the privacy of another.

Violation of privacy actionable

1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.


Second, section 3(2), which prohibits the unauthorized use of someone’s name or portrait for the purpose of advertising or promoting the sale of goods or services.

Unauthorized use of name or portrait of another

3 (2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on the other's behalf, consents to the use for that purpose.


Her argument was that RateMDs is a commercial enterprise. The profiles draw traffic, the reviews attract users, and the rankings keep people engaged. Because this commercial model depends on using doctors’ names and contact information, she said this amounted to both a privacy violation and commercial exploitation of identity.

The BC Supreme Court agreed the case should go forward. The judge certified the class action. I have to emphasize that this was only based on the pleadings and the court was essentially saying that the claims looked viable, but that didn’t mean the plaintiffs would win at any eventual trial. 

But RateMDs appealed. And at the Court of Appeal, everything changed.

The Court of Appeal approached the case by asking the basic but crucial question: Even assuming all the facts in the claim are true, is there a viable cause of action under the privacy statutes?

Again, this is a threshold question in class action certification. You don’t look at evidence. You look at the pleadings. You ask whether the claim has a reasonable chance of success.

A claim can be novel — that’s okay. But if it’s doomed to fail, the court must strike it.

Here’s the heart of the Court of Appeal’s reasoning:

At least for the purposes of a civil claim, privacy starts with identifying private information. And the claim failed at this starting point.

The Court of Appeal said:

        A doctor’s name is not private.

        Professional business contact information is not private.

        Reviews written by patients about a doctor’s professional services are not private.

        Rankings based on those reviews are not private.

The Court emphasized that privacy law protects reasonable expectations of privacy. And when someone is carrying out professional, public-facing work, the threshold for privacy protection is different.

The Court relied on earlier BC cases — including Niemela v. Malamas — which held that complaints about how a lawyer performs their work do not attract a reasonable expectation of privacy. Professional reputation is not the same thing as privacy.

The doctor tried to frame her privacy right as a right to control how information about her was used. But the Court said: control only exists if there’s a privacy interest in the underlying information. If the information is not private, there is nothing to control. Or at least privacy torts don’t leap in to give you that control. 

For privacy lawyers, this is an important clarification: The BC Privacy Act protects privacy, not reputation, and not personal preference about the use of publicly available professional information.

The Court concluded that because there was no reasonable expectation of privacy in the information posted on RateMDs, the privacy claim under section 1 was bound to fail.

The Court also noted an important distinction: This case wasn’t about whether any particular review contained sensitive information. The plaintiff expressly disclaimed that argument. She said the content didn’t matter — only the existence of the profile and the ranking system did.

The Court said that privacy law doesn’t work that way. You can’t claim a violation based on a website compiling publicly available information unless there’s some private content involved.

So the broad theory — that creating a profile and ranking professionals without their consent is itself a privacy violation — was rejected. There would have to be something more … and in this case, there was not.

The BC Supreme Court judge had relied in part on the rules governing how health professionals can advertise. For example, doctors can’t use testimonials. They can’t compare themselves to colleagues. The judge below thought this regulatory context created a privacy interest.

The Court of Appeal disagreed.

Those rules regulate doctors. They do not regulate third-party websites. They do not create privacy rights. And they do not convert publicly available information into private information. The Court of Appeal wrote at paragraph 98: “However, the interest of provincial regulators in restricting advertising by health professionals has no obvious connection to the respondent’s asserted privacy interest. The regulatory concern is to protect the public, not to protect the privacy of health professionals. That regulatory interest has nothing to do with the plaintiff’s reasonable expectation of privacy.”

So the regulatory framework could not be used to manufacture a privacy interest where none otherwise existed.

Next, the Court examined the claim under section 3(2) — unauthorized use of name or portrait for advertising.

This is the ‘misappropriation of personality’ tort. It typically covers: (a) using someone’s name or image in an ad, (b) using a person’s likeness to promote goods or services or (c) endorsements without consent.

RateMDs wasn’t using doctors’ identities to advertise or sell anything in the sense required by the statute. It was running a platform where reviews are posted and accessed. Running a commercial website that uses names in this manner doesn’t cut it. That’s not the kind of commercial exploitation section 3(2) is meant to capture.

So the Court of Appeal found that the claim under section 3(2) was also doomed to fail.

