Wednesday, March 25, 2015

Cyberbullying for family law practitioners (*not intended to be a how-to guide)

I was invited to speak with the Canadian Bar Association's Nova Scotia Family Law Section on cyberbullying law for family law practitioners. I was very happy to do so, given that many instances of cyberbullying arise from failed relationships and this will be a growing issue for family lawyers.

In case it is of interest, here is the presentation:

Wednesday, March 18, 2015

In Bill C-51, you can be ORDERED to help CSIS violate the Charter

Oh, there are so many things wrong with Bill C-51, the government's proposed Anti-Terrorism Act, 2015. But one aspect that I find particularly frightening has not received much attention. Under new amendments to the CSIS Act, you can be ordered to help CSIS violate the Charter rights of others.

Yup. Bill C-51 expands the sort of warrants that the Canadian Security Intelligence Service can obtain. It used to be that they could make secret applications, in secret, in front of a judge in a secret bunker for secret warrants to do things like wiretap, install bugs, etc. Now, CSIS is given a broader mandate to take measures to reduce "threats to the security of Canada". (Which is an incredibly vague term that should send chills up your spine.) And under C-51, CSIS can apply for warrant permitting its agents to break laws, including the Charter, to reduce such threats:

21.1 (1) If the Director or any employee who is designated by the Minister for the purpose believes on reasonable grounds that a warrant under this section is required to enable the Service to take measures, within or outside Canada, to reduce a threat to the security of Canada, the Director or employee may, after having obtained the Minister’s approval, make an application in accordance with subsection (2) to a judge for a warrant under this section.

So such a warrant would allow CSIS to do things, inside or outside of Canada, that would otherwise violate our criminal law or the Charter. That's bad enough. But Bill C-51 also gives CSIS the ability to get an order requiring others to help them violate our criminal law or the Charter.

Assistance order

22.3 (1) A judge may order any person to provide assistance if the person’s assistance may reasonably be considered to be required to give effect to a warrant issued under section 21 or 21.1.


And to make it worse, the order can include a gag-order preventing you from complaining about it.

Confidentiality

(2) The judge may include in the order any measure that the judge considers necessary in the public interest to ensure the confidentiality of the order, including the identity of any person who is required to provide assistance under the order and any other information concerning the provision of the assistance.


I don't think that this would survive Charter scrutiny, but it's very troubling that the government wants CSIS to be able to deputize anyone and to force them to help in CSIS's "kinetic activities".

That's incredibly troubling.

Monday, March 16, 2015

Privacy Commissioner: Health Canada violated privacy laws by disclosing personal health information of over 40,000 Canadians

A press release issued today by my firm and the other firms listed below, who are representing more than 40,000 Canadians affected by a Health Canada privacy breach:

The Office of the Privacy Commissioner of Canada has completed its investigation of Health Canada's privacy breach affecting over 40,000 licensees of the Marihuana Medical Access Program (MMAP), concluding that Health Canada violated federal privacy laws.

In November 2013, Health Canada sent written notices to over 40,000 individuals, outlining changes to the MMAP. The envelopes used for the mail-out clearly included the words "Health Canada - Marihuana Medical Access Program" on the return address, indicating to anyone who saw the envelopes that the recipient was either licensed to possess medical marihuana or to grow it for medical purposes. The envelopes were oversized so more likely to come to people's attention. Previously, Health Canada had been discreet in its communications with program members.

Three hundred and thirty nine affected individuals complained to the Office of the Privacy Commissioner, who initiated an investigation. The complainants cited several concerns relating to the impact of Health Canada's actions on their personal lives including concerns about losing their jobs, reputational damage and personal safety.

In a finding dated March 3, 2015, the Commissioner determined that Health Canada had violated the federal Privacy Act, which is designed to protect the privacy of Canadians when the federal government handles their sensitive information. The Commissioner's Finding was only sent to the 339 individuals who filed complaints with the Privacy Commissioner, but a copy of the document can be found here. Affected individuals who were not among the original complainants do not have to file additional complaints to the Commissioner, as the investigation is concluded.

