Saturday, September 22, 2018

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

Thursday, April 26, 2018

AtlSecCon Presentation: Canada's new data breach notification regime

I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.

Friday, March 16, 2018

Presentation: Privacy and privilege at the Canadian border

The Canadian Bar Association's British Columbia Privacy and Access Law Section and the Immigration Section kindly invited me to Vancouver this past week to give a presentation on the topic of privacy and privilege at the border. Much of this was based on my advocacy work with the CBA in presenting on the topic to the Parliamentary Standing Committee on Privacy, Access to Information and Ethics and pro bono work for the Canadian Civil Liberties Association as an amicus.

In case it's of interest, here's my presentation:



One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.

Friday, January 26, 2018

Privacy Commissioner thinks there's a right to be forgotten in Canada

The Office of the Privacy Commissioner of Canada just released a news release, another notice of consultation and a draft position paper on "online reputation".

Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".

I'm just digesting it all, but my preliminary view is that it is incorrect and constitutionally untenable. You can see my submission on the earlier consultation here: You'd better forget the right to be forgotten in Canada.

Here's the OPC's press release on this latest development:

Improvements needed to protect online reputation, Privacy Commissioner says

New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education

GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.

The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.

“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”

The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.

The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.

With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.

Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.

All of these considerations need to be balanced with other important values such as freedom of expression and public interest.

For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.

“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.

There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.

While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.

The report also emphasizes the importance of privacy education.

Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.

“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”

The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.

Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.

After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.

Friday, January 12, 2018

Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company

The British Columbia Court of Appeal has whipped the door open for the greater use of production orders requiring non-Canadian companies to provide user information. Here's the summary I prepared for my firm (also available here):

The Legal Reality: Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company in British Columbia (Attorney General) v. Brecknell

January 12, 2018

By David Fraser, at McInnes Cooper

Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:

The Legal Trend. The decision lines up with the Supreme Court of Canada’s increasing awareness of the Internet’s inherently global nature, willingness to take jurisdiction in cases that cross borders, and readiness to apply existing legal principles to online business – all as illustrated in the Court’s June 2017 decisions in Google Inc. v. Equustek Solutions Inc. and Douez v. Facebook, Inc. There’s every reason to believe this trend is here to stay – and foreign companies doing business in Canada, even if only virtually, should be prepared for the increased legal exposure it entails.

Broader Implications. The Court’s conclusion that the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s “presence” in Canada will have application to, for example, tax laws, remains to be seen.

More Production Orders & More Content. Non-Canadian companies will likely see more production orders from Canadian courts. Canadian courts will more willingly assume jurisdiction over companies where the only contacts with Canada are virtual (i.e. over the internet), and more readily available to police to obtain production orders against such companies – no matter where they are “physically” present. And this route is much preferred by police compared to proceeding under mutual legal assistance procedures. In addition to more Canadian production orders against internet companies, more of those orders will likely be for “content”, not just identifying information and metadata. And this decision will likely lead Canadian police to conclude that compliance is no longer a question of voluntariness: many internet companies “voluntarily” comply with Canadian orders for non-content data but require Mutual Legal Assistance Treaties (MLAT) processes for content such as email and other communications.

In 2016, the Royal Canadian Mounted Police (R.C.M.P.) applied to the B.C. Provincial Court for a production order requiring Craigslist to produce certain information about one of its users. In particular, R.C.M.P. sought the user’s name or physical address, its email address, the IP address assigned to the user when the post was created, the phone numbers used to verify the user account, the dates and times the post was created post and the record of the posting. The court refused on the basis Craigslist had only a “virtual presence in B.C.” The R.C.M.P. appealed and on January 9, 2018, the B.C. Court of Appeal agreed: Craigslist is “present” in the province of B.C. and police can obtain a production order naming it, even though it has no “physical” presence in Canada or an address in Canada to effect service:

