Thursday, November 26, 2015

Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong

The CBC and the Canadian Press are reporting on comments made by RCMP Commissioner Bob Paulson calling for warrantless access to internet service provider customer information. (Bob Paulson, RCMP boss, wants warrantless access to online subscriber info - Politics - CBC News)

Yes, this is a revival of the lawful access debates that have taken place intermittently over the past decade or so.

Lets take a close look at what he said and why he's wrong.

Police need warrantless access to Internet subscriber information to keep pace with child predators and other online criminals, says RCMP Commissioner Bob Paulson.

The top Mountie said Wednesday that a Supreme Court of Canada ruling curtailing the flow of basic data about customers — such as name and address — has "put a chill on our ability to initiate investigations."

I don't disagree with that. But having to get a warrant to search someone's house also puts a chill on investigations.

"I'm all for warrantless access to subscriber info," Paulson told a security conference in Ottawa, comparing the process to his beat-cop days of entering licence-plate data into a computer and coming up with a vehicle owner's name.

"If I had to get a judge on the phone every time I wanted to run a licence plate when I was doing my policing, there wouldn't have been much policing getting done."

Whoa! This is an absurd characterization. Commissioner Paulson is either ignorant or disingenuous. The courts have held that you don't have an expectation of privacy -- vis-a-vis the police -- in your license plate information and your car registration information that it is connected to. The Supreme Court of Canada, in R v. Spencer (the case that Paulson clearly doesn't like or agree with), said very clearly that you have an expectation of privacy in your online customer data. In fact, the Court said at paragraph 50 of that decision:
"I conclude therefore that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy."

And as Paulson should know, where there is an expectation of privacy, the police must get a warrant. It's that simple.

Mounting public concern

In June last year, the Supreme Court of Canada ruled police must have a judge's authorization to obtain customer data linked to online activities.

The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

The Supreme Court of Canada was not at all ambiguous about it. You and I have a reasonable expectation of privacy (which includes anonymity). In the absence of a production order from the Court or exigent circumstances, they police can't have it. (For a summary of the case, you may want to read this blog post.)

The Charter is the supreme law of Canada and the Supreme Court gets to have the final word. No amount of wishful thinking by the police will change that. Since their job is to uphold and enforce Canada's laws, they should start with that.

Police say telecommunications companies and other service providers — such as banks and rental companies — now demand court approval for nearly all types of requests from authorities for basic identifying information.

The Supreme Court judgment came amid mounting public concern about authorities quietly gaining access to customer data with little oversight or independent scrutiny.

Paulson said after his speech that he advocates giving police ready access to basic subscriber information while respecting the Charter of Rights and Freedoms.

'We've been consistent'

"I think we've been consistent in recognizing that we are very respectful of the charter and people's charter rights and nobody is recommending that we go any further," he said. "But there needs to be some sort of administrative access to basic subscriber information."

No, they really haven't. Not at all. The Charter requires a warrant. Paulson wants a way around that fundamental legal fact that is rooted in the supreme law of our country.

The Canadian Association of Chiefs of Police revealed in August that government officials were mulling just such a scheme — though it's not clear exactly how it would square with the court ruling.

The chiefs said a discussion paper spearheaded by the Department of Justice was presented to the federal, provincial and territorial cybercrime working group of senior officials.

The paper outlined three legislative options for allowing access to basic subscriber information:

  • An administrative scheme that would not involve court approval.
  • A new judicial order process or a tweak to the existing regime.
  • A judicial order process for subscriber information with a greater expectation of privacy and an administrative, non-judicial one for less sensitive subscriber data.

Paulson said while the Internet is a marvellous boon to communication, education and commerce, it is also a place where a vast array of crime takes place, including rampant sexual abuse of youngsters.

Time for a public conversation

Children are "being hurt at a pace and a frequency that is alarming," the commissioner said.

"Technology is fuelling that. So now these people can encrypt their communications and they can exploit children for sexual purposes and it's a little harder to get at them from a police point of view."

Many people want the Internet to be completely free, without rules, Paulson noted. "That's fine if we don't want justice there."

The as expected "think of the children!" appeal. I'm surprised that he didn't mention the terrorists. It is worth noting that the RCMP Commissioner and the Canadian Association of Chiefs of Police advocated for Bill C-30, which would have provided for warrantless access to customer data even for a parking ticket or even no crime had been committed.

