Thursday, April 28, 2016

You'd better forget the right to be forgotten in Canada

Summary: This discussion paper is intended to address the following question put forward in the OPC’s consultation paper on online reputation: “Can the right to be forgotten find application in the Canadian context and, if so, how?” The author is of the view that the right to be forgotten cannot be shoehorned into existing privacy law because search engines do not come within the scope of PIPEDA and the activity of indexing newsworthy content online is subject to the journalism exception in PIPEDA. Furthermore, any attempt to compel a search engine to not include particular results -- particularly pointing to lawful content -- would fall afoul of the freedom of expression right under the Canadian Charter of Rights and Freedoms. The paper concludes with some additional thoughts that will need to be factored into the discussion of the right to be forgotten in Canada.
The next battle over privacy and freedom of expression in Canada will -- not surprisingly -- be carried out over the internet. Or at least it will be about the internet. Following the important decision by the European Court of Justice in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014), which found a “right to be forgotten” in the European Data Protection Directive, it is natural to ask if there is an equivalent or similar right to be forgotten in Canada.

In my submission, there is not. It cannot be shoehorned into our existing federal privacy law, the Personal Information Protection and Electronic Documents Act, and any attempt to do so would ultimately be unconstitutional on at least two grounds.

But there is also the more general, philosophical discussion worth having about whether one can import “RTBF” into Canada, a country that values freedom of expression and purports to embrace the internet. How can it make any sense at all to have a law that says a person or a news outlet can lawfully post material on the internet, but it is illegal for a search engine to tell you that it even exists?    

While I am sympathetic to many who may want to leave unpleasant or embarrassing facts behind them as they progress through their lives, it is wrong in principle to allow information to remain on the internet but to only prohibit a completely uninvolved party from indexing and including it in search results.

If the problem is with the embarrassing or out-of-date information, then any efforts should be directed at the person responsible for the information. However, the legal reality is that it would be constitutionally untenable to pass a law that would prohibit a news outlet or other content producer from expressing him or herself

Are search engines and the results they produce subject to PIPEDA?

The first question to be asked is whether one can locate a right to be forgotten within the existing framework of PIPEDA. I suggest you cannot, for a range of reasons.

Are search engines engaged in “commercial activities”?

To begin with, search engines are likely not engaged in commercial activities, at least for the purposes of section 4(1)(a) of PIPEDA. In order for PIPEDA to apply to any activity, the collection, use and disclosure of personal information must be in the course of “commercial activities.” One cannot simply say that a search engine is a private commercial undertaking because the definition is not as broad as it seems. As found by the Federal Court in  State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736, the actual activity at issue is what needs to be characterised for the purposes of s. 4(1)(a):
[106]      I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties... [emphasis added]
While most search engines are commercial enterprises and supported by advertising revenue, it does not charge users for search results and it does not charge content providers to be indexed in the search engine for inclusion in search results. The indexing, retrieval and serving of search results are not part of any commercial transaction. Ultimately, the search engine is about facilitating timely and easy access to information on the world wide web, which is not an inherently commercial activity. It can most readily be likened to compiling a card-catalogue for a library, but it is electronic and the library is the global internet.

Are search engines handling personal information for “journalistic, artistic or literary purposes”?

Instead of being included in PIPEDA by s. 4(1)(a), I would suggest that most search engines are excluded due to the operation of s. 4(2)(c) of PIPEDA:
Limit
(2)         This Part does not apply to ...
(c)         any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
Search engines are fundamentally journalistic or literary operations, particularly when providing a user with access to news media content. At the same time, they are also providing news media producers with access to readers.

The Torstar case was abundantly  clear that writing on matters of public interest is not reserved to the mass media. On this particular question, the Chief Justice’s judgement in Grant v. Torstar Corp., 2009 SCC 61 (“Torstar”), at paragraphs 96 and 97, is interesting:

However, the traditional media are rapidly being complemented by new ways of communicating on matters of public interest, many of them online, which do not involve journalists.  These new disseminators of news and information should, absent good reasons for exclusion, be subject to the same laws as established media outlets.  I agree with Lord Hoffmann that the new defence is “available to anyone who publishes material of public interest in any medium”: Jameel, at para. 54. …
[97]        A review of recent defamation case law suggests that many actions now concern blog postings and other online media which are potentially both more ephemeral and more ubiquitous than traditional print media. While established journalistic standards provide a useful guide by which to evaluate the conduct of journalists and non-journalists alike, the applicable standards will necessarily evolve to keep pace with the norms of new communications media. [emphasis added]
While Torstar was a defamation case, it is instructive of how traditional categories of “journalism” are being expanded in the modern age, particularly by our courts. This expansion was specifically in reference to the operation of the Canadian Charter of Rights and Freedoms, which is discussed in greater detail below.

The journalism exception to privacy laws has been applied by the Office of the Information and Privacy Commissioner of Alberta in Order P2005-004, which focused on the actions of the Calgary Herald Newspaper. In that case, the Adjudicator appointed under the Personal Information Protection Act (Alberta) (“PIPA”) determined that any interpretation of that Act must follow the Charter and the Alberta Bill of Rights. The complainant alleged that the Calgary Herald had violated PIPA in its publication of a news story. The Calgary Herald argued that sections 4(3)(c) and 4(3)(k) of PIPA meant that PIPA would not apply to these activities. The adjudicator stated:

[para 19] Webster’s New College Dictionary defines “journalistic” as “Of, relating to, or typical of journalists.” “Journalism” is defined as:

1.Collection, writing, editing and dissemination of news through the  media 2. Material written for publication in the media 3. A style of  writing used in newspapers and magazines, characterized by the direct  presentation of facts or occurrences with little attempt at analysis or  interpretation.

[para 20] The personal information disclosed was in the form of a newspaper article which was published by the Organization. This in itself meets the definition of “material written for publication in the media”. Having reviewed the newspaper article itself, the personal information within it is a direct presentation of the facts and is clearly collected and disclosed for journalistic purposes. There is no evidence before me or any evidence from the newspaper article itself that would lead me to conclude that the collection, use and disclosure of the personal information was for any other purpose other than for journalistic purposes.

Having found that s. 4(3)(c) of PIPA applied, the adjudicator determined that that the OIPC had no jurisdiction to consider the matter further:

[para 22] However, my authority under the Act is to determine whether the collection, use or disclosure of personal information was for journalistic purposes only. Once I have established that the use of personal information was for journalistic purposes only, the Act does not apply and my authority to decide any other issue ceases. Any inquiry into what is a reasonable collection, use and disclosure of personal information, can only come into play if I have jurisdiction to proceed under the Act. In this case, I have determined that the Act does not apply to the matter in question and I can go no further.
At their core, search engines perform a journalistic function: it primarily relates to the dissemination of news and information, and is comprised of material written for publication in the media. On that basis, s. 4(2)(c) of excludes the operation of PIPEDA. The fact that this particular paragraph in PIPEDA refers to “journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose” remains vulnerable to Charter challenge, as was the case in the UFCW case discussed below.