The finding rejects the justifications put forward by Health Canada, which include blaming the patients for having gone to the media about the breach, which brought attention to the matter. The government also suggested that including the full name of the program instead of an abbreviation that would protect privacy was one of the "reasonable options" available to it under the law.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing affected users in an intended class action lawsuit against Health Canada filed in the Federal Court.

"It was clear to me, as soon as my phone started ringing in November 2013, that there was no justification for the careless error made by Health Canada in this case," said privacy lawyer David Fraser of McInnes Cooper. "It's one thing to acknowledge making a mistake, which Health Canada did, but immediately turning around to blame the victims is repulsive."

"We are pleased that the Privacy Commissioner of Canada agrees that Health Canada violated the law in its mishandling of patients' personal information," said David Robins of Sutts Strosberg LLP.

"Hundreds of people have reached out to us through our secure website for the class action to tell us how the breach has affected them, from lost jobs, effects on family relationships and social stigma. Each person who was a part of the MMAP was promised by Health Canada that their confidentiality would be protected," said Ted Charney of Charney Lawyers, adding that "the Commissioner is not able to award compensation to the victims or penalize Health Canada for its unlawful conduct, so the class action lawsuit is important in pursuing justice."

"We expect that the court hearing to ask that the case be blessed as a certified class action will take place in the early summer. If the judge agrees, we can move forward with the merits of the case," said Ward Branch of Branch MacMaster. "The privacy commissioner's report serves as a helpful roadmap for the case."

Affected class individuals are encouraged to register at www.marijuanaclassaction.com. While class members are not required to "opt in" to participate in the intended class action lawsuit, providing contact information and advising class counsel about how this privacy breach has affected you individually will help class counsel in bringing the case forward. Those who have already registered on the secure website do not need to re-register, but may want to update their information if their circumstances have changed or if they have experienced additional harms as a result of the breach.

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world's leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

Monday, March 09, 2015

Canadian "revenge porn" and lawful access law is now in effect

Bill C-13, entitled the "Protecting Canadians from Online Crime Act", is now in effect. It received royal assent on December 9, 2014 and states that it comes into effect three months after that. (See: LEGISinfo - House Government Bill C-13 (41-2))

For previous commentary on the Bill, check out my past posts labelled "Bill C-13".

Thursday, March 05, 2015

Quebec man charged with obstruction for not giving up smartphone password to customs officer

The CBC (Quebec resident Alain Philippon to fight charge for not giving up phone password at airport and the Halifax Chronicle Herald (Quebec man faces charge for refusing to let Halifax border guards check his phone) are reporting that a man from Quebec has been charged with obstruction for not giving this smartphone password to a Canada Border Services Agency inspector upon his return to Canada at Halifax International Airport.

It would appear that the individual has been charged under s. 153.1 of the Customs Act, which deals with "hindering" a customs officer:

Hindering an officer 153.1 No person shall, physically or otherwise, do or attempt to do any of the following:

(a) interfere with or molest an officer doing anything that the officer is authorized to do under this Act; or

(b) hinder or prevent an officer from doing anything that the officer is authorized to do under this Act.

To my knowledge, this is the first case of its kind. I haven't been able to find any case where this provision has been used in similar circumstances.

There is little doubt that there is a reduced expectation of privacy at the border, and past cases have found that a warrantless search of a laptop for child pornography was as justifiable as a search of a suitcase. What will be most interesting to watch as this cases progresses is whether the Courts will take into account more recent Supreme Court cases dealing with laptop and cell phone searches and if there is a positive duty on the part of a traveler to unlock or provide the password to a digital device.

This is definitely a case to watch: if a Court finds this accused has obstructed or hindered a customs officer in this case, it would likely also be an offense to refuse to unlock a smartphone for a police officer carrying out a lawful search.

CRTC issues first CASL penalty: $1.1 million levied against Compu-Finder

The CRTC has levied its first penalty under Canada's Anti-spam Law (CASL): a whopping $1.1 million against Compu-Finder for sending commercial electronic messages without consent and for not meeting the unsubscribe requirements under the law.

It would appear that Compu-Finder got the CRTC's attention quite vividly thanks to a huge number of complaints made to the CRTC's anti-spam reporting centre. Apparently 26% complaints received for this industry segment related to this company.

