Tuesday, July 28, 2015

Privacy breach class action certified against Government of Canada for medical marijuana breach

In a decision issued on July 27, 2015 but not yet published (but available here as a PDF), the Federal Court of Canada has certified a class action against the Government of Canada for disclosing the personal health information of participants in the "Marihuana Medical Access Program" in a botched mailout that was intended to advise program participants about changes to the regulation, which ironically where said to protect privacy and safety.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error and that it was outside their normal practice, its reaction has consistently been "no harm, no foul".

What's most notable about this decision -- which is consistent with the recent decision in Condon v. Canada -- is that the court certified the plaintiffs' claim under the novel tort of "public disclosure of private facts". This tort is recognized in the United States, but is untested in Canada. It is a part of the four different privacy torts recognized by the Ontario Court of Appeal in Jones v. Tsige.

In March 2015, the Privacy Commissioner of Canada found that Health Canada's breach was a violation of the Privacy Act. At the certification hearing, the Government of Canada argued that the Privacy Commissioner's finding should be enough to satisfy everyone harmed by the breach, but the Court noted that the Commissioner can't award any of the damages sought by the plaintiffs.

Full disclosure: My firm is one of the firms representing the plaintiffs.

From the firms' media release:

Federal Court certifies privacy class action by Medical Marijuana patients against Health Canada


FOR IMMEDIATE RELEASE - July 28, 2015

The Federal Court of Canada has certified a class action commenced on behalf of more than 40,000 medical marijuana licensees alleging that Health Canada violated their privacy.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error, it insists that no one was harmed by the breach.

In March 2015, the Office of the Privacy Commissioner of Canada concluded that Health Canada violated federal privacy laws. However, in the recent certification decision, the Court found that the class action is necessary to provide access to justice because the Privacy Commissioner cannot order the Government of Canada to compensate class members harmed by the breach. The Government has 30 days to appeal the certification decision.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing the plaintiffs in the medical marijuana privacy breach class action filed in the Federal Court against the Government of Canada. The plaintiffs seek damages for breach of contract, breach of confidence, invasion of privacy and Charter violations.

“We are very glad to see this case moving forward. The certification decision means that the Court has agreed that this is an appropriate case for a class action and that allowing all of the class members to proceed in a group is in the interests of justice,” said Ward Branch of Branch MacMaster LLP. “The Government of Canada has fought us at every turn, but have also lost each motion to date. We are hopeful that they will now see the wisdom of sitting down to resolve the issues created by this error.”

“This is not over yet, but the thousands of affected program members should take some comfort that every legal claim we advanced on their behalf has been approved to go forward,” said David Fraser of McInnes Cooper.

“As citizens of this great country, we rely on our government to protect our sensitive personal information from being disclosed and to protect our privacy during all communications. This decision sends a clear message to the government that our Courts consider privacy to be of the utmost importance and expect our government to take its privacy obligations seriously or face the consequences,” said Ted Charney of Charney Lawyers.

“Over one thousand people have registered on our secure website to tell us how the breach affected them. We will continue to pursue justice for those harmed by the breach,” said David Robins of Sutts, Strosberg LLP.

While it is not necessary to “opt in” to participate in the class action, class members are urged to visit the www.marijuanaclassaction.com website to obtain updates and to register because the information collected on the secured site will assist class counsel in communicating with class members and moving the case forward. Those who have already registered do not need to re-register but should update their information if their circumstances change or to report further harm suffered from the breach.

- 30 -

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

For more information or to request an interview, please contact:

Ashley LeCroy
Manager, Marketing & Communications
902.457.5667
media@mcinnescooper.com

For more background, check out these previous posts.

Friday, July 17, 2015

Supreme Court to hear PIPEDA case that left lender out in the cold

The Supreme Court of Canada has granted leave to appeal from the Ontario Court of Appeal decision in Royal Bank of Canada v. Trang, 2014 ONCA 883. This is and will be an important decision about how to deal with certain provisions of the federal privacy law that have an impact on lenders.