Virtual Presence = Physical Presence. Under Canadian law, a Canadian court has jurisdiction where there is a “real and substantial connection” between Canada (or a Canadian province) and the activity in issue. There’s no “bright line” rule, but courts have consistently decided that actively doing business over the internet with residents of a particular Canadian province is enough to create that connection. This in turn gives the court jurisdiction over the specific subject matter and parties (a.k.a “in personam” jurisdiction), a proposition about which the Supreme Court of Canada most recently pronounced in its June 2017 decision in Google v. Equustek Solutions Inc. Here, the Court of Appeal interpreted the Criminal Code provisions as limiting courts’ ability to issue a production order “…only against a person in Canada”, making the question whether Craigslist – a U.S. company with no physical presence in Canada – is “a person in Canada” for this purpose. The Court concluded the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference (at para. 40):

“… [I]n the Internet era it is formalistic and artificial to draw a distinction between physical and virtual presence. Corporate persons … can exist in more than one place at the same time. … I do not think anything turns on whether the corporate person in the jurisdiction has a physical or only a virtual presence. To draw on and rely on such a distinction would defeat the purpose of the legislation and ignore the realities of modern day electronic commerce…”

The Test is Canadian Presence – not Canadian Possession. The Court was clear that the test for a production order is only the presence of the recipient – and not the information sought to be produced – in Canada. Once the Court of Appeal concluded Craigslist was “a person in Canada”, the test was met (at para. 39):

“In the first instance, the [Criminal Code] section, properly interpreted, stipulates only that the person subject to the order must be a person in the jurisdiction. In my view, Craigslist is such a person. Second, the person must be a person who has possession or control of a document. The section says nothing expressly about where that possession or control exists. Indeed, it may not even be sensible to pose the question in terms of the location of control. A person either does or does not have possession of a document. The question is one of control, not where the control is exercised. In this case, Craigslist has possession or control of the relevant records and the provision requires nothing further. In other words, there is nothing in the section that requires the person in the jurisdiction to be a custodian of the documents in the jurisdiction. In my view, it is sufficient that the person is present within the jurisdiction. I do not think that there is anything extraterritorial in such an interpretation. To conclude that Craigslist is a person within the jurisdiction who has possession or control of documents does not give the section an impermissibly extraterritorial interpretation.”

No Other Barriers. The Court of Appeal rejected the argument that a production order against a foreign company effectively intrudes into another country’s sovereignty, essentially deputizing a non-Canadian company to carry out a search in a foreign country that Canadian police could never carry out themselves. The Court concluded the weight of U.S. legal authority doesn’t treat subpoenas in this manner, noting it appears instead to recognize the U.S. validity of subpoenas directed to persons in the U.S. over whom there is personal jurisdiction to disclose documents in the U.S. even where they must be obtained from outside the U.S. The Court also considered – and rejected – the arguments that enforcement difficulties or the existence of Mutual Legal Assistance Treaties (MLAT) militate against the use of production orders in cases like this.

Saturday, December 02, 2017

Federal Court of Appeal: Past privacy consent does not prevent new means of handling and distributing personal information

The Federal Court of Appeal released its long-awaited decision in Toronto Real Estate Board v Commissioner of Competition on Friday, December 1, 2017. The decision is a statutory appeal and is the latest chapter in a very long saga in which the Competition Bureau has accused Canada's largest real estate board of acting in an anti-competitive manner to prevent new forms of competition in the real estate market.

The Canada Real Estate Board (CREA), and its members such as the Toronto Real Estate Board (TREB) own and operate the Canadian Multiple Listing Service (which is the backbone of realtor.ca). A lot of information about current properties on the market is available on the site and realtors have access to a much wider range of information, including historical sales and listing information that is essential to carrying out market analyses for buyers and sellers.

The main issue is that TREB has not permitted innovative forms of real estate sales, such as online, using this much richer information. And privacy was one of the reasons TREB pointed to in order to justify its practices:

[2] TREB maintains a database of information on current and previously available property listings in the GTA. TREB makes some of this information available to its members via an electronic data feed, which its members can then use to populate their websites. However, some data available in the database is not distributed via the data feed, and can only be viewed and distributed through more traditional channels. The Commissioner of Competition says this disadvantages innovative brokers who would prefer to establish virtual offices, resulting in a substantial prevention or lessening of competition in violation of subsection 79(1) of the Competition Act, R.S.C. 1985, c. C-34 (Competition Act). TREB says that the restrictions do not have the effect of substantially preventing or lessening competition. Furthermore, TREB claims the restrictions are due to privacy concerns and that its brokers’ clients have not consented to such disclosure of their information. TREB also claims a copyright interest in the database it has compiled, and that under subsection 79(5) of the Competition Act, the assertion of an intellectual property right cannot be an anti-competitive act.

