Monday, December 15, 2014

Audio of interview with Macleans Magazine about SCC Fearon cell phone privacy decision

Last week, I was interviewed by Cormac MacSweeney for Macleans Magazine about the recent Supreme Court of Canada decision in R v Fearon. Listen to the full 15 minute-long interview here:

Monday, December 08, 2014

Former federal privacy commissioner Bruce Phillips has died at 84

Bruce Phillips, who served as Canada's Privacy Commissioner from 1991 to 2000 has died at age 84.

See: Former journalist and federal privacy commissioner Bruce Phillips dead at 84 | Metro.

Friday, November 28, 2014

Nova Scotia FOIPOP Review Officer annual report for 2013

Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer, Catherine Tully, has just tabled the annual report for 2013 [PDF]. Former review officer Dulcie McCallum was at the helm for the period covered by the report.

From the media release that accompanied the report:

Proactive protection of personal information and disclosure of government data highlight FOIPOP Review Officer’s annual report

Halifax – Privacy breaches were front and centre across the country in 2013. In Nova Scotia, at least two of those breaches sparked class-action lawsuits against health care organizations. Today Catherine Tully, Nova Scotia’s Freedom of Information and Protection of Privacy Review Officer, released her office’s annual report for 2013. In the report, Tully highlighted the need for government departments and health care organizations to have strong privacy management frameworks in place to help mitigate the risks from privacy breaches.

“In determining whether or not damages will be awarded the court will no doubt look to the adequacy of the security arrangements and the steps the health authorities took to both prevent and detect the unauthorized viewing of medical records,” said Tully. “Equally important are the steps public bodies take to manage a breach once it occurs.”

The Review Officer said that assisting public bodies and health care custodians to develop privacy management frameworks would be a focus of her office going forward.

Tully also highlighted the importance of government finding ways to be transparent through proactive disclosures of information. Two examples that helped citizens understand how their tax dollars were spent were Halifax’s open data pilot project and the Department of Health and Wellness’ reporting on patient safety indicators. 2013 also saw calls for modernization of access and privacy legislation across the country, including in Nova Scotia. Going forward Tully plans to continue meeting with stakeholders to assess the need for modernization of Nova Scotia’s set of access and privacy laws.

“Transparency and accountability are at the heart of access and privacy legislation. A key element of such legislation is independent oversight that both public bodies and citizens can have confidence in,” said Tully. “Over the course of the coming months I will meet with stakeholders, and review complaints to develop an informed opinion about how well our legislation is working for Nova Scotians.” The annual report noted the backlog of case files that has built up at the Review Office. Tully committed that the backlog will be a priority for her office in the immediate future.

Tully also noted that 2013 saw the Personal Health Information Act (PHIA) come into force, though the Review Office received less contact from the public and custodians under that Act than expected. Tully plans to increase public education efforts around PHIA in the near future.

Friday, November 21, 2014

Newfoundland Supreme Court considers privacy class action, clears first hurdle to certification

The Supreme Court of Newfoundland and Labrador this week considerd the first part of a bifurcated application to certify a class action in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. The cases arose from inappropriate browsing of personal health records by an employe of the defendant health authority. The application was split into two parts and the first focused on whether the pleadings disclosed a cause of action.

The court agreed that the case could proceed on the basis of the following causes of action:

  • breach of privacy based on statutory tort established under the Privacy Act;
  • breach of privacy based on common law tort (“intrusion upon seclusion”);
  • negligence; and
  • breach of contract.

What's remarkable is that Newfoundland already has a statutory tort of invasion of privacy under the Privacy Act. This case stands for the proposition that the existence of the statutory invasion of privacy law does not preclude the existence of the common law "intrusion upon seclusion" tort as described in Jones v Tsige. This is the opposite of the repeated holdings of the courts of British Columbia, where courts have held that the provincial Privacy Act means that the common law tort does not exist there. (See: No common law tort of invasion of privacy in British Columbia, judge finds.)

Wednesday, November 19, 2014

Alberta introduces amendments to privacy law to render it constitutional, falls short

On 18 November 2014, the government of Alberta introduced Bill 3: Personal Information Protection Amendment Act, 2014 to address the shortcomings in the law that rendered it unconstitutional according to the Supreme Court of Canada in the UFCW Case.

While the amendments directly address the constitutional problems of the UFCW Case, but dramatically fall short in addressing the underlying structural issues in the law that led to the the Court's finding that the law was unconstitutional. The Bill grants trade unions -- and trade unions only -- the ability to collect, use and disclose personal information in certain circumstances but do not permit any other organization to do so under the same circumstances. A trade union can record replacement workers crossing the picket lines, but an employer cannot similarly record a picket line, even in a public place.

While the SCC necessarily focused on the union context, PIPA (and the federal PIPEDA) don't sufficiently take into account other forms of constitutionally protected, expressive activities. I suppose it will be left to another day to have either PIPA or PIPEDA struck down on those bases.

For anyone who may be interested, here is a copy of PIPA showing the Bill 3 changes in-place [PDF].