Also, nice straw man there, Paulson. Please show me the people who are contributing to the debate who call for the Internet to be "completely free, without rules." You won't find them. Your opponents in this debate do not question that police need appropriate powers to investigate online crime.

It's time for a public conversation about how best to prevent all kinds of exploitation in cyberspace, he said.

Allies in the United States, Britain, Australia and New Zealand are confronting the same issues, Paulson added.

"We're all struggling with this. It's hard to keep people safe on the internet right now.

The RCMP and the lobbying agency for Canadian police are obviously trying to revive a debate that has been definitively settled. If they want to try to make the judicial authorization process more efficient or to tweak the thresholds for getting customer information in the event of serious crime, I can help them with that. But when the police state things that are simply wrong about a subject matter they really should know very well, I'm going to call them on it.

Saturday, November 14, 2015

Presentation: Use of drones in journalism & media

I had the great pleasure of speaking at the annual conference of the Canadian Media Lawyers Association's annual meeting in Toronto on the topic of legal issues related to the use of drones by the media and in journalism in Canada.

For anyone who may be interested, here's the presentation:

Wednesday, November 04, 2015

Let's all avoid technopanic in the call for additional privacy regulation for drones

Full disclosure: I'm not a bystander to this discussion. I'm an avid drone user, having purchased a training drone and then DJI Phantom 3 Advanced in May of this year. I've been capturing, editing and proudly showing relatively unique perspectives of the beautiful province in which I live. Feel free to check my videos out:

Over the past few months, Transport Canada has been engaged in a consultation process to look at how to safely integrate unmanned aerial vehicles into Canadian airspace. This involved a call for comments regarding draft regulations or proposed regulatory approaches. Sensibly, Transport Canada was focused on their mandate under the Canadian Aviation Regulations, which is to enhance safety and competition in Canadian airspace.

The Office of the Privacy Commissioner of Canada submitted a response dated August 27, 2015. (Notably, this was posted on the OPC's website in October, well after the opportunity to respond.) There has been some reporting on this (Protect schools, homes from drones' prying eyes, privacy czar says | Toronto Star), but not much.

If you think there's some vacuum regarding privacy and the use of drones, think again. Federal agencies are subject to the Privacy Act and the Charter. Provincial agencies are subject to relevant Freedom of Information and Protection of Privacy Acts and the Charter. Private companies are regulated under the Personal Information Protection and Electronic Documents Act or the Alberta, Quebec and British Columbia equivalents. All of them -- and private citizens -- are subject to the Criminal Code for voyeurism and the torts of "invasion of privacy". There really is no gap. And in most of them, we consider whether there is a reasonable expectation of privacy in the totality of the circumstances.

With respect, I think at least part of the position articulated in their submission is wrongheaded and is an example of technopanic. The Commissioner's office calls for the creation of a completely new concept of "sensitive and protected areas". These are areas that " while perhaps public, carry with them some expectation of privacy when people use them". Here's the relevant sections of the submission:

Sensitive and protected areas

From a safety perspective, operation of UAVs in crowded areas, around aerodromes, airports and heliports has already been restricted, both in Canada and many other countries. Other jurisdictions, including many in the US, have placed outright bans on usage of UAVs in certain sensitive areas where people might congregate or other aircraft might be operating – certainly until such time as sense and avoid systems are better developed and more widely deployed.

We would encourage CARAC members to give thought to exploring a similar line of reasoning with regard to privacy concerns. Residential areas, schoolyards and shelters, hospitals and prisons, places of worship and memorial sites – all come to mind as spaces which, while perhaps public, carry with them some expectation of privacy when people use them.

As with identification methods noted above, we do not here have an exhaustive list of locations in mind, nor would we recommend an outright prohibition on usage in these areas, but would ask CARAC to consider developing a best practices approach to flag certain spaces like those mentioned as privacy sensitive (places where individuals’ sense of potential intrusion is generally heightened). Just as we would anticipate organizations concerned about their own security would be alarmed by sudden increases in the use of UAVs around their property, we would expect citizens could be similarly concerned if certain spaces were encroached upon.

