Saturday, August 29, 2015

Canadian Police Chiefs looking to resurrect warrant-less access to telecom users' data

The Canadian Association of Chiefs of Police, at their annual conference, just passed a resolution looking to resurrect the lawful access debate following R. v. Spencer.

I find it puzzling. They are looking for warrantless access to customer data (which they call BSI, or basic subscriber information) where there is no expectation of privacy, while the Supreme Court of Canada said that there is a reasonable expectation of privacy in basic subscriber information. Their resolution (reproduced below), refers to recent caselaw that follows old pre-Spencer decisions that say there is no expectation of privacy in customer name and address connected to a telephone number. The resolution also refers to options being considered by a federal, provincial and territorial cybercrime working group to provide warrantless access to BSI.

Let me get this straight: they want warrantless access to BSI where there is no expectation of privacy, while the Supreme Court has said there is an expectation of privacy in BSI. So what's left of the categories of BSI where there is no expectation of privacy?

A few things are clear to me, which make this resolution and the apparent efforts to circumvent the warrant process very problematic.

  • The Supreme Court said there is a reasonable expectation of privacy in BSI, at least in the internet context;
  • The CACP and law enforcement generally have consistently said -- contrary to what the Court found in Spencer -- that there is never an expectation of privacy in BSI;
  • You can't trust law enforcement to determine whether an expectation of privacy exists.

I recognize that BSI is often critical to investigations, but it can't be a free for all where the police get access to it without an impartial judicial officer determining, on sworn evidence, that the balance between privacy and public safety is in favour of public safety. The inexorable conclusion is that the only solution to this is to make the warrant and production order process more efficient and streamlined.

Justin Ling did a great article on this for the CBA's National Magazine: National | Accessing subscriber data: Working around the Spencer ruling.

Resolution #03 - 2015


Submitted by the E-Crimes Committee

WHEREAS law enforcement requires real-time, or near real-time access to basic subscriber (customer name and address) information (BSI) as it relates to telecommunications’ customers for investigative reasons, and;

WHEREAS the Supreme Court of Canada, in their majority decision in R. v Spencer, 2014 SCC 43, did state that:

  • a reasonable expectation of privacy exists in the identity of an internet subscriber where there is an ability to link that identity to specific online activity;

  • the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name address and telephone number found in the subscriber information;

  • absent an exigent circumstance, or authority from a reasonable law, such as authority from a judicial warrant or order, police do not have the power to conduct a search for basic subscriber information (BSI) when there exists a reasonable expectation of privacy in that information, and;

WHEREAS since the Spencer decision, the telecommunications companies refuse to provide any basic subscriber information (BSI) in the absence of an exigent circumstance, or a judicial warrant or order, even where there exists no reasonable expectation of privacy, and;

WHEREAS there exists no lawful authority designed specifically to require the provision of basic subscriber information, and the problems posed by this gap in the law are particularly acute where there exists no reasonable expectation of privacy in that information.

THEREFORE BE IT RESOLVED that the Canadian Association of Chiefs of Police supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, basic subscriber information (BSI) from telecommunications providers.



In June 2014, the Supreme Court of Canada issued a decision in the case of R v. Spencer - identifying that subscriber information that allows for the linking of the identity of a person with specific online activity in the context of a criminal investigation engages a high level of informational privacy. However, telecommunications and other service providers (e.g. financial institutions, rental companies) have interpreted the court's findings more broadly, and now demand judicial authorization (based on a reasonable grounds to believe threshold) for nearly all types of government requests for basic identifying information, extending beyond instances involving a person's substantive Internet activity.

The impact of the Spencer ruling and the broader response by telecommunications and other service providers is having a significant impact on law enforcement and criminal investigations. Basic identifying information is often required at the onset of an investigation where technology plays a role, but the judicial threshold required to obtain warrants and general production orders to access basic identifying information is difficult, and often impossible, to satisfy when an investigation is in its early stages.

Moreover, the impact of the Spencer ruling has caused substantial resource and workload challenges for law enforcement. For example, prior to the Spencer ruling, law enforcement agencies would generally complete a voluntary request to telecommunications service providers for basic identifying information in under an hour, and receive a response from service providers within the same day. Following the Spencer ruling, accessing the same information now often requires ten to twenty times the amount of administrative work and documentation, days of preparation to seek judicial authorization, and responses from service providers can take upwards of one month - sometimes exceeding a service provider's data retention schedule for the same information (meaning the information is no longer available).