Focusing on the privacy argument, TREB essentially argued that people who consented to having their information made available when they hired a realtor, really only consented to having it made available through traditional channels and not published online. The Tribunal below was of the view that TREB's privacy arguments were pretty flimsy and one gets the sense that it was really a pretext to justify their way of doing things.

[131] In considering privacy as a business justification under paragraph 79(1)(b), the Tribunal found that the “principal motivation in implementing the VOW Restrictions was to insulate its members from the disruptive competition that [motivated] Internet-based brokerages”. It concluded that there was little evidentiary support for the contention that the restrictions were motivated by privacy concerns of TREB’s clients. The Tribunal also found scant evidence that, in the development of the VOW Policy, the VOW committee had considered, been motivated by, or acted upon privacy considerations (TR at para. 321). The privacy concerns were “an afterthought and continue to be a pretext for TREB’s adoption and maintenance of the VOW Restrictions” (TR at para. 390).

TREB argued that nobody consented to having this information disseminated via the internet or "virtual office websites" (VOWs), so new consent would be required to do so. Absent new consent, this information cannot be disseminated online:

[160] While the Listing Agreement used by TREB provides consent to some uses of personal information, TREB asserts that had the Tribunal examined it more closely, it would have found that the Listing Agreement did not provide sufficiently specific wording to permit disclosure of personal information in the VOW data feed. Specifically, TREB contends that the consents do not permit the distribution of the data over the internet, and that is qualitatively different from the distribution of the same information by person, fax, or email.

The Commissioner argued that consent for PIPEDA purposes is to the "purposes" proposed for the collection, use and disclosure of personal information, and not the means by which it would be disseminated. The Court of Appeal agreed:

[164] The wording in the Listing Agreements from 2003 onwards is substantially similar to that quoted above. However, the phrase “during the term of the listing and thereafter” (underlined above), first appears in 2012. The Use and Distribution of Information clause in the Listing Agreement is broad and unrestricted. Sellers are informed that their data could be used for several purposes: for distribution in the database to market their house; to compile, retain, and publish statistics; for use as part of comparative market analysis; and any other use in connection with the listing, marketing, and selling of real estate. Nothing in the text implies the data would only be used during the time the listing is active. Indeed, the use of data for historical statistics of selling prices necessitates that the data will be kept. The Tribunal noted that TREB’s policies 102 and 103 add that, apart from inaccurate data, “[n]o other changes will be made in the historical data” (TR at para. 401). We note as well that clause 11 of the Listing Agreement allows for the property to be marketed “using any medium, including the internet”.

[165] PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet in the manner targeted by the VOW Policy−does not accord with the unequivocal language of the consent.

Why is this important? Because it is clear that though technology may shift and putting services online may change the extent of the distribution of information and the possible uses of the information by someone who accesses it, the key to obtaining consent is to clearly articulate the purposes of the collection. The stated purposes are what dictate how the information can be used, but do not dictate the means of dissemination.

Wednesday, November 15, 2017

Ontario Court of Appeal confirms online harassment conviction where threatening website was “about” the complainant but not a threat directed "to" the complainant

At a time when the courts and the rest of the justice system are grappling with how traditional Criminal Code offences and online misconduct intersect, the Ontario Court of Appeal has issued an important decision in R v. Sim on how criminal harassment can take place online. Often, police and others are stuck in an analog paradigm of traditional stalking and menacing.

In this case, the accused created an incredibly offensive website that was not directed at the complainant but was about her, and directed to a select audience that appears to have been intended to exclude her.

The accused used to work in the same building as the complainant lived. They became friends and when the accused showed a romantic interest in the complainant, the complainant made it clear that the feelings were not reciprocated. They went their separate ways, each married other people and started families. They communicated by email from time to time, apparently just to catch up on what the other was doing.