With both privacy causes of action rejected at the threshold stage, the Court of Appeal allowed the appeal, set aside the certification order and dismissed the action entirely. This was a complete win for RateMDs.

What are the broader implications?

First, the Court drew a clear boundary around privacy law: You can’t use privacy torts to challenge the existence of a professional review platform.

Second, the decision reinforces that privacy torts require a reasonable expectation of privacy in identifiable, specific information. That expectation must be grounded in: (a) the nature of the information, (b) the specific context, and (c) established privacy norms.

Third, platforms that rely on publicly available, professional information to generate profiles or rankings are, at least under BC’s statute and its equivalents, unlikely to face successful privacy claims — unless they publish actually private or sensitive data.

Fourth, the Court left open — deliberately — that if a review leaks confidential information or medical information, that could be a privacy violation. But that’s not what this case was about.

Finally, this is a reminder that privacy law is not a catch-all remedy for online reputational harm. Other legal avenues may exist such as defamation — but the privacy tort has a defined scope.

A last thing to note, which is important, is that this decision was made in the context of privacy torts – civil claims for invasion of privacy or use of image and likeness. Under our more general privacy statutes, such as the Personal Information Protection and Electronic Documents Act, whether information is “personal information” – and thus whether the statute applies to it – does not depend on whether the information is “private” or on the “confidentiality” of the information.

A person’s name is subject to those laws, but may simply be less “sensitive”. Though a lot of the same principles may be in play, one should always be cautious about assuming that what a court says in the tort context will apply directly to our commercial privacy laws.

Sunday, November 09, 2025

Nova Scotia's new Freedom of Information and Protection of Privacy Act (Bill 150)



In just the past month, kind of unexpectedly, the Nova Scotia government introduced and passed a new public sector privacy and access to information law that completely replaces the existing Freedom of Information and Protection of Privacy Act (known here as “FOIPOP”) with a new law that will come into effect in April of 2027.

This isn’t completely out of the blue because the Nova Scotia government has been “reviewing” FOIPOP since 2022, but unlike in most provinces it has been “behind the scenes”. Unlike other provinces, which have public consultations, Nova Scotia’s consultation on transparency was behind closed doors.


I wrote to the then Minister of Justice seeking to participate on behalf of the Nova Scotia branch of the Canadian Bar Association’s Privacy And Access Law Section. The CBA was never invited to chat. I wonder who else commented. We were told that the results of this review would be made public, but they never were. All we got was Bill 150, dropped in the legislature on September 26 and passed on October 3. There was no real opportunity given for privacy and access to information experts to appear in committee with their comments. 


In this episode, I’m going to do a relatively high-level overview of what’s changing with the new FOIPOP that will come into effect in 2027. There’s some good, some bad and some changes that I’m indifferent to. I hope I can provide a relatively unbiased view of it, given that I do legal work for applicants who are seeking access to records, for public bodies who have to comply with the law and third parties whose records held by public bodies are sometimes the subject of access requests. 


There’s a big change to the purposes clause of the law. The original FOIPOP was relatively unique among access to information laws in Canada in that it clearly had as its intent full transparency, accountability and access – as fundamental to how democracy should work. 


The purpose clause in the current act includes:


2. The purpose of this Act is …


(b) to provide for the disclosure of all government information with necessary exemptions, that are limited and specific, in order to

(i) facilitate informed public participation in policy formulation,

(ii) ensure fairness in government decision-making,

(iii) permit the airing and reconciliation of divergent views;


That part is gone. Just removed. The leader of the opposition made a motion to have it returned, but the motion was defeated.


That’s too bad. The purpose clause is important in how regulators and courts approach the law, and future governments will be able to say it was removed for a reason and that should influence how it is interpreted. That’s a real step backward. 


As I said, the new Act fully repeals and replaces the earlier statute. It restructures the entire Act into clear Parts (e.g., Part I – Freedom of Information; Part II – Protection of Privacy; Part III – Reviews and Appeals; Part IV - Information and Privacy Commissioner), and has a number of standardized definitions for consistent terminology (like “access request,” “correction request,” etc.), and procedural timelines are now measured in business days rather than calendar days. This will draw out access requests. Previously, the public body had thirty days; now it’s thirty business days. That’s thirty-five percent longer. Easier on the public body, to be sure, but it will mean it takes longer to get requested information from public bodies.