Criminal investigations impacted by the Spencer ruling are now often delayed and in some cases, not pursued, due to judicial authorization or resource challenges. This impact applies to a range of investigative work, such as cases involving suspected online child sexual exploitation and abuse, fraud and other financially-motivated crimes, organized crime, requests for international law enforcement assistance, and national security matters involving suspected extremism and other threats to Canada - all of which may require basic identifying information from a telecommunications or other service provider to identify potential evidence for criminal investigations and prosecutions.

Transparency Guidelines

Transparency Reporting Guidelines were prepared by Industry Canada, in consultation with RCMP and other relevant Government of Canada partners, to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities. Specifically, the Guidelines cover categories of disclosures for reporting purposes and limitations to consider when reporting statistics. Of note, the Guidelines specify that there should be a six month delay in reporting timeframe to ensure that most active investigations have no possibility of being compromised. On June 30, 2015, the Transparency Reporting Guidelines were published on Industry Canada’s website:

Coordinating Committee of Senior Officials

Recently, a discussion paper, led by Justice, was presented to the Federal, Provincial and Territorial Coordinating Committee of Senior Officials, Cybercrime Working Group. The paper focuses on the impact of Spencer and legislative reform considerations.

Option 1: Create an administrative (non-judicial) scheme for access to Basic Subscriber Information (BSI).

Option 2: Create a new judicial order (production order) for basic subscriber information and/or add BSI to existing production orders.

Option 3: Create a specific production order for some types of basic subscriber information with a greater expectation of privacy, and create a specific administrative (non-judicial) authority for access to other types of basic subscriber information.

Recent Case Law

  • Since the Supreme Court of Canada released its decision in R. v. Spencer in June 2014, case law has started to emerge that applies the analysis in Spencer to other cases involving police requests for BSI.

  • The majority of relevant cases thus far are from Ontario and involve requests for BSI associated to a phone number. The cases have generally found that the privacy interests in BSI associated to a phone number are not the same as the privacy interests in BSI linked to an IP address, and distinguish Spencer on that basis. As such, the Ontario decisions have upheld warrantless requests for BSI associated to phone numbers as they found in the circumstances of each case that there was no expectation of privacy in such information. See: R. v. Morrison (unreported, Ontario Court of Justice, Reasons released on December 17, 2014); R. v. Khan (2014 ONSC 5664); R. v. Latiff (2015 ONSC 1580); R. v. Nurse and Plummer (2014 ONSC 6004).

  • The issue of whether there is a reasonable expectation of privacy in BSI associated to a phone number has also emerged in the context of transmission data recorders warrants (TDRW). These warrants provide judicial authorization to record incoming and outgoing dialed phone numbers. In Ontario, police/Crowns have argued before the Superior Court of Justice that an assistance order is the proper authorization to obtain in conjunction with a TDRW to compel a service provider to provide the BSI associated with the dialed numbers. However, Telus has argued that due to the privacy interests in BSI, as found in Spencer, a general warrant is the proper authorization. Nordheimer J. agreed with the police/Crown and held that Spencer was a decision dealing with the Internet and it did not find that there is always a reasonable expectation of privacy in BSI, but rather it will depend on the circumstances of each case. This is a very recent decision (June 19, 2015), and it will be interesting to see if other jurisdictions follow this reasoning. See H.M.Q. v. TELUS Communications Company, 2015 ONSC 3964.


Action Plan

The CACP Law Amendments Committee will work with the E Crime Committee to develop new legislation that supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, BSI from telecommunications providers.

The Committee will keep abreast of the ongoing work of the F/P/T Coordinating Committee of Senior Officials, Cyber crime Working Group who is leading the policy development of legislative reform considerations; next meeting schedule in November, 2015.

Requirement to develop an overall government-wide approach to ensure law does not run counter to government objectives or would require major modifications in the future.

Monday, August 17, 2015

Nova Scotia's Cyber-safety Act (hopefully) heading for a Charter challenge

A case I am involved with is hopefully heading to argument on Friday in the Supreme Court of Nova Scotia on whether the province's Cyber-safety Act goes too far in infringing Charter protected speech. There has been a lot of interest in the statute since the former NDP government jammed it through the legislature in the wake of the tragic death of Rehtaeh Parsons. It's my opinion that rather than address a dramatic failing on the part of the police and prosecution service (which the government would have to admit occurred on its watch), the government pulled out the old "there wasn't a law! we need a new law!". The result was a hastily assembled statute, which is more fully described elsewhere on this blog.

