Wednesday, May 10, 2017

Alberta law provides civil remedies for cyberbullying victims

Tort regarding non-consensual distribution of intimate images supplements recent criminal amendments

The Alberta legislature has passed a bill to provide civil remedies for victims of the non-consensual distribution of intimate images. Bill 202, Protecting Victims of Non-Consensual Distribution of Intimate Images Act, creates a new civil cause of action for what has become known “revenge porn” or non-consensual pornography. When the law comes into effect, in August 2017, it will be actionable in the province, without proof of harm, for anyone to distribute “an intimate image of another person knowing that the person depicted in the image did not consent to the distribution, or is reckless as to whether or not that person consented to the distribution”. The statute builds upon the criminal provisions for such actions added to the Criminal Code in Bill C-13 and closely follows the similar statute in Manitoba, the Intimate Image Protection Act.

An “intimate image” is defined as an image or video in which the person depicted is nude or includes the breasts, genitals or anal region, or depicts explicit activity. It is further defined with reference to the expectation of privacy that existed at the time the image was created or distributed:

(ii) which was recorded in circumstances that gave rise to a reasonable expectation of privacy in respect of that image, and

(iii) if the image has been distributed, in which the person depicted in the image retained a reasonable expectation of privacy at the time it was distributed;

Importantly, that expectation of privacy is not necessarily lost if the image was taken by another person or was given to another person where it was not to be further distributed:

Expectation of privacy
5 In an action for the distribution of an intimate image without consent, the person depicted in the image does not lose the expectation of privacy in respect of the image if that person
(a) consented to another person recording the images, or

(b) provided the image to another person,

in circumstances where that other person knew or ought reasonably to have known that the image was not distributed to any other person.

The bill also contains a public interest defence, which is similar to that found in the Criminal Code for other pornography and obscenity offences. Also of note, if the defendant in an action under the new law is a child, the statute specifically deems that the parent of the defendant will not be jointly and severally liable unless the parent “directly participated” in the distribution of the image.

Friday, March 10, 2017

Privacy and the use of census information for population health research

Professor Teresa Scassa has a very interesting comment on her blog about a recent case from the Federal Court of Canada, O’Grady v. Canada (Attorney General), 2017 FC 167. Her comment is here: Recent Federal Court Decision Examines Privacy and the Census.

The case itself is a judicial review of a decision of the Chief of Statistics to enter into an agreement with McGill University’s Faculty of Medicine to conduct a study examining perinatal outcomes in Canada. This sort of research collaboration and data matching happens all the time, but seldom is it objected-to and the discussions do not often end up in front of the courts.

The context, from the decision:

[3] In 2011, Statistics Canada and McGill entered into a Letter of Agreement to conduct a study that would assess infant mortality and newborn health by examining perinatal outcomes in Canada according to risk factors related to socioeconomic position, ethno-cultural background, and environmental exposure [Study]. In connection with the Study, record linkages were used to link information from the national birth record database and the 1996 and 2006 censuses. In order to minimize the privacy intrusion, the record linkages were performed in accordance with s 6 of the Statistics Act, RSC 1985, c S-19 [Statistics Act] by Statistics Canada employees, or deemed employees, and the composite records were stripped of direct personal identifiers before they were made accessible to McGill. The composite records were also restricted to Statistics Canada’s premises. Additionally, the usage of the record linkages was publicly posted on the Statistics Canada website.

The applicant complained to the Privacy Commissioner of Canada, who concluded that the applicant's personal information had not been improperly used.

[7] The Privacy Commissioner agreed that the Applicant’s census information met the definition of personal information, as defined by s 3 of the Statistics Act. Additionally, the Privacy Commissioner found that usage of census information in the Study was beyond the scope of the purposes for which it was collected, which is prohibited under s 7 of the Statistics Act. However, there was no evidence to suggest that the Applicant’s information had actually been used in the Study as her information had been excluded. Furthermore, even if the Applicant’s information had been used, Statistics Canada had the authority to do so under the Statistics Act. Consequently, the Privacy Commissioner found that the Applicant’s complaint was not well-founded.

The Court, in reviewing the decision by the Chief of Statistics, found that it was lawful as the use of the census data in this manner is consistent with the purpose for which it was originally collected.

[68] There is no doubt that census information is personal information, so the issue in this case is whether it was used “for a use consistent” with the “purpose for which it was obtained or complied….”

[69] The Supreme Court of Canada set out the “consistent use” test in Bernard, above:

[31] A use need not be identical to the purpose for which information was obtained in order to fall under s. 8(2) (a) of the Privacy Act; it must only be consistent with that purpose. As the Federal Court of Appeal held, there need only be a sufficiently direct connection between the purpose and the proposed use, such that an employee would reasonably expect that the information could be used in the manner proposed.

(emphasis in original)


[70] It is clear that Statistics Canada could not have contemplated the Study at the time of either the 1996 census or the 2006 census. Hence, the information collected by those censuses was not obtained specifically for the Study. However, the purpose of the Study is to compile and analyse statistics related to the health and welfare of Canadians, so that it complies with the purpose of the censuses and with Statistics Canada’s mandate.


The application was dismissed, but the Court noted it was premature overall:

[86] The real problem with this application is that it is premature. The Study has not yet been released or used. The Applicant speculates that personal information will be used and disclosed, but has produced no convincing evidence to support that position. Whatever I have said in this application, which is based solely upon the record before me, should not prevent anyone whose personal information is inappropriately used or disclosed from bringing the matter before the Court in the future.