Here's the CRTC's media release:

CRTC Chief Compliance and Enforcement Officer issues $1.1 million penalty to Compu-Finder for spamming Canadians - Canada News Centre

March 5, 2015 – Ottawa-Gatineau - The Canadian Radio-television and Telecommunications Commission’s (CRTC’s) Chief Compliance and Enforcement Officer today issued a Notice of Violation to Compu-Finder, which includes a penalty of $1.1 million, for breaking Canada’s anti-spam law. Compu-Finder has 30 days to submit written representations to the CRTC or pay the penalty. It also has the option of requesting an undertaking with the CRTC on this matter.

Further to an investigation, the Chief Compliance and Enforcement Officer finds that Compu-Finder sent commercial electronic messages without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly. The emails sent by Compu-Finder promoted various training courses to businesses, often related to topics such as management, social media and professional development. The four alleged violations occurred between July 2, 2014 and September 16, 2014. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted.

The CRTC is assessing complaints submitted to the Spam Reporting Centre that are under its legislative mandate and a number of investigations are currently underway. The CRTC is working with its partners, both within Canada and internationally, to protect Canadians from online threats and contribute to a more secure online environment.

The CRTC can discuss corrective actions with individuals, firms or organizations, which may lead to an undertaking that includes an amount to be paid and other corrective measures. As part of its powers, the CRTC can also issue warning letters, preservation demands, notices to produce, restraining orders and notices of violation.

Canadians are encouraged to report spam to the Spam Reporting Centre. The information sent to the Centre is used by the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner to enforce Canada’s anti-spam law.

Quick Facts

  • The CRTC’s Chief Compliance Officer has issued Compu-Finder a Notice of Violation, which includes a penalty of $1.1 million, for four violations of Canada’s anti-spam law.
  • Compu-Finder had sent commercial emails without consent, as well as messages in which the unsubscribe mechanisms did not function properly.
  • To help Canadian businesses comply with the law, the CRTC has provided numerous information sessions across the country and made guidance materials available on its website.
  • The CRTC is working with its partners, both within Canada and internationally, to protect Canadians from online threats and contribute to a more secure online environment.
  • Canada’s anti-spam law protects Canadians while ensuring that businesses can continue to compete in the global marketplace.
  • Canada’s anti-spam legislation was adopted by Parliament in December 2010 and came into force on July 1, 2014.
  • Penalty amounts are calculated using the factors outlined in section 20 of Canada’s anti-spam legislation.

Quote

“Prior to the coming into force of the anti-spam law, the CRTC conducted numerous outreach initiatives to increase the awareness of businesses on the new requirements. Creating a secure online environment for Canadians is also the responsibility of industry. Despite the CRTC’s efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force to email addresses it found by scouring websites. Complaints submitted to the Spam Reporting Centre clearly indicate that consumers didn’t find Compu-Finder’s offerings relevant to them. By issuing this Notice of Violation, my goal is to encourage a change of behaviour on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law. We take violations to the law very seriously and expect businesses to be in compliance.”

Manon Bombardier, Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Edit: Corrected/clarified the information in italics above.

Thursday, February 26, 2015

The disaster of the Nova Scotia cyberbullying law; it's time to go back to the drawing board

I often represent victims of true cyberbullying, including adults whose lives have been turned upside down by malicious online actors, so I am very sympathetic to the nominal goals of Nova Scotia's Cyber-safety Act. But the legislation fails to take into account -- in any way -- that all expression is protected by the Charter and can only be regulated or suppressed by reasonable limits, prescribed by law. The legislation is defective and has been enforced by the province in a manner that only makes it worse.

In Nova Scotia, any electronic speech that would reasonably be expected to cause someone distress or hurt feelings or harm to self-esteem is deemed to be cyberbullying. There are no defences. Here is the definition of cyberbullying from the Act:

(b) “cyberbullying” means any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably [to] be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self- esteem or reputation, and includes assisting or encouraging such communication in any way;

You may want to read that again, but focus on this bit: "any electronic communication ... that ought reasonably be expected to cause .. humiliation, distress or other damage or harm to another person's ... self-esteem or reputation...".