We should remember that Costeja arose in the context of a newspaper article appearing in a search result. If a similar case were to arise in Canada, it would be clear that the search engine, in pointing to a newspaper article, is performing a journalistic function.

However, even if one were to conclude that PIPEDA may facially apply to a search engine’s indexing and serving of content to users, any interpretation of the statute along those lines is unconstitutional both on a separation of powers analysis and under s. 2(b) of the Charter.

Freedom of Expression under the Charter

Any reading of PIPEDA that has the effect of regulating the indexing of public content -- particularly newsworthy content -- and providing links to users via a search engine effectively regulates the expressive activity of the search engine operator and would be very problematic under the Charter. As I intend to argue, doing so would offend s. 2(b) of the Charter and cannot be justified under s. 1.

Given that legislation should be read in a manner that is consistent with the Charter, regulators should interpret PIPEDA in a manner that excludes search engines. As the Chief Justice wrote in R. v. Sharpe, 2001 SCC 2, at paragraph 33:

Supplementing this approach is the presumption that Parliament intended to enact legislation in conformity with the Charter. If a legislative provision can be read both in a way that is constitutional and in a way that is not, the former reading should be adopted. [citations omitted]

It is important to consider whose rights are actually engaged in the RTBF discussion. Clearly we are looking at the rights of a search engine operator to communicate meaning from its indexing of websites. But we also have to be mindful that RTBF affects the rights of the organization that created the linked-to content. They have the right to communicate their content to the public and to use search engines to reach their audiences. Finally, the rights of internet users are also engaged as section 2(b) also includes the right to receive expressive content.[1] It is clear that the freedom of expression under the Charter limits the government’s ability to regulate the content of communications, but also the mode and timing of such communication.

Here we are not only concerned with a search engine operator’s constitutionally protected right to freedom of expression, but the right of every Canadian to get access to relevant content on the internet via the use of Google’s search engine. This also limits Canadian media outlets’ constitutionally protected right to disseminate its expressive content on the internet.

Any law or the operation of any law that restricts the mode or content of expression violates s. 2(b) of the Charter and must be justified under s. 1 of the Charter. Once a search engine has shown that any legislative provision limits its rights to expression, the onus will be on the government to justify it.

In R. v. Sharpe, the Supreme Court laid out the framework of analysis that a tribunal must follow at paragraph 78:

The question we must answer is whether that limitation is reasonable and demonstrably justified in a free and democratic society.  To justify the intrusion on free expression, the government must demonstrate, through evidence supplemented by common sense and inferential reasoning, that the law meets the test set out in R. v. Oakes, [1986] 1 S.C.R. 103, and refined in Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, and Thomson Newspapers Co. v. Canada (Attorney General), [1998] 1 S.C.R. 877.  The goal must be pressing and substantial, and the law enacted to achieve that goal must be proportionate in the sense of furthering the goal, being carefully tailored to avoid excessive impairment of the right, and productive of benefits that outweigh the detriment to freedom of expression.

Thus, in order to be justifiable under the Charter, all of the following questions must be answered in the affirmative for this particular application of PIPEDA to be upheld under Section 1 of the Charter:

(a)        Is the limitation prescribed by law?
(b)        Is the legislative objective pressing and substantial?
(c)        Is there proportionality between the limitation on the right and the benefits of the law? This requires answering the following questions:
(i)        Is there a rational connection between the legislative objective and the means in the law meant to achieve that objective?
(ii)        Is the right in issue “minimally impaired”?
(iii)        Is there proportionality between the deleterious and salutary effects of the law? 
There is certainly an argument to be made that RTFB fails on all counts, but the Charter question will likely hinge on the proportionality analysis.

Assuming the limitation would be “prescribed by law”, we have to determine the objective of the legislators and then consider whether it is “pressing and substantial”.

The purpose of the statute is set out in s. 3:

3.         The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

As noted by the Federal Court in State Farm:

[104]        These purposes are reflected in the long title of PIPEDA [emphasis added]:An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

[105]        The collection of information in order to properly defend a civil tort action has little or nothing to do with these purposes.

In the State Farm case, the Court determined that “[t]he collection of information in order to properly defend a civil tort action has little or nothing to do with these purposes.”

The Supreme Court’s characterization of the Personal Information Protection Act (Alberta) in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733 (“UFCW”) is also helpful, as that law is substantially similar to PIPEDA:

[19]         There is no dispute that PIPA has a pressing and substantial objective. The purpose of PIPA is explicitly set out in s. 3, as previously noted, which states:
3          The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.

The focus is on providing an individual with some measure of control over his or her personal information: Gratton, at pp. 6 ff.   The ability of individuals to control their personal information is intimately connected to their individual autonomy, dignity and privacy.  

The purpose of PIPEDA is to protect the privacy of individuals, in a manner that is tempered against the needs of organizations to collect, use or disclose personal information for legitimate purposes, particularly focused on supporting and promoting electronic commerce.

One might even connect PIPEDA’s purposes to the protection of reputation, which has been repeatedly held by the Supreme Court of Canada to be an important value. However, one should note that civil and criminal defamation law has repeatedly been held to be consistent with the Charter because the falsity of the information is a key component. (See Hill v. Church of Scientology of Toronto, [1995] 2 SCR 1130, 1995 CanLII 59 and R. v. Lucas, [1998] 1 SCR 439, 1998 CanLII 815.) Falsity of the information is not integral to the right to be forgotten. Information that is true can still be caught within the European model of RTBF.

There likely is a rational connection between protecting the privacy of individuals and regulating the collection, use and disclosure of their personal information in the course of commercial activity, per (c)(i) above. However, this is not minimally impairing and thus fails the proportionality analysis.

From RJR-MacDonald Inc. v. Canada (Attorney General), [1995] 3 SCR 199 at para. 160), it is clear that only very focused and restricted impairments of the right to free expression can survive Charter challenge:

As the second step in the proportionality analysis, the government must show that the measures at issue impair the right of free expression as little as reasonably possible in order to achieve the legislative objective.  The impairment must be “minimal”, that is, the law must be carefully tailored so that rights are impaired no more than necessary.  The tailoring process seldom admits of perfection and the courts must accord some leeway to the legislator.  If the law falls within a range of reasonable alternatives, the courts will not find it overbroad merely because they can conceive of an alternative which might better tailor objective to infringement . . . On the other hand, if the government fails to explain why a significantly less intrusive and equally effective measure was not chosen, the law may fail.
PIPEDA, if interpreted in a way that would regulate the inclusion of any particular search result, would simply not be minimally impairing. Prohibiting someone from connecting Canadians to information lawfully existing on the internet goes dramatically beyond the legitimate purposes of PIPEDA, particularly where the information is news reporting.

If PIPEDA is applied to search results, the law does not include any mechanisms by which the constitutional right to freedom of expression may be balanced with the interests protected by the legislation. One cannot save legislation by the belief that it will be applied constitutionally. And I cannot imagine a situation where a private corporation can be expected to carry out the difficult task of balancing rights that would be required for any such scheme to survive constitutional muster. This aspect is completely without precedent in Canadian law.