The case has been bifurcated, so that on Friday there will be a decision on whether, in the view of the judge, my client should be subject to a "cybersafety protection order" under the Act. Depending on the outcome of that decision, we will argue that the Court should consider the Charter and our arguments that the Cyber-safety Act violates Section 2(b) of the Charter and cannot be saved by Section 1 as a reasonable limitation on freedom of expression. But even if the judge determines that he does not have to consider the Charter, I am sure that this dumpster fire of a statute will face Charter scrutiny sometime soon.

The Halifax Chronicle Herald did a big piece on the story (much larger than I had expected) in the weekend edition of the paper and there's been a lot of other media attention as well, including this interview on CTV Atlantic which summarizes my view.

Here's the Herald article:

Lawyer set to launch charter case against law inspired by Rehtaeh Parsons | The Chronicle Herald

A law inspired by the death of Rehtaeh Parsons could face its first court challenge next week when a Halifax lawyer will attempt to argue it violates charter rights regarding freedom of expression.

The Cyber-safety Act was brought in by the former NDP government in response to a wave of public criticism of the way Rehtaeh’s case was handled. The 17-year-old girl died after attempting suicide in 2013. She accused several boys of raping her while she was drunk and a photo of the alleged sexual assault was widely circulated among her peers.

Within weeks of Rehtaeh’s death, former justice minister Ross Landry was in a Halifax high school unveiling the new legislation. Critics, Halifax lawyer and privacy expert David Fraser being one of the most vocal, say the government’s actions were too fast, too sweeping and did not consider the full implications of such a bill.

Cyberbullying is a real problem, said Fraser, but his argument goes beyond that.

“The issue is, how do you define it and how do you define it in a way that takes into account the fact that people should have freedom of expression to, particularly, speak about matters of public interest?” said the partner with McInnes Cooper.

On Friday, Fraser and his client, Robert Snell, will learn from a judge whether Snell did in fact cyberbully a former business partner as defined by the province’s Cyber-safety Act. Snell had a protection order placed on him by the courts as a result of statements he made online. The order prevents Snell from communicating with Giles Crouch or discussing their disagreement.

Following the judge’s decision, Fraser hopes he will be able to begin arguing that the law breaches Section 2 of the Charter of Rights and Freedoms. The two issues were split following an argument from the attorney general. The government’s view is if the judge finds Snell’s actions were not cyberbullying, there is no reason to address the charter aspect.

Regardless, Fraser is going to court prepared to begin the charter fight.

Laws need to be more nuanced when they approach values protected by the charter, said Fraser. It’s why injecting more context is so important, he said. The legislation doesn’t take into account, for example, the difference between criticism of a public official and hurtful comments directed at a young or vulnerable person, said Fraser.

“I should be able to go on social media and, let’s say, call the premier of a province a liar for not keeping a campaign promise. Now, that may hurt his feelings, may harm his self-esteem, and so that would be cyberbullying. We need to have a way of taking those sort of things into account.”

Fraser isn’t the only person who has issues with the law.

Cara Faith Zwibel at the Canadian Civil Liberties Association said she’s not sure the law is even necessary.

“My inclination would be to take a really hard look at what already exists out there to address these problems, and I think the fact is that there is quite a lot out there already that can; it’s a matter of the will to actually use those tools.”

The serious and damaging kind of cyberbullying could be addressed through existing elements of the Criminal Code that handle harassment, as well as defamation law when the matter concerns reputation, said Zwibel. She shares Fraser’s view that the breadth of the definition of cyberbullying goes too far and also has concerns about the protection orders the CyberSCAN unit can impose, which can include bans on using electronic communication.

“I don’t think it’s a matter of just tweaking the existing legislation,” Zwibel said. “I don’t think there’s been a compelling case made for why it’s necessary.”

The man who has become a leading expert on cyberbullying understands the concerns of Fraser and Zwibel, but Wayne MacKay said there are several broad questions that must be weighed.

A professor at Dalhousie University’s law school, MacKay was the lead on the province’s cyberbullying task force. He said the former government adopted a similar broad definition as was laid out in the task force’s final report. MacKay was not consulted in the drafting of the legislation.

“There’s no question that it does limit freedom of speech, as does hate speech,” he said. “The question is often whether or not it is a reasonable limit in a free and democratic society.”

The main debate will be whether the benefits of the law outweigh the invasions of rights for those who want to exercise free speech, MacKay said. It’s not an easy debate, but he thinks there is reason to believe this is reasonable.