Every other Canadian law that tries to limit speech has defences, such as the defence of truth or fair comment under defamation law. Hate speech laws in the Criminal Code have defences. The Supreme Court of Canada, in Grant v Torstar, recently recognized that traditional defamation law was not compatible with the Charter because a diligent commentator on a matter of public interest would be found liable under existing rules so created a defence of "responsible communication on a matter of public interest." Under defamation law, you can call a convicted thief a thief, but if you dare tweet that in Nova Scotia or put it on a blog, you're a cyberbully.

We just have to look at how the Cyber-safety Act has been applied by the CyberSCAN unit to understand how incompatible it is with Charter protected expression. After a teenager started a twitter argument with MLA Lenore Zann, the CyberSCAN folks called an individual who regularly tweets about Nova Scotia politics and told him to remove his tweets or there would be unspecified "further action". His tweets questioned the judgement of an elected member of the legislature. He deleted his tweets. (See: Nova Scotia politician alleges cyberbullying, calls the authorities on tweeting teen)

On another occasion, the CyberSCAN folks met with an individual who was demanding financial transparency and accountability from his elected First Nations Band Chief. I will admit his questioning was inelegant and his frustration is apparent in his comments. (At one point, he apparently suggested she could use a punch in the face.) They told him to not communicate with or about her, and to remove any negative comments about her from the internet, or there would be "further action". When he reneged on his agreement to lay off, they went to court and got an order of the Supreme Court of Nova Scotia that forbids him from communicating with or about his elected representative, effectively cutting him out of the democratic process. The judge did not issue any written reasons for the decision. (See: More details about Nova Scotia's first cyberbullying prevention order)

Most recently, Frank Magazine has reported in its 29 January 2015 issue that a local, politically active twitter user and blogger received a late-night visit from from CyberSCAN unit. Here's how it was related in the Frank article:

"A government agent from the province's Cyberscan cyberbullying division came to my house and ordered me to take down my political blog," Eric tells me.

"Or they would get a court order, and... they would seize all my computers, cell phones, ban me from using the internet, fine me thousands of dollars and jail me for up to two years."

According to the Frank magazine article, the CyberSCAN officer, Lisa Greenough, refused to tell the individual who had filed the complaint or what was the substance of the actual complaint. He was essentially told to just stop participating in politics online. Or there would be consequences.

The CyberSCAN unit's modus operandi when it comes to political participation appears to be to tell folks to stop. Not to tone it down. Just stop. And the invariable "or there will be further action."

When the legislation was introduced, I was interviewed by CBC saying that it was likely unconstitutional. In a later interview with the Premier of Nova Scotia, they played him that clip with my critique of the law. He said he couldn't disagree with me more. Having the Premier of a province tell you that you're wrong surely would hurt my feelings and harm my self esteem. If he had tweeted it, would have been cyberbullying according to the law his government passed. The CBC put the article on their website, so they cyberbullied me by "assisting or encouraging". None of them would have intended to have hurt my feelings, but that doesn't matter under this province's bizarre law.

This law was passed less than one hundred feet from the statue of Joseph Howe at the legislature. But if Howe had been on Twitter, he would have been branded a cyberbully; his comments almost certainly hurt the feelings of the local magistrates and caused them distress.

Cyberbullying is a very hard thing to define, and the law's supporters said that it had to be very broadly defined but would be applied with judgement and discretion. I have not seen evidence of that. Though most of the CyberSCAN unit's activities have not been reported on, those cases that have hit the media or the courts show a complete disregard for freedom of expression. When I asked the CyberSCAN unit about how they incorporate this fundamental human right into their decision-making, this is the response I received:

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

I would suggest that there is no evidence that the Charter was considered when the legislation was put together. And I seen no evidence that the Charter has been given consideration when the Act is applied.

Cyberbullying -- of kids and adults -- is a real issue that demands a real, meaningful response. However, the Cyber-safety Act of Nova Scotia is a disaster and the province's government needs to go back to the drawing board.