In the meantime, the accused created a Yahoo! Groups website that, according to a statement on the homepage, was dedicated to “the degradation and online spreading” of the complainant. He recruited at least 150 others to join the site. According to the Court:

[9] Sim posted extensive biographical details and photos of the complainant on the website. He authored false, degrading, vile, and grotesque sexualized commentary about her on the website’s messaging forum. He encouraged group members to post their own vile comments about the complainant, to author and share crude sexual fantasies involving her, and to alter photographs of her in a sexually degrading way and share those as well. …

The complainant became aware of the site in 2013 and, with the help of a friend, she created a username and password to get full access to the site.

The accused was charged with criminal harassment and publishing a defamatory libel. He was convicted of harassment and acquitted of defamatory libel. The accused appealed his conviction to the Ontario Court of Appeal, arguing that the necessary actus rea of harassment had been made out.

The accused had been convicted under paragraph 2(d) of section 264 of the Criminal Code:

(1) Criminal harassment – No person shall, without lawful authority and knowing that another person is harassed or recklessly as to whether the other person is harassed, engage in conduct referred to in subsection (2) that causes that other person reasonably, in all the circumstances, to fear for their safety or the safety of anyone known to them.

(2) Prohibited conduct – The conduct mentioned in subsection (1) consists of …

(d) engaging in threatening conduct directed at the other person or any member of their family.

The trial judge acknowledged that if “threatening conduct” required a subjective intention to threaten the complainant, the accused should be acquitted for lack of evidence. But the judge decided that there was no such requirement; rather the question is whether the conduct is objectively threatening.

In 2008, the Ontario Court of Appeal in R. v. Burns determined that an objective standard was required for the actus rea of criminal harassment under paragraph 2(d):

To establish harassment under s. 264(2)(d) of the Criminal Code, the Crown had to establish that the appellant engaged in “threatening conduct”. We accept the definition of threatening conduct given in R. v. George at para. 39 that, in order to meet the objectives of s. 264, the threatening conduct must amount to a “tool of intimidation which is designed to instill a sense of fear in the recipient”. The impugned conduct is to be viewed objectively, with due consideration for the circumstances in which they took place, and with regards to the effects those acts had on the recipient. [Citation omitted.]

With regard to the accused’s specific arguments, Laskin JA, on behalf of a unanimous Court, wrote:

[18] First, Sim’s submission is inconsistent with s. 264(1) of the Code and thus is contrary to Parliament’s express intent. Subsection 264(1) specifies that the mens rea component of criminal harassment can be met by an accused’s knowledge or recklessness. To suggest that the actus reus of threatening conduct requires a specific intent to instil fear is contrary to the plain language of s. 264(1).

[19] Second, as this court said in Burns, under s. 264(2)(d) the conduct in question must be viewed objectively. In other words, would the accused’s threatening conduct cause a reasonable person in the complainant’s situation to fear for her safety? The word “designed” does not require the Crown to prove the accused’s subjective intention. And, in assessing whether an accused’s conduct is threatening under s. 264(2)(d), a judge is not required to get into the accused’s mind.

[20] Instead, the word “designed” is meant to focus on the effect of the accused’s conduct on a reasonable person in the shoes of the target of the conduct. In Burns, this court clarified that the objective assessment must consider the circumstances in which the conduct took place, and the effects that the conduct actually had on the complainant. Although an accused's threatening conduct may not affect every target of that conduct, in every conceivable situation, it could well instill fear in a reasonable person in the complainant’s specific situation, particularly when the actual effects of the conduct on the complaint are considered. That is the case here. The trial judge did not err in finding that the Crown had established the actus reus of the offence.

While the site at issue was clearly about the complainant, there was no evidence that it was directed at the complainant in order to threaten her. This decision will hopefully reinforce the notion that the criminal harassment offence may be made out in cases where the accused creates “threatening” content about the victim, rather than directed to the victim.

[An earlier version of this case summary was written for the Canadian Technology Law Association’s newsletter.]

