Thursday, November 27, 2014

Presentation: Social media, privacy and the workplace: From hiring to firing (with a little discipline in between)

I was invited to speak about social media, privacy and the workplace at Verney's Maritime Connections conference on access and privacy. Here is the presentation, in case it is of interest:

Friday, November 21, 2014

Newfoundland Supreme Court considers privacy class action, clears first hurdle to certification

The Supreme Court of Newfoundland and Labrador this week considerd the first part of a bifurcated application to certify a class action in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. The cases arose from inappropriate browsing of personal health records by an employe of the defendant health authority. The application was split into two parts and the first focused on whether the pleadings disclosed a cause of action.

The court agreed that the case could proceed on the basis of the following causes of action:

  • breach of privacy based on statutory tort established under the Privacy Act;
  • breach of privacy based on common law tort (“intrusion upon seclusion”);
  • negligence; and
  • breach of contract.

What's remarkable is that Newfoundland already has a statutory tort of invasion of privacy under the Privacy Act. This case stands for the proposition that the existence of the statutory invasion of privacy law does not preclude the existence of the common law "intrusion upon seclusion" tort as described in Jones v Tsige. This is the opposite of the repeated holdings of the courts of British Columbia, where courts have held that the provincial Privacy Act means that the common law tort does not exist there. (See: No common law tort of invasion of privacy in British Columbia, judge finds.)

Wednesday, November 19, 2014

Alberta introduces amendments to privacy law to render it constitutional, falls short

On 18 November 2014, the government of Alberta introduced Bill 3: Personal Information Protection Amendment Act, 2014 to address the shortcomings in the law that rendered it unconstitutional according to the Supreme Court of Canada in the UFCW Case.

While the amendments directly address the constitutional problems of the UFCW Case, but dramatically fall short in addressing the underlying structural issues in the law that led to the the Court's finding that the law was unconstitutional. The Bill grants trade unions -- and trade unions only -- the ability to collect, use and disclose personal information in certain circumstances but do not permit any other organization to do so under the same circumstances. A trade union can record replacement workers crossing the picket lines, but an employer cannot similarly record a picket line, even in a public place.

While the SCC necessarily focused on the union context, PIPA (and the federal PIPEDA) don't sufficiently take into account other forms of constitutionally protected, expressive activities. I suppose it will be left to another day to have either PIPA or PIPEDA struck down on those bases.

For anyone who may be interested, here is a copy of PIPA showing the Bill 3 changes in-place [PDF].

#‎YouKnowHerName‬: Declare amnesty on breaking ban

I wrote this as an opinion for the Halifax Chronicle Herald, where it was printed on 19 November 2014:

The story of the past week has been the publication ban in the “high profile child pornography case” (Google it), when it should have been a discussion about sexual assault, child pornography and cyberbullying.

The police have investigated a number of instances of clear violations of the publication ban and have declined to press charges. They have also declined to provide a rationale, so that the rest of us have no guidance about whether we can discuss this incredibly important story without facing the wrath of the justice system.

The parents of the victim have said her name, over and over again. Social media is rife with mentions of her name. Foreign media have said her name in the context of her story. And this is a good thing, since we as a society have to come to terms with and learn from the horrible ordeal faced by a 15-year-old whose photo was taken and used to further abuse and bully her.

The rest of us are left wondering whether we would face the full brunt of the criminal justice system for saying a single word — her unique name — which has become synonymous with rape, cyberbullying and suicide.

The Criminal Code is clear: in all cases of child pornography, a judge must issue a ban prohibiting the publication or dissemination of the identity of the victim. This makes perfect sense. The last thing we as a society would ever want would be the re-victimization of a young person in the justice system or in the media.

Parliament, when the law was written, did not have this particular situation in mind and left the judge no wiggle room. The ban is mandatory.

However, the judge did make it clear in his decision when media outlets challenged the ban that there is a natural escape valve: even if the evidence shows a clear violation of the law and a slam dunk for a conviction, the prosecutor must determine whether the public interest is best served by the prosecution of the case.