Friday, February 10, 2017

Nova Scotia Appeals Court: No privacy and defamation double-dip damages

The Nova Scotia Court of Appeal, in Marson v Nova Scotia, 2017 NSCA 17 has affirmed the decision of the NS Supreme Court, which found that you don't get to double-dip on damages if essentially the same is grounded in invasion of privacy and defamation. The unanimous Court reasoned:

[27] The trial judge was alive to the potential to award damages for “Breach of Privacy/Intrusion upon seclusion”. She discussed the issue of whether there was any need to rely upon an Ontario case, Jones v. Tsige, 2012 ONCA 32 (CanLII), which recognized the tort of intrusion upon seclusion. In Jones the Court made an award based on the tort of invasion of privacy, or intrusion upon seclusion. That case referenced the fact that one who intentionally intrudes upon the seclusion of another in his private affairs is subject to liability for invasion of privacy if the invasion would be highly offensive to a reasonable person. A reasonable person, in the context of that tort, would find it highly offensive to have records such as health records, or in the context of the present case, confidential policing/corrections information disseminated.

[28] The Jones case made it clear that the damages for such a tort were in the category of “symbolic” or “moral” damages where a plaintiff suffered no provable pecuniary loss. Here, the trial judge correctly pointed out that while in Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245 (CanLII) it was made clear that the court could award damages for a tort of intrusion upon seclusion, it was not necessary in the present case. She said:

175 … I do not need to undertake that analysis. The actions complained of under this heading are, essentially, the same actions underpinning the defamation claim, for which I have already awarded complete damages. The factors noted in par. 87 of Jones have already been considered in that award. It would be inappropriate to make further awards. …

[29] I agree with the trial judge’s approach on this issue. The approach argued by the appellant would have resulted in double recovery for the same delict. The trial judge’s comments make it clear that the intrusion of seclusion was subsumed within the other heads of damages.

A claim can be both rooted in privacy and defamation, but your compensation is for the harm itself and not multiplied by the different torts you can claim.

Tuesday, February 07, 2017

Did the Canadian Federal Court take the first step to a "right to be forgotten" with a global take-down order?

This past week, the Federal Court of Canada released a very interesting decision in A.T. v. Globe24h.com, 2017 FC 114, which seems to be the first step towards a Canadian "right to be forgotten". (You may recall that I generally don't think such a right exists in Canada (You'd better forget the right to be forgotten in Canada). The decision includes an order that purports to tell a non-Canadian what information can be published on the internet globally.

The decision is generally unsatisfying in a number of ways. But first here's the background: The Applicant, identified only as A.T., registered a complaint with the Privacy Commissioner of Canada that a Romanian website was hosting and making available an Alberta Labour Board decision that he did not want to be associated with. An internet search of his name would turn up this decision, hosted by Globe24h. He wanted it taken down. The Office of the Privacy Commissioner of Canada (OPC) had previously investigated a number of complaints against the outfit and issued a finding. Essentially, the OPC had found that the site scraped decisions from Canadian legal, courts and tribunal websites and made them searchable on the internet. Most of these tribunals and courts made these records available online, but restricted them from being indexed and fully searchable. The business model of the site seems to be that they will promptly take down decisions -- presumably those not favourable to individuals -- if the individual paid a processing fee. The OPC had found this was a violation of Canada's Personal Information Protection and Electronic Documents Act.

In the case before the Federal Court, only the complainant and the OPC appeared. As a result, the record is one-sided and there was not a complete, adversarial analysis of all the issues to be considered. Our legal system is premised upon having opposing sides present their best arguments and best evidence before a Court. This decision only includes one side and no interveners who may have helped the court get a more balanced view. It does appear that the Court generally accepted the arguments put forward by the OPC, including hearsay related to the dialogue that OPC had with Globe24h (but which it declined to have with the Court).

The Court relied on, among other authorities, the Equustek v. Google decision from the British Columbia Court of Appeal, which was appealed to the Supreme Court of Canada and for which a decision is pending, to support its ability to issue a mandatory order against an entity with no presence in Canada. This decision may be reversed.

Secondly, because there was nobody to present the other side, there was no discussion about the impact of freedom of expression or the right to information on the case. The Court concluded that because the original case was available online, but not indexed, removing it from Globe24h would not have any real impact. And because the site's purpose was concluded to be mostly mercenary, it could not take advantage of the exclusion given to exclusively journalistic reports. In fact, the Court determined that the website's approach was not "appropriate" for the purposes of s. 5(3) of PIPEDA, which reads:

Appropriate purposes

(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.


Here's the judge's reasoning on that point:

[75] I agree with the OPCC that a reasonable person would not consider the respondent to have a bona fide business interest. In making this argument, the Commissioner relies on the Canadian Judicial Council’s (CJC) Model Policy for Access to Court Records in Canada (Model Policy) and the OPCC’s own guidance document to federal administrative tribunals. The CJC Model Policy discourages decisions that are published online to be indexed by search engines as this would prevent information from being available when the purpose of the search is not to find court records. The policy recognizes that a balance must be struck between the open courts principle and increasing online access to court records where the privacy and security of participants in judicial proceedings will be at issue.

