Sunday, April 26, 2015

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee via @danmichaluk

from Twitter

Tuesday, April 07, 2015

Why privilege matters in privacy advice

After a data breach, a company can easily find that the due diligence it exercised to avoid the breach in the first place can readily be turned against it. “Privacy impact assessments” and “threat risk assessments” are increasingly common, identifying privacy and security risks associated with new projects, new products and new processes. They should be a frank assessment highlighting all of the things that can go wrong to that the business can understand the steps to take to mitigate these risks. If they don’t identify all the risks, they are incomplete. But as most privacy professionals know, you can readily pay a million dollars to avoid a thousand dollars worth of risk. Mitigation steps need to be proportional to the risk, but only the worst case scenarios can instruct you on how badly things can go.

As important as these documents are, they can easily become the “smoking gun” that is front and centre in an investigation by regulators or a class action lawsuit. A privacy risk that is identified and unaddressed (or not fully addressed) will quickly be presented as negligence and recklessness.

I recently reviewed a “privacy risk assessment” prepared by a privacy consultant that was authored a few months before a significant breach involving tens of thousands of individuals. The report was the work of a privacy consultant and can readily be interpreted as a chronicle of previous privacy breaches (all of which could have been much worse), common carelessness on the part of employees, and budgetary constraints that led to cut corners. Many risks were identified and not all were ultimately addressed. The report can be seen to point in a direct line to negligent and reckless handling and safeguarding of sensitive personal information, while management was fully aware of systemic shortcomings. The report concludes that the organization should seek an “acceptable level” of privacy and security breaches. I expect that this document will be Exhibit “A” the class action lawsuit that has already been filed. The consultant's working notes will also be relevant evidence, along with any interviews he carried out. It may well be that the manager who commissioned it will soon regret making that decision.

The reason why this privacy risk assessment will be front and centre in a lawsuit is that the report was not prepared by a lawyer. It was prepared by a consultant who is not able to offer legal advice, despite the fact that it refers to compliance with privacy legislation. The only way to confidently keep anything out of court and off the record is to make sure that it is protected by legal advice privilege. If the report had been prepared by a lawyer or even by a consultant on a lawyer’s instructions in order to support the lawyer’s legal advice, it would never see the light of day unless the organization chooses to waive its privilege. The report would have served its purpose of allowing the organization to have a frank assessment of its vulnerabilities -- warts and all -- without the risk that it would be front and centre in court.

Note: I expect that this may be received as self-serving since I am a lawyer. I look forward to any debate or discussion that this raises.

Wednesday, March 25, 2015

Cyberbullying for family law practitioners (*not intended to be a how-to guide)

I was invited to speak with the Canadian Bar Association's Nova Scotia Family Law Section on cyberbullying law for family law practitioners. I was very happy to do so, given that many instances of cyberbullying arise from failed relationships and this will be a growing issue for family lawyers.

In case it is of interest, here is the presentation:

Wednesday, March 18, 2015

In Bill C-51, you can be ORDERED to help CSIS violate the Charter

Oh, there are so many things wrong with Bill C-51, the government's proposed Anti-Terrorism Act, 2015. But one aspect that I find particularly frightening has not received much attention. Under new amendments to the CSIS Act, you can be ordered to help CSIS violate the Charter rights of others.

Yup. Bill C-51 expands the sort of warrants that the Canadian Security Intelligence Service can obtain. It used to be that they could make secret applications, in secret, in front of a judge in a secret bunker for secret warrants to do things like wiretap, install bugs, etc. Now, CSIS is given a broader mandate to take measures to reduce "threats to the security of Canada". (Which is an incredibly vague term that should send chills up your spine.) And under C-51, CSIS can apply for warrant permitting its agents to break laws, including the Charter, to reduce such threats:

21.1 (1) If the Director or any employee who is designated by the Minister for the purpose believes on reasonable grounds that a warrant under this section is required to enable the Service to take measures, within or outside Canada, to reduce a threat to the security of Canada, the Director or employee may, after having obtained the Minister’s approval, make an application in accordance with subsection (2) to a judge for a warrant under this section.

So such a warrant would allow CSIS to do things, inside or outside of Canada, that would otherwise violate our criminal law or the Charter. That's bad enough. But Bill C-51 also gives CSIS the ability to get an order requiring others to help them violate our criminal law or the Charter.