Wednesday, November 01, 2017

My suggestions to the NS Minister of Justice to facilitate access to justice under the new cyberbullying law

I have expressed some concerns about Nova Scotia's new Intimate Images and Cyber-protection Act, mainly related to barriers to access to the courts by the adoption of a regular procedure for applications in the Supreme Court of Nova Scotia. The new law allows the Minister of Justice to make regulations about the procedures for such applications. I hope the Minister of Justice makes regulations that will facilitate access to the courts while ensuring fairness for everyone. To that end, I sent the below letter to the Minister today:

Dear Minister Furey:

RE: Bill 27, the Intimate Images and Cyber-protection Act

As you know, the Nova Scotia legislature recently passed Bill 27, the Intimate Images and Cyber-protection Act. The Act sets out a mechanism by which victims of cyberbullying and the non-consensual distribution of intimate images may seek an application for relief and damages in the Supreme Court of Nova Scotia.

I am writing in my personal capacity, and not on behalf of my firm or any of its clients.

I have expressed some concerns about the Act, to your department’s officials, through public commentary and in a written submission to the Law Amendments Committee. My main concern related to access to justice, given the cost and complexity that is inherent in applications in the Supreme Court of Nova Scotia under Rule 5 of the Civil Procedure Rules. Of course, these proceedings are simpler than Actions brought under Rule 4, but I expect that process will still be daunting, particularly for self-represented individuals or younger persons. It would be tragic if such complexity were the deter victims from seeking justice. I am also concerned about the administration of the courts, which I understand is challenged by self-represented litigants handling their own complex proceedings without the benefit of legal counsel. Given the fallout from R v Jordan, 2016 SCC 27, this concern is particularly acute.

The reason for my letter is to suggest that you exercise your authority as Minister to make regulations that, among other things, address procedures for applications. From the Act:

15 (1) The Minister may make regulations

(a) respecting forms and procedures for hearing an application under Section 5, including an application to extend, vary or terminate an order; and ….


If I may suggest some characteristics of these proceedings that you may wish to specifically consider:

  • The default timelines for applications should be abbreviated. It is my experience that victims of cyberbullying want the behaviour to stop or want their intimate images removed as quickly as possible.

  • Perhaps a specific form for the application can be prescribed, similar to the form currently used for peace bond applications in the Nova Scotia Provincial Court.

  • It is important for victims to be specifically “heard” and be given the opportunity to tell their story to the Court. Relying exclusively on affidavit evidence with only cross-examination in Court may not be appropriate for these proceedings, though it remains important that the respondent know and understand the specific allegations in advance.

  • The Civil Procedure Rules currently require a written brief, which is likely daunting for a victim to consider.

  • The Act prescribes circumstances where an applicant is entitled to a publication ban. I am afraid that without clear guidance, victims may be confused about the effect of including their full name in the style of cause for an application. Perhaps all applications can be sealed by the Court for a few business days until a Judge or the Prothonotary has determined whether a publication ban is being sought?

  • The Act also permits applications to seek information to identify an unknown respondent. A clear path, on an expedited basis, for seeking an ex parte order for the identification of an unknown respondent would be helpful.

  • Given that the Act addresses intimate images in which the victim has had and continues to have a privacy interest (some of which may include child pornography or voyeurism images), a streamlined procedure by which evidence can be sealed would be desirable.

I know we both share a common desire to make sure that this Act is effective in protecting victims. I hope that regulations along the lines set out above will make sure that legal remedies are within reach of victims.

If I can be of assistance with this process, please let me know.

Friday, October 20, 2017

CRTC finds CASL to be constitutional in CompuFinder challenge

On October 19, 2017, the CRTC issued its decision in a constitutional challenge to CASL brought by CompuFinder. You may recall that in 2015, the CRTC levied the largest penalty to date -- $1.1 million -- against CompuFinder. (My previous blog post.) The company challenged the constitutionality of the legislation, primarily on the grounds that it is ultra vires federal jurisdiction (outside of powers granted to the federal parliament under the constitution) and that it violated s. 2(b) of the Charter and could not be saved by s. 1.