On December 9, 2014, the Ontario Court of Appeal decided that the Personal Information Protection and Electronic Documents Act (PIPEDA) prevents a mortgagee from disclosing the mortgagor’s discharge statement to another lender – even when that lender has a judgement against the mortgagor – without either the mortgagor’s express consent or a specific court order. The decision is relevant beyond Ontario because PIPEDA is federal legislation applicable across Canada, and Atlantic Canadian Provinces have legislation analogous to the Ontario legislation.

Scotiabank held a registered first mortgage on the Trang’s Toronto real property. RBC subsequently loaned the Trangs money. They defaulted and RBC obtained a judgment against them. Twice, the Trangs did not appear for their examination in aid of execution. RBC asked Scotiabank for a mortgage discharge statement to facilitate sale of the property. Scotiabank said PIPEDA precludes it from disclosing the statement without the Trangs’ consent. RBC asked the Ontario court for an order compelling Scotiabank to produce the mortgage discharge statement – but a split five-judge panel of the Ontario Court of Appeal refused. The Court did note that RBC could use the usual procedural tools to examine a representative of Scotiabank, though it is unclear to me whether that would result in the discharge statement.

The majority of the Court found that a mortgage discharge statement is personal information, and there was no implied consent on the part of the borrowers to have it disclosed in the circumstances.

It'll be interesting to see where the Supreme Court of Canada falls on this issue.

Wednesday, July 08, 2015

Court of Appeal finds negligence and breach of confidence claims should go forward in privacy class action against the Federal Government

The Federal Court of Appeal in Condon v Canada, 2015 FCA 159 (not yet available on CanLII but here as a Google Drive PDF), has reversed a lower court decision to not certify claims of negligence and breach of confidence in the class action lawsuit that followed the Federal Government's loss of a hard drive containing personal information about 583,000 Canada Student Loan recipients.

The plaintiffs, in Condon v Canada, 2014 FC 250, sought certification under a number of causes of action, including breach of contract, intrusion upon seclusion (invasion of privacy), negligence and breach of confidence. Breach of contract and intrusion upon seclusion do not require damages for an individual to recover, and both of these causes of action were certified. Those that do require damages to succeed, negligence and breach of confidence, were not successful at the certification motion.

The Court of Appeal noted that the proper test for certification is only to review the pleadings and to not inquire into the evidence. Since the plaintiffs had pleaded damages, that should be determinative:

[13] As stated by the Supreme Court, the determination of whether the pleadings disclose a reasonable cause of action is to be based on the assumption that the facts as pleaded are true. This would mean that evidence is not to be submitted at the hearing of the motion. Otherwise, the hearing of the motion could turn into a full hearing on the merits.

[14] In this case, the parties submitted affidavit evidence. In paragraphs 68 and 69 of her reasons the Federal Court Judge noted that:

68 In addition, a summary review of the evidence adduced by both parties leads the Court to the conclusion that the Plaintiffs have not suffered any compensable damages. The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit reporting agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

69 Nor does the evidence adduced support a claim for increased risk of identity theft in the future. Since the Data Loss, Equifax has produced reports pertaining to the credit files of the 88,548 individuals who availed themselves of the Credit Flag service. These reports show that there had been no increase in the relevant indicia that would be consistent with an increase in criminal activities involving those individuals' Personal Information. The rate of criminal activities registered was not higher than the 3% of the population generally victim of identity theft. Moreover, the Plaintiffs submitted a CBC news article concerning a Class Member who had been a victim of identity theft yet the article noted no proven causal link between the Data Loss and that theft.

[15] It appears that the Federal Court Judge evaluated the evidence in concluding that the Appellants had not suffered any “compensable damages”. The determination of whether the Appellants had a reasonable cause of action in negligence or breach of confidence should have been made based on the facts as pled, not on the evidence adduced in support of the motion.

[22] Reading the Consolidated Statement of Claim with this principle in mind, the Appellants have claimed that they have suffered damages and they have identified the nature of the damages that they are claiming. In particular, the Appellants have claimed special damages for “costs incurred in preventing identity theft” and “out-of-pocket expenses” and, as noted above, it is to be assumed that these costs have been incurred. As a result there was no basis to not include the claims for negligence and breach of confidence as part of the class proceeding.

The Federal Court of Appeal has sent the matter back to the trial level for determination, including the claims for negligence and breach of confidence and to determine the common questions in the class proceeding in relation to those claims.