For a recent specific example of regulation in this context, please see guidance issued this summer by Argentina’s Data Protection Authority, and where investigative use is contemplated, you might refer to our own Office’s Guidelines on the Use of Video surveillance by Public Authorities.

One of the great characteristics of Canadian law is that it is technologically neutral. We generally focus on the mischief, rather than the instrumentality. Fraud is fraud, regardless of whether it is done with a quill, a pen, a phone or a fax machine. While we may get excited about new technologies, we don't legislate about them specifically unless there really is a need to do so or a clear gap in the law.

With "sensitive and protected areas", we are still talking about public spaces. Is there any difference between taking a photo in a residential area with a DSLR or with a drone? I have a 300mm lens for my Nikon D90 and any law that said I couldn't use it to take photos in the park down the street would be unconstitutional. My drone has a 20mm wide angle. A military predator drone can do much better than anyone's civilian digital camera. If there is a problem with people taking photos in parks or residential areas, make a law that deals with photos in residential areas or parks. And any law would have to apply to me in the same what that it applies to a TV news crew. (And then see whether it survives a Charter challenge.) It should not matter what technology you use to do that. If the problem is the effect, focus on the effect. Not on the shiny new technology that you think may be creepy.

Everyone who uses these devices needs to follow all relevant laws, which include privacy laws. And that covers it.

If you want more about this, I just gave a presentation at the Unmanned Systems Canada 2015 conference on privacy law and drones and will be speaking at the Canadian Media Lawyers Association - Ad Idem conference on privacy and drones.

Presentation: Privacy and drones in Canada - the current state of the law

I had the pleasure of presenting at the Unmanned Systems 2015 conference this week, on the topic of privacy and drones (or unmanned aerial vehicles or unmanned aerial systems). I mostly spoke about what privacy laws apply to the different aerial activities in Canada, with a bit of discussion about what might be over the horizon.

For anyone who may be interested, here's the presentation I gave:

Thursday, October 29, 2015

Supreme Court to hear important case about legal privilege and access to information/privacy laws

This morning, the Supreme Court granted leave to appeal the Alberta Court of Appeal decision in University of Calgary v JR, 2015 ABCA 118.

In a nutshell, this will be a revisiting of Blood Tribe, but in the context of the provincial access to information laws that govern public bodies and government agencies.

Here’s the summary of the issue in appeal from the SCC website:

Information and Privacy Commissioner of Alberta v. Board of Governors of the University of Calgary

(Alberta) (Civil) (By Leave)

Keywords Privacy - Access to information.


Case summaries are prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch) for information purposes only.

Privacy — Access to information — What words must a statute employ to empower a tribunal to review records to determine whether a claim of privilege is valid?

In the course of a wrongful dismissal suit by an individual against the respondent University, the University asserted solicitor-client privilege over certain material. The individual made an access to information request under s. 7 of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25, seeking certain records about her in the University’s possession. The University provided some disclosure, but claimed solicitor-client privilege over some of the requested material. The Commissioner’s delegate eventually directed the University to the Commissioner’s “Solicitor-Client Privilege Adjudication Protocol”. When the University did not comply, the delegate issued a “notice to produce records” under s. 56(3) of the Act. It reads, in part, “[t]he Commissioner may require any record to be produced to the Commissioner and may examine any information in a record… [d]espite any other enactment or any privilege of the law of evidence”. The delegate indicated in an accompanying letter that the purpose of the notice was to enable him to determine whether solicitor-client privilege had been properly asserted because the University had not provided sufficient evidence to allow him to make that determination. The University sought judicial review of the delegate’s decision to issue the notice to produce. The Law Society of Alberta was granted intervener status at the Court of Queen’s Bench and the Court of Appeal. The application for judicial review was dismissed, and the subsequent appeal was allowed.

In the same batch of leave applications, the Court dismissed leave to appeal from the Ontario decision of Hopkins v. Kay, 2015 ONCA 112. In that Case, the Ontario Court of Appeal declined to throw out a class action brought against a health authority which had argued that the provinces Personal Health Information Protection Act was a complete code which ousts claims for intrusion upon seclusion.