For the non-lawyers out there, a law can violate Charter rights but can still be upheld if the infringement is justifiable using s. 1:

1. The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

The framework for s. 1 analysis set by the Supreme Court requires all of the following to be met for a limitation on a constitutionally-guaranteed right to be upheld:

1. The limit must be prescribed by law

2. There must be a pressing and substantial objective

3. The means must be proportional
a. The means must be rationally connected to the objective

b. There must be minimal impairment of rights

c. There must be proportionality between the infringement and objective

In my personal view, the decision is incorrect in a number of ways. I think the Commission suffered the same issue that plagues much of the discussion of CASL: the use of the word "spam" in its colloquial sense when the focus really needs to be on what the law really regulates: commercial electronic messages. It is comparing apples to oranges, and statistics like "spam is down in Canada" is only slightly useful in the discussion.

I think the Commission was dramatically wrong in finding that there was a minimal impairment of constitutional rights. This generally asks whether the restriction unduly limits speech or expression that is outside of the scope of the "pressing and substantial objective."

In its decision (Compliance and Enforcement Decision CRTC 2017-367 | CRTC), the CRTC agreed with the government regarding the law's objective:

108. The government’s objective in enacting CASL is revealed within the title of the Act: “to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities….”

109. The Act is clearly focused on e-commerce in Canada as a whole. This is expanded on in the objective clause of the Act (section 3).

110. In the Commission’s view, it is clear that the government’s objective is pressing and substantial. The factual evidence put forward by the Attorney General is detailed and convincingly supports this conclusion. There is an abundance of literature, analyses, reports, and statistical evidence that demonstrate the existence of spam and other electronic threats, the impact that they have on Canadian businesses and consumers, and how countries around the world have been compelled to introduce legislation to address these threats.


Note again the use of the word "spam". The law regulates and generally prohibits "commercial electronic message" and its main defect -- in my view -- is that it goes after "spam" by limiting legitimate expression that is not "spam" and that has little if anything to do with harming confidence in electronic commerce.

However, the Commission did not follow CompuFinder's argument that the law is not minimally impairing.

152. CompuFinder’s argument at this stage is essentially that CASL’s CEM prohibition regime is overbroad, capturing more forms of expression than are necessary to achieve the statute’s purpose.

153. The Attorney General did not directly respond to each specific allegation of the law’s overreach. Instead, its main response to the overbreadth arguments raised by CompuFinder is that the Act does not impose a total ban on the sending of CEMs. Persons wishing to send commercial messages are not barred from using the Internet or email to advertise. In addition, the exceptions and exemptions to the general prohibition contained in section 6 of CASL act as levers that further limit the infringement of freedom of expression.

154. The Commission notes that, as indicated by the Supreme Court in JTI-Macdonald Corp., when interpreting these exceptions and exemptions, specific words should not be considered in isolation; rather, the interpretation must be guided by Parliament’s objective and its global intention sought.

155. In the case of CASL, Parliament’s concern was to combat a multitude of electronic threats that could have deleterious effects on Canada’s e-economy, Canadian businesses, and Canadian Internet users. In pursuing its objectives, Parliament has deliberately narrowed, and empowered the Governor in Council to make regulations narrowing, the applicability of the Act to certain commercial activities (as defined in subsection 1(1) of the Act), and enacted a long series of exceptions, exclusions, and limitations to the application of prohibitions on the sending of CEMs.

156. Examples of these exceptions can be found in subsections 6(5) and 6(6) of CASL and in the provisions regarding excluded messages in section 3 of the Governor in Council regulations. As a result of these and other exceptions and exemptions, the prohibition in section 6 of CASL does not apply to numerous types of CEMs, including those sent by or on behalf of an individual who has a personal or family relationship with the recipient, those consisting of an inquiry relating to a commercial activity engaged in by the recipient, certain notice-giving or transactional messages, and certain intra-organizational and inter-organizational messages.

157. Further, given that, in cases of ambiguity, claims of overbreadth may be resolved by appropriate interpretation, where the application of these exceptions and exclusions are potentially ambiguous, and such ambiguity could potentially lead to overbreadth of the provisions in question, they must be interpreted in the manner that would result in the least possible intrusion upon protected expression, while also respecting the intention of Parliament.