Assistance order

22.3 (1) A judge may order any person to provide assistance if the person’s assistance may reasonably be considered to be required to give effect to a warrant issued under section 21 or 21.1.

And to make it worse, the order can include a gag-order preventing you from complaining about it.


(2) The judge may include in the order any measure that the judge considers necessary in the public interest to ensure the confidentiality of the order, including the identity of any person who is required to provide assistance under the order and any other information concerning the provision of the assistance.

I don't think that this would survive Charter scrutiny, but it's very troubling that the government wants CSIS to be able to deputize anyone and to force them to help in CSIS's "kinetic activities".

That's incredibly troubling.

Monday, March 16, 2015

Privacy Commissioner: Health Canada violated privacy laws by disclosing personal health information of over 40,000 Canadians

A press release issued today by my firm and the other firms listed below, who are representing more than 40,000 Canadians affected by a Health Canada privacy breach:

The Office of the Privacy Commissioner of Canada has completed its investigation of Health Canada's privacy breach affecting over 40,000 licensees of the Marihuana Medical Access Program (MMAP), concluding that Health Canada violated federal privacy laws.

In November 2013, Health Canada sent written notices to over 40,000 individuals, outlining changes to the MMAP. The envelopes used for the mail-out clearly included the words "Health Canada - Marihuana Medical Access Program" on the return address, indicating to anyone who saw the envelopes that the recipient was either licensed to possess medical marihuana or to grow it for medical purposes. The envelopes were oversized so more likely to come to people's attention. Previously, Health Canada had been discreet in its communications with program members.

Three hundred and thirty nine affected individuals complained to the Office of the Privacy Commissioner, who initiated an investigation. The complainants cited several concerns relating to the impact of Health Canada's actions on their personal lives including concerns about losing their jobs, reputational damage and personal safety.

In a finding dated March 3, 2015, the Commissioner determined that Health Canada had violated the federal Privacy Act, which is designed to protect the privacy of Canadians when the federal government handles their sensitive information. The Commissioner's Finding was only sent to the 339 individuals who filed complaints with the Privacy Commissioner, but a copy of the document can be found here. Affected individuals who were not among the original complainants do not have to file additional complaints to the Commissioner, as the investigation is concluded.

The finding rejects the justifications put forward by Health Canada, which include blaming the patients for having gone to the media about the breach, which brought attention to the matter. The government also suggested that including the full name of the program instead of an abbreviation that would protect privacy was one of the "reasonable options" available to it under the law.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing affected users in an intended class action lawsuit against Health Canada filed in the Federal Court.

"It was clear to me, as soon as my phone started ringing in November 2013, that there was no justification for the careless error made by Health Canada in this case," said privacy lawyer David Fraser of McInnes Cooper. "It's one thing to acknowledge making a mistake, which Health Canada did, but immediately turning around to blame the victims is repulsive."

"We are pleased that the Privacy Commissioner of Canada agrees that Health Canada violated the law in its mishandling of patients' personal information," said David Robins of Sutts Strosberg LLP.

"Hundreds of people have reached out to us through our secure website for the class action to tell us how the breach has affected them, from lost jobs, effects on family relationships and social stigma. Each person who was a part of the MMAP was promised by Health Canada that their confidentiality would be protected," said Ted Charney of Charney Lawyers, adding that "the Commissioner is not able to award compensation to the victims or penalize Health Canada for its unlawful conduct, so the class action lawsuit is important in pursuing justice."

"We expect that the court hearing to ask that the case be blessed as a certified class action will take place in the early summer. If the judge agrees, we can move forward with the merits of the case," said Ward Branch of Branch MacMaster. "The privacy commissioner's report serves as a helpful roadmap for the case."

Affected class individuals are encouraged to register at While class members are not required to "opt in" to participate in the intended class action lawsuit, providing contact information and advising class counsel about how this privacy breach has affected you individually will help class counsel in bringing the case forward. Those who have already registered on the secure website do not need to re-register, but may want to update their information if their circumstances have changed or if they have experienced additional harms as a result of the breach.

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world's leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

Monday, March 09, 2015

Canadian "revenge porn" and lawful access law is now in effect

Bill C-13, entitled the "Protecting Canadians from Online Crime Act", is now in effect. It received royal assent on December 9, 2014 and states that it comes into effect three months after that. (See: LEGISinfo - House Government Bill C-13 (41-2))

For previous commentary on the Bill, check out my past posts labelled "Bill C-13".