[76] The CJC has struck a balance by advising courts to prevent judgments from being discovered unintentionally through search engines. To this end, the CJC has recommended that judgments published online should not be indexed by search engines. The OPCC notes that CanLII and other court and tribunal websites generally follow the CJC’s Model Policy and prevent their decisions from being indexed by search engines through web robot exclusion protocols and other means. Indeed, the Federal Court has taken such measures to prevent our decisions from being indexed. That does not bar anyone from visiting the Federal Court website and conducting a name search. But it does prevent the cases from being listed in a casual web search. The respondent’s actions result in needless exposure of sensitive personal information of participants in the justice system via search engines.


The Court agreed with the OPC's submissions that the "journalism" exception doesn't apply in the case either. In doing so, the Court followed the reasoning of the Alberta Court of Appeal in United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, which was affirmed on other grounds by the Supreme Court of Canada in 2013 SCC 62.

[67] The respondent has claimed in communications with the OPCC that his purposes in operating Globe24h.com should be considered exclusively journalistic. Should the Court accept that claim, Part 1 of PIPEDA does not apply to his activities because the personal information collected, used or disclosed falls under the exception provided by paragraph 4(2)(c) of PIPEDA.

[68] The “journalistic” purpose exception is not defined in PIPEDA and it has not received substantive treatment in the jurisprudence. The OPCC submits that the Canadian Association of Journalists has suggested that an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation ”. Those criteria appear to be a reasonable framework for defining the exception. None of them would apply to what the respondent has done.

[69] The Alberta Court of Appeal interpreted similar statutory language in Alberta’s Personal Information Protection Act, SA 2003, c P-6.5: United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII), [2012] AJ No 427, aff’d 2013 SCC 62 (CanLII), [2013] 3 SCR 733 [United Food]. Specifically, in considering the adjective “journalistic”, the Court of Appeal noted that “it is unreasonable to think that the Legislature intended it to be so wide as to encompass everything within the phrase “freedom of opinion and expression””: United Food, above, at para 56. Further, the Court noted that “[n]ot every piece of information posted on the Internet qualifies [as journalism]”: United Food, above, at para 59.

[70] In my view, the respondent’s claimed purpose “to make law accessible for free on the Internet” on Globe24h.com cannot be considered “journalistic”. In this instance, there is no need to republish the decisions to make them accessible as they are already available on Canadian websites for free. The respondent adds no value to the publication by way of commentary, additional information or analysis. He exploits the content by demanding payment for its removal.

[71] The evidence indicates that the respondent’s primary purpose is to incentivize individuals to pay to have their personal information removed from the website. A secondary purpose, until very recently, was to generate advertising revenue by driving traffic to his website through the increased exposure of personal information in search engines. There is no evidence that the respondent’s intention is to inform the public on matters of public interest.

[72] Even if the respondent’s activities could be considered journalistic in part, the exemption under paragraph 4(2)(c) only applies where the information is collected, used or disclosed exclusively for journalistic purposes. It is clear from the record that Globe24h.com’s purposes extend beyond journalism.


While this case is very interesting and the first in Canada to approach a "right to be forgotten", I would caution against assuming that it is a strong precedent for Canadian law. Unfortunately, it appears all the argument and evidence was one-sided. The case raises some very interesting, very important and nuanced issues. We really would have benefited from a full presentation of all arguable positions, particularly those related to freedom of expression and the appropriateness of global takedown orders.

Here's the final order from the Court:

THIS COURT’S JUDGMENT is that:

1. It is declared that the Respondent, Sebastian Radulescu, contravened the Personal Information Protection and Electronics Documents Act, SC 2000, c 5 by collecting, using and disclosing on his website, www.Globe24h.com (“Globe24h.com”), personal information contained in Canadian court and tribunal decisions for inappropriate purposes and without the consent of the individuals concerned;

2. The Respondent, Sebastian Radulescu, shall remove all Canadian court and tribunal decisions containing personal information from Globe24h.com and take the necessary steps to remove these decisions from search engines caches;

3. The Respondent, Sebastian Radulescu, shall refrain from further copying and republishing Canadian court and tribunal decisions containing personal information in a manner that contravenes the Personal Information and Electronic Documents Act, SC 2000, c 5;

a) The Respondent, Sebastian Radulescu, shall pay the Applicant damages in the amount of $5000;

b) The Applicant is awarded costs in the amount of $300; and

c) The style of cause is amended to substitute the initials “A.T.” for the name of the applicant.

Thursday, February 02, 2017

My testimony on the Security of Canada Information Sharing Act

Earlier this week, I was invited to testify before the House of Commons Standing Committee on Access to Information, Privacy and Ethics as part of their study of the Security of Canada Information Sharing Act (here's the notice of meeting: House of Commons Committees - ETHI (42-1) - Notice of Meeting - Number 042 (Official Version)).

The Act is one of the more problematic portions of the Anti-terrorism Act of 2015, which was passed by the previous government. The new government has said they'd fix it, but it it unclear what they would fix.

I was pleased to testify alongside Laura Tribe of OpenMedia and David Elder, who spoke on behalf of the Canadian Bar Association Privacy and Access Law Section.

The audio of the full session is here, and below is my opening statement:

Thank you to the committee and to the chair for the opportunity to speak with you today about this very important subject.