The Supreme Court has long recognized the fundamental importance of freedom of expression, including expression by corporations. PIPEDA, interpreted in this manner, would outlaw the collection, use, or disclosure of personal information for many legitimate, expressive purposes related to seeking information and knowledge. This infringement of the right to freedom of expression is disproportionate to the government’s objective of providing individuals with control over the personal information, particularly information that has been deemed to be newsworthy.

A proposed interpretation of PIPEDA that would include the search engine would also fail on the final proportionality branch. In this branch of the s. 1 analysis, the tribunal has to determine whether there is proportionality between the infringement of the rights of Canadians and the salutary effect of such limitation. As set out by the Supreme Court of Canada in R. v. Sharpe:

102        This brings us to the third and final branch of the proportionality inquiry: whether the benefits the law may achieve in preventing harm to children outweigh the detrimental effects of the law on the right of free expression. The final proportionality assessment takes all the elements identified and measured under the heads of Parliament’s objective, rational connection and minimal impairment, and balances them to determine whether the state has proven on a balance of probabilities that its restriction on a fundamental Charter right is demonstrably justifiable in a free and democratic society.  

One must consider whether the benefit actually achieved in the form of protecting privacy in the context of e-commerce outweighs the affront to the right to provide access to relevant information and to get access to relevant, lawful information. Preventing a search engine from providing access to this search result does little, if anything, to advance this interest.

At this portion of the analysis, one must also consider what expression is being squelched and how close it is to the “core of Charter values”. It is clear that certain kinds of expression are distant from the core of Charter values and can more readily be limited. Providing access to relevant, lawful information is at the core of Charter values:  “individual self-fulfilment, finding the truth through the open exchange of ideas, and the political discourse fundamental to democracy” (R. v. Sharpe, quoting Irwin Toy). Regulating search results would limit expression that cuts to the core of Charter values (and does little to advance the objectives of the legislation).

A court or tribunal is not only focused on the actual speech in question, but also considers what other speech can be “caught in the net” of the impugned legislation. One can readily imagine that a politician seeking election could attempt to have unflattering material removed, even if entirely truthful. If PIPEDA applies and one has to rely on knowledge and consent, the operator of the search engine may have no choice but to remove it as any consent to include it in the index has been revoked.

I also note that such a finding would legally compel a search engine operator to provide incorrect information to its users, which is a disproportionate effect on freedom of expression. When a user enters a query into a search engine, they expect to receive the most relevant results using the search engine’s usual algorithms. Omitting a highly relevant, responsive search result would mislead that user into believing that certain content does not exist, though it continues to exist and remains accessible on the media outlet’s site. This is akin to a student asking a research librarian for everything the library has about a specific individual, but legally requiring the librarian to lie to the patron. The book would remain on the shelf, but the librarian is prohibited from mentioning it.

Similar to the finding of the Supreme Court of Canada in UFCW striking down Alberta’s privacy law, limiting legitimate expression that relates to the core of Charter values of seeking lawful information is “too high a price to pay”:

[20]        PIPA’s objective is increasingly significant in the modern context, where new technologies give organizations an almost unlimited capacity to collect personal information, analyze it, use it and communicate it to others for their own purposes. There is also no serious question that PIPA is rationally connected to this important objective. As the Union acknowledges, PIPA directly addresses the objective by imposing broad restrictions on the collection, use and disclosure of personal information. However, in our view, these broad restrictions are not justified because they are disproportionate to the benefits the legislation seeks to promote.  In other words, “the Charter infringement is too high a price to pay for the benefit of the law”: Peter W. Hogg, Constitutional Law of Canada (5th ed. Supp.), vol. 2, at p. 38-43.

A failure to satisfy any of the questions in the Oakes analysis results in the legislation being found to be unconstitutional. I fully expect that the Federal Court would find applying PIPEDA to create a “right to be forgotten” in this manner to be unconstitutional. I expect this analysis would yield the same result for a standalone right to be forgotten law.

Separation of powers - Constitution Act, 1867 

Under the Canadian constitution, the provincial governments are given exclusive jurisdiction over matters of property and civil rights in each province. Privacy is a matter of civil rights, as is non-criminal law that would mandate the removal of content such as that referred to by the complainant. The federal government bases PIPEDA on the “General Trade and Commerce Power” that is located within s. 91(2) of the Constitution Act, 1867. In order to be valid federal legislation rooted in the general branch of the trade and commerce clause, the law would have to follow the indicia set out in General Motors of Canada Ltd. v. City National Leasing, [1989] 1 SCR 641, 1989 CanLII 133 (S.C.C.) (“General Motors”).  In upholding the Combines Investigation Act as valid federal law under the general branch of s. 91(2), the Chief Justice Dickson at paras. 32 and 34, enumerated five indicia or factors of the valid exercise of the general Trade and Commerce power:
  1. The impugned legislation must be part of a general regulatory scheme.
  2. The scheme must be monitored by the continuing oversight of a regulatory agency.
  3. The legislation must be concerned with trade as a whole rather than a particular industry or commodity
  4. The legislation must be of such a nature that the provinces, together or independently, would be constitutionally incapable of enacting it.
  5. The failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.
PIPEDA itself rests on a tenuous foundation, as it does not regulate the economy or trade as a whole, but one singular commodity: personal information. Nevertheless, the application of a “right to be forgotten” would rest on an even more shaky foundation as it would be regulating only one activity: the operation of internet search engines.

Final issues

Who is the decision maker?

Even if one were to create a right to be forgotten in Canadian federal law, transplanting the European model of operation into Canada would be grossly problematic. In Europe, the burden is entirely on the search engines to receive applications for removal, to evaluate them and to act upon them. This places the search engine in the position of having to decide, using its own frame of reference, whether the information is out of date, inaccurate or obsolete. The search engine does not know the complainant, does not know the context, does not know if the individual is a public figure and does not know whether the individual has genuinely “moved on with his life”. There may be some scenarios that are relatively easy to deal with, such as revenge porn, but for most cases the search engine will only have the complainant’s submissions to rely upon.

Content providers’ rights

Any process needs to also appreciate that the content provider’s interests are also at stake. Content providers choose to make their materials available online and also choose whether to allow it to be indexed by search engines. Meddling with how such content appears in search engine listings interferes with the ability of content providers to reach their intended audiences. Doing so without their input is very problematic: At the very least, content providers will need to be consulted to provide input on whether the content is “newsworthy”. However, placing the search engines as the arbiters of the content provider’s rights is not fair to the content provider.

Reviving forgotten information

A final consideration would have to be how can one revive forgotten information that becomes relevant again. The last election saw a number of political candidates whose social media activity and other online content came back to haunt them. Most notably, an old video surfaced online of an individual who was working as a plumber who was recorded urinating into a customer’s coffee cup. When it surfaced, the plumber was running as a candidate for Parliament. One can readily imagine scenarios in which someone with political ambitions will seek to have content suppressed before seeking a nomination. If successful, relevant information about the candidate’s history and character many be indelibly lost.  