Tuesday, October 06, 2015

EU Court of Justice invalidates "Safe Harbour" framework for EU-US personal data transfers

The European Court of Justice has just declared that the European-American Safe Harbour framework to be invalid. The Safe Harbour Framework was a compromise solution to address the prohibition against transfers of European personal information to any jurisdiction without "adequate" privacy protections. The American government and the European Union arrived at a voluntary, opt-in framework by which US companies could submit to a form of regulation that would be considered adequate for European standards. Following a complaint by an Austrian Facebook user, the court essentially determined that -- in light of the Snowden revelations -- that personal data in the US is not afforded adequate protection.

The decision is here: Maximillian Schrems v Data Protection Commissioner.

Here's the Court's press release 117/15:

Court of Justice of the European Union

PRESS RELEASE No 117/15 Luxembourg, 6 October 2015

Press and Information

Judgment in Case C-362/14

Maximillian Schrems v Data Protection Commissioner

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity

The Data Protection Directive1 provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications,4 according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell  (+352) 4303 3355 Pictures of the delivery of the judgment are available from "Europe by Satellite"  (+32) 2 2964106

Saturday, August 29, 2015

Canadian Police Chiefs looking to resurrect warrant-less access to telecom users' data

The Canadian Association of Chiefs of Police, at their annual conference, just passed a resolution looking to resurrect the lawful access debate following R. v. Spencer.

I find it puzzling. They are looking for warrantless access to customer data (which they call BSI, or basic subscriber information) where there is no expectation of privacy, while the Supreme Court of Canada said that there is a reasonable expectation of privacy in basic subscriber information. Their resolution (reproduced below), refers to recent caselaw that follows old pre-Spencer decisions that say there is no expectation of privacy in customer name and address connected to a telephone number. The resolution also refers to options being considered by a federal, provincial and territorial cybercrime working group to provide warrantless access to BSI.

Let me get this straight: they want warrantless access to BSI where there is no expectation of privacy, while the Supreme Court has said there is an expectation of privacy in BSI. So what's left of the categories of BSI where there is no expectation of privacy?

A few things are clear to me, which make this resolution and the apparent efforts to circumvent the warrant process very problematic.

  • The Supreme Court said there is a reasonable expectation of privacy in BSI, at least in the internet context;
  • The CACP and law enforcement generally have consistently said -- contrary to what the Court found in Spencer -- that there is never an expectation of privacy in BSI;
  • You can't trust law enforcement to determine whether an expectation of privacy exists.

I recognize that BSI is often critical to investigations, but it can't be a free for all where the police get access to it without an impartial judicial officer determining, on sworn evidence, that the balance between privacy and public safety is in favour of public safety. The inexorable conclusion is that the only solution to this is to make the warrant and production order process more efficient and streamlined.

Justin Ling did a great article on this for the CBA's National Magazine: National | Accessing subscriber data: Working around the Spencer ruling.

Resolution #03 - 2015


Submitted by the E-Crimes Committee

WHEREAS law enforcement requires real-time, or near real-time access to basic subscriber (customer name and address) information (BSI) as it relates to telecommunications’ customers for investigative reasons, and;

WHEREAS the Supreme Court of Canada, in their majority decision in R. v Spencer, 2014 SCC 43, did state that:

  • a reasonable expectation of privacy exists in the identity of an internet subscriber where there is an ability to link that identity to specific online activity;

  • the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name address and telephone number found in the subscriber information;

  • absent an exigent circumstance, or authority from a reasonable law, such as authority from a judicial warrant or order, police do not have the power to conduct a search for basic subscriber information (BSI) when there exists a reasonable expectation of privacy in that information, and;

WHEREAS since the Spencer decision, the telecommunications companies refuse to provide any basic subscriber information (BSI) in the absence of an exigent circumstance, or a judicial warrant or order, even where there exists no reasonable expectation of privacy, and;

WHEREAS there exists no lawful authority designed specifically to require the provision of basic subscriber information, and the problems posed by this gap in the law are particularly acute where there exists no reasonable expectation of privacy in that information.

THEREFORE BE IT RESOLVED that the Canadian Association of Chiefs of Police supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, basic subscriber information (BSI) from telecommunications providers.



In June 2014, the Supreme Court of Canada issued a decision in the case of R v. Spencer - identifying that subscriber information that allows for the linking of the identity of a person with specific online activity in the context of a criminal investigation engages a high level of informational privacy. However, telecommunications and other service providers (e.g. financial institutions, rental companies) have interpreted the court's findings more broadly, and now demand judicial authorization (based on a reasonable grounds to believe threshold) for nearly all types of government requests for basic identifying information, extending beyond instances involving a person's substantive Internet activity.