If I may introduce myself: I am a privacy lawyer practicing with McInnes Cooper in Halifax. I’ve been practicing law in this area for more than fifteen years and I have had the benefit of advising clients on a full range of privacy, access to information and technology issues for that time. I work with clients who regularly have contact with the police and with national security authorities looking for information, both through regular lawful channels and -- shall we say -- informal channels.

I am here in my personal capacity, so I am not speaking for any of my clients, any associations that I am a member of nor on behalf of my firm.

This committee has a very important opportunity and I think we are at a turning point in global history. We have the chance, right now, to take a deep breath, take a step back and ask some very important questions. Who are we as Canadians and what do we want to be? What kind of country do we want to live in and are we taking positive steps to make it happen?

Looking south of the border, I am very mindful of a phrase I first heard said by William Binnie after he left the National Security Agency. He was afraid that what he was being asked to create within that organization was “turnkey totalitarianism”. If you build an intrusive tool for the most benevolent institution, you can have faith in the people you build it for but you can’t be sure that it will not fall into the wrong hands. Setting aside the cynicism I have developed over the last dozen years, even if you absolutely believe what the leaders of our national security and policing agencies say to you, you can’t be sure that their replacements will have the same good faith and concern about the rights of citizens. You can’t be sure about the good faith and commitment to Canadian values of the next prime minister. The new US administration has at its disposal the most significant surveillance apparatus ever assembled, and it’s being built with Canadian collaboration. This committee needs to look at the “here and now”, but also has to be looking over the horizon for what may come next. The Anti-Terrorism Act of 2001 and the Anti-Terrorism Act of 2015 are the foundation that massive abuse of Canadians’ rights may be built on.

We also need to look at whether any of this is really necessary or proportional. Look at what we have here and what is going on. On one hand, we’ve seen that CSIS, with the assistance of the Department of Justice lawyers, has lied to courts in order to feed CSIS’ databases.

And we’ve also seen that CSIS has refused to delete the information they unlawfully retain.

And we’ve most recently seen that CSIS has been working to try to justify their data mining practices and has been looking for more data to put into that data base.

And, on the other hand, we have the Security of Canada Information Sharing Act, which is a privacy disaster. The privacy of Canadians was previously protected by information silos. You knew that information about your Canada Pension Plan or EI claims would not be used for another purpose unless the (relatively weak) hurdles built into the Privacy Act were complied with or unless a judge determined it was appropriate in those circumstances. Now we have a system where CSIS can ask any government department for virtually any data (as long as they think it is relevant), can get it and it’s no longer covered by the same protection of the originating institution.

They may think “people who visit bad guys are probably bad guys, so let’s get all the visitor logs from Corrections Canada”. Then “let’s match that up against Canada Border Services records of people leaving and returning to Canada.” And why not “all the records of people receiving EI?” And then everyone’s tax returns to see who has donated to muslim charities? This law would allow CSIS or the RCMP to collect, in one massive database, all the information that every other government department has about you.

SCISA does not contain any limit on what organizations like CSIS or the RCMP can do once they build these databases.

There is NO limit on how much information can be transferred between any government department and any of those institutions listed in the schedule to the Act. And all of this happens in the shadows. As parliamentarians, all you get to know are the evasive non-answers given to you. There is no oversight and no accountability. This is essentially a blank cheque giving national security agencies access some of the most sensitive information about Canadians. This is a real problem and the Act should be repealed.

I would also highlight that the presence of s. 9 should raise a red flag: “9 No civil proceedings lie against any person for their disclosure in good faith of information under this Act.” If a statute has to provide immunity for otherwise unlawful conduct, we should be very careful about authorizing that conduct and should be very careful about granting that immunity.

I look forward to your questions.

Tuesday, December 13, 2016

Parliamentary Committee calls for reform of federal Privacy Act

Yesterday, the Parliament of Canada Standing Committee on Access to Information, Privacy and Ethics has issued the result of its study of the Privacy Act. The Act, which regulates the collection, use and disclosure of personal information by federal public bodies, is antiquated and is in dire need of reform. You'll see in the Report that I appeared as a witness, generally backing the recommendations of the Privacy Commissioner and the Canadian Bar Association.

Many of the recommendations are not new and have been ignored by a succession of federal governments. We'll see what happens now ...

Here, in short, are the recommendations:

LIST OF RECOMMENDATIONS

RECOMMENDATION 1

a) That the purpose clause in section 2 of the Privacy Act be expanded to reinforce the quasi-constitutional nature of privacy rights by including generally accepted and technologically neutral privacy principles similar to those in contained in the Personal Information Protection and Electronic Documents Act, including accountability; identifying purposes; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

b) That the Privacy Act be modified to clarify that the privacy principles in the amended purpose clause shall guide the interpretation of the Act.

RECOMMENDATION 2

That the definition of “personal information” in section 3 of the Privacy Act be amended to ensure that it be technologically neutral and that it include unrecorded information.

RECOMMENDATION 3

That the Government of Canada define metadata in the Privacy Act, in a technologically neutral way and with an emphasis on the information it can reveal about an individual.

RECOMMENDATION 4

That the Privacy Act be amended to require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act be governed by written agreements and that these agreements include specified elements.

RECOMMENDATION 5

That the Privacy Act be amended to create an explicit requirement that new or amended information-sharing agreements be submitted to the Office of the Privacy Commissioner of Canada for review, and that existing agreements should be reviewable by the Privacy Commissioner upon request.