Thursday, March 05, 2015

Quebec man charged with obstruction for not giving up smartphone password to customs officer

The CBC (Quebec resident Alain Philippon to fight charge for not giving up phone password at airport and the Halifax Chronicle Herald (Quebec man faces charge for refusing to let Halifax border guards check his phone) are reporting that a man from Quebec has been charged with obstruction for not giving this smartphone password to a Canada Border Services Agency inspector upon his return to Canada at Halifax International Airport.

It would appear that the individual has been charged under s. 153.1 of the Customs Act, which deals with "hindering" a customs officer:

Hindering an officer 153.1 No person shall, physically or otherwise, do or attempt to do any of the following:

(a) interfere with or molest an officer doing anything that the officer is authorized to do under this Act; or

(b) hinder or prevent an officer from doing anything that the officer is authorized to do under this Act.

To my knowledge, this is the first case of its kind. I haven't been able to find any case where this provision has been used in similar circumstances.

There is little doubt that there is a reduced expectation of privacy at the border, and past cases have found that a warrantless search of a laptop for child pornography was as justifiable as a search of a suitcase. What will be most interesting to watch as this cases progresses is whether the Courts will take into account more recent Supreme Court cases dealing with laptop and cell phone searches and if there is a positive duty on the part of a traveler to unlock or provide the password to a digital device.

This is definitely a case to watch: if a Court finds this accused has obstructed or hindered a customs officer in this case, it would likely also be an offense to refuse to unlock a smartphone for a police officer carrying out a lawful search.

CRTC issues first CASL penalty: $1.1 million levied against Compu-Finder

The CRTC has levied its first penalty under Canada's Anti-spam Law (CASL): a whopping $1.1 million against Compu-Finder for sending commercial electronic messages without consent and for not meeting the unsubscribe requirements under the law.

It would appear that Compu-Finder got the CRTC's attention quite vividly thanks to a huge number of complaints made to the CRTC's anti-spam reporting centre. Apparently 26% complaints received for this industry segment related to this company.

Here's the CRTC's media release:

CRTC Chief Compliance and Enforcement Officer issues $1.1 million penalty to Compu-Finder for spamming Canadians - Canada News Centre

March 5, 2015 – Ottawa-Gatineau - The Canadian Radio-television and Telecommunications Commission’s (CRTC’s) Chief Compliance and Enforcement Officer today issued a Notice of Violation to Compu-Finder, which includes a penalty of $1.1 million, for breaking Canada’s anti-spam law. Compu-Finder has 30 days to submit written representations to the CRTC or pay the penalty. It also has the option of requesting an undertaking with the CRTC on this matter.

Further to an investigation, the Chief Compliance and Enforcement Officer finds that Compu-Finder sent commercial electronic messages without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly. The emails sent by Compu-Finder promoted various training courses to businesses, often related to topics such as management, social media and professional development. The four alleged violations occurred between July 2, 2014 and September 16, 2014. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted.

The CRTC is assessing complaints submitted to the Spam Reporting Centre that are under its legislative mandate and a number of investigations are currently underway. The CRTC is working with its partners, both within Canada and internationally, to protect Canadians from online threats and contribute to a more secure online environment.

The CRTC can discuss corrective actions with individuals, firms or organizations, which may lead to an undertaking that includes an amount to be paid and other corrective measures. As part of its powers, the CRTC can also issue warning letters, preservation demands, notices to produce, restraining orders and notices of violation.

Canadians are encouraged to report spam to the Spam Reporting Centre. The information sent to the Centre is used by the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner to enforce Canada’s anti-spam law.

Quick Facts

  • The CRTC’s Chief Compliance Officer has issued Compu-Finder a Notice of Violation, which includes a penalty of $1.1 million, for four violations of Canada’s anti-spam law.
  • Compu-Finder had sent commercial emails without consent, as well as messages in which the unsubscribe mechanisms did not function properly.
  • To help Canadian businesses comply with the law, the CRTC has provided numerous information sessions across the country and made guidance materials available on its website.
  • The CRTC is working with its partners, both within Canada and internationally, to protect Canadians from online threats and contribute to a more secure online environment.
  • Canada’s anti-spam law protects Canadians while ensuring that businesses can continue to compete in the global marketplace.
  • Canada’s anti-spam legislation was adopted by Parliament in December 2010 and came into force on July 1, 2014.
  • Penalty amounts are calculated using the factors outlined in section 20 of Canada’s anti-spam legislation.