158. Accordingly, the Commission agrees with the Attorney General that the expression limited by CASL is substantially lessened as a result of its exceptions and exemptions. These exceptions, when taken as a whole, significantly narrow the application of section 6 and, as a result, on a balance of probabilities, the impugned provisions do not impair free expression more than necessary to achieve the objectives of CASL. In these circumstances, the limitations on the sending of CEMs, are not unreasonable in light of their legislative purpose.

I disagree with this overall, but I am particularly concerned with what the Commission said in paragraph 157. It essentially said that the law can be made constitutional in some cases by erring on the side of a constitutional interpretation in the event of any ambiguity. That essentially says that the law can remain constitutional because the CRTC enforcement folks can interpret in a manner that scales back its overbreadth. I don't think I know anyone who practices in this area who thinks that the CRTC enforcement folks can be counted on to do that.

I remain of the view that CASL is overbroad and unduly limits protected expression that has nothing to do with protecting consumer confidence in e-commerce. The Commission's decision doesn't change my mind on that at all, and it will be interesting to see if this particular case goes any further.

Thursday, October 19, 2017

My comments on Nova Scotia's Intimate Images and Cyber-protection Act

Note: Because of very short notice, I will not be able to appear at the Nova Scotia Legislature's Law Amendments Committee to provide my views on Nova Scotia's new cyberbullying law. Here are my written comments that will be sent to the Committee for their consideration.

Thank you for the opportunity to provide my views on Bill 27, the Intimate Images and Cyber-protection Act.


I am a lawyer with McInnes Cooper whose practice is focused on internet and privacy law matters. I need to emphasise from the outset that these are my own personal and professional comments, and do not necessarily represent the views of my firm, its clients or any other organizations with which I am associated. I have been practicing in this area of law for over fifteen years. In this context, I am perhaps best known as being a vocal critic of the Cyber-Safety Act and being the lawyer who argued in Court that the old Act was unconstitutional.


If I could first comment on a matter of process, I am disappointed that I am not able to appear before the committee and answer any questions you may have. When this bill was first considered on October 16, 2017, I had less than one business day’s notice of the hearing and was out of town. I was advised on Thursday, October 19 that it would be before the committee on Monday, October 23. That’s one and a half day’s notice and I will be out of town on Monday. If the government were serious about getting this right, surely it would make it easier for experts to appear on the Bill. I am sure the Committee would benefit from testimony from Canadian Civil Liberties Association or the Canadian Bar Association, but these organizations can’t just drop tools, consult with their stakeholders and develop a coherent and helpful position with that kind of notice. I can name  at least five people who have immense expertise in the field of civil rights, cyberbullying, restorative justice and youth suicide who this Committee and Nova Scotians should hear from, but none will have a chance to provide their well-informed and expert views. I do not know if this is peculiar to this bill, but it certainly was the case with the original Cyber-Safety Act and Nova Scotians have suffered as a result.


In the meantime, the government has had a number of targeted consultations. I did meet with Justice officials twice to provide my views, with the final meeting commenting on a draft of the bill. I had some misgivings then which I’ll share with you today.


As I mentioned, I was the lawyer in the case that resulted in the Cyber-Safety Act being declared unconstitutional. I was previously very critical of the law and the former Premier said he “could not disagree with me more”. When that quote was posted by the CBC on their website, that cyberbullied me according to the law’s definition.


While the law was declared unconstitutional on December 10, 2015, it was unconstitutional on the day it was introduced on April 25, 2013, fewer than three weeks after the tragic death of Rehtaeh Parsons.


I stood up in court and called the Cyber-Safety Act a “dumpster fire”. Justice McDougall called it, much more politely, a “colossal failure” as far as the Charter is concerned.  


I argued, and the Court agreed, that the law had two principal failures. The first was that the definition of “cyberbullying” was far, far too broad and would include anything that could hurt someone’s feelings (including legitimate, political speech). The second failure was that a complainant could get a protection order without the alleged cyberbullying ever having an opportunity to defend themselves. The justice of the peace would make a decision on the basis of only hearing one side of the case. And the first that the respondent would hear of it would be when a police officer would show up at their house -- usually at night -- and serve them with the order.