Conclusion

While aspects of the right to be forgotten can be compelling, particularly for privacy advocates like myself, it is a concept that cannot find a Charter-resistant foothold either within PIPEDA or some other means in Canadian law.
 
David TS Fraser is lawyer with McInnes Cooper, where his practice is exclusively devoted to internet and privacy law. David is also a part-time faculty member at Dalhousie Law School and an associate of the Institute of Law and Technology. The views expressed in this paper are solely those of the author and should not be attributed to the firm or any of its clients.


17        Freedom of expression protects not only the individual who speaks the message, but also the recipient. Members of the public —  as viewers, listeners and readers —  have a right to information on public governance, absent which they cannot cast an informed vote; see Edmonton Journal, supra, at pp. 1339-40.  Thus the Charter protects listeners as well as speakers; see Ford v. Quebec (Attorney General), 1988 CanLII 19 (SCC), [1988] 2 S.C.R. 712, at pp. 766-67.
18        This is not a Canadian idiosyncrasy.  The right to receive information is enshrined in both the Universal Declaration of Human Rights, G.A. Res. 217 A (III), U.N. Doc. A/810, at 71 (1948), and the International Covenant on Civil and Political Rights, Can. T.S. 1976 No. 47.  Canada is a signatory to both.  American listeners enjoy the same right; see Red Lion Broadcasting Co. v. Federal Communications Commission, 395 U.S. 367 (1969), at p. 390; Martin v. City of Struthers, 319 U.S. 141 (1943), at p. 143. The words of Marshall J., dissenting, in Kleindienst v. Mandel, 408 U.S. 753 (1972), at p. 775, ring as true in this country as they do in our neighbour to the south: [T]he right to speak and hear —  including the right to inform others and to be informed about public issues —  are inextricably part of [the First Amendment]. The freedom to speak and the freedom to hear are inseparable; they are two sides of the same coin. But the coin itself is the process of thought and discussion. The activity of speakers becoming listeners and listeners becoming speakers in the vital interchange of thought is the means indispensable to the discovery and spread of political truth. [Citations omitted.]

Tuesday, January 26, 2016

Ontario court explicitly adopts new privacy tort: public disclosure of private facts

For anyone who was wondering: the arc of the common law is long and it bends towards privacy. The Ontario Superior Court of Justice has this past week expressly recognized the tort of "public disclosure of private facts".

This is a huge deal, as it explicitly expands the scope of privacy protection under the common law and stands as an example of how the traditional courts (and perhaps new-ish torts) can be called upon to help victims of cyberbullying.

Arising from a horrific case of revenge porn where the defendant had uploaded to the internet an explicit sexual video of the plaintiff, the Court in Doe v D., 2016 ONSC 541 (CanLII) [Edit: try this version -- I understand that CanLII may have inadvertently published some details contrary to the publication ban], said this about the ability to sue for invasion of privacy:

C. Invasion of Privacy

[34] In Jones v. Tsige, 2012 ONCA 32 (CanLII), the Court of Appeal for Ontario recognized the existence of the tort of invasion of privacy in the context of intrusion upon seclusion. In that case, the Court found that the defendant had committed the tort of intrusion upon seclusion when she used her position as bank employee to repeatedly examine private banking records of her spouse's ex-wife. While that case dealt with a significantly different fact situation, many of the Court’s comments are germane to this case, and I will therefore refer extensively to that decision.

[35] To begin with, the Court noted (at para. 15) that “[t]he question of whether the common law should recognize a cause of action in tort for invasion of privacy has been debated for the past one hundred and twenty years. Aspects of privacy have long been protected by causes of action such as breach of confidence, defamation, breach of copyright, nuisance and various property rights. Although the individual's privacy interest is a fundamental value underlying such claims, the recognition of a distinct right of action for breach of privacy remains uncertain.”

[36] The Court went on to recognize as authoritative a seminal American legal article on the subject by William L. Prosser, "Privacy" (1960), 48 Cal. L. Rev., noting that “Prosser argued that what had emerged from the hundreds of cases he canvassed was not one tort, but four, tied together by a common theme and name, but comprising different elements and protecting different interests. Prosser delineated a four-tort catalogue, summarized as follows, at p. 389:

1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.

2. Public disclosure of embarrassing private facts about the plaintiff.

3. Publicity which places the plaintiff in a false light in the public eye.

4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness. “

[37] The Court also noted (at para. 19) that “[t]he tort that is most relevant to this case, the tort of ‘intrusion upon seclusion’, is described by the Restatement [Restatement (Second) of Torts (2010)], at 652B as: ‘One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.’”

[38] The Court went on to note (at para. 20) that “[t]he comment section of the Restatement elaborates this proposition and explains that the tort includes physical intrusions into private places as well as listening or looking, with or without mechanical aids, into the plaintiff's private affairs. Of particular relevance to this appeal is the observation that other non-physical forms of investigation or examination into private concerns may be actionable. These include opening private and personal mail or examining a private bank account, ‘even though there is no publication or other use of any kind’ of the information obtained.’” The Court commented that if the plaintiff in Jones had a right of action, it fell into the first category of intrusion upon seclusion, described by Prosser as comprised of the following elements:

• there must be something in the nature of prying or intrusion;

• the intrusion must be something which would be offensive or objectionable to a reasonable person;

• the thing into which there is prying or intrusion must be, and be entitled to be, private; and

• the interest protected by this branch of the tort is primarily a mental one. It has been useful chiefly to fill in the gaps left by trespass, nuisance, the intentional infliction of mental distress, and whatever remedies there may be for the invasion of constitutional rights.

[39] Later in its reasons, when considering the desirability of recognizing the tort of intrusion upon seclusion, the Court made a number of comments that are relevant to the issues in this case, including the following:

39 Charter jurisprudence identifies privacy as being worthy of constitutional protection and integral to an individual's relationship with the rest of society and the state. The Supreme Court of Canada has consistently interpreted the Charter's s. 8 protection against unreasonable search and seizure as protecting the underlying right to privacy. In Hunter v. Southam Inc., 1984 CanLII 33 (SCC), [1984] 2 S.C.R. 145, [1984] S.C.R. No. 36, at pp. 158-59 S.C.R., [page254] Dickson J. adopted the purposive method of Charter interpretation and observed that the interests engaged by s. 8 are not simply an extension of the concept of trespass, but rather are grounded in an independent right to privacy held by all citizens.

43 In Hill v. Church of Scientology of Toronto 1995 CanLII 59 (SCC), [1995] 2 S.C.R. 1130, Cory J. observed, at para. 121, that the right to privacy has been accorded constitutional protection and should be considered as a Charter value in the development of the common law tort of defamation. …

45 While the Charter does not apply to common law disputes between private individuals, the Supreme Court has acted on several occasions to develop the common law in a manner consistent with Charter values: [citations omitted].

46 The explicit recognition of a right to privacy as underlying specific Charter rights and freedoms, and the principle that the common law should be developed in a manner consistent with Charter values, supports the recognition of a civil action for damages for intrusion upon the plaintiff's seclusion ….