#‎YouKnowHerName‬: Declare amnesty on breaking ban

I wrote this as an opinion for the Halifax Chronicle Herald, where it was printed on 19 November 2014:

The story of the past week has been the publication ban in the “high profile child pornography case” (Google it), when it should have been a discussion about sexual assault, child pornography and cyberbullying.

The police have investigated a number of instances of clear violations of the publication ban and have declined to press charges. They have also declined to provide a rationale, so that the rest of us have no guidance about whether we can discuss this incredibly important story without facing the wrath of the justice system.

The parents of the victim have said her name, over and over again. Social media is rife with mentions of her name. Foreign media have said her name in the context of her story. And this is a good thing, since we as a society have to come to terms with and learn from the horrible ordeal faced by a 15-year-old whose photo was taken and used to further abuse and bully her.

The rest of us are left wondering whether we would face the full brunt of the criminal justice system for saying a single word — her unique name — which has become synonymous with rape, cyberbullying and suicide.

The Criminal Code is clear: in all cases of child pornography, a judge must issue a ban prohibiting the publication or dissemination of the identity of the victim. This makes perfect sense. The last thing we as a society would ever want would be the re-victimization of a young person in the justice system or in the media.

Parliament, when the law was written, did not have this particular situation in mind and left the judge no wiggle room. The ban is mandatory.

However, the judge did make it clear in his decision when media outlets challenged the ban that there is a natural escape valve: even if the evidence shows a clear violation of the law and a slam dunk for a conviction, the prosecutor must determine whether the public interest is best served by the prosecution of the case.

The public interest would never be served by a prosecution of anyone for naming the victim in this case. But we are left with a situation where the rules are completely unclear and anybody discussing this case is standing on shaky ground.

It is time for the Attorney General of Nova Scotia or the Director of Public Prosecutions to publicly state that the public interest would not be served by any prosecution for saying her name and that they would not pursue charges against anyone for doing so.

And then we can stop talking about the publication ban and instead talk about the much more important issues of sexual assault and cyberbullying, and what we are doing about it.

David T.S. Fraser practises Internet and privacy law with McInnes Cooper law firm in Halifax.

Friday, November 14, 2014

The publication ban that makes no sense

I had the pleasure of sitting down to speak with Steve Murphy of CTV Atlantic about the publication ban in a very high profile child pornography / cyberbullying case here in Halifax. (CTV Atlantic: Privacy lawyer weighs in on pub ban | CTV Atlantic News)

The case has become very well known and most people are aware of the name of the victim, but the mandatory publication ban has resulted in a significant chilling of discussion related to this very important issue.

The ban is a mandatory one; the Criminal Code is clear that a judge MUST order a ban on the publication of any information that would identify the victim.

486.4(3) In proceedings in respect of an offence under section 163.1, a judge or justice shall make an order directing that any information that could identify a witness who is under the age of eighteen years, or any person who is the subject of a representation, written material or a recording that constitutes child pornography within the meaning of that section, shall not be published in any document or broadcast or transmitted in any way.

In an application made by the media to have the ban set aside, the judge made it abundantly clear in his decision turning down the application that his hands were tied.

In this case, the victim is no longer alive, having taken her own life as a result of a sexual assault, the distribution of the photo at the heart of the child pornography case, the subsequent bullying and slut shaming. The parents of the victim have been very vocal advocates in this area and need to continue to do so. But the telling of their daughter's story and the discussion that needs to take place all run the risk of violating the publication ban.

The publication ban, in this case, makes no sense and is chilling the discussion of a very important subject. Some have decided to ignore the ban and the Halifax Police today decided they would not pursue charges against a number of who have dared to mention the victim's name, but made it clear that they would investigate any further possible violations on a case-by-case basis. This is counter-productive. As the judge clearly stated in his decision, all of this can be solved by the Nova Scotia Director of Public Prosecutions issuing a statement that it would not be in the public interest to pursue charges in this case.

55. It is not for the court to purport to direct or even to advise or provide recommendations to the Director of Public Prosecutions. I will note however that it would be within the authority of the DPP to issue a direction to prosecutors in a specific case or in a certain classes of cases that it would not be in the public interest to prosecute. It would be within the authority of the Attorney General to issue a public direction to the DPP to that same effect.

The existence of the ban and police/prosecution discretion is having a chilling effect on discussion of this important issue. In my view, it is in the public interest that people be able to tell the whole story of the victim in this case.

If you agree, please feel free to share your opinion with the Director of Public Prosecutions:

Public Prosecution Service (Head Office)
Suite 1225, Maritime Centre
1505 Barrington Street
Halifax, Nova Scotia, B3J 3K5
Tel: (902) 424-8734
Fax: (902) 424-4484

Thursday, November 13, 2014

Police "shoulder surfing" accused's texts via casino CCTV camera is a Charter privacy violation

A judge of the Supreme Court of British Columbia in R. v. Ley and Wiwchar, 2014 BCSC 2108 has just held that police peeping on an suspect's text messages displayed on his blackberry screen via high-powered casino CCTV cameras was a violation of the Charter and would have required a wiretap order to make it permissible. From the decision:

[48] Moldaver J. in Telus Communications Co. concluded that the investigative technique used in that case was substantially equivalent to an intercept under Part VI and in my view the same can be said about the technique of using zoom cameras in the casino. Rather than seeking a disclosure of the messages sent by the applicant from the service provider, the police chose to read them in the process of being sent with the use of a camera. That, in my view, is substantially equivalent to an intercept under Part VI.