“I think the problem of cyberbullying is a very large and significant one.”

If there is to be a change, MacKay hopes it would be to adjust the definition of cyberbullying rather than just repealing the law.

“To eliminate the law or strike the whole thing down would be quite unfortunate.”

One of the problems with attempting to address the issue through other avenues, said MacKay, is those options aren’t as well known as the new legislation. More importantly, he said, CyberSCAN is a specialized agency focused only on these kind of matters. The unit has a range of remedies at its disposal, from informal meetings with involved parties all the way up to passing the matter on to police for crim-inal charges.

“I think there really isn’t another vehicle at the moment that offers that whole range of possible remedies.”

Although there may be room for clarification and improvement with the legislation, MacKay said judges are developing a fair degree of expertise in “drawing between what is acceptable free speech” and things that aren’t. They can’t ignore the legislation, but they can interpret it and, in so doing, judges can provide the necessary nuance, said MacKay.

The government will only become involved in the matter if the discussion of a charter challenge proceeds.

Provincial officials would not comment outside of the court proceedings. An email from a Justice Department spokesman said the province believes the act is constitutional. In a brief filed with the court, the government notes that “should the protection order be revoked by this court, such a result would remove the need to review the legislation under the charter as the matter would become moot.”

“To argue issues unnecessarily wastes precious judicial resources, does not advance the administration of justice and spends counsel’s time incurring unnecessary costs.”

Fraser, obviously, doesn’t see things that way. Regardless of how the judge rules in the matter of his client, the larger issue of constitutionality needs to be addressed, he said.

“I recognize we need to protect people, particularly vulnerable people, but it should not be at the expense of charter-protected speech. There needs to be a balance, and I don’t see any of that in the legislation as it exists.”

Tuesday, July 28, 2015

Privacy breach class action certified against Government of Canada for medical marijuana breach

In a decision issued on July 27, 2015 but not yet published (but available here as a PDF), the Federal Court of Canada has certified a class action against the Government of Canada for disclosing the personal health information of participants in the "Marihuana Medical Access Program" in a botched mailout that was intended to advise program participants about changes to the regulation, which ironically where said to protect privacy and safety.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error and that it was outside their normal practice, its reaction has consistently been "no harm, no foul".

What's most notable about this decision -- which is consistent with the recent decision in Condon v. Canada -- is that the court certified the plaintiffs' claim under the novel tort of "public disclosure of private facts". This tort is recognized in the United States, but is untested in Canada. It is a part of the four different privacy torts recognized by the Ontario Court of Appeal in Jones v. Tsige.

In March 2015, the Privacy Commissioner of Canada found that Health Canada's breach was a violation of the Privacy Act. At the certification hearing, the Government of Canada argued that the Privacy Commissioner's finding should be enough to satisfy everyone harmed by the breach, but the Court noted that the Commissioner can't award any of the damages sought by the plaintiffs.

Full disclosure: My firm is one of the firms representing the plaintiffs.

From the firms' media release:

Federal Court certifies privacy class action by Medical Marijuana patients against Health Canada


The Federal Court of Canada has certified a class action commenced on behalf of more than 40,000 medical marijuana licensees alleging that Health Canada violated their privacy.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error, it insists that no one was harmed by the breach.

In March 2015, the Office of the Privacy Commissioner of Canada concluded that Health Canada violated federal privacy laws. However, in the recent certification decision, the Court found that the class action is necessary to provide access to justice because the Privacy Commissioner cannot order the Government of Canada to compensate class members harmed by the breach. The Government has 30 days to appeal the certification decision.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing the plaintiffs in the medical marijuana privacy breach class action filed in the Federal Court against the Government of Canada. The plaintiffs seek damages for breach of contract, breach of confidence, invasion of privacy and Charter violations.

“We are very glad to see this case moving forward. The certification decision means that the Court has agreed that this is an appropriate case for a class action and that allowing all of the class members to proceed in a group is in the interests of justice,” said Ward Branch of Branch MacMaster LLP. “The Government of Canada has fought us at every turn, but have also lost each motion to date. We are hopeful that they will now see the wisdom of sitting down to resolve the issues created by this error.”

“This is not over yet, but the thousands of affected program members should take some comfort that every legal claim we advanced on their behalf has been approved to go forward,” said David Fraser of McInnes Cooper.