I think both of these issues have been addressed in the new Bill. The definition of “cyberbullying” raises the bar much, much higher. It may be too high, by requiring “malice”, but it does capture communications that are intended to harm the victim. The issue of procedural fairness has certainly been addressed, but I am afraid the pendulum may have swung too far the other way.


The way the Bill sets it out, a victim of cyberbullying has only one option: to commence an application in the Supreme Court of Nova Scotia following the Nova Scotia Civil Procedure Rules. I have 100% confidence in the fairness of a judge of the Supreme Court. But forcing a victim of cyberbullying to start a conventional lawsuit will represent a huge barrier to access to justice.


What I am saying is completely contrary to my own pecuniary self interests. I am a lawyer who practices law in this area. My law partners much prefer that I charge clients for my time and for my services. We have a great pro bono program -- I think it’s one of the best in the country of any law firm that I am familiar with -- but I am not able to take the cases of all victims of cyberbullying. Going to the Supreme Court requires that a victim understand and follow Civil Procedure Rules. They’ll have to read and understand Rules 5, 4, 5, and 6. They have to prepare a notice of application in court and an affidavit, all according to the rules. They’ll have to hire a process server to serve the documents on the respondent. They likely have to be in court across from their tormentor to schedule the next steps and the court hearing. They get a written affidavit from the respondent. They can then maybe file another response affidavit. They can maybe cross-examine the respondent outside of Court, assuming they are in a position to pay a court reporting service to transcribe the cross-examination on an expedited basis. Then they have to file their brief. And then they have their day in Court, except they never get to directly tell a judge their story. They don’t get to testify on their own behalf, since their testimony is only in their affidavit.


I would expect it would cost at least $10,000 for me to represent an applicant in this process. That is daunting. But what’s equally daunting is the prospect of a traumatized cyberbullying victim having to find, let alone understand and precisely follow, the civil procedure rules. That greatly troubles me and I think it should trouble you.


The legislature should seriously consider a different approach. I do not think I have all the answers, but I would suggest that the legislature should consider a less formal approach that still preserves the procedural fairness that was lacking in the old Cyber-safety Act. While the procedure for a peace bond is not without its shortcomings, there should be a procedure through which an applicant can go to court and tell their story. The respondent has the same right to know what is being alleged, to appear, to present their story and possible justification. If neither adduced evidence about some of the essential factors to be considered under the Act, the judge can ask them questions. And a decision follows. This can be before the Supreme Court of Nova Scotia or a judge of the Provincial Court.
I do agree with sidelining the CyberSCAN unit from enforcement of the law. In my experience and in my opinion, they were the wrong tool for the job. While perhaps not representative of all the people with whom they interacted, I consistently heard from and about people whose political or legitimate Charter-protected speech was removed from the internet because they bullied the people into removing it under threat of unspecified “legal action” that could include removing their internet access. It may have been a matter of who they hired for the role or how they were led, but the CyberSCAN unit was part and parcel of the speech suppression that the law represented. When I asked Roger Merrick how the CyberSCAN unit took the Charter into account in doing their jobs, I was told that the legislature took it into account when the bill was passed by this House. That was clearly incorrect.


I do think the CyberSCAN unit or some replacement of it could go good things. Education and awareness is important. Providing support to victims is important. I am sure that victims will need a lot of help in figuring out how to have their day in court, and they can be a resource for that.

One final concern that I have is that the legislation says that if the victim is a minor, their parent or guardian has to commence the application on their behalf. There should be a mechanism by which a minor can do this on their own. First of all, there may be a case where the case relates to intimate images and the minor does not want to tell their parents. Secondly, I can imagine a scenario where the parent is either the perpetrator or is unwilling to help the child. Some safeguard needs to be in place to give a child direct access to the courts.


I do want to take the opportunity to praise the manner in which the non-consensual distribution of intimate images is treated in the statute. By separating this from the definition of cyberbullying, it will effectively shield this from being struck down if the conventional cyberbullying aspect is found to be unconstitutional.


Again, I regret that there was not enough notice for me to appear in person and answer any questions by the Committee. However, I am easy to find and I would be pleased to discuss this important matter with any Committee members or their staffers.