The public interest would never be served by a prosecution of anyone for naming the victim in this case. But we are left with a situation where the rules are completely unclear and anybody discussing this case is standing on shaky ground.

It is time for the Attorney General of Nova Scotia or the Director of Public Prosecutions to publicly state that the public interest would not be served by any prosecution for saying her name and that they would not pursue charges against anyone for doing so.

And then we can stop talking about the publication ban and instead talk about the much more important issues of sexual assault and cyberbullying, and what we are doing about it.

David T.S. Fraser practises Internet and privacy law with McInnes Cooper law firm in Halifax.

Friday, November 14, 2014

The publication ban that makes no sense

I had the pleasure of sitting down to speak with Steve Murphy of CTV Atlantic about the publication ban in a very high profile child pornography / cyberbullying case here in Halifax. (CTV Atlantic: Privacy lawyer weighs in on pub ban | CTV Atlantic News)

The case has become very well known and most people are aware of the name of the victim, but the mandatory publication ban has resulted in a significant chilling of discussion related to this very important issue.

The ban is a mandatory one; the Criminal Code is clear that a judge MUST order a ban on the publication of any information that would identify the victim.

486.4(3) In proceedings in respect of an offence under section 163.1, a judge or justice shall make an order directing that any information that could identify a witness who is under the age of eighteen years, or any person who is the subject of a representation, written material or a recording that constitutes child pornography within the meaning of that section, shall not be published in any document or broadcast or transmitted in any way.

In an application made by the media to have the ban set aside, the judge made it abundantly clear in his decision turning down the application that his hands were tied.

In this case, the victim is no longer alive, having taken her own life as a result of a sexual assault, the distribution of the photo at the heart of the child pornography case, the subsequent bullying and slut shaming. The parents of the victim have been very vocal advocates in this area and need to continue to do so. But the telling of their daughter's story and the discussion that needs to take place all run the risk of violating the publication ban.

The publication ban, in this case, makes no sense and is chilling the discussion of a very important subject. Some have decided to ignore the ban and the Halifax Police today decided they would not pursue charges against a number of who have dared to mention the victim's name, but made it clear that they would investigate any further possible violations on a case-by-case basis. This is counter-productive. As the judge clearly stated in his decision, all of this can be solved by the Nova Scotia Director of Public Prosecutions issuing a statement that it would not be in the public interest to pursue charges in this case.

55. It is not for the court to purport to direct or even to advise or provide recommendations to the Director of Public Prosecutions. I will note however that it would be within the authority of the DPP to issue a direction to prosecutors in a specific case or in a certain classes of cases that it would not be in the public interest to prosecute. It would be within the authority of the Attorney General to issue a public direction to the DPP to that same effect.

The existence of the ban and police/prosecution discretion is having a chilling effect on discussion of this important issue. In my view, it is in the public interest that people be able to tell the whole story of the victim in this case.

If you agree, please feel free to share your opinion with the Director of Public Prosecutions:

Public Prosecution Service (Head Office)
Suite 1225, Maritime Centre
1505 Barrington Street
Halifax, Nova Scotia, B3J 3K5
Tel: (902) 424-8734
Fax: (902) 424-4484

Thursday, November 13, 2014

Police "shoulder surfing" accused's texts via casino CCTV camera is a Charter privacy violation

A judge of the Supreme Court of British Columbia in R. v. Ley and Wiwchar, 2014 BCSC 2108 has just held that police peeping on an suspect's text messages displayed on his blackberry screen via high-powered casino CCTV cameras was a violation of the Charter and would have required a wiretap order to make it permissible. From the decision:

[48] Moldaver J. in Telus Communications Co. concluded that the investigative technique used in that case was substantially equivalent to an intercept under Part VI and in my view the same can be said about the technique of using zoom cameras in the casino. Rather than seeking a disclosure of the messages sent by the applicant from the service provider, the police chose to read them in the process of being sent with the use of a camera. That, in my view, is substantially equivalent to an intercept under Part VI.

[49] As I have said, I am not aware of another way that a copy of text messages can be surreptitiously obtained from someone’s handheld communication device other than by photographing the messages or by obtaining a copy from the service provider. Based on Telus Communications Co., an authorization under Part VI would be required for the latter and should be required for the former.