67 For over 100 years, technological change has motivated the legal protection of the individual's right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of "the pressing need to preserve 'privacy' which is being threatened by science and technology to the point of surrender": "The Law and Privacy: the Canadian Experience", at p. 1. See, also, Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

68 It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

69 Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. …

[40] The passage quoted immediately above most certainly applies to the case before me.

[41] While the facts of this case bear some of the hallmarks of the tort of "intrusion upon seclusion", they more closely fall within Prosser’s second category: “Public disclosure of embarrassing private facts about the plaintiff.” That category is described by the [Restatement (Second) of Torts (2010) at 652D as follows: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.”

[42] The comment section of the Restatement elaborates on this proposition as follows:

Every individual has some phases of his life and his activities and some facts about himself that he does not expose to the public eye, but keeps entirely to himself or at most reveals only to his family or to close friends. Sexual relations, for example, are normally entirely private matters, as are family quarrels, many unpleasant or disgraceful or humiliating illnesses, most intimate personal letters, most details of a man's life in his home, and some of his past history that he would rather forget. When these intimate details of his life are spread before the public gaze in a manner highly offensive to the ordinary reasonable man, there is an actionable invasion of his privacy, unless the matter is one of legitimate public interest.

Although written in somewhat antiquated language, the concepts described are entirely apposite to this case. Among the illustrations offered by the Restatement is the following: “A publishes, without B's consent, a picture of B nursing her child. This is an invasion of B's privacy.”

[43] Prosser listed the features of this tort as follows:

• the disclosure of the private facts must be a public disclosure, and not a private one;

• the facts disclosed to the public must be private facts, and not public ones; and

• the matter made public must be one which would be offensive and objectionable to a reasonable man of ordinary sensibilities.

[44] Plainly, writing in 1960, Prosser was discussing events that might occur in a pre-Internet world, where the concepts of pornographic websites and cyberbullying could never have been imagined. Nevertheless, the essence of the cause of action he described is the unauthorized public disclosure of private facts relating to the plaintiff that would be considered objectionable by a reasonable person. In the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection. Personal and private communications and the private sharing of intimate details of persons’ lives remain essential activities of human existence and day to day living.

[45] To permit someone who has been confidentially entrusted with such details – and in particular intimate images - to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies. I therefore would hold that such a remedy should be available in appropriate cases.

[46] I would essentially adopt as the elements of the cause of action for public disclosure of private facts the Restatement (Second) of Torts (2010) formulation, with one minor modification: One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of the other’s privacy, if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. [modification shown by underlining]

[47] In the present case the defendant posted on the Internet a privately-shared and highly personal intimate video recording of the plaintiff. I find that in doing so he made public an aspect of the plaintiff’s private life. I further find that a reasonable person would find such activity, involving unauthorized public disclosure of such a video, to be highly offensive. It is readily apparent that there was no legitimate public concern in him doing so.

[48] I therefore conclude that this cause of action is made out.

Friday, January 22, 2016

Presentation: Lawyers and social media

I had the great pleasure this morning of giving a presentation to the council of the Nova Scotia Barristers Society on the use of social media by lawyers. The Society has been a very keen adopter of social media itself. Check out their presence on Facebook, Twitter, YouTube and LinkedIn.

I thought the slides may be of interest to other members of the profession, so here it is:

Monday, January 18, 2016

Tower dump case raises troubling questions about law enforcement and privacy

I blogged a couple of days ago about the important case of R v Rogers, 2016 ONSC 70 (Canadian Privacy Law Blog: Ontario court provides clear guidance on privacy and "tower dumps" in R v Rogers and Telus). You may recall that it is the decision that provides police and justices of the peace with guidance on how to formulate “tower dump” production orders in compliance with the Canadian Charter of Rights and Freedoms. This is very important for the future of the use of this investigative technique.

But I think we need to look closely at what happened that gave rise to the decision, and to carefully consider what this says about law enforcement in Canada. I see an institutional attitude that does not even consider privacy rights of Canadians and the Charter that creates them. I find this to be very troubling.

If you’ve read the decision or a summary of it, you will know that the Peel Regional Police were investigating a string of jewelry store robberies. So the Peel Police sought a series of production orders requiring telecommunications companies to deliver the records of all the cellphone towers that are in the vicinity of the crimes being investigated. But its nature, this is purely a fishing expedition. They were hoping that information about a small number of suspects was among the details of tens of thousands of Canadians uninvolved with the crime.

I am told that they got production orders against six telcos, but only two of them pushed back ultimately leading to the court hearing.

So at one point one (or more) police officers thought it was appropriate, and presumably legal, to ask for a production order that would hand him (or her) the personal information of tens of thousands of innocent people, hoping to find that there was information in there about a possible suspect. Presumably, a senior officer signed off on it. A crown prosecutor may have signed off on it, as well.

So what kind of personal information was being sought? A staggering range:

  • Names of all customers connected to the towers at the relevant times;
  • Addresses of all those customers;
  • Who all those customers were calling at the relevant times, including the names and addresses of those persons
  • Who all those customers were texting at the relevant times, including the names and addresses of those persons
  • Billing information, including credit card and bank information, of all those customers

As found by the court, they sought production of information that was entirely irrelevant to their investigation. Billing information would not be helpful at all to this investigation, but they sought it anyways.

Starting this this grossly overbroad request, which included irrelevant information, the police went to a justice of the peace who granted the order. Justices of the peace are the independent judicial officers who are supposed to ensure that intrusive orders are appropriate in the circumstance, including whether they are proportional. This one got by.

Then, when Rogers and Telus pushed back, they tried to withdraw the order in secret, tried to convince the Court that the question was now moot and the Court should not consider Rogers and Telus’ arguments about the privacy of their customers. I infer from this that the police did not want either this production order or their practices regarding “tower dumps” to be scrutinized by a superior court judge. They were caught with their hands in the privacy cookie jar.

The police sought a grossly overbroad order, which included sensitive personal information that was entirely irrelevant to their investigation. This request was presumably signed-off on by a senior officer. They managed to get a justice of the peace to approve it. The detective who testified said that the practice is to limit the request to what is “manageable and can be meaningfully reviewed.” No mention that it is limited because of privacy, proportionality or the Charter.

In court, the police and crown argued that Rogers and Telus have no standing to assert their customers’ privacy interests. The judge dismissed this. (I expect the original production order included a “gag order”, as well. I can’t think of the last time that I saw one that did not include a gag order.) The police and the crown also tried to argue that there was no search in this case that would engage the Charter. The judge dismissed this, too.

The crown also tried to put forward an absurd proposition: if faced with an over-broad production order, the burden should be on the telco to negotiate with the police to narrow it down. I have been in the position of representing companies like these telcos (but not these exact telcos) in discussions with police who are seeking access to customer information. It is really not a discussion. In no way can it be called a negotiation. Threats of obstruction and contempt are to be expected. Not surprisingly, the judge dismissed this out of hand.

Importantly, the judge said that the police have to present the justice of the peace with a constitutionally valid request. They can’t go for everything they can get and then hide behind the justice’s signature.