The impact of the Spencer ruling and the broader response by telecommunications and other service providers is having a significant impact on law enforcement and criminal investigations. Basic identifying information is often required at the onset of an investigation where technology plays a role, but the judicial threshold required to obtain warrants and general production orders to access basic identifying information is difficult, and often impossible, to satisfy when an investigation is in its early stages.

Moreover, the impact of the Spencer ruling has caused substantial resource and workload challenges for law enforcement. For example, prior to the Spencer ruling, law enforcement agencies would generally complete a voluntary request to telecommunications service providers for basic identifying information in under an hour, and receive a response from service providers within the same day. Following the Spencer ruling, accessing the same information now often requires ten to twenty times the amount of administrative work and documentation, days of preparation to seek judicial authorization, and responses from service providers can take upwards of one month - sometimes exceeding a service provider's data retention schedule for the same information (meaning the information is no longer available).

Criminal investigations impacted by the Spencer ruling are now often delayed and in some cases, not pursued, due to judicial authorization or resource challenges. This impact applies to a range of investigative work, such as cases involving suspected online child sexual exploitation and abuse, fraud and other financially-motivated crimes, organized crime, requests for international law enforcement assistance, and national security matters involving suspected extremism and other threats to Canada - all of which may require basic identifying information from a telecommunications or other service provider to identify potential evidence for criminal investigations and prosecutions.

Transparency Guidelines

Transparency Reporting Guidelines were prepared by Industry Canada, in consultation with RCMP and other relevant Government of Canada partners, to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities. Specifically, the Guidelines cover categories of disclosures for reporting purposes and limitations to consider when reporting statistics. Of note, the Guidelines specify that there should be a six month delay in reporting timeframe to ensure that most active investigations have no possibility of being compromised. On June 30, 2015, the Transparency Reporting Guidelines were published on Industry Canada’s website:

Coordinating Committee of Senior Officials

Recently, a discussion paper, led by Justice, was presented to the Federal, Provincial and Territorial Coordinating Committee of Senior Officials, Cybercrime Working Group. The paper focuses on the impact of Spencer and legislative reform considerations.

Option 1: Create an administrative (non-judicial) scheme for access to Basic Subscriber Information (BSI).

Option 2: Create a new judicial order (production order) for basic subscriber information and/or add BSI to existing production orders.

Option 3: Create a specific production order for some types of basic subscriber information with a greater expectation of privacy, and create a specific administrative (non-judicial) authority for access to other types of basic subscriber information.

Recent Case Law

  • Since the Supreme Court of Canada released its decision in R. v. Spencer in June 2014, case law has started to emerge that applies the analysis in Spencer to other cases involving police requests for BSI.

  • The majority of relevant cases thus far are from Ontario and involve requests for BSI associated to a phone number. The cases have generally found that the privacy interests in BSI associated to a phone number are not the same as the privacy interests in BSI linked to an IP address, and distinguish Spencer on that basis. As such, the Ontario decisions have upheld warrantless requests for BSI associated to phone numbers as they found in the circumstances of each case that there was no expectation of privacy in such information. See: R. v. Morrison (unreported, Ontario Court of Justice, Reasons released on December 17, 2014); R. v. Khan (2014 ONSC 5664); R. v. Latiff (2015 ONSC 1580); R. v. Nurse and Plummer (2014 ONSC 6004).

  • The issue of whether there is a reasonable expectation of privacy in BSI associated to a phone number has also emerged in the context of transmission data recorders warrants (TDRW). These warrants provide judicial authorization to record incoming and outgoing dialed phone numbers. In Ontario, police/Crowns have argued before the Superior Court of Justice that an assistance order is the proper authorization to obtain in conjunction with a TDRW to compel a service provider to provide the BSI associated with the dialed numbers. However, Telus has argued that due to the privacy interests in BSI, as found in Spencer, a general warrant is the proper authorization. Nordheimer J. agreed with the police/Crown and held that Spencer was a decision dealing with the Internet and it did not find that there is always a reasonable expectation of privacy in BSI, but rather it will depend on the circumstances of each case. This is a very recent decision (June 19, 2015), and it will be interesting to see if other jurisdictions follow this reasoning. See H.M.Q. v. TELUS Communications Company, 2015 ONSC 3964.