[50] There was no evidence to suggest that the police could not have obtained a copy of the video footage taken of the applicant after it had been recorded by obtaining a production order, nor was there evidence to suggest that they could not have obtained copies of the text messages sent and received by the applicant during the time that he was at the casino, from the service provider. By instead choosing to photograph the applicant’s messages and retain the recorded footage the police bypassed the authorization requirement that, in my view, would otherwise have been necessary.

Summary of Conclusions

[51] Considering the totality of the circumstances in this case, I have concluded that the applicant’s rights under s. 8 of the Charter were violated by the use by the police of surveillance cameras in the casino to photograph messages on his Blackberry. If I am wrong in that conclusion, then in my view an authorization under Part VI of the Code was required because the actions of the police amounted to an interception of the applicant’s text messages.

Friday, November 07, 2014

Ontario Court awards $10K damages for Legal Aid file-peeking

The Ontario Superior Court of Justice has recently released its decision in McIntosh v. Legal Aid Ontario, 2014 ONSC 6136. While the background facts are messy and complicated (and, once again, related to jilted relationships), the one important takeaway is that the Court granted $10,000 in damages to the plaintiff based on the tort of intrusion upon seclusion after the defendant peeked into her Legal Aid file.

The defendant did not appear to defend the claim, so the court was left with assessing damages on a pretty sparse record, but one that was full of unsubstantiated claims of harms.

According to the plaintiff, her ex-boyfriend provided the defendant with the plaintiff’s full name and date of birth. The defendant used that information to access the plaintiff’s file with Legal Aid Ontario. A few days later, the defendant called the plaintiff and said that she had obtained confidential information from the plaintiff’s Legal Aid Ontario case file. The defendant’s review of the file disclosed that the plaintiff was involved with a Children’s Aid file. The defendant threatened to call the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her. The plaintiff filed a complaint with legal aid and with the Information and Privacy Commissioner of Ontario. Following that investigation, Legal Aid Ontario provided a written of apology to the plaintiff. The plaintiff asserted that information was provided by the defendant to Children's Aid, an investigation took place and it was subsequently closed. There was no evidence of any other disclosure of the plaintiff’s private information.

In her claim made against Legal Aid Ontario and the individual defendant, the plaintiff alleged that as a result of such breach of privacy, she has experienced “substantial anxiety, emotion [sic] upset, depression, significant stress, embarrassment, weight loss, insomnia, isolation, and an inability to concentrate at work.”

In the course of the hearing, virtually no evidence was led to substantiate any of the pecuniary or health-related claims. The Court was left with deciding damages solely on the basis of the peeking into the file.

Here's the court's analysis of the calculation of damages in this case:

[29] The plaintiff asserts in her affidavit that the defendant used the private information to contact the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her, but no documentation of any sort was filed in support of this bald allegation. The failure of the plaintiff to specify disclosure of information to the Children’s Aid Society with the original complaints or as part of the investigative process, coupled with the lack of any sort of supporting documentation, leads me to conclude that the plaintiff has failed to satisfy me that there was any disclosure of the plaintiff’s private information.

[30] In view of this finding, I am left with the task of assessing damages based upon the defendant’s improper access to the plaintiff’s private information only.

[31] The information that had been provided by the plaintiff to Legal Aid Ontario was clearly personal information. It was provided with an expectation that the plaintiff’s privacy interests would be respected and that the information would be used in connection with her legal aid application alone.

[32] The tone of the original complaint to Legal Aid Ontario itself is more consistent with irritation rather than devastation.

[33] If the invasion of her privacy did affect her emotional state, the evidence suggests that it did so in a minor fashion only. There is no detailed medical report, only a doctor’s note concerning a consultation for anxiety, something that has already been noted was a pre-existing condition. Having said that, I am satisfied that the evidence supports a finding that the disclosure of personal information caused the plaintiff a measure of annoyance, anxiety and distress.

[34] Although Legal Aid Ontario provided a letter of apology, the defendant has not seen fit to do so.

