In January, the fine folks at the Citizen Lab made some very in-depth inquiries of Canadian telecommunications providers asking about the practices of providing customer information to law enforcement and national security agencies. According to a post on the Citizen Lab's website, ten companies have responded showing a huge range of responsiveness. Check out their post: The Murky State of Canadian Telecommunications Surveillance - The Citizen Lab.
Thursday, March 06, 2014
Tuesday, February 25, 2014
In a decision issued yesterday, the Federal Court ordered the the identity of plaintiffs in a putative class action against Health Canada should be protected to allow them to pursue their claim against the Government for the breach of privacy of members of the Medical Marihuana Access Program.
As blogged about last year, my firm filed a proposed class action lawsuit against Health Canada after it sent a mailing to approximately 40,000 people who are authorized to possess or grow marijuana under the program administered by Health Canada. (More info is here.)
Shortly after the breach occurred, lawsuits were filed in the federal courts by my firm, McInnes Cooper of Nova Scotia, and Branch McMaster of British Columbia. Sutts Strosberg of Ontario filed a lawsuit in the Ontario Superior Court. Each of these cases has a separate named plaintiff and all three of them were filed with the intent that they would be certified as class actions on behalf of all similarly affected participants in the MMAP.
The suit commenced by McInnes Cooper was filed on behalf of “John Doe”, a resident of Nova Scotia. The suit commenced by Sutts Strosberg was filed on behalf of “Suzie Jones”, a resident of Ontario. The case commenced by Branch McMaster was filed on behalf of an individual who chose to identify himself. The “John Doe” and “Suzie Jones” cases have been consolidated into one case in the Federal Court of Canada.
“John Doe” and “Suzie Jones” are pseudonyms for the proposed representative plaintiffs, so that the identities of those individuals would not become known. On February 20, 2014, a motion was heard in the Federal Court of Canada for an order of the court protecting the identities of “John Doe” and “Suzie Jones”. In most cases, parties to a legal action are required to name themselves and this information appears on the public record. Because the case against Health Canada is based on the disclosure of program members’ identities in association with the MMAP, requiring participants in these lawsuits to name themselves would further harm their privacy.
On February 25, 2013 we received the decision of the Court. The Court agreed that to deny the plaintiffs anonymity in the court proceeding would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada’s mailing that identified them as a participant in the Program.
Government lawyers, on behalf of Health Canada, argued that this was a matter related solely to marihuana use and that the plaintiffs’ privacy should not be protected. Relying on newspaper articles and internet research, they argued that public opinion about marihuana use has changed to be more accepting. The Court rejected this evidence as irrelevant, explaining:
“What the Plaintiffs’ marijuana use discloses is their medical and health information. The Plaintiffs are patients, no simply “users”. Disclosing their identities discloses that a course of treatment has been prescribed by them by a medical doctor, and that they suffer from serious health conditions and symptoms. Identifying the Plaintiffs by name or information that discloses their personal identity also discloses that they have or are likely to have medical marihuana in their homes – something that Health Canada itself saw as a serious safety and security risk.
Accordingly, I am satisfied that in the within case of John Doe and Suzy Jones, without the protection they seek on this motion, the important issues they raise in their Amended Statement of Claim may not be determined in this forum, and that the issues they raise regarding patient rights, privacy and whether Health Canada owes a duty of care and has breached that duty and is liable are issues that are in the public interest to be determined. The Plaintiffs have requested only that their personal identity be protected and with minimum intrusion on the open court process.”
It's particularly gratifying that the Court acknowledged that this isn't just a matter of protecting the privacy of marihuana users, but more centrally concerns sensitive health information that was disclosed.
(Members of the proposed class can register and get more information at http://www.marijuanaclassaction.com).
Monday, February 17, 2014
Apparently the Canadian government plans to appeal a Federal Court decision that roundly chastised the Canadian Security Intelligence Service, the Communications Security Establishment of Canada and Department of Justice for misleading the Court in order to get warrants to have "Five Eyes" partners spy on Canadians outside of Canada. This is according to Star Phoenix and statements made during testimony before the Senate National Defence Committee.