Canadian government issues "transparency reporting guidelines"

The Canadian federal government has released "Transparency Reporting Guidelines", to provide companies with guidance on reporting law enforcement and national security requests for customer information. Surprisingly, the guidance came from Industry Canada and not Public Safety Canada or the Department of Justice.

What is particularly notable is that the government is strongly advocating for "banding", so it says that companies should not report exact numbers where they are between 1 and 100. Companies who wish to be transparent (which should be all companies) should know that these are guidelines only and there is no basis in law that I am aware of (absent a term in a particular court order) that requires this banding or aggregation.

B. Limitations

When reporting statistics by each of the categories listed in Part A, organizations should respect the following limitations, in order to protect the work of law enforcement, national security, and regulatory agencies

1. As presented in the sample chart below, figures between 0 and 100 should be represented in a band of '0-100' when any figure in column A (Number of Requests) or Column B (Number of Disclosures) is less than 100. In such cases the banding of figures should apply to all columns for that data type whose figure is between 0-100. Any figure over 100 may be represented by its actual number. This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

2. Figures should be aggregated to reflect Canada-wide statistics, and should not differentiate between law enforcement, national security, and regulatory agencies (i.e. there should be no breakdown by geography or specific agency). Moreover, these figures should also be aggregated such that service type and its associated network technology are not distinguishable (i.e. cellular voice services should not be subdivided and reported according to 2G, 3G or 4G/LTE network type, etc.). This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

3. There should be a six month delay in reporting timeframe. For example, if a report covers the period January 1 to December 31, 2014, it should not be released before July 1, 2015. This is to ensure that most active investigations have no possibility of being compromised.

The limitation provisions will ensure that transparency reporting does not impair or compromise national security or criminal investigations, and the safety and security of Canada and its citizens.

These provisions are dynamic and may be subject to change based on sensitive Canadian government operations that necessitate additional or other safeguards, or to keep pace with suspected criminal and unlawful activities that use telecommunications services and related technologies.

Personally, I think that companies should separately report ordinary criminal law enforcement requests and national security requests.

As an aside, I wonder if this means we'll get transparency reporting from Bell Canada, which is the only major Canadian telco to not provide such reporting.

Thursday, June 18, 2015

Digital Privacy Act (Bill S-4) now (partially) in force

Bill S-4, the Digital Privacy Act, which amends PIPEDA, has mostly been proclaimed into force by royal assent.

Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.

See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.

New Law to Protect the Personal Information of Canadians Online

Government of Canada's Digital Privacy Act comes into force

June 18, 2015 — Ottawa — Industry Canada

As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.

Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.

Under the Digital Privacy Act:

  • Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
  • Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
    Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
  • The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
Quick facts
  • Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
  • All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.
Quotes

"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry

"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada


Friday, May 01, 2015

In the absence of actual harm, privacy cases are hardly worth pursuing

Continuing the theme of "don't bother unless you have actual losses ..."

In Albayate v. Bank of Montreal, 2015 BCSC 695, the plaintiff claimed against her bank for wrongly changing the address on their records and thus exposing her financial info to her former spouse. In short, the court found the bank mistakenly changed her address but the husband did not read her statement. He did not use them to her detriment. The bank apologized. End of story.

Her damages were assessed at a nominal $2000.

Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist http://t.co/yENHoUsxnx


from Twitter http://ift.tt/1b1ze0I

Tuesday, April 28, 2015

Ontario school bus association says Toronto crash records should be public | Toronto Star http://t.co/wusm5KScjj


from Twitter http://ift.tt/1b1ze0I

RT @ricochet_en: This Friday! Privacy “Ask me anything” session on Reddit with @BCCLA, @cqwww, @PrivacyCDN and other Cdn experts: https://t.co/LY6JBFpbOX


from Twitter http://ift.tt/1b1ze0I

RT @anitahovey: Cyber Liability Issues for SMB Lunch & Learn w @HR_Pros @OTCInsurance @PrivacyLawyer May 26 http://t.co/evamRAgVbu http://t.co/AGpsI8aJRB


from Twitter http://ift.tt/1b1ze0I