[35] After taking all of these factors into consideration, I award general damages in the amount of $10,000. In determining this amount, I have taken into consideration the resolution that occurred between the plaintiff and Legal Aid Ontario, who was originally named as a party defendant, but who is no longer involved in the claim


Though damages for intrusion upon seclusion may range from nominal to $20,000 (per Jones v Tsige), but we may see $10,000 become the standard award.

Thanks to Dan Michaluk for bringing this case to my attention. Check out his commentary on this blog at AllAboutInformation.ca.

Wednesday, November 05, 2014

Appeals Court upholds decision that CSIS lawyers lied to the court to obtain warrants to spy on Canadians outside of Canada

The Federal Court of Appeal has confirmed the decision by Justice Moseley which found that CSIS and the Department of Justice had lied and withheld material evidence in order to get warrants under the CSIS Act to surveil Canadians outside of Canada. (X (Re), 2014 FCA 249) I wrote about the decision under appeal here: Canadian intelligence agencies lied to obtain warrants, Federal Court judge says.

In summary, Justice Mosley had found that the Department of Justice lawyers, acting for CSIS in various warrant applications, had withheld information from the Court in order to get warrants under the CSIS Act. What they withheld was that they would get one or more of their Five Eyes partners to do the spying for them. Justice Mosley had found that the CSIS Act (and customary international law) did not permit the Court to grant a warrant that would effectively authorize the intelligence service to violate the laws of wherever the spying was to take place. (This last part has been addressed in proposed amendments to the CSIS Act in Bill C-44.)

The Federal Court of Appeal agreed with Mosley J that DOJ lawyers did not meet the standard expected and required on an ex parte application:

[66] On this evidence we are satisfied that once the decision was made to routinely seek the assistance of foreign agencies after the issuance of a DIFTS warrant, the duty of candour and utmost good faith required that CSIS disclose to the Federal Court the scope of its anticipated investigation, and in particular that CSIS considered itself authorized by section 12 of the CSIS Act to seek foreign agency assistance without a warrant. CSIS failed to make such disclosure.

On the question of spying outside of Canada, the Court of Appeal did not reach the same conclusion as Mosley J. The Service is authorized to conduct activities at home and abroad. In general, the Court can authorize intrusive activities outside of Canada, but there was not sufficient information in the record before the Court to decide about its ability to authorize activities that would violate the laws of another jurisdiction:

[90] Here, we emphatically endorse the submission of the amicus that the question of whether the Federal Court had jurisdiction to issue a warrant authorizing the Service to lawfully intercept the communication of Canadians abroad (through the agency of CSEC and another country) was not before Justice Blanchard. Further, we see no legal impediment to the issuance of such a warrant. Thus, for example, the Federal Court could issue a warrant where the interception authorized by the warrant is in accordance with the domestic law of the state in which the interception takes place.

[91] What Justice Blanchard found was that the Federal Court lacked jurisdiction to issue a warrant that authorized activities in another country that CSIS conceded would violate the laws of that country. This issue does not properly arise on this record and cannot be decided on the record before us.

.... [96] It is for another day on another application with a more fully developed record for the Federal Court to consider whether in the national security context, section 21 warrants necessarily have a sufficient real and substantial link to Canada that the Court may issue a warrant that authorizes intrusive extraterritorial activity without offending the principle of comity and principles of international law.

The Court of Appeal did seem to accept that CSIS or CSEC could engage one of the other Five Eyes intelligence agencies to carry out the surveillance on its behalf.

According to the Canadian Press, the government is looking to appeal this to the Supreme Court of Canada.

Here is some additional coverage: Appeal Court upholds ruling CSIS kept judge in the dark on foreign spying.

Monday, November 03, 2014

SCC grants Alberta privacy law a reprieve, legislature gets another six months to fix unconstitutional privacy law

Last week the Supreme Court of Canada, following a motion brought by the government of Alberta, extended the life of the Personal Information Protection Act by six months. Readers may recall that the "nuclear option" was exercised in the Information and Privacy Commissioner, et al. v. United Food and Commercial Workers, Local 401, et al. case. The Court found that a portion of that Act was unconstitutional but, at the request of the Information and Privacy Commissioner and Government of Alberta, the entire statute was declared to be unconstitutional but with the declaration of invalidity suspended for twelve months. The idea was that the Alberta government would be able to get its ducks in a row and fix it in that time. We'll, that's not how it panned out and the clock was ticking down to November 14, 2014.