In this context, we need to recall that Bill C-30, when put forward to Vic Toews and supported by the law enforcement community, could have required Rogers and Telus to hand over this information without a justice of the peace ever having seen the application or the basis upon which it would be based. Recall also, that the current RCMP Commissioner is pushing for a way to go around the Charter and the R. v. Spencer decision from the Supreme Court to get access to this sort of information without judicial oversight.

As a postscript, I should be clear: I think that tower dumps should remain available to law enforcement in the appropriate circumstances. I think that the judge in this case did produce a set of guidelines that -- if followed -- will give police access to this useful tool in a manner that decreases the threat to the privacy of uninvolved persons and is consistent with the Charter.

Friday, January 15, 2016

The Digital Privacy Act: New and upcoming changes to PIPEDA

I was invited this week to present a webinar to the Conference Board of Canada's Council of Chief Privacy Officers on the current and upcoming changes to Canada's privacy law as a result of the Digital Privacy Act (Bill S-4). The changes are pretty significant so I thought it would be worthwhile to share the presentation more broadly. The materials cover most of the major changes, including enhanced consent, business transactions, data breaches, record keeping and compliance agreements.

Thursday, January 14, 2016

Ontario court provides clear guidance on privacy and "tower dumps" in R v Rogers and Telus

It is becoming clear that internet companies and telcos are the guardians of personal privacy in this connected age. We surf the internet and walk through the streets in relative anonymity, but the telcos are able to make the connections and name you for the police. For that reason, we need clear rules so that this ability is only used where it is reasonable to do so, in accord with our Charter of Rights and Freedoms.

This morning, the Ontario Superior Court released its important decision in R. v. Rogers & Telus, 2016 ONSC 70 [PDF]. (Some previous discussion is here.)This is a very important decision, which finally provides police and prosecutors with clear guidance on when and how they can obtain telco customer information through "tower dumps". In a nutshell, tower dumps are the production of all the records of a cell phone tower at a particular time. Since your mobile phone is always communicating with at least one tower, tower dumps can tell the police who is in the vicinity of a particular location at a particular time. They are really troubling or problematic because the records overwhelmingly contain information about people who have nothing to do with the underlying investigation.

The production orders obtained by the Peel Regional Police at issue were breathtakingly broad. The police were investigating a string of robberies and went to at least Telus and Rogers, looking for the following information related to cellular towers operated by them:

  • Names of all customers connected to the towers at the relevant times;
  • Addresses of all those customers;
  • Who all those customers were calling at the relevant times, including the names and addresses of those persons
  • Who all those customers were texting at the relevant times, including the names and addresses of those persons
  • Billing information, including credit card and bank information, of all those customers

Rogers asserted that complying with the order would result in the disclosure of information about 34,000 customers. Telus said their demand would involve 9,000 customers. Remember, there was probably only one suspect in all that data, so it would have given the police detailed information about approximately 43,000 people who had NOTHING TO DO WITH THE CRIME. Also note that a justice of the peace granted these orders.

Thankfully, Rogers and Telus pushed back and went to court to challenge the production orders. The police withdrew them, presumably having been caught with their hands in the proverbial cookie jar seeking a breathakingly broad order, and argued that the telcos' application was now moot and that Rogers and Telus didn't have standing to assert the privacy interests of their customers. The court disagreed and ordered a hearing, which leads us to this decision.

The court agreed with the police that tower dumps are a valuable investigative technique. A police detective described the two most common scenarios in which tower dumps are sought:

a. the police have reasonable grounds to believe that a series of crimes were committed by the same person in various locations. For example, a series of robberies with similar hallmarks. Cellular records can identify any subscribers who were in close proximity to more than one of the crime scenes.

b. the police are investigating a single incident, such as a robbery or murder, and have reasonable grounds to believe that the perpetrator used a cell phone at or near the crime scene. The names of persons accessing the cell tower(s) close to the crime scene can then be cross-referenced with other investigative leads. Other such leads might be a list of the owners of Ontario registered vehicles of the type observed leaving the crime scene or the name of a person whose DNA was found at the scene.

The court framed the issues under review as (a) whether there is a reasonable expectation of privacy in the records at issue, (b) do Rogers and Telus have standing to assert their customers' privacy interests, (c) were the production orders overly broad? Did they thus infringe s. 8 of the Charter and what's the appropriate declaration, and (d) what guidance to the police and justices of the peace are appropriate?

Do users have a reasonable expectation of privacy in the cell phone records (including banking information)?

With respect to "reasonable expectation of privacy", the Court said it's a matter of common sense:

[19] Common sense indicates that Canadians have a reasonable expectation of privacy in the records of their cellular telephone activity. Whether and when someone chooses to contact a divorce lawyer, a suicide prevention hot line, a business competitor or a rehabilitation clinic obviously implicates privacy concerns. The location of a person at a particular time also, raises privacy concerns. Was the person at the Blue Jays game instead of at work?

[20] Admittedly this type of information is in the vast majority of cases innocuous. It remains that in a number of cases it will be quite sensitive. It is also not tenable to reason that since only the police will be in possession of this information any sensitive information will never see the light of day. One needs only read a daily newspaper to be aware of the fact that governments and large corporations, presumably with state of the art computer systems, are frequently "hacked" resulting in confidential information being stolen and sometimes posted on-line.

[21] I appreciate that cell phone data is not right up there with Wikileaks and Ashley Madison in terms of information likely to be hacked and published. It remains that it is information Canadians certainly regard as private. The law supports this conclusion.

...

[23] The Criminal Code, s. 492.2, requires judicial authorization, on a "reasonable grounds to suspect" standard, to install transmission data recorders, which can capture the telephone numbers of persons sending and receiving communications. This supports the conclusion that there is a reasonable expectation of privacy in this information.

...

[31] In my opinion the statutes and caselaw align with common sense. Canadians have a reasonable expectation of privacy in their cell phone records.

Do Telus and Rogers have standing to assert their customers' privacy interests

Perhaps not surprisingly, the crown argued that Telus and Rogers have no standing to argue in favour of their customers. And given that the production order likely contained a gag order, the natural result of that would be that nobody can argue for the 43,000 people whose information was implicated. The Court disagreed and notably came to the conclusion that they may have a contractual obligation to stand up for their customers:

[37] The choice is stark. There is an issue concerning the privacy rights of hundreds of thousands of Canadians. If Rogers and Telus are correct, this legal issue can and will be addressed with opposing points of view put forward by counsel. A decision on point can provide guidance to the police and issuing justices. If the Respondent is correct, this legal issue will never be addressed and some justices of the peace will continue to grant similar production orders which, as I will later explain, are overly broad and unconstitutional.

[38] To my mind the choice is clear. Rogers and Telus have standing to assert the privacy interests of their subscribers and are contractually obligated to do so.

Breadth of the production orders

The Court had little trouble concluding that the production orders, described above, were too broad and thus violated s. 8 of the Charter:

[41] The "minimal intrusion" principle embodied in s. 8 was described by Mr. Chan in Morelli and Beyond: Thinking about Constitutional Standards for Computer Searches, the Criminal Lawyers Association Newsletter, vol. 33, No. 2, as follows:
The animating policy is that the state must always be alive to the privacy interests of the individual and must always infringe such interests as little as possible.