“Prior to the coming into force of the anti-spam law, the CRTC conducted numerous outreach initiatives to increase the awareness of businesses on the new requirements. Creating a secure online environment for Canadians is also the responsibility of industry. Despite the CRTC’s efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force to email addresses it found by scouring websites. Complaints submitted to the Spam Reporting Centre clearly indicate that consumers didn’t find Compu-Finder’s offerings relevant to them. By issuing this Notice of Violation, my goal is to encourage a change of behaviour on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law. We take violations to the law very seriously and expect businesses to be in compliance.”

Manon Bombardier, Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission

Edit: Corrected/clarified the information in italics above.

Thursday, February 26, 2015

The disaster of the Nova Scotia cyberbullying law; it's time to go back to the drawing board

I often represent victims of true cyberbullying, including adults whose lives have been turned upside down by malicious online actors, so I am very sympathetic to the nominal goals of Nova Scotia's Cyber-safety Act. But the legislation fails to take into account -- in any way -- that all expression is protected by the Charter and can only be regulated or suppressed by reasonable limits, prescribed by law. The legislation is defective and has been enforced by the province in a manner that only makes it worse.

In Nova Scotia, any electronic speech that would reasonably be expected to cause someone distress or hurt feelings or harm to self-esteem is deemed to be cyberbullying. There are no defences. Here is the definition of cyberbullying from the Act:

(b) “cyberbullying” means any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably [to] be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self- esteem or reputation, and includes assisting or encouraging such communication in any way;

You may want to read that again, but focus on this bit: "any electronic communication ... that ought reasonably be expected to cause .. humiliation, distress or other damage or harm to another person's ... self-esteem or reputation...".

Every other Canadian law that tries to limit speech has defences, such as the defence of truth or fair comment under defamation law. Hate speech laws in the Criminal Code have defences. The Supreme Court of Canada, in Grant v Torstar, recently recognized that traditional defamation law was not compatible with the Charter because a diligent commentator on a matter of public interest would be found liable under existing rules so created a defence of "responsible communication on a matter of public interest." Under defamation law, you can call a convicted thief a thief, but if you dare tweet that in Nova Scotia or put it on a blog, you're a cyberbully.

We just have to look at how the Cyber-safety Act has been applied by the CyberSCAN unit to understand how incompatible it is with Charter protected expression. After a teenager started a twitter argument with MLA Lenore Zann, the CyberSCAN folks called an individual who regularly tweets about Nova Scotia politics and told him to remove his tweets or there would be unspecified "further action". His tweets questioned the judgement of an elected member of the legislature. He deleted his tweets. (See: Nova Scotia politician alleges cyberbullying, calls the authorities on tweeting teen)

On another occasion, the CyberSCAN folks met with an individual who was demanding financial transparency and accountability from his elected First Nations Band Chief. I will admit his questioning was inelegant and his frustration is apparent in his comments. (At one point, he apparently suggested she could use a punch in the face.) They told him to not communicate with or about her, and to remove any negative comments about her from the internet, or there would be "further action". When he reneged on his agreement to lay off, they went to court and got an order of the Supreme Court of Nova Scotia that forbids him from communicating with or about his elected representative, effectively cutting him out of the democratic process. The judge did not issue any written reasons for the decision. (See: More details about Nova Scotia's first cyberbullying prevention order)

Most recently, Frank Magazine has reported in its 29 January 2015 issue that a local, politically active twitter user and blogger received a late-night visit from from CyberSCAN unit. Here's how it was related in the Frank article:

"A government agent from the province's Cyberscan cyberbullying division came to my house and ordered me to take down my political blog," Eric tells me.

"Or they would get a court order, and... they would seize all my computers, cell phones, ban me from using the internet, fine me thousands of dollars and jail me for up to two years."

According to the Frank magazine article, the CyberSCAN officer, Lisa Greenough, refused to tell the individual who had filed the complaint or what was the substance of the actual complaint. He was essentially told to just stop participating in politics online. Or there would be consequences.

The CyberSCAN unit's modus operandi when it comes to political participation appears to be to tell folks to stop. Not to tone it down. Just stop. And the invariable "or there will be further action."