Cap in hand, the Alberta Government filed a motion in the Court to extend the suspension period by six further months and, on October 30, 2014, the Chief Justice of the Court granted the motion:

Decision on miscellaneous motion, CJ, UPON APPLICATION by the appellant, the Attorney General of Alberta, for an order extending the suspension of the declaration of invalidity of the Personal Information Protection Act, S.A. 2003 c. P-6.5, as granted in this appeal on November 15, 2013, for a period of six months;

AND THE MATERIAL FILED having been read;

IT IS HEREBY ORDERED THAT:

The motion is granted without costs. The suspension of the declaration of invalidity is extended for a period of six months from the original deadline set by this Court in the judgment dated November 15, 2013.

Granted, without costs

What is particularly shocking is that -- I am told -- the trade union involved in the case opposed the motion for the extension. If the legislation "fell", all members of the trade union and all employees in the provincially regulated sector would have been without privacy protection. That strikes me as absurd.

Friday, October 31, 2014

Lawful access I can get behind: Missing Persons Act (NS) still in limbo

Among the many reasons put forward for "lawful access" and warrantless access to personal information is the need to obtain information in missing persons cases, where the timeliness of obtaining phone information about a missing person can be pivotal in finding a missing person. Where there is no evidence of wrong-doing, regular productions orders are unavailable because no crime is believed to have been committed.

In response to this, the Government of Nova Scotia developed a properly tailored statute to allow police to get a court-sanctioned order requiring telcos and others to provide information. The Missing Persons Act was passed, but hasn't yet been proclaimed into force. Here are the key, operative provisions:

6 (1) Upon application for a record-access order, a justice who is satisfied that access to and, where requested, copies of any of the records set out in subsection (2)
(a) may assist a police agency in locating the missing person; and

(b) are in the possession or under the control of a person,

may make an order requiring the person to provide members of a police agency access to and, where requested, copies of the records set out in the order in respect of the missing person or, where subsection (3) applies, a person who may be accompanying the missing person.

(2) A record-access order may be made in respect of

(a) records containing contact or identification information;

(b) telephone and other electronic communication records, including, without limiting the generality of the foregoing,

(i) records related to signals from a wireless device that may indicate the location of the wireless device,

(ii) cell phone records,

(iii) inbound and outbound text messaging records, and

(iv) Internet browsing-history records;

(c) global-positioning system tracking records;

(d) video records, including closed-circuit television footage;

(e) records containing employment information;

(f) records containing personal health information as defined in the Personal Health Information Act;

(g) records from a school, university or other educational institution containing attendance information;

(h) records containing travel and accommodation information;

(i) records containing financial information; and

(j) any other records specified in the order that the justice considers appropriate.

(3) Where the missing person is a minor or a vulnerable person and there are reasonable grounds to believe that the missing person may be in the company of another person, the justice may order that members of the police agency be given access to and, where requested, copies of any of the records set out in the order in respect of the person who may be accompanying the missing person.

(4) In a record-access order, the justice may impose any restrictions or limits on the records to be produced that the justice considers appropriate.

(5) The justice may include a provision in a record-access order requiring a person to provide members of the police agency with an accounting of the efforts made by the person to locate any records that cannot be found.

A recent and ongoing case in Nova Scotia highlights the necessity for legislation such as this. Despite the fact that the law isn't in force, the spouse of the missing person was authorized on his account and was able to authorize it. (See: Missing Persons Act to be proclaimed soon, says minister - Nova Scotia - CBC News).

A key learning from this is that specific problems can have specific solutions, without broadening access to private information in other cases. While the range of information accessible under the Act is remarkably broad, the limited circumstances under which the orders are available and judicial oversight prevents abuse of this access.