In case you are curious about the CyberSCAN unit, here are the questions I asked of the group and the answers I received:

1. How many employees (FTE) are there in the CyberSCAN unit?

There are five full time investigators, a Director, a case manager, and an administrative assistant that have additional duties associated with similar programs.

2. How many complaints or inquiries has the CyberSCAN unit received from victims of cyberbullying? Of these, how many are from adults and how many are from youth/children?

Since September 30, 2013, the unit has received 497 complaints that have initiated investigations.

3. How many files has the CyberSCAN unit opened in connection with complaints? Of these, how many are from adults and how many are from youth/children?

SEE Q4

4. How many formal investigations have been launched by the CyberSCAN unit? Of these, how many are from adults and how many are from youth/children?

497 complaints received have involved the following:

Adult – 302 – adult reporting they are being cyberbullied

Guardian – 7 – guardian reporting on behalf of minor child

Parent – 76 – reporting on behalf of minor child

Referral by Police – 27

Referral by School – 66

Referral by Victim Services – 1

Youth – 19 – youth reporting they are being cyberbullied

5. How many complaints have been resolved informally by the CyberSCAN unit without having to open a file or launch a formal investigation?

There have been 163 informal resolutions.

6. How many Cyber Safety Prevention Orders have been applied for by the Director of Public Safety? Of these, how many are from adults and how many are from youth/children?

The Director has applied for and received 2 Prevention orders in court.

7. Does the CyberSCAN Unit have full time legal counsel assigned to it?

The unit utilizes Legal Services within the Department of Justice.

8. On the unit’s website, it says “The CyberSCAN unit will determine which alleged victims are at the most risk and respond to cases in order of priority.” How do you prioritize cases?

Cases are prioritized based on the potential harm to the individual.

9. Are there any formal or informal means by which the CyberSCAN unit takes Charter guaranteed freedom of expression rights into account in its activities?

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

Full disclosure: I am representing clients in two separate cases that are challenging the Cyber-safety Act and its application on Charter and other grounds. I have also been a witness in an application to obtain a cyberbullying protection order.

Thursday, February 19, 2015

Pre-installed adware may be kosher under Canadian anti-spyware provisions of CASL

The Next Web is reporting that Lenovo has been shipping consumer laptops pre-equipped with adware (see: Lenovo Caught Installing Adware On New Computers). This raises an interesting question for Canadians: would something like this be ok under the anti-spyware provisions of Canada's Anti-Spam Law (CASL)?

In true lawyerly style, the answer is "it depends". But maybe this highlights one of the many problems with the law.

The owner or authorized user of a computer system can install whatever he or she wants on the device, but this may not be the ultimate end-user. So if a manufacturer installs adware software on the device before title to it passed to the end user, that may be just fine under the law (but likely problematic from the point of view of the end user). Also, if it is embedded in the operating system of the device, that may be OK because there's deemed consent for the installation of operating systems by third parties.

I think most consumers would say that adware, crapware, bloatware, etc. should not be on their devices without their consent and the company that put it there should be required to remove it on request. However, if the software was installed when the manufacturer owned the device, the law may not meet consumers' expectations.

For more information on the software installation provisions of CASL, check out my firm's FAQ on the subject.

Wednesday, February 18, 2015

Ontario health privacy law doesn't preclude class actions for intrusion upon seclusion claims

The Ontario Court of Appeal in Hopkins v. Kay, 2015 ONCA 112 (CanLII) has just ruled that the Personal Health Information Protection Act (PHIPA) doesn't preclude common law claims for intrusion upon seclusion. In the decision under appeal, The motion judge held that it was not plain and obvious that the claim based on Jones v. Tsige could not succeed. He noted that the existence of PHIPA and other privacy legislation had been brought to the appeal court’s attention in Jones v. Tsige and refused to strike the claim under Rule 21.

It was argued by the appellants that PHIPA creates an exhaustive code that ousts common law torts, such as intrusion upon seclusion. The Court of Appeal did not agree:

[30] An intention to create an exhaustive code may be expressly stated in the legislation or it may be implied. As there is nothing explicit in PHIPA dealing with exclusivity, the question is whether an intent to exclude courts’ jurisdiction should be implied. In Pleau v. Canada (A.G.), 1999 NSCA 159 (CanLII), 182 D.L.R. (4th) 373, leave to appeal refused, [2000] S.C.C.A. No. 83, Cromwell J.A. explained, at para. 48: “Absent words clear enough to oust court jurisdiction as a matter of law, the question is whether the court should infer… that the alternate process was intended to be the exclusive means of resolving the dispute.”