[49] As I have said, I am not aware of another way that a copy of text messages can be surreptitiously obtained from someone’s handheld communication device other than by photographing the messages or by obtaining a copy from the service provider. Based on Telus Communications Co., an authorization under Part VI would be required for the latter and should be required for the former.

[50] There was no evidence to suggest that the police could not have obtained a copy of the video footage taken of the applicant after it had been recorded by obtaining a production order, nor was there evidence to suggest that they could not have obtained copies of the text messages sent and received by the applicant during the time that he was at the casino, from the service provider. By instead choosing to photograph the applicant’s messages and retain the recorded footage the police bypassed the authorization requirement that, in my view, would otherwise have been necessary.

Summary of Conclusions

[51] Considering the totality of the circumstances in this case, I have concluded that the applicant’s rights under s. 8 of the Charter were violated by the use by the police of surveillance cameras in the casino to photograph messages on his Blackberry. If I am wrong in that conclusion, then in my view an authorization under Part VI of the Code was required because the actions of the police amounted to an interception of the applicant’s text messages.

Friday, November 07, 2014

Ontario Court awards $10K damages for Legal Aid file-peeking

The Ontario Superior Court of Justice has recently released its decision in McIntosh v. Legal Aid Ontario, 2014 ONSC 6136. While the background facts are messy and complicated (and, once again, related to jilted relationships), the one important takeaway is that the Court granted $10,000 in damages to the plaintiff based on the tort of intrusion upon seclusion after the defendant peeked into her Legal Aid file.

The defendant did not appear to defend the claim, so the court was left with assessing damages on a pretty sparse record, but one that was full of unsubstantiated claims of harms.

According to the plaintiff, her ex-boyfriend provided the defendant with the plaintiff’s full name and date of birth. The defendant used that information to access the plaintiff’s file with Legal Aid Ontario. A few days later, the defendant called the plaintiff and said that she had obtained confidential information from the plaintiff’s Legal Aid Ontario case file. The defendant’s review of the file disclosed that the plaintiff was involved with a Children’s Aid file. The defendant threatened to call the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her. The plaintiff filed a complaint with legal aid and with the Information and Privacy Commissioner of Ontario. Following that investigation, Legal Aid Ontario provided a written of apology to the plaintiff. The plaintiff asserted that information was provided by the defendant to Children's Aid, an investigation took place and it was subsequently closed. There was no evidence of any other disclosure of the plaintiff’s private information.

In her claim made against Legal Aid Ontario and the individual defendant, the plaintiff alleged that as a result of such breach of privacy, she has experienced “substantial anxiety, emotion [sic] upset, depression, significant stress, embarrassment, weight loss, insomnia, isolation, and an inability to concentrate at work.”

In the course of the hearing, virtually no evidence was led to substantiate any of the pecuniary or health-related claims. The Court was left with deciding damages solely on the basis of the peeking into the file.

Here's the court's analysis of the calculation of damages in this case:

[29] The plaintiff asserts in her affidavit that the defendant used the private information to contact the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her, but no documentation of any sort was filed in support of this bald allegation. The failure of the plaintiff to specify disclosure of information to the Children’s Aid Society with the original complaints or as part of the investigative process, coupled with the lack of any sort of supporting documentation, leads me to conclude that the plaintiff has failed to satisfy me that there was any disclosure of the plaintiff’s private information.

[30] In view of this finding, I am left with the task of assessing damages based upon the defendant’s improper access to the plaintiff’s private information only.

[31] The information that had been provided by the plaintiff to Legal Aid Ontario was clearly personal information. It was provided with an expectation that the plaintiff’s privacy interests would be respected and that the information would be used in connection with her legal aid application alone.

[32] The tone of the original complaint to Legal Aid Ontario itself is more consistent with irritation rather than devastation.

[33] If the invasion of her privacy did affect her emotional state, the evidence suggests that it did so in a minor fashion only. There is no detailed medical report, only a doctor’s note concerning a consultation for anxiety, something that has already been noted was a pre-existing condition. Having said that, I am satisfied that the evidence supports a finding that the disclosure of personal information caused the plaintiff a measure of annoyance, anxiety and distress.

[34] Although Legal Aid Ontario provided a letter of apology, the defendant has not seen fit to do so.

[35] After taking all of these factors into consideration, I award general damages in the amount of $10,000. In determining this amount, I have taken into consideration the resolution that occurred between the plaintiff and Legal Aid Ontario, who was originally named as a party defendant, but who is no longer involved in the claim


Though damages for intrusion upon seclusion may range from nominal to $20,000 (per Jones v Tsige), but we may see $10,000 become the standard award.

Thanks to Dan Michaluk for bringing this case to my attention. Check out his commentary on this blog at AllAboutInformation.ca.