Action Plan

The CACP Law Amendments Committee will work with the E Crime Committee to develop new legislation that supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, BSI from telecommunications providers.

The Committee will keep abreast of the ongoing work of the F/P/T Coordinating Committee of Senior Officials, Cyber crime Working Group who is leading the policy development of legislative reform considerations; next meeting schedule in November, 2015.

Requirement to develop an overall government-wide approach to ensure law does not run counter to government objectives or would require major modifications in the future.

Monday, August 17, 2015

Nova Scotia's Cyber-safety Act (hopefully) heading for a Charter challenge

A case I am involved with is hopefully heading to argument on Friday in the Supreme Court of Nova Scotia on whether the province's Cyber-safety Act goes too far in infringing Charter protected speech. There has been a lot of interest in the statute since the former NDP government jammed it through the legislature in the wake of the tragic death of Rehtaeh Parsons. It's my opinion that rather than address a dramatic failing on the part of the police and prosecution service (which the government would have to admit occurred on its watch), the government pulled out the old "there wasn't a law! we need a new law!". The result was a hastily assembled statute, which is more fully described elsewhere on this blog.

The case has been bifurcated, so that on Friday there will be a decision on whether, in the view of the judge, my client should be subject to a "cybersafety protection order" under the Act. Depending on the outcome of that decision, we will argue that the Court should consider the Charter and our arguments that the Cyber-safety Act violates Section 2(b) of the Charter and cannot be saved by Section 1 as a reasonable limitation on freedom of expression. But even if the judge determines that he does not have to consider the Charter, I am sure that this dumpster fire of a statute will face Charter scrutiny sometime soon.

The Halifax Chronicle Herald did a big piece on the story (much larger than I had expected) in the weekend edition of the paper and there's been a lot of other media attention as well, including this interview on CTV Atlantic which summarizes my view.

Here's the Herald article:

Lawyer set to launch charter case against law inspired by Rehtaeh Parsons | The Chronicle Herald

A law inspired by the death of Rehtaeh Parsons could face its first court challenge next week when a Halifax lawyer will attempt to argue it violates charter rights regarding freedom of expression.

The Cyber-safety Act was brought in by the former NDP government in response to a wave of public criticism of the way Rehtaeh’s case was handled. The 17-year-old girl died after attempting suicide in 2013. She accused several boys of raping her while she was drunk and a photo of the alleged sexual assault was widely circulated among her peers.

Within weeks of Rehtaeh’s death, former justice minister Ross Landry was in a Halifax high school unveiling the new legislation. Critics, Halifax lawyer and privacy expert David Fraser being one of the most vocal, say the government’s actions were too fast, too sweeping and did not consider the full implications of such a bill.

Cyberbullying is a real problem, said Fraser, but his argument goes beyond that.

“The issue is, how do you define it and how do you define it in a way that takes into account the fact that people should have freedom of expression to, particularly, speak about matters of public interest?” said the partner with McInnes Cooper.

On Friday, Fraser and his client, Robert Snell, will learn from a judge whether Snell did in fact cyberbully a former business partner as defined by the province’s Cyber-safety Act. Snell had a protection order placed on him by the courts as a result of statements he made online. The order prevents Snell from communicating with Giles Crouch or discussing their disagreement.

Following the judge’s decision, Fraser hopes he will be able to begin arguing that the law breaches Section 2 of the Charter of Rights and Freedoms. The two issues were split following an argument from the attorney general. The government’s view is if the judge finds Snell’s actions were not cyberbullying, there is no reason to address the charter aspect.

Regardless, Fraser is going to court prepared to begin the charter fight.

Laws need to be more nuanced when they approach values protected by the charter, said Fraser. It’s why injecting more context is so important, he said. The legislation doesn’t take into account, for example, the difference between criticism of a public official and hurtful comments directed at a young or vulnerable person, said Fraser.

“I should be able to go on social media and, let’s say, call the premier of a province a liar for not keeping a campaign promise. Now, that may hurt his feelings, may harm his self-esteem, and so that would be cyberbullying. We need to have a way of taking those sort of things into account.”