“As citizens of this great country, we rely on our government to protect our sensitive personal information from being disclosed and to protect our privacy during all communications. This decision sends a clear message to the government that our Courts consider privacy to be of the utmost importance and expect our government to take its privacy obligations seriously or face the consequences,” said Ted Charney of Charney Lawyers.

“Over one thousand people have registered on our secure website to tell us how the breach affected them. We will continue to pursue justice for those harmed by the breach,” said David Robins of Sutts, Strosberg LLP.

While it is not necessary to “opt in” to participate in the class action, class members are urged to visit the website to obtain updates and to register because the information collected on the secured site will assist class counsel in communicating with class members and moving the case forward. Those who have already registered do not need to re-register but should update their information if their circumstances change or to report further harm suffered from the breach.

- 30 -

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

For more information or to request an interview, please contact:

Ashley LeCroy
Manager, Marketing & Communications

For more background, check out these previous posts.

Friday, July 17, 2015

Supreme Court to hear PIPEDA case that left lender out in the cold

The Supreme Court of Canada has granted leave to appeal from the Ontario Court of Appeal decision in Royal Bank of Canada v. Trang, 2014 ONCA 883. This is and will be an important decision about how to deal with certain provisions of the federal privacy law that have an impact on lenders.

On December 9, 2014, the Ontario Court of Appeal decided that the Personal Information Protection and Electronic Documents Act (PIPEDA) prevents a mortgagee from disclosing the mortgagor’s discharge statement to another lender – even when that lender has a judgement against the mortgagor – without either the mortgagor’s express consent or a specific court order. The decision is relevant beyond Ontario because PIPEDA is federal legislation applicable across Canada, and Atlantic Canadian Provinces have legislation analogous to the Ontario legislation.

Scotiabank held a registered first mortgage on the Trang’s Toronto real property. RBC subsequently loaned the Trangs money. They defaulted and RBC obtained a judgment against them. Twice, the Trangs did not appear for their examination in aid of execution. RBC asked Scotiabank for a mortgage discharge statement to facilitate sale of the property. Scotiabank said PIPEDA precludes it from disclosing the statement without the Trangs’ consent. RBC asked the Ontario court for an order compelling Scotiabank to produce the mortgage discharge statement – but a split five-judge panel of the Ontario Court of Appeal refused. The Court did note that RBC could use the usual procedural tools to examine a representative of Scotiabank, though it is unclear to me whether that would result in the discharge statement.

The majority of the Court found that a mortgage discharge statement is personal information, and there was no implied consent on the part of the borrowers to have it disclosed in the circumstances.

It'll be interesting to see where the Supreme Court of Canada falls on this issue.

Wednesday, July 08, 2015

Court of Appeal finds negligence and breach of confidence claims should go forward in privacy class action against the Federal Government

The Federal Court of Appeal in Condon v Canada, 2015 FCA 159 (not yet available on CanLII but here as a Google Drive PDF), has reversed a lower court decision to not certify claims of negligence and breach of confidence in the class action lawsuit that followed the Federal Government's loss of a hard drive containing personal information about 583,000 Canada Student Loan recipients.

The plaintiffs, in Condon v Canada, 2014 FC 250, sought certification under a number of causes of action, including breach of contract, intrusion upon seclusion (invasion of privacy), negligence and breach of confidence. Breach of contract and intrusion upon seclusion do not require damages for an individual to recover, and both of these causes of action were certified. Those that do require damages to succeed, negligence and breach of confidence, were not successful at the certification motion.

The Court of Appeal noted that the proper test for certification is only to review the pleadings and to not inquire into the evidence. Since the plaintiffs had pleaded damages, that should be determinative:

[13] As stated by the Supreme Court, the determination of whether the pleadings disclose a reasonable cause of action is to be based on the assumption that the facts as pleaded are true. This would mean that evidence is not to be submitted at the hearing of the motion. Otherwise, the hearing of the motion could turn into a full hearing on the merits.

[14] In this case, the parties submitted affidavit evidence. In paragraphs 68 and 69 of her reasons the Federal Court Judge noted that:

68 In addition, a summary review of the evidence adduced by both parties leads the Court to the conclusion that the Plaintiffs have not suffered any compensable damages. The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit reporting agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

69 Nor does the evidence adduced support a claim for increased risk of identity theft in the future. Since the Data Loss, Equifax has produced reports pertaining to the credit files of the 88,548 individuals who availed themselves of the Credit Flag service. These reports show that there had been no increase in the relevant indicia that would be consistent with an increase in criminal activities involving those individuals' Personal Information. The rate of criminal activities registered was not higher than the 3% of the population generally victim of identity theft. Moreover, the Plaintiffs submitted a CBC news article concerning a Class Member who had been a victim of identity theft yet the article noted no proven causal link between the Data Loss and that theft.