RECOMMENDATION 6

a) That the Privacy Act be amended to create an explicit requirement that departments be transparent about the existence of any information-sharing agreements.

b) That the Privacy Act be amended to require, except in appropriate circumstances, the publication of the content of information-sharing agreements between departments or with other governments.

RECOMMENDATION 7

That the Privacy Act be amended to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data.

RECOMMANDATION 8

That the Privacy Act be amended to set out clear consequences for failing to safeguard personal information.

RECOMMENDATION 9

That the Privacy Act be amended to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 10

That the Privacy Act be amended to create an explicit requirement for government institutions to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.

RECOMMENDATION 11

That section 4 of the Privacy Act be amended to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information, consistent with other privacy laws in effect in Canada and abroad.

RECOMMENDATION 12

That the Privacy Act be amended to clarify that a recipient federal institution that receives personal information through information sharing with another federal institution is collecting personal information within the meaning of section 4 of the Privacy Act, and must meet the criteria of necessity and proportionality that apply to the collection of personal information.

RECOMMENDATION 13

That section 6 of the Privacy Act be amended so as to explicitly require compliance with the criteria of necessity and proportionality in the context of any retention of personal information.

RECOMMENDATION 14

That the Privacy Act be amended to set clear rules governing the collection and protection of personal information that is collected on the internet and through social media.

RECOMMENDATION 15

a) That the Government of Canada strengthen the oversight of privacy rights by adopting an order-making model with clear and rigorously defined parameters.

b) That, in order to ensure the most effective use of resources, the Government of Canada explore ways of finding efficiencies, by, among other things, combining the adjudicative functions of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada.

RECOMMENDATION 16

That the Government of Canada further examine the possibility of expanding judicial recourse and remedies under the Privacy Act.

RECOMMENDATION 17

That the Privacy Act be amended to include a requirement for government institutions to conduct privacy impact assessments for new or significantly amended programs and submit them to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 18

That the Privacy Act be amended to require federal government institutions to consult with Office of the Privacy Commissioner of Canada on draft legislation and regulations with privacy implications before they are implemented.

RECOMMENDATION 19

That the Privacy Act be amended to explicitly confer the Privacy Commissioner with:

a) the authority to conduct, on his own initiative, research and studies on issues of public importance, and

b) a mandate to undertake public education and awareness activities.

RECOMMENDATION 20

That the Privacy Act be amended to require an ongoing five-year parliamentary review.

RECOMMENDATION 21

That section 64 of the Privacy Act be amended to create an exemption from confidentiality requirements to provide the Privacy Commissioner with the discretionary authority to report proactively on government privacy issues where he considers it in the public interest to do so.

RECOMMENDATION 22

That the Privacy Act be amended to expand the ability of the Office of the Privacy Commissioner of Canada to collaborate with other data protection authorities and review bodies on audits and investigations of shared concern in connection with Privacy Act issues.

RECOMMENDATION 23

That section 32 of the Privacy Act be amended to grant the Privacy Commissioner discretion to discontinue or decline complaints on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith, and that the Commissioner’s decision to discontinue or decline a complaint be subject to a right of appeal by the complainant.

RECOMMENDATION 24

That reporting requirements on broader privacy issues dealt with by federal institutions be reinforced by requiring the addition of a descriptive element so as to make the information in the reports accessible and relevant.

RECOMMENDATION 25

That there be specific transparency requirements for lawful access requests from agencies involved in law enforcement.

RECOMMENDATION 26

That the Government of Canada explore extending the scope of the Privacy Act to all federal government institutions, including ministers’ offices and the Prime Minister’s Office.

RECOMMENDATION 27

That the Government of Canada consider extending the right of access to personal information to foreign nationals.

RECOMMENDATION 28

That the Government of Canada examine the possibility of limiting exemptions to access to personal information requests under the Privacy Act.‎

Thursday, December 01, 2016

Did the Supreme Court of Canada formally establish a new form of consent? Is "implied consent" really "deemed, irrevocable consent"?

I just posted a comment on the new Royal Bank of Canada v. Trang decision from the Supreme Court of Canada (Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections), but there’s an aspect of it I’d like to dig into further.

On close review, it does appear that the Supreme Court of Canada has -- perhaps inadvertently -- re-written a key aspect of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the decision, the Court found that Scotiabank had Trang’s implied consent to disclose a mortgage discharge statement to the Royal Bank of Canada. I don’t think that’s very controversial, but if you dig into it, the Court’s conclusion is significant. It found that "implied consent" is really not consent, but deemed and irrevocable consent where it’s reasonable.

“Implied consent” is consent where you can imply someone’s permission or consent from the circumstances. For example, if I ask someone for their name and address to send them something and they give their name and address, you can imply their consent to use it for that purpose. In other circumstances, it can be unspoken. If I were to ask the same person for their name and address and it is clear in the circumstances that I’d be using it to send them something, their consent can be implied by their providing the information.

This is in contrast to express consent, which is where the individual has expressed his or her consent at the time. (“Yes, I give you consent to use my name and address to send me that thing.”)

All of this is clear from PIPEDA. But what is also clear from PIPEDA is that an individual can withdraw his or her consent at any time:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

In the Trang case, it was abundantly clear that Trang did not consent to any disclosure of the mortgage discharge statement. While the decision does not specifically say that Trang revoked it, it is clear that Trang was asked and did not consent. Further, Trang did not appear at an examination in aid of execution. (I’d imply no consent there.)