Friday, February 14, 2014
The Ontario Superior Court in Hopkins v. Kay, 2014 ONSC 321 (CanLII) has concluded that the Personal Health Information Protection Act does not pre-empt a claim for "intrusion upon seclusion" against a hospital and its employees for unlawfully perusing personal health records:
 While it is argued by counsel for the Hospital that Jones dealt with Federal privacy legislation (“PIPEDA”), it is equally clear to me that Sharpe J.A. conducted a review of other similar legislation and specifically referred in his decision to PHIPA. At paragraphs 47-51, however, and again at paragraphs 52-54, there can be no doubt that Sharpe J.A. was well aware of the provisions of PHIPA and the potential impact of recognizing a common law tort of breach of privacy. In dealing with whether or not the legislation had occupied the field, the comments of Justice Sharpe at paragraph 54 are particularly apropos when he states:Significantly, however, no provincial legislation provides a precise definition of what constitutes an invasion of privacy. The courts and provinces with a statutory tort are left with more or less the same task as courts and provinces without such statutes. The nature of these acts does not indicate that we are faced with a situation where sensitive policy choices and decisions are best left to the legislature. To the contrary, existing provincial legislation indicates that when the legislatures have acted, they have simply proclaimed a sweeping right to privacy and left it to the courts to define the contours of that right. I am not satisfied from a review of Jones that it should be, as suggested by counsel for the Hospital, restricted to the facts of that case. Rather, I am of the view that the Court of Appeal in Jones has determined that the common law right to proceed with a claim, based on the tort of breach of privacy, as alleged in the plaintiff’s statement of claim is a claim that should be allowed to proceed. This is not a case that, in my view, is so plain and obvious that the court should strike out the claim. If the position of the Hospital is to be sustained, it will require a decision of the Court of Appeal, which as the British Columbia Court of Appeal has done, determines that there is no claim for breach of privacy and that the claim must rest on the provisions of PHIPA. The defendants’ motion is therefore dismissed with costs.
Thanks to Barry Sookman for pointing this case out ...
Breach of privacy case allowed to proceed Hopkins v. Kay, 2014 ONSC 321 (CanLII) http://t.co/PUEQlK73by— Barry Sookman (@bsookman) February 15, 2014
Wednesday, February 12, 2014
Yesterday, I blogged about the first cyberbullying prevention order issued under Nova Scotia's Cyber-safety Act. (See: Canadian Privacy Law Blog: Nova Scotia court issues first cyberbullying prevention order.)
At that point, all I had to go on was the media reporting. Since then, I've managed to get my mitts on the Order of Justice Robertson, the brief filed by the Nova Scotia Director of Public Safety, the affidavit of Chief Paul, and the affidavit of CyberScan Unit enforcement officer Dana Bowden. No copy of actual decision or reasoning of the judge is available. Hopefully that will be released shortly.
In the past, I've been critical of the over-breadth of the Cyber-safety Act and its definition of cyberbullying that can capture legitimate speech that is protected by the Charter of Rights and Freedoms. Most of the reporting on this case focused on comments that were characterised as harassing. The crown attorney went even further:
Crown attorney Angela Jones told the court that the comments made by Prosper were “defamatory, vulgar, … abusive and obscene.”
[None of the comments that I saw met the legal definition of "obscene".]
However, the contents of the affidavit seem to tell a different tale. While certainly the communications that were alleged to have been made by the respondent were what I would call unpleasant, sometimes vulgar and certainly repeated, it also appears to be rooted in questions related to the management of the finances of the Pictou Island First Nation overseen by the complainant. I didn't see any attempt anywhere in the documents to do anything less than shut the respondent down completely. The CyberScan investigator met with the respondent and told him to stop all of his communications with the Chief, not to tone it down.
While this is the first such order, it's a bit disheartening that a statute with the potential to dramatically chill constitutionally protected speech doesn't seem to be applied in a manner to temper this overreach, as was the case when a constituent of Nova Scotia MLA Lenore Zahn was told by the CyberScan Unit to remove tweets that questioned her judgement.
A judge of the Nova Scotia Supreme Court has issued the first "Cyberbullying prevention order" under the province's Cyber-safety Act.
The case, as it has been reported, appears to be a classic case of online harassment where the victim reportedly received numerous threatening messages through Facebook. When the user was "blocked", he then repeatedly communicated with the victim's children conveying threatening messages. I haven't seen the actual order yet, but it reportedly orders him to stop "cyberbullying" and communicating with or about the victim.
One additional point that's worth pondering is that the respondent to the order, who did not appear, is in Ontario which may make enforcing this order under Nova Scotia's unique law a challenge.
From Global TV (the link will also take you to a video where I was interviewed):
Nova Scotia court issues first cyberbullying prevention order - Halifax | Globalnews.ca
HALIFAX – A Nova Scotia Supreme Court judge has imposed a cyberbullying prevention order on a man who was accused of using Facebook to post threatening and defamatory statements about the chief of a First Nation.
The order is the first imposed by a court under the province’s Cyber-safety Act and involves allegations made by Andrea Paul, chief of the Pictou Landing First Nation.
She alleges Christopher George Prosper posted abusive and obscene comments about her and her family on Facebook last year.