Fraser isn’t the only person who has issues with the law.

Cara Faith Zwibel at the Canadian Civil Liberties Association said she’s not sure the law is even necessary.

“My inclination would be to take a really hard look at what already exists out there to address these problems, and I think the fact is that there is quite a lot out there already that can; it’s a matter of the will to actually use those tools.”

The serious and damaging kind of cyberbullying could be addressed through existing elements of the Criminal Code that handle harassment, as well as defamation law when the matter concerns reputation, said Zwibel. She shares Fraser’s view that the breadth of the definition of cyberbullying goes too far and also has concerns about the protection orders the CyberSCAN unit can impose, which can include bans on using electronic communication.

“I don’t think it’s a matter of just tweaking the existing legislation,” Zwibel said. “I don’t think there’s been a compelling case made for why it’s necessary.”

The man who has become a leading expert on cyberbullying understands the concerns of Fraser and Zwibel, but Wayne MacKay said there are several broad questions that must be weighed.

A professor at Dalhousie University’s law school, MacKay was the lead on the province’s cyberbullying task force. He said the former government adopted a similar broad definition as was laid out in the task force’s final report. MacKay was not consulted in the drafting of the legislation.

“There’s no question that it does limit freedom of speech, as does hate speech,” he said. “The question is often whether or not it is a reasonable limit in a free and democratic society.”

The main debate will be whether the benefits of the law outweigh the invasions of rights for those who want to exercise free speech, MacKay said. It’s not an easy debate, but he thinks there is reason to believe this is reasonable.

“I think the problem of cyberbullying is a very large and significant one.”

If there is to be a change, MacKay hopes it would be to adjust the definition of cyberbullying rather than just repealing the law.

“To eliminate the law or strike the whole thing down would be quite unfortunate.”

One of the problems with attempting to address the issue through other avenues, said MacKay, is those options aren’t as well known as the new legislation. More importantly, he said, CyberSCAN is a specialized agency focused only on these kind of matters. The unit has a range of remedies at its disposal, from informal meetings with involved parties all the way up to passing the matter on to police for crim-inal charges.

“I think there really isn’t another vehicle at the moment that offers that whole range of possible remedies.”

Although there may be room for clarification and improvement with the legislation, MacKay said judges are developing a fair degree of expertise in “drawing between what is acceptable free speech” and things that aren’t. They can’t ignore the legislation, but they can interpret it and, in so doing, judges can provide the necessary nuance, said MacKay.

The government will only become involved in the matter if the discussion of a charter challenge proceeds.

Provincial officials would not comment outside of the court proceedings. An email from a Justice Department spokesman said the province believes the act is constitutional. In a brief filed with the court, the government notes that “should the protection order be revoked by this court, such a result would remove the need to review the legislation under the charter as the matter would become moot.”

“To argue issues unnecessarily wastes precious judicial resources, does not advance the administration of justice and spends counsel’s time incurring unnecessary costs.”

Fraser, obviously, doesn’t see things that way. Regardless of how the judge rules in the matter of his client, the larger issue of constitutionality needs to be addressed, he said.

“I recognize we need to protect people, particularly vulnerable people, but it should not be at the expense of charter-protected speech. There needs to be a balance, and I don’t see any of that in the legislation as it exists.”

Tuesday, July 28, 2015

Privacy breach class action certified against Government of Canada for medical marijuana breach

In a decision issued on July 27, 2015 but not yet published (but available here as a PDF), the Federal Court of Canada has certified a class action against the Government of Canada for disclosing the personal health information of participants in the "Marihuana Medical Access Program" in a botched mailout that was intended to advise program participants about changes to the regulation, which ironically where said to protect privacy and safety.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error and that it was outside their normal practice, its reaction has consistently been "no harm, no foul".

What's most notable about this decision -- which is consistent with the recent decision in Condon v. Canada -- is that the court certified the plaintiffs' claim under the novel tort of "public disclosure of private facts". This tort is recognized in the United States, but is untested in Canada. It is a part of the four different privacy torts recognized by the Ontario Court of Appeal in Jones v. Tsige.