[42] The issuing justice did not have the benefit of the evidence before me and the legal submissions of counsel. With that benefit, I have no hesitation in finding that the Production Orders were overly broad and that they infringed s. 8 of the Charter. The disclosure of personal information the Production Orders required went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation. For example, the Production Orders:

a) required production of information relating not only to the cell phone subscriber proximate to the crime scene but also the personal information and location of the other party to the call who may have been hundreds or thousands of miles removed from the crime scene;

b) required production of bank and credit card information which, if it had any relevance at all in locating an individual, could have been sought in a follow-up application for a small number of actual suspects (i.e.) a person whose cell phone was proximate to multiple crime locations; and

c) required production of personal information pertaining to over 40,000 subscribers when all the police were really interested in was information, which could have been provided in a report, listing the few individuals, if any, utilizing a cell phone proximate to more than one robbery location.

[43] I, therefore, make the requested declaration that the Production Orders authorized unreasonable searches and so breached the s. 8 Charter rights of the Rogers and Telus subscribers. As the Production Orders have been revoked nothing would be gained by addressing the further issue of whether the Production Orders also violated the rights of Rogers and Telus.

Interestingly (and shockingly, in my view), the Crown argued that the cure for an overly broad order is for the police and the telco to negotiate it down. The Court had little regard for this and I agree. Telcos like Rogers and Telus should only be asked to respond to legal (meaning constitutionally valid) production orders. And having advised clients regarding broad production orders myself, the police will never give you information that substantiates the breadth of the request.

Guidance for police and justices of the peace

The heart of the decision and the portion that will hopefully have a far-reaching and lasting impact, are the guidelines produced by the Court to be followed by the police and justices of the peace. In my view, it hits just the right balance between the clear public interest in having the police investigate crimes with the appropriate tools while respecting the privacy of those whose information is implicated.

Guidelines for police

[65] The police should include in the information to obtain a production order:

a) One — a statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind. — An awareness of the Charter requirements is obviously essential to ensure that production orders are focused and Charter compliant.

b) Two — an explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters, are relevant to the investigation. — This obviously flows from what is now the s. 487.014(2)(b) Criminal Code requirement that there be reasonable grounds to believe that the documents or data requested will afford evidence respecting the commission of the offence.

c) Three — an explanation as to why all of the types of records sought are relevant. - For example, the Production Orders sought bank and credit card information, and information as to name and location of the party to the telephone call or text communication who was not proximate to the robbery location. This information was clearly irrelevant to the police investigation.

d) Four — any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records. — For example, if the evidence indicates that a robber made a series of calls lasting less than one minute this detail might permit the target of the order to narrow the search and reduce the number of records to be produced. If the evidence indicates that the robber only made telephone calls then there may be no grounds to request records of text messages. (Although the use of voice recognition software may make it difficult to distinguish between a person making a telephone call and a person dictating a text message.)

e) Five — a request for a report based on specified data instead of a request for the underlying data itself. — For example, in this case a report on which telephone numbers utilized towers proximate to multiple robbery locations would contain identifying information concerning only a small number of robbery suspects and not the personal information of more than 40,000 subscribers which the Production Orders sought. This would avoid the concern expressed by Mr. Hutchison that 99.9% of vast amounts of tower dump personal information relates to individuals who are not actually suspects.

f) Six — If there is a request for the underlying data there should be a justification for that request. — In other words, there should be an explanation why the underlying data is required and why a report based on that data will not suffice.

g) Seven — confirmation that the types and amounts of data that are requested can be meaningfully reviewed. — If the previous guidelines have been followed the production order should be focused which will minimize the possibility of an order to produce unmanageable amounts of data. This confirmation does, however, provide an additional assurance of Charter compliance.

Guidelines for Issuing Justices

[66] The guidelines for issuing justices flow from the guidelines for police. Issuing justices should generally insist upon the police providing the information, confirmations and explanations outlined in the Guidelines for Police. Doing so will focus the scope of the production order and ensure that production orders conform to both the requirements of the Criminal Code and the dictates of the Charter.

I think this is ultimately a very important decision that pulls tower dump production orders out of the shadows, shines the light on abusive and overly-broad orders and has led to very sensible, balanced rules to be followed by the police and justices of the peace.


Wednesday, January 13, 2016

Ontario court case suggests that PGP and Blackberry security have been cracked

A recent case from the Ontario courts suggests -- quite strongly -- that PGP (Pretty Good Privacy) and Blackberry security have been cracked by the Royal Canadian Mounted Police.

We rarely get much insight about police techniques from reported cases, but this seems to be a doozy in R v Tsekouras, 2015 ONSC 1470:

[10] The police were presented with a Blackberry cell-phone ….44505 that had been seized from the accused. Their objective was to read the information embedded in that cellphone. The BlackBerry has a reputation for being a very secure means of communication. There were three levels of security. Entry was protected by a password, the device was protected by encryption generally and e-mails processed by this particular device were protected by PGP, a form of e-mail encryption provided as an “add-on” by a third party after-market supplier. This encryption was previously thought to be undefeatable. The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected. These materials are collected in Exhibit 8.

Of course, it could have been defeated by really bad OpSec, but who knows?

Thursday, December 17, 2015

Nova Scotia's cyberbullying law declared to be unconstitutional and a "colossal failure"

Full disclosure: I was counsel to the applicant respondent in this case. (The party seeking to have the order set aside and to have the statute found to be unconstitutional.)

The Nova Scotia Supreme Court has just released its decision in Crouch v Snell, 2015 NSCC 340 (PDF).

In the decision, the Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. The law has been found to violate the Canadian Charter of Rights and Freedoms' guarantees of freedom of expression and “life, liberty and security of the person” rights, in a manner that cannot be upheld as a reasonable limit on those rights that can be justified in a free and democratic society. In short, the law is a dramatic failure.

The case related to two adults, former business partners, who had a falling out. Mr. Crouch sought and obtained an ex parte cybersafety protection order before a justice of the peace in December 2014. The respondent (I was his counsel) challenged the order and the legislation.

I have not been known as a fan of the Cyber-safety Act. I've blogged about it, written Op-Eds about it and I've called it a dumpster fire. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the tragic death of Rehtaeh Parsons. In my view, it was created in haste in the immediate, emotional aftermath of the tragic death of a young woman who had been sexually assaulted and had photos of the assault circulated around the community. The government of the day -- which was heading for an election -- was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent.

Among other things, the Act allows an alleged victim of cyberbullying to appear before a justice of the peace to obtain a cybersafety protection order. These orders can go so far as to result in the confiscation of electronic devices and being barred from using the internet. An alleged cyberbully never has any notice of this hearing and has no right to give his side before the order is made. In this case, the order of the justice of the peace even ordered the respondent to delete all of his social media postings that didn’t refer to anyone in particular, as they may have referred to the complainant.