Paul says she contacted the province’s CyberSCAN unit, which is the first of its kind in the country to be tasked with investigating complaints of cyberbullying.
Judge Heather Robertson told a Halifax courtroom that she was satisfied this was a case of cyberbullying under the act, saying Prosper’s actions hurt Paul’s reputation and psychological well-being.
David Fraser, a privacy lawyer with the McInnes Cooper firm in Halifax, says Nova Scotia’s cyberbullying legislation is ultimately doomed to fail.
“There is … a very real possibility that this legislation could be used to chill charter-protected speech, the ability of individuals to express themselves, the ability of individuals to be critical of their government, of public officials,” he said.
Fraser believes the bill will be challenged in the near future.
The court order is imposed for one year and it says Prosper must remove all messages deemed to be cyberbullying, refrain from contacting Paul and stop cyberbullying.
Tuesday, February 11, 2014
Take action against mass, suspicionless surveillance. If you're from Canada, go here and tell your MP that this is an important issue that cannot be ignored: TheDayWeFightBack.Ca and then go here: Necessary and Proportionate - Take Action.
In the US, go here: TheDayWeFightBack.Org.
Monday, February 03, 2014
If you were watching today's testimony of John Forster, chief of the Communications Security Establishment Canada and Michel Coulombe of the Canadian Security and Intelligence Agency before the Senate national security and defence committee, you probably noticed the consistent denial that they were intercepting "private communications", in contrast to metadata. That phrase was repeated like a mantra. The origin seems to come from the Criminal Code, which contains the following ambiguous definition at Section 183.
"private communication” means any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it;
It would certainly appear that these witnesses were well coached to believe that "private communication" includes "metadata", which was dismissed as just "data about data". I'm not so convinced that "private communication" excludes signalling information or transmission data. First, the definition refers to "any oral communication" or "any telecommunication", not "any oral communication" or "any [oral] telecommunication". Words matter and -- in this case -- punctuation matters.
Any capturing of metadata is, in my view, capturing "private communications".
And the suggestion that capturing "metadata" is somehow innocuous flies in the face of reality. Who I call is my business. How often I call them is also my business. I have no problem if you can get a judge to issue a warrant, based on reasonable and probable grounds, to intercept it. But dragnet surveillance of innocent people is not acceptable in a free and democratic society.
(I'm afraid, given the recent revelations, that nobody will be able to say -- for any communication -- that it "is reasonable for the originator to expect that it will not be intercepted".)
Sunday, February 02, 2014
This is important to watch. And once you've watched the full half hour, consider why it was never broadcast in North America.
Friday, January 31, 2014
Dulcie McCallum has resigned as Freedom of Information and Protection of Privacy Review Officer, effective next week. Here's the message from her, released today:
Message from Dulcie McCallum
Freedom of Information and Protection of Privacy Review Officer
January 31, 2014
On January 17, 2014, I was advised by the government of Nova Scotia that it had elected not to offer me reappointment for another term as the Nova Scotia Freedom of Information and Protection of Privacy [“FOIPOP”] Review Officer which was an option available to it under the statute. Therefore I am announcing my departure from my position as Nova Scotia’s FOIPOP Review Officer is effective Tuesday February 4, 2014.
I was honoured to be appointed in 2007 as the first female FOIPOP Review Officer for Nova Scotia and in 2009 as Nova Scotia's first Privacy Review Officer. During my term, the oversight role of FOIPOP Review Officer was significantly expanded to include privacy under the Privacy Review Officer Act and access and privacy under the Personal Health Information Act. I have thoroughly enjoyed my seven year tenure in this position particularly having the support and collaboration of my Federal/ Provincial/ Territorial Access and Privacy Commissioner colleagues and being part of the effective and vibrant team at the FOIPOP Review Office.
I am most proud of how much our small team of only six people has accomplished over the past seven years: tabled six Annual Reports with the House of Assembly to which the FOIPOP Review Officer reports, received over 8,500 inquiries, opened 716 Reviews, closed 521 investigations, 314 of which were informally resolved or mediated, issued 62 public and private Review Reports, built up a body of best practices and hosted the 2012 Annual Summit of the Canadian Access and Privacy Commissioners for the first time in Nova Scotia.
My Director Ms. Carmen Stuart will be appointed as Acting FOIPOP Review Officer effective February 5, 2014. I am confident she will meet this challenge while a search is conducted for the new FOIPOP Review Officer. I trust that my team and I were able to effectively serve the access and privacy interests of Nova Scotians during this seven year period. In particular, the applicants who entrusted us with their Requests for Review and the public bodies, municipalities and health custodians who worked with my office to diligently protect the rights of access and privacy. Thank you for being given the opportunity to make a contribution to Nova Scotia’s public service.