When the legislation was introduced, I was interviewed by CBC saying that it was likely unconstitutional. In a later interview with the Premier of Nova Scotia, they played him that clip with my critique of the law. He said he couldn't disagree with me more. Having the Premier of a province tell you that you're wrong surely would hurt my feelings and harm my self esteem. If he had tweeted it, would have been cyberbullying according to the law his government passed. The CBC put the article on their website, so they cyberbullied me by "assisting or encouraging". None of them would have intended to have hurt my feelings, but that doesn't matter under this province's bizarre law.

This law was passed less than one hundred feet from the statue of Joseph Howe at the legislature. But if Howe had been on Twitter, he would have been branded a cyberbully; his comments almost certainly hurt the feelings of the local magistrates and caused them distress.

Cyberbullying is a very hard thing to define, and the law's supporters said that it had to be very broadly defined but would be applied with judgement and discretion. I have not seen evidence of that. Though most of the CyberSCAN unit's activities have not been reported on, those cases that have hit the media or the courts show a complete disregard for freedom of expression. When I asked the CyberSCAN unit about how they incorporate this fundamental human right into their decision-making, this is the response I received:

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

I would suggest that there is no evidence that the Charter was considered when the legislation was put together. And I seen no evidence that the Charter has been given consideration when the Act is applied.

Cyberbullying -- of kids and adults -- is a real issue that demands a real, meaningful response. However, the Cyber-safety Act of Nova Scotia is a disaster and the province's government needs to go back to the drawing board.

In case you are curious about the CyberSCAN unit, here are the questions I asked of the group and the answers I received:

1. How many employees (FTE) are there in the CyberSCAN unit?

There are five full time investigators, a Director, a case manager, and an administrative assistant that have additional duties associated with similar programs.

2. How many complaints or inquiries has the CyberSCAN unit received from victims of cyberbullying? Of these, how many are from adults and how many are from youth/children?

Since September 30, 2013, the unit has received 497 complaints that have initiated investigations.

3. How many files has the CyberSCAN unit opened in connection with complaints? Of these, how many are from adults and how many are from youth/children?


4. How many formal investigations have been launched by the CyberSCAN unit? Of these, how many are from adults and how many are from youth/children?

497 complaints received have involved the following:

Adult – 302 – adult reporting they are being cyberbullied

Guardian – 7 – guardian reporting on behalf of minor child

Parent – 76 – reporting on behalf of minor child

Referral by Police – 27

Referral by School – 66

Referral by Victim Services – 1

Youth – 19 – youth reporting they are being cyberbullied

5. How many complaints have been resolved informally by the CyberSCAN unit without having to open a file or launch a formal investigation?

There have been 163 informal resolutions.

6. How many Cyber Safety Prevention Orders have been applied for by the Director of Public Safety? Of these, how many are from adults and how many are from youth/children?

The Director has applied for and received 2 Prevention orders in court.

7. Does the CyberSCAN Unit have full time legal counsel assigned to it?

The unit utilizes Legal Services within the Department of Justice.

8. On the unit’s website, it says “The CyberSCAN unit will determine which alleged victims are at the most risk and respond to cases in order of priority.” How do you prioritize cases?

Cases are prioritized based on the potential harm to the individual.

9. Are there any formal or informal means by which the CyberSCAN unit takes Charter guaranteed freedom of expression rights into account in its activities?

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

Full disclosure: I am representing clients in two separate cases that are challenging the Cyber-safety Act and its application on Charter and other grounds. I have also been a witness in an application to obtain a cyberbullying protection order.

Thursday, February 19, 2015

Pre-installed adware may be kosher under Canadian anti-spyware provisions of CASL

The Next Web is reporting that Lenovo has been shipping consumer laptops pre-equipped with adware (see: Lenovo Caught Installing Adware On New Computers). This raises an interesting question for Canadians: would something like this be ok under the anti-spyware provisions of Canada's Anti-Spam Law (CASL)?

In true lawyerly style, the answer is "it depends". But maybe this highlights one of the many problems with the law.

The owner or authorized user of a computer system can install whatever he or she wants on the device, but this may not be the ultimate end-user. So if a manufacturer installs adware software on the device before title to it passed to the end user, that may be just fine under the law (but likely problematic from the point of view of the end user). Also, if it is embedded in the operating system of the device, that may be OK because there's deemed consent for the installation of operating systems by third parties.

I think most consumers would say that adware, crapware, bloatware, etc. should not be on their devices without their consent and the company that put it there should be required to remove it on request. However, if the software was installed when the manufacturer owned the device, the law may not meet consumers' expectations.

For more information on the software installation provisions of CASL, check out my firm's FAQ on the subject.