The case mainly focused on two aspects: the definition of "cyberbullying" at the heart of the Act and the scheme that permits applications and orders without notice to the other side. The Court found the Act violates freedom of expression rights and cannot be saved. The definition is overbroad and encompasses a range of expression that is constitutionally protected:

[115] The Act restricts "any electronic communication through the use of technology ... that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way". It is not difficult to come up with examples of expressive activity that falls within this definition, and at the same time promotes one of the core freedom of expression values. Moir J. did just that in Self, supra at para. 25:
A neighbour who calls to warn that smoke is coming from your upstairs windows causes fear. A lawyer who sends a demand letter by fax or e-mail causes intimidation. I expect Bob Dylan caused humiliation to P.F. Sloan when he released "Positively 4th Street", just as a local on-line newspaper causes humiliation when it reports that someone has been charged with a vile offence. Each is a cyberbully, according to the literal meaning of the definitions, no matter the good intentions of the neighbour, the just demand of the lawyer, or the truthfulness of Mr. Dylan or the newspaper.

[116] In conclusion, I find that the Act has both the purpose and effect of controlling or restricting freedom of expression.



Once any limitation on a Charter protected right is found, it can only be justified if (i) it is prescribed by law, (ii) it relates to a pressing and substantial objective, (iii) the impugned provision must be rationally connected to the objective, (iv) it must impair the Charter right "minimally" and (v) the effects must be proportional. In this case, remarkably, the Court found that it is not even "prescribed by law" as it is not sufficient intelligible:

[137] In this regard, I find that the Act provides no intelligible standard according to which Justices of the Peace and the judiciary must do their work. It does not provide sufficiently clear standards to avoid arbitrary and discriminatory applications. The Legislature has given a plenary discretion to do whatever seems best in a wide set of circumstances. There is no "limit prescribed by law" and the impugned provisions of the Act cannot be justified under s. 1. In the event I am wrong, I will perform the balance of the Oakes analysis.

The Court also found that the ex parte procedure is not rationally connected to the mischief to be addressed:

[156] ... Section 5(1) must be read as requiring protection order applications to be made without notice to the respondent. I also agree with the Respondent's submission that even if s. 5(1) did give applicants a choice in the matter, it would be a rare case indeed where an applicant would choose to give notice.

[157] Finally, with respect to the Attorney General's reliance on the various procedural safeguards set out in the Act, the reality is that while the respondent waits for the opportunity to be heard at a de novo hearing, his or her Charter-protected rights and freedoms will continue to be infringed upon. This will be on the basis of a proceeding that most likely occurred without notice to the respondent, and without the respondent having had an opportunity to be heard.

[158] I find the process set out in s. 5(1) of the Act is not rationally connected to the legislative objectives. The process does not specifically address a targeted mischief.


On "minimal impairment", the Court called the Act a "colossal failure":

[165] I need to consider all of the types of expression that may be caught in the net of the Cyber-safety Act, and determine whether the Act unnecessarily catches
material that has little or nothing to do with the prevention of cyberbullying: R. v. Sharpe, 2001 SCC 2, [2001] S.C.J. No. 3 at para. 95. In this regard, the Cyber-safety Act, and the definition of cyberbullying in particular, is a colossal failure. The Attorney General submits that the Act does not pertain to private communication between individuals, but rather, deals with "cyber messages or public communications". With respect, I find that the Act restricts both public and private communications. Furthermore, the Act provides no defences, and proof of harm is not required. These factors all culminate in a legislative scheme that infringes on s. 2(b) of the Charter much more than is necessary to meet the legislative objectives. The procedural safeguards, such as automatic review by this Court and the respondent's right to request a hearing, do nothing to address the fact that the definition of cyberbullying is far too broad, even if a requirement for malice was read in. Moir J.'s comments in Self supra at para. 25, are instructive:
The next thing to note is the absence of conditions or qualifications ordinarily part of the meaning of bullying. Truth does not appear to matter. Motive does not appear to matter. Repetition or continuation might ("repeated or with continuing effect") or might not ("typically") matter.

[166] In conclusion, the Cyber-safety Act fails the "minimum impairment" branch of the Oakes test.
Emphasis added


The Court also found that the Act fails on the final proportionality test:

[174] The Attorney General submits that the Act strikes an appropriate balance because it only restricts expression that is malicious, and therefore low-value. The
Respondent says this Court must instead balance an individual's right to express any sort of speech captured in the definition of "cyberbullying" against the objectives of the Act. The Respondent says the Act prevents an individual from telling the truth if it hurts another person's feelings or harms their self-esteem, and it does not provide any defences. The Act does not accommodate expression that relates to individual self-fulfillment, truth-finding or political discourse. The Respondent submits that the Act can therefore "limit speech that cuts to the core of Charter values". The Respondent distinguishes Lucas on the basis that the libel provisions in the Criminal Code were upheld because they prohibit only falsehoods that are known by the defendant to be false.

[175] It is clear that many types of expression that go to the core of freedom of expression values might be caught in the definition of cyberbullying. These deleterious effects have not been outweighed by the presumed salutary effects.


In the end, the Court found that the Cyber-safety Act offends sections 2(b) and 7 of the Charter and cannot be justified.

Interestingly, the Attorney General asked that if the Act were declared to be unconstitutional, the Court should suspend the declaration of invalidity so that the legislature could go back to the drawing board. In court, we agreed that it could be suspended with respect to anyone but my client. The Court declared the entire Act to be unconstitutional but refused to suspend the order:

[220] Both parties confined their submissions to the definition of cyberbullying and Part I of the Act. I have identified a number of problems with both components. The remaining parts of the Act cannot survive on their own. They are inextricably connected to the offending provisions, in particular the definition of cyberbullying. Severance would not be appropriate. The Act being over-inclusive rather than underinclusive, reading in also would not be an appropriate remedy. I have already explained why reading in a requirement for malice is not, in my view, appropriate or sufficient. The Act must be struck down in its entirety. The Attorney General has not persuaded me that a temporary suspension is warranted. To temporarily suspend the declaration of validity would be to condone further infringements of Charter protected rights and freedoms. Further, the fact that the Act was enacted to fill a "gap" in the legislation does not mean that victims of cyberbullying will be completely without redress in the time it takes to enact new cyberbullying legislation. They will have the usual albeit imperfect civil and criminal avenues available to them.
Emphasis added

So far, the government of Nova Scotia has not commented on the case and it remains to be seen whether they will appeal the case or go back to the drawing board, or both.

If they do go back to the drawing board, I really hope they will do it with very careful deliberation and full consultation with experts. But if nothing else, they have a good example of how not to do it.

Thursday, December 10, 2015

Privacy Commissioner tables annual report on privacy in the federal government

The Privacy Commissioner of Canada has just tabled his Annual Report on the Privacy Act to Parliament for 2014-2015. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

Here's the media release prepared by the Commissioner:

Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner

2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

  • More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  • More than 90% did not track all portable storage devices throughout their lifecycle.
  • More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  • One-quarter did not enforce the use of encrypted USB storage devices.
  • Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned device) on their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.