[31] Cromwell J.A. identified three factors that a court should consider when discerning whether there is a legislative intent to confer exclusive jurisdiction. First, a court is to consider “the process for dispute resolution established by the legislation” and ask whether the language is “consistent with exclusive jurisdiction”. Courts should look at “the presence or absence of privative clauses and the relationship between the dispute resolution process and the overall legislative scheme”: Pleau, at para. 50 (emphasis in original).

[32] Second, a court should consider “the nature of the dispute and its relation to the rights and obligations created by the overall scheme of the legislation”. The court is to assess “the essential character” of the dispute and “the extent to which it is, in substance, regulated by the legislative… scheme and the extent to which the court’s assumption of jurisdiction would be consistent or inconsistent with that scheme”: Pleau, at para. 51 (emphasis in original).

[33] The third consideration is “the capacity of the scheme to afford effective redress” by addressing the concern that “where there is a right, there ought to be a remedy”: Pleau, at para. 52 (emphasis in original).

With respect to the first criterion, the court said:

[45] I conclude that PHIPA provides an informal and highly discretionary review process that is not tailored to deal with individual claims, and it expressly contemplates the possibility of other proceedings.

For the second criterion:

[52] The above comparison leads me to conclude that allowing actions based on Jones v. Tsige to proceed in the courts would not undermine the PHIPA scheme. The elements of the common law cause of action are, on balance, more difficult to establish than a breach of PHIPA, and therefore it cannot be said that a plaintiff, by launching a common law action, is “circumventing” any substantive provision of PHIPA. The aspects of the common law that may at first glance appear more lenient are not, upon closer consideration, significantly advantageous.

[53] Allowing common law actions to proceed in the courts would, however, allow plaintiffs to avoid PHIPA’s complaint procedure, and I now turn to the issue of whether that procedure is sufficient to ensure effective redress.

And thirdly:

[61] It was suggested in oral argument that an individual complainant could always ask the Attorney General to launch a prosecution pursuant to s. 72 and then use the conviction as a basis for claiming damages under s. 65(2). I am not persuaded that this argument alleviates the problem. First, it would subject the individual complainant to yet another discretionary hurdle. Second, it is hardly a persuasive argument supporting the exclusivity of the PHIPA process to say that individuals can obtain redress by resorting to the courts by way of a prosecution.

And in the result:

[73] For these reasons, I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

Friday, February 13, 2015

To combat fraud, you want Visa to track your smartphone

A couple of years ago, I got into my office, sat down at my desk and the phone rang. It was my bank. The conversation went something like this:

Bank: Mr. Fraser, it's * from [my bank branch]. Do you have your bank card with you?

Me: Yes, it's right here [I pulled it out of my wallet].

Bank: Did you use your card to withdraw $400 from a no-name ABM at 2:00am this morning?

Me: No. I was asleep. Where was the ABM?

Bank: We think it was at a strip club.

Me: Yeah, that wasn't me.

Bank: We've cancelled your card and we'll put the $400 back in your account. Can you come by the branch to pick up a new card and choose a new PIN?

Me: Yup.

To me, this was a great example of how a company can use your personal information to protect you. Obviously, I was not in the habit of withdrawing cash at last call in strip joints so my bank's algorithms knew it was not me.

Now Visa is planning to roll out a new opt-in feature that will use the location of your mobile phone to combat fraud. If your phone is in New York but a transaction on your card is in Thailand, it is much less likely to be you. But if you really are in Thailand, you probably do not want Visa to disable your transactions as a precaution. This is a great feature that uses your personal information to protect you, and will not be used for secondary purposes/

From the Associated Press: To combat fraud, Visa wants to track your smartphone - Yahoo Finance:
.

(I'd suggest the title to the AP article should be "To combat fraud, you want Visa to track your smartphone.")