In March 2015, the Privacy Commissioner of Canada found that Health Canada's breach was a violation of the Privacy Act. At the certification hearing, the Government of Canada argued that the Privacy Commissioner's finding should be enough to satisfy everyone harmed by the breach, but the Court noted that the Commissioner can't award any of the damages sought by the plaintiffs.

Full disclosure: My firm is one of the firms representing the plaintiffs.

From the firms' media release:

Federal Court certifies privacy class action by Medical Marijuana patients against Health Canada


The Federal Court of Canada has certified a class action commenced on behalf of more than 40,000 medical marijuana licensees alleging that Health Canada violated their privacy.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error, it insists that no one was harmed by the breach.

In March 2015, the Office of the Privacy Commissioner of Canada concluded that Health Canada violated federal privacy laws. However, in the recent certification decision, the Court found that the class action is necessary to provide access to justice because the Privacy Commissioner cannot order the Government of Canada to compensate class members harmed by the breach. The Government has 30 days to appeal the certification decision.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing the plaintiffs in the medical marijuana privacy breach class action filed in the Federal Court against the Government of Canada. The plaintiffs seek damages for breach of contract, breach of confidence, invasion of privacy and Charter violations.

“We are very glad to see this case moving forward. The certification decision means that the Court has agreed that this is an appropriate case for a class action and that allowing all of the class members to proceed in a group is in the interests of justice,” said Ward Branch of Branch MacMaster LLP. “The Government of Canada has fought us at every turn, but have also lost each motion to date. We are hopeful that they will now see the wisdom of sitting down to resolve the issues created by this error.”

“This is not over yet, but the thousands of affected program members should take some comfort that every legal claim we advanced on their behalf has been approved to go forward,” said David Fraser of McInnes Cooper.

“As citizens of this great country, we rely on our government to protect our sensitive personal information from being disclosed and to protect our privacy during all communications. This decision sends a clear message to the government that our Courts consider privacy to be of the utmost importance and expect our government to take its privacy obligations seriously or face the consequences,” said Ted Charney of Charney Lawyers.

“Over one thousand people have registered on our secure website to tell us how the breach affected them. We will continue to pursue justice for those harmed by the breach,” said David Robins of Sutts, Strosberg LLP.

While it is not necessary to “opt in” to participate in the class action, class members are urged to visit the website to obtain updates and to register because the information collected on the secured site will assist class counsel in communicating with class members and moving the case forward. Those who have already registered do not need to re-register but should update their information if their circumstances change or to report further harm suffered from the breach.

- 30 -

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

For more information or to request an interview, please contact:

Ashley LeCroy
Manager, Marketing & Communications

For more background, check out these previous posts.

Friday, July 17, 2015

Supreme Court to hear PIPEDA case that left lender out in the cold

The Supreme Court of Canada has granted leave to appeal from the Ontario Court of Appeal decision in Royal Bank of Canada v. Trang, 2014 ONCA 883. This is and will be an important decision about how to deal with certain provisions of the federal privacy law that have an impact on lenders.

On December 9, 2014, the Ontario Court of Appeal decided that the Personal Information Protection and Electronic Documents Act (PIPEDA) prevents a mortgagee from disclosing the mortgagor’s discharge statement to another lender – even when that lender has a judgement against the mortgagor – without either the mortgagor’s express consent or a specific court order. The decision is relevant beyond Ontario because PIPEDA is federal legislation applicable across Canada, and Atlantic Canadian Provinces have legislation analogous to the Ontario legislation.

Scotiabank held a registered first mortgage on the Trang’s Toronto real property. RBC subsequently loaned the Trangs money. They defaulted and RBC obtained a judgment against them. Twice, the Trangs did not appear for their examination in aid of execution. RBC asked Scotiabank for a mortgage discharge statement to facilitate sale of the property. Scotiabank said PIPEDA precludes it from disclosing the statement without the Trangs’ consent. RBC asked the Ontario court for an order compelling Scotiabank to produce the mortgage discharge statement – but a split five-judge panel of the Ontario Court of Appeal refused. The Court did note that RBC could use the usual procedural tools to examine a representative of Scotiabank, though it is unclear to me whether that would result in the discharge statement.

The majority of the Court found that a mortgage discharge statement is personal information, and there was no implied consent on the part of the borrowers to have it disclosed in the circumstances.

It'll be interesting to see where the Supreme Court of Canada falls on this issue.