So what does this mean? In short, “implied consent” as used by the Supreme Court here is really not “implied consent” but “deemed deemed”. It’s a consent that is reasonable in the circumstances but really cannot be revoked or overridden. It occurs regardless of the actual wishes of the individual. And that’s a big deal.

Now, I don’t think that the Supreme Court just made this up. You might even say it is necessary given that that PIPEDA only has a limited number of circumstances where an organization can do away with consent, all of which are listed in s. 7 of the Act. We can see many examples in findings from the Office of the Privacy Commissioner of Canada, particularly those that arise in the workplace. For example, in Transit driver objects to use of technology (MDT and GPS) on company vehicle, the Commissioner found there was implied consent for a transit operation to use GPS to track his movements on the job. The driver who complained clearly objected -- definitively communicated a lack of consent, but the Commissioner found that the purpose was reasonable and that notice was given to the employees, so all was kosher.

Much of this has been fixed with the Digital Privacy Act (but only for employees), which added this new section 7.3:

Employment relationship

7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

So 7.3 fixes it and makes this discussion moot in the employment context, but the Supreme Court’s decision seems to support the proposition that there are circumstances where implied consent really equals deemed, irrevocable consent.

I hesitate to predict how this will play out in the future, but it's likely significant.

Wednesday, November 30, 2016

Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections

The Supreme Court of Canada has recently applied common sense to prevent debtors from using Canadian privacy laws to tie the hands of lenders looking to enforce their legal rights.

In a proceeding brought by the Royal Bank of Canada against a debtor, the bank required the mortgage discharge statement held by Scotiabank in order to complete a sheriff’s sale of the property. Scotiabank took the view, following Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3, that the discharge statement is “personal information” and that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) prohibits its disclosure unless there is consent or a court order. The debtor would not consent.

The Royal Bank brought a motion for such an order and was denied, citing the Citi Cards case. The Ontario Court of Appeal upheld this decision.

Ultimately, in front of the Supreme Court of Canada (Royal Bank of Canada v. Trang), the Court overruled Citi Cards and made some interesting observations that likely have broader application. The Court principally considered two questions: first, would the order sought by the Royal Bank satisfy the consent exception in PIPEDA that permits disclosure pursuant to a court order? Secondly, is there implied consent so that a mortgage discharge statement can be disclosed to a judgement creditor?

On the first question, the Court was clear that a creditor can seek and obtain such an order, and that the order would satisfy the provisions of PIPEDA:

[31] Further, it is clear that this is a case in which it was appropriate to make an order for disclosure. The majority of the Court of Appeal observed that a party seeking an order under rule 60.18(6) must demonstrate “difficulty” in enforcing its judgment, and that “courts should be reticent to require strangers to the litigation to appear on a motion” (para. 77). Hoy A.C.J.O. concluded, however, that rule 60.18(6)(a) can be applied less cautiously where a mortgagee is being examined in order to obtain a mortgage discharge statement. I agree. As Hoy A.C.J.O. noted, a mortgagee is not a stranger to the litigation in the sense that its interest in the property is at issue as well — the sheriff requires the mortgage discharge statement in part to settle the priority between mortgagees and creditors. Moreover, in practice, only the mortgagee can produce a mortgage discharge statement.

[32] I also agree with Hoy A.C.J.O. regarding the application of rule 60.18(6). I conclude that an order requiring disclosure can be made by a court in this context if either the debtor fails to respond to a written request that he or she sign a form consenting to the provision of the mortgage discharge statement to the creditor, or fails to attend a single judgment debtor examination. A creditor who has already obtained a judgment, filed a writ of seizure and sale, and completed one of the two above-mentioned steps has proven its claim and provided notice. Provided the judgment creditor serves the debtor with the motion to obtain disclosure, the creditor should be entitled to an order for disclosure. A judgment creditor in such a situation should not be required to undergo a cumbersome and costly procedure to realize its debt. The foregoing is a sufficient basis to order Scotiabank to produce the statement to RBC, and I would so order. But there is more in the present case.


On the second question, the Court effectively determined that an order – while available – is not necessary. It can be given under implied consent. PIPEDA provides that implied consent can be applicable where the information is less sensitive. Though financial information is generally considered to be sensitive, the Court noted that the information in a mortgage discharge statement is at the less sensitive end of that spectrum. PIPEDA also states that the reasonable expectations of the individual are relevant in the circumstances.

[43] Turning to the reasonable expectations of the individual, the parties disagree on the appropriate scope of the inquiry. The Privacy Commissioner submits that only the relationship between the Trangs as mortgagors and Scotiabank as mortgagee is relevant to assessing the Trangs’ reasonable expectations in the circumstances; the relationship between the Trangs and RBC has no role to play. On the other hand, RBC argues that the party receiving the disclosure is a relevant consideration when determining the Trangs’ reasonable expectations.

[44] In my view, when determining the reasonable expectations of the individual, the whole context is important. This is supported by the Office of the Privacy Commissioner’s consideration of context in various decisions: PIPEDA Report of Findings No. 2014-013; PIPEDA Case Summary No. 2009-003; PIPEDA Case Summary No. 311. Indeed, to do otherwise would unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect, bearing in mind that the overall intent of PIPEDA is “to promote both privacy and legitimate business concerns”: L. M. Austin, “Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices” (2006), 44 Can. Bus. L.J. 21, at p. 38.