An important change in the new FOIPOP is that it will include municipalities. The Commissioner's jurisdiction is significantly expanded through the consolidation of provincial and municipal regulation. Specifically, the new Act repeals Part XX of the Municipal Government Act and integrates municipalities and municipal bodies into the general FOIPOP framework. Part XX of the MGA was generally a mirror of FOIPOP, but with some significant differences. Bringing municipalities into FOIPOP means the Commissioner now has explicit and uniform jurisdiction to conduct reviews and investigations involving municipal units. The Review Officer's previous roles in handling appeals related to access and correction requests are maintained, but the new Act formalizes two new categories of complaint investigation called Privacy Reviews. These reviews can be initiated by individuals who believe their personal information was collected, used, or disclosed in contravention of the Act, or proactively by the Commissioner if there are reasonable grounds to suspect a contravention.


One of the most important changes is that the former “review officer” is now the Information and Privacy Commissioner of Nova Scotia, and will be an officer of the Nova Scotia House of Assembly. While still appointed by the Governor-in-Council, this position is much more independent of government than under the present Act. A big miss, at least as far as critics are concerned, is that the Commissioner does not have the ability to issue binding orders on public bodies. That position still just issues recommendations, and it’s up to applicants to go to court to get orders.

The 2027 Act introduces or revises numerous definitions, including “Personal information” which now explicitly includes IP addresses, biometric data, and genetic characteristics, while excluding business contact information.


In the part of the Act related to the right of access to public body records, changes clarify that the right of access extends to records in custody or control of a public body, but not to duplicates or exact copies. It says that where part of a record can be withheld and can reasonably be severed, access must be provided to the remainder of the record.


Not surprisingly, the amendments made earlier this year related to frivolous, vexatious and unduly repetitive requests have been continued in the new FOIPOP. The Commissioner must approve a request from a public body to disregard a request, with defined criteria and 14-business-day timelines for both application and decision. It does provide applicants with a right to appeal to the Supreme Court of Nova Scotia if their request is disregarded.


Almost all the timelines in FOIPOP have been extended. All procedural periods are now in business days (such as giving a public body 30 business days to respond to an access request). It also introduces an explicit suspension of time calculations while fees are being negotiated or reviews are underway (s. 20).

The government gets to set a standard application fee pursuant to the regulations, and also sets service-based fees but exempts requests for one’s own personal information and provides 3 free hours of work time. Public bodies can charge additional fees if the request will take more than three hours. When presented with a fee estimate, applicants may narrow their requests accordingly. Once the request is being processed, a public body can provide a “revised fee estimate”, and the applicant can either accept it or revise their request. Fee estimates and revised fee estimates can be referred to the Commissioner.


There remains a possibility for fee waivers where disclosure serves a public interest (e.g., environment, public health, or safety), or if the applicant can’t afford to pay the fee.


One thing that is interesting and progressive: The new FOIPOP specifically says that public bodies must provide electronic records in “an electronic form that is capable of re-use”. This is positive. If the record is an Excel spreadsheet, the spreadsheet itself should be provided and not just a photocopy of the spreadsheet. (There are few things as useless and opaque as a print-out of an Excel spreadsheet full of formulas.)

There are a number of changes that will restrict public and journalistic access to records. The first is an expansion of the definition of “legal privilege” to specifically include settlement privilege. And at section 86(2), the Information and Privacy Commissioner will not be able to inspect a record that is alleged to be privileged to determine if it actually is privileged. Only the Court can do that, and the process to get there can be set out in the regulations.


The second major restriction on the right to know is essentially excluding any right of access to any record that is defined as an “Executive Council record”, going well beyond what was traditionally “cabinet confidences.” To make it worse, in section 32(2), a head of a public body is prohibited from disclosing Executive Council records. There’s no discretion. 


The new Act expands the privacy sections substantially and in a good way, but most of the details will have to wait until we get to see the regulations.

Every public body will have to have a privacy policy and has to publicly disclose its internal privacy-complaint process.


Once the Act comes into effect, every public body will have to carry out a privacy assessment for any new or substantially changed “project, program, system or other activity involving the collection, use or disclosure of personal information”. The details for what must be in a privacy assessment will be determined in regulations. 


The new Act defines “Data-linking” programs – where two or more data sets are combined, either temporarily or permanently – and requires them to be carried out only in accordance with the yet-to-be-seen regulations.