[15] It appears that the Federal Court Judge evaluated the evidence in concluding that the Appellants had not suffered any “compensable damages”. The determination of whether the Appellants had a reasonable cause of action in negligence or breach of confidence should have been made based on the facts as pled, not on the evidence adduced in support of the motion.

[22] Reading the Consolidated Statement of Claim with this principle in mind, the Appellants have claimed that they have suffered damages and they have identified the nature of the damages that they are claiming. In particular, the Appellants have claimed special damages for “costs incurred in preventing identity theft” and “out-of-pocket expenses” and, as noted above, it is to be assumed that these costs have been incurred. As a result there was no basis to not include the claims for negligence and breach of confidence as part of the class proceeding.

The Federal Court of Appeal has sent the matter back to the trial level for determination, including the claims for negligence and breach of confidence and to determine the common questions in the class proceeding in relation to those claims.

Canadian government issues "transparency reporting guidelines"

The Canadian federal government has released "Transparency Reporting Guidelines", to provide companies with guidance on reporting law enforcement and national security requests for customer information. Surprisingly, the guidance came from Industry Canada and not Public Safety Canada or the Department of Justice.

What is particularly notable is that the government is strongly advocating for "banding", so it says that companies should not report exact numbers where they are between 1 and 100. Companies who wish to be transparent (which should be all companies) should know that these are guidelines only and there is no basis in law that I am aware of (absent a term in a particular court order) that requires this banding or aggregation.

B. Limitations

When reporting statistics by each of the categories listed in Part A, organizations should respect the following limitations, in order to protect the work of law enforcement, national security, and regulatory agencies

1. As presented in the sample chart below, figures between 0 and 100 should be represented in a band of '0-100' when any figure in column A (Number of Requests) or Column B (Number of Disclosures) is less than 100. In such cases the banding of figures should apply to all columns for that data type whose figure is between 0-100. Any figure over 100 may be represented by its actual number. This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

2. Figures should be aggregated to reflect Canada-wide statistics, and should not differentiate between law enforcement, national security, and regulatory agencies (i.e. there should be no breakdown by geography or specific agency). Moreover, these figures should also be aggregated such that service type and its associated network technology are not distinguishable (i.e. cellular voice services should not be subdivided and reported according to 2G, 3G or 4G/LTE network type, etc.). This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

3. There should be a six month delay in reporting timeframe. For example, if a report covers the period January 1 to December 31, 2014, it should not be released before July 1, 2015. This is to ensure that most active investigations have no possibility of being compromised.

The limitation provisions will ensure that transparency reporting does not impair or compromise national security or criminal investigations, and the safety and security of Canada and its citizens.

These provisions are dynamic and may be subject to change based on sensitive Canadian government operations that necessitate additional or other safeguards, or to keep pace with suspected criminal and unlawful activities that use telecommunications services and related technologies.

Personally, I think that companies should separately report ordinary criminal law enforcement requests and national security requests.

As an aside, I wonder if this means we'll get transparency reporting from Bell Canada, which is the only major Canadian telco to not provide such reporting.

Thursday, June 18, 2015

Digital Privacy Act (Bill S-4) now (partially) in force

Bill S-4, the Digital Privacy Act, which amends PIPEDA, has mostly been proclaimed into force by royal assent.

Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.

See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.

New Law to Protect the Personal Information of Canadians Online

Government of Canada's Digital Privacy Act comes into force

June 18, 2015 — Ottawa — Industry Canada

As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.

Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.

Under the Digital Privacy Act:

  • Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
  • Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
    Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
  • The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
Quick facts
  • Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
  • All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.

"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry

"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada

Friday, May 01, 2015

In the absence of actual harm, privacy cases are hardly worth pursuing

Continuing the theme of "don't bother unless you have actual losses ..."

In Albayate v. Bank of Montreal, 2015 BCSC 695, the plaintiff claimed against her bank for wrongly changing the address on their records and thus exposing her financial info to her former spouse. In short, the court found the bank mistakenly changed her address but the husband did not read her statement. He did not use them to her detriment. The bank apologized. End of story.

Her damages were assessed at a nominal $2000.

Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist

from Twitter

Tuesday, April 28, 2015

Ontario school bus association says Toronto crash records should be public | Toronto Star

from Twitter