[45] As the motion judge observed in the initial motion, and as I have already noted, a mortgage discharge statement “is not something that is merely a private matter between the mortgagee and mortgagor, but rather is something on which the rights of others depends, and accordingly is something they have a right to know” (2012 ONSC 3272 (CanLII), para. 29). In other words, the legitimate business interests of other creditors are a relevant part of the context which informs the reasonable expectations of the mortgagor.

Looking at the situation and assuming a “reasonable debtor”, the Court found implied consent:

[48] Here, RBC is seeking disclosure regarding the very asset it is entitled to, and intends to, realize on. A reasonable person borrowing money knows that if he defaults on a loan, his creditor will be entitled to recover the debt against his assets. It follows that a reasonable person expects that a creditor will be able to obtain the information necessary to realize on its legal rights. From the opposite perspective, it would be unreasonable for a borrower to expect that as long as he refused to comply with his obligation to provide information, his creditor would never be able to recover the debt.

Interestingly, the Court did not consider or comment on whether this implied consent that would have existed initially had been or could be overridden by the debtor’s clear refusal of consent that was communicated during the collection proceedings.

Tuesday, September 13, 2016

Lawful Access (2016): There, I fixed it for you.

In December 2013, I posted "Lawful Access: There, I fixed it for you.". I didn't think I'd need to link to it again so soon, but in light of the Government of Canada's recent Green Paper on national security, lawful access is back in the public policy spotlight. If you'd thought that the Spencer decision had put a bullet into the law enforcement and national security argument that "basic subscriber information" needs no protection and should be available wholesale the state, you're apparently wrong. The RCMP and the Canadian Association of Chiefs of Police have been working behind the scenes to try to circumvent the SCC's Spencer decision (See Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong.)

In my 2013 post, I'd suggested a fix for the apparent problem of police having difficulty in getting access to "basic subscriber information". It's now relevant again and I offer it for your consideration. I've made some small tweaks since 2013.

I'm happy to hear any input ...

Subscriber information production order
*(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.
Production to peace officer
(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given
(a) to a peace officer named in the order; or
(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.
Conditions for issuance of order
(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that
(a) there are reasonable grounds to believe that an offense designated under this Section has been, is being or is about to be committed;
(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offense;
(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and
(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.
Terms and conditions
(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.
Power to revoke, renew or vary order
(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.
Notice
(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, aAny person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph may be made by the justice or judge who made the order, or a judge of the same territorial division may be made shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.
Probative force of copies
(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.
Return of copies
(8) Copies of documents produced under this section need not be returned.
Subscriber information
(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
Use and retention of subscriber information
(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,
(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offense or offenses referred to in the information used to obtain the order; and
(b) if the person about whom the subscriber information relates has not been charged with an offense referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.
Designated offences
(11) For the purposes of this Section, a designated offense means
(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or
(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).
Tele-production Orders
(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.
National effect
(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunciations service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.
Compensation
(14) The telecommunciations service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunciations service provider’s business.
Report to Parliament
(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:
(a) the number of subscriber information production orders issued in total for the previous calendar year;
(b) the number of subscriber information production orders issued per designated offense for the previous calendar year;
(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;
(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and
(d) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Application for review of production order

(16) Section 487.0193 shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies to the production orders referred to in that Section.



Saturday, September 10, 2016

Ontario court awards damages for family member's disclosure of mental health information

The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), has recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff's stay there. No other information was disclosed.

10. The plaintiff left the crisis facility after a 6 day stay feeling much better and in control. Unfortunately this did not last. A week after returning home she was sitting on the front porch of Dean’s home when Lisa, Fabion’s former common law spouse, arrived. Upon seeing the plaintiff, Dean recalls that Lisa “blurted out ‘Were you in a crisis house?’ not even saying Hello first”. The plaintiff was visibly upset and shaken by the question and asked how she knew. Lisa said Fabion told her about the stay.

12. In the opinion of the plaintiff’s family doctor, filed as Exhibit 5, the plaintiff has “definitely” become more stressed, anxious and depressed since finding out that others were told of her stay in the crisis facility. It may also be contributing to her increased back pain.

13. Both the plaintiff and her boyfriend Dean report that she has become more fragile, anxious and reclusive than before the incident. Unlike before she rarely goes out, will not go shopping and has blackened the windows of her basement apartment. She will not seek respite care help even from other facilities because she fears treatment would likely come to the attention of the defendant through the network of caregivers.

The Court noted that two invasion of privacy torts exist in Ontario:

19. In sum, there are two recognized invasion of privacy torts in Ontario; neither requires proof of pecuniary loss or harm to an economic interest. Aggravated and punitive damages may be awarded and an award should serve as a deterrent to others.

20. These two common law torts exist in addition to the statutory right or cause of action available to a plaintiff under the privacy legislation. The Personal Health Information Protection Act, 2004 S.O. c. 3, Sch A, s. 65 (PHIPA) contemplates mental anguish damages for breaches of statutory duty up to a maximum of $10,000. In Hopkins v. Kay 2015 ONCA 112 (CanLII) (paras 44-45, 73) the Ontario Court of Appeal considered whether the complaints process available under PHIPA displaces the common law authority of the courts to award damages for breach of the statutory duty and found that the legislation is not intended to be an exhaustive or comprehensive compensatory scheme. The complaints process is more suited to systemic breaches and an individual victim retains the right to bring a civil court action for damages.