There are some tweaks to the rules that permit a public body to collect, use or disclose personal information. These public sector privacy laws are generally not based on consent so these rules set the guardrails for public bodies. There are new rules related to inter-agency data sharing, research, and public-interest exceptions.

There’s a new explicit authorization for disclosure to protect individuals from intimate-partner violence or human trafficking.

The new Act introduces obligations to contain, assess, and notify affected individuals and the Commissioner of privacy breaches that pose a real risk of significant harm — aligning Nova Scotia with federal PIPEDA and other provincial models.


There is a weird new provision in s. 79 that authorizes a public body to go to court if “personal information in the custody or under the control of a public body has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act”. They can get an order to return or destroy the personal information, or any other order the court considers appropriate to protect the personal information.


If you’ve been reading or watching my stuff, you may recall that in 2020, the Government of Nova Scotia went to court to try to identify people who may have read unredacted Workers Compensation Appeal Tribunal decisions that were mistakenly given to the Canadian Legal Information Institute, known as CanLII, and they were posted online. I was one of the people they identified, and I was contacted by the government as part of their damage control. (Here's a video I did on that on my YouTube channel: https://youtu.be/XETVLvkksj0.)


There’s also an interesting, quirky new section that essentially says that a public body is deemed to have not “collected” personal information if it does not relate to a program or activity of the public body, and they either delete it, return it or transfer it to another public body or federal government institution if it’s relevant to the other public body or institution’s programs or activities. 


Individuals still have a right to access their own information, and public bodies have an obligation to retain any information that has been used to make a decision directly affecting an individual for at least one year so the individual can exercise their access right. And also in such circumstances, the public body has to make every reasonable effort to make sure the information is accurate and complete.


While the former Privacy Review Officer Act existed separately, the new Act integrates and strengthens the privacy review powers directly within the consolidated statute, giving the Commissioner an explicit mandate to conduct Privacy Reviews. This authority can be used to investigate complaints that personal information has been improperly collected, used, or disclosed, and allows the Commissioner to proactively initiate an investigation if they have reasonable grounds to believe a contravention has occurred.


Finally, on the privacy side, the new FOIPOP revokes and replaces the Personal Information International Disclosure Protection Act or PIIDPA. That law generally prohibits a public body from allowing personal information to be stored outside of Canada or to be accessed from outside of Canada, subject to some exceptions. Under the new FOIPOP, a public body will only be allowed to store or permit access from outside of Canada in accordance with specific regulations, which we haven’t seen yet.

While the new independent Information and Privacy Commissioner is not granted the ability to issue orders or levy penalties in connection with access, correction or privacy reviews, the Commissioner does have broad powers in connection with carrying out such a review. The Commissioner can summon witnesses and compel records (other than records that are claimed to be privileged). The Commissioner can initiate a privacy review without a complaint or request if the “Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene this Part”.


The Commissioner also has an important role to play in requests that a public body thinks are trivial, frivolous, vexatious or abusive. The public body has to seek the approval of the Commissioner to disregard such requests, which is an important check to prevent the overuse of these new provisions.

Individual complainants, exercising access, correction and privacy rights, still have recourse to the Supreme Court of Nova Scotia. In most cases, that will be following a review by the Information and Privacy Commissioner, but individuals do have the right to skip the Commissioner and go straight to the Supreme Court of Nova Scotia. Once you’re in the Court, it is what’s called a “de novo” proceeding meaning that the Court will determine the matter from the very beginning. And the court can issue binding orders.


Finally, the new FOIPOP expands the number and kind of offences that can result in charges and prosecution: this includes (a) willfully collecting, using or disclosing personal information in contravention of the Act, (b) willfully attempting to gain access to personal information in violation of the Act, (c) obstructing the Commissioner and (d) destroying, altering or falsifying a record to evade a request for access to records.


So this represents a significant change to the privacy and access to information landscape in Nova Scotia. It repeals the old Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act, the Personal Information International Disclosure Protection Act and Part XX of the Municipal Government Act, replacing all of them with a new Freedom of Information and Protection of Privacy Act. As I said, it comes into effect in April 2027. 


This has been a relatively high-level overview of the new Act. Each time I read it, I find something new. I would encourage folks in Nova Scotia who have an interest in access to information and privacy to review the legislation, and let the government know if it raises any concerns. Though the process to get here has been the opposite of transparent, there is an opportunity before April 2027 to amend it before it comes fully into effect.