The Court made a number of conclusions that are worth noting:

27. I disagree for at least four reasons. First, personal health information includes information about the providing of health care (s. 4(1)(b) PHIPA), not just the details of diagnosis or treatment. The defendant’s disclosure told others that the crisis facility was providing health care to the plaintiff. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. I agree with the opinion of the crisis facility director; the staff and facility are under a statutory and contractual duty to keep the provision of care private.

28. Second, the names associated with the facility – Crisis Respite and Homes for Mental Health – provide some information about the mental health status or condition of the individuals who seek treatment there. Therefore the disclosure went beyond just the providing of care but gave some indication of the nature of the condition being treated. This health information was also required to be kept private.

29. Third, the plaintiff considered this a “private matter” – she did not tell anyone in her family and signed consents limiting the access to information to only two people. The defendant saw the file, and Dean’s name on the paperwork. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. The defendant knew or should have known that this was a private matter and it was a secret to be kept from other family members. In her evidence and counsel submissions, the defendant acknowledges the private nature of the stay when she submits that she did everything she could to protect the plaintiff’s privacy during her shift. She claims to have sought advice, stopped reading the file, remained out of sight and gave away her other shifts, all out of respect for the plaintiff’s privacy. These actions show that prior to disclosure she knew the stay was a private matter to be held in confidence.

30. Finally, the confidentiality agreement signed by the defendant included a broad undertaking to keep confidential “any information regarding any consumer” – this promise extends beyond just personal health information. It clearly prohibits the health care worker from discussing resident’s information at all. The privacy policy requires a staff member to obtain the consumer’s express consent before giving personal health information or personal information to a “family member who is not a substitute decision maker.” The word “Express” is in bold font. In sum, I find that the information disclosed was personal health information, was a private matter concerning the private life of the plaintiff, and was information that the defendant was required to keep confidential under her confidentiality agreement and the privacy policy. Disclosure fell below the privacy standard established by the legislation and the crisis facility and forms the basis for tort liability.

The Court took judicial notice that mental health issues are particularly stigmatized and concluded that the disclosure of this information is highly offensive to a reasonable person: "I have no trouble finding that a reasonable person would find disclosure of their need for crisis mental health treatment to be highly offensive."

The Court also found malice:

39. I have already found that the disclosures were made intentionally and not for advice, support or concern. The defendant denies that they were done with malice but on the facts I am prepared to infer that the disclosures were done with malice, particularly that to the brother. They were intended to diminish the plaintiff in the eyes of her family and cause her embarrassment. I emphasize the brother because I suspect the defendant’s daughter and husband had already had their opinion of the plaintiff shaped by the defendant. However, the brother appeared to be trying to walk a middle ground between the two feuding sisters. The defendant seemed engaged in some kind of competition for her brother’s attention as evidenced when she races to be the first to invite him to Christmas dinner, calling the plaintiff “crazy” as she did so. This subsequent conduct along with her failure to apologize, confirms malice.

On the topic of damages, the Defendant argued that it was a case for nominal damages of around $300. The Court strongly disagreed:

42. I disagree. Actual emotional harm was suffered by the plaintiff. The doctor’s opinion confirms the worsening of her mental health condition following the public disclosure. In submissions during closing, the defendant asks me to disregard the general practitioner’s opinion but did not summons or cross examine the doctor’s opinion nor supply contrary medical expert evidence. Therefore, I accept the opinion of the plaintiff’s doctor as to the plaintiff’s worsened anxiety and depression. It is the only medical expert evidence submitted at trial and was not contradicted.

43. As to the claim that the plaintiff’s reaction is extreme and unusual, again I disagree. It is completely reasonable and foreseeable that the mental health of a patient already suffering from anxiety will deteriorate when someone releases mental health information about them. Unlike Mustapha the withdrawal of the plaintiff is not an extreme, unpredictable or unusual reaction – it is completely reasonable and foreseeable. This is an obvious situation of “take your victim as you find them” – mental fragility was not an unknown or hidden condition which the defendant could not have foreseen. The defendant knew the mental health status of the plaintiff before she committed the wrongful act and therefore she must take her victim as she found her and (I would add) as she knew her to be.

44. Finally, the defendant argues that the failure to subsequently seek treatment at other facilities is a failure to mitigate which goes to reduce her damage award. The failure to seek in-patient treatment is completely predictable in the circumstances and is a by-product of the defendant’s humiliation and embarrassment of the plaintiff. The defendant’s actions have made it more difficult for the plaintiff to seek treatment as she no longer trusts institutional care. She is still privately seeing her family doctor for out-patient care as the doctor’s opinion verifies. Failure to seek in-patient treatment is a symptom evidencing the worsening of the plaintiff’s condition. Prior to the disclosure the plaintiff was willing to seek in-patient treatment, after she was not. In sum the severity of her anxiety and depression is worsened, she rarely leaves her darkened apartment and her quality of life is severely reduced.

45. This is not a case for nominal damages. It properly falls within the range set for non-pecuniary damages in Jones. The summary of past damage awards contained in Appendix A & B of Jones offers a context for setting damages in this case. The documented psychological harm suffered takes the damages well beyond nominal amounts for embarrassment and humiliation while the limited number of people told and the temporary manner of communication (telephone rather than internet) go to contain the award. I award $7,500 for general damages.

The Court then awarded an additional